It's possible to impersonate users with PowerShell without a password (given sufficient privilege), taking advantage of the normal .NET way of doing that. The credential-less WindowsIdentity constructor asks LSA for a Kerberos S4U2Self (Service-for-User-to-Self) logon, which is why no password is involved. It only works on domain accounts, because that constructor only accepts an actual UPN and S4U is a Kerberos feature; local accounts have neither.
Construct a WindowsIdentity like this:
$ident = New-Object System.Security.Principal.WindowsIdentity("user@domain.tld")
Then actually start impersonating that identity on the current thread (requires SeTcbPrivilege to be useful):
$ctx = $ident.Impersonate()
If you don't have SeTcbPrivilege, LSA hands back an identification-level token instead of an impersonation-level one. Impersonate() still succeeds, but the thread is now holding a token that can't be used to open anything, so every subsequent access check fails and your PowerShell session is royally messed up until the impersonation is undone. Check $ident.ImpersonationLevel before calling Impersonate(). Either way, it returns an impersonation context that has an Undo method that stops impersonation; call it in a finally block so a failure in the impersonated code doesn't leave the thread stuck. Note that Impersonate()/Undo() only exist in .NET Framework, i.e. Windows PowerShell 5.1; PowerShell 7 runs on .NET Core, where you use the static WindowsIdentity.RunImpersonated with $ident.AccessToken instead.
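Putting the steps together, here is an added example (not code from the original post) that does the S4U logon, refuses to impersonate an identification-level token so the session isn't wrecked, and picks Impersonate()/Undo() or RunImpersonated depending on the PowerShell edition. It assumes a domain-joined host, a caller holding SeTcbPrivilege (typically SYSTEM) and .NET Framework 4.6 or later; user@domain.tld is a placeholder UPN.

```powershell
# Added example: S4U2Self impersonation with a token-level check and cleanup.
# Assumptions: domain-joined host, caller has SeTcbPrivilege (e.g. runs as SYSTEM),
# .NET Framework 4.6+ or PowerShell 7. The UPN below is a placeholder.
param(
    [Parameter(Mandatory)]
    [string]$Upn = 'user@domain.tld'
)

# The UPN-only constructor performs an S4U2Self logon through LSA; no password is used.
$ident = New-Object System.Security.Principal.WindowsIdentity($Upn)

# Without SeTcbPrivilege LSA returns an Identification-level token. Impersonating it
# succeeds, but every access check on the thread then fails. Refuse instead.
$level = $ident.ImpersonationLevel
if ($level -ne [System.Security.Principal.TokenImpersonationLevel]::Impersonation) {
    throw "Token for $Upn is $level-level; SeTcbPrivilege is needed for an Impersonation-level token."
}

# Work to run as the target user. GetCurrent() reflects the thread's impersonation
# token; child processes (e.g. whoami.exe) would NOT, they inherit the primary token.
$work = {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    Write-Host "Thread now runs as $($me.Name); IsSystem=$($me.IsSystem)"
    Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" | Select-Object -First 1
}

if ($PSVersionTable.PSEdition -eq 'Core') {
    # .NET Core dropped WindowsIdentity.Impersonate(); RunImpersonated scopes the
    # impersonation to the delegate and reverts it automatically, even on error.
    [System.Security.Principal.WindowsIdentity]::RunImpersonated(
        $ident.AccessToken, [System.Action]$work)
} else {
    # Windows PowerShell 5.1 (.NET Framework): classic Impersonate()/Undo() pair.
    $ctx = $ident.Impersonate()
    try {
        & $work
    } finally {
        # Always revert, otherwise the thread keeps the impersonation token.
        $ctx.Undo()
    }
}
```

Local resource access with the S4U token works as-is. Reaching network resources as the impersonated user additionally requires the computer account to be configured for constrained delegation with protocol transition, which is outside what this post covers.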