Non-Domain-Joined systems

How to run Amnesiac from Non-Domain-Joined systems

Amnesiac is primarily designed to run on a domain-joined system and perform authenticated actions against Active Directory. In some scenarios, however, you may need to run it from a host that is not joined to the domain. This guide explains how to set up and use Amnesiac in that situation, along with the limitations and security concerns that come with it.

Configuring a non-domain-joined system to run Amnesiac against an Active Directory environment involves two preparatory steps: pointing the host's DNS at the domain controller, and launching Amnesiac from a process started with the "runas" command and the "/netonly" flag. The first makes the domain's hostnames and service records resolvable; the second gives the process domain credentials to present when it connects to the domain controller and to target hosts.

DNS Configuration:

DNS resolution is crucial for locating and connecting to domain resources. Domain clients find a domain controller through SRV records in the domain's DNS zone, and Kerberos needs the DC's name to resolve correctly, so the non-domain-joined host must use a DNS server that holds that zone. Pointing the host's DNS at the domain controller's IP address (which is normally also a DNS server) achieves this. Note that the setting is per network interface and affects all name resolution on that interface, not only queries for the target domain.

  • Navigate to the Control Panel on your non-domain-joined host.

  • Access the Network Connections settings.

  • Right-click your network interface card (NIC) and select "Properties."

  • Locate and select the "Internet Protocol Version 4 (TCP/IPv4)" option.

  • Click on "Properties" to open a new window.

  • Select "Use the following DNS server addresses" and set the "Preferred DNS server" to the IP address of your Domain Controller (DC).

Using "runas" with "/netonly" Flag:

The "runas" command with the "/netonly" flag opens a new program (typically a command prompt or PowerShell window) whose network identity is a domain user. The process itself still runs as your local account; the supplied domain credentials are used only when the process authenticates to remote hosts, which is exactly what a non-domain-joined system needs, since it has no machine account or domain logon of its own. Two details matter in practice: "/netonly" does not validate the password at launch, so a mistyped password only shows up as an access-denied error on the first network access, and "whoami" in the new window will still report the local account. Amnesiac started from this window inherits the domain identity for everything it does over the network.

  • Open a command prompt on your non-domain-joined system.

  • Use the "runas" command with the "/netonly" flag, specifying the domain account as DOMAIN\username and the program to launch, and enter the account's password when prompted. A new window opens in which network authentication is performed with those credentials.

Inside the new command prompt session, run Amnesiac by providing the necessary information:

  • Domain: Specify the target domain you want to interact with.

  • Domain Controller: Provide the IP address or hostname of the Domain Controller.

  • "-Detached" flag: Tells Amnesiac that you are running from a non-domain-joined system.

  • Local IP address: provide the IP address of the non-domain-joined host itself (the machine Amnesiac is running on).
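The whole preparation, carried out from PowerShell instead of the Control Panel, with the checks that tell you each step actually worked before Amnesiac is launched. This is an added example, not code from the Amnesiac project: the domain name, DC address, interface alias, user name and the Amnesiac parameter names at the end are assumptions for illustration. It is written for Windows PowerShell 5.1 in an elevated session.

```powershell
# Added example (not Amnesiac's own code): prepare a non-domain-joined Windows host
# for Amnesiac's detached mode. Elevated Windows PowerShell 5.1 session assumed.
# Everything below is an assumed value for illustration; replace with your own.
$Domain  = 'corp.example'        # assumed target domain
$DcIp    = '10.10.10.5'          # assumed domain controller IP (also its DNS server)
$DcName  = 'dc01.corp.example'   # assumed DC hostname
$Adapter = 'Ethernet0'           # assumed interface alias; list yours with Get-NetAdapter
$User    = "$Domain\operator"    # assumed domain account with the rights Amnesiac needs

# 1. Point this interface's DNS at the DC. Same effect as the Control Panel steps;
#    note that every query from this interface now goes to the DC.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIp

# 2. Prove the domain is resolvable through that server. The _ldap._tcp.dc._msdcs
#    SRV record is how domain-joined clients locate a DC; if this fails, nothing
#    later will work, regardless of credentials.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port

# 3. Check the ports the rest of the procedure depends on:
#    Kerberos (88), LDAP (389) and SMB (445, which carries named pipes).
foreach ($port in 88, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $DcName -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-26} tcp/{1,-4} reachable={2}' -f $DcName, $port, $ok
}

# 4. Open a new PowerShell window whose NETWORK identity is the domain user.
#    runas prompts for the password; it is not validated until first use.
runas /netonly /user:$User powershell.exe

# --- The remaining commands are typed into the new window, not this one. ---
# whoami                    # still prints the LOCAL account: /netonly only changes network identity
# dir \\$DcName\SYSVOL      # first real test of the credentials; access denied means a bad password
#
# Then start Amnesiac with the four values listed above. The parameter names below
# are ASSUMED for illustration; check Amnesiac's own help for the exact spelling.
# Amnesiac -Domain corp.example -DomainController dc01.corp.example -Detached -LocalIP 10.10.10.50
```

The SYSVOL listing is the cheapest way to confirm that the credentials and DNS work together: it exercises name resolution, Kerberos (or NTLM fallback) and SMB in one command, and it fails loudly if any of them is wrong.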

Limitations:

Option 1 of the Amnesiac menu is unavailable in this setup, because it depends on named pipe functionality that does not work from a non-domain-joined host.

Security Concerns:

Running Amnesiac in Domain-Detached mode is less secure than the standard method.

In this mode the named pipes Amnesiac creates on target systems are set up with a security descriptor that grants access to "Everyone". Named pipes are reachable over the network through SMB, so any principal that can establish an SMB session to a target (in practice, any domain user, not just the operator) can connect to that pipe and interact with the Amnesiac component listening on it. This exposes the target systems for as long as those pipes exist.

Use this mode only when necessary and be cautious about the security implications.
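To make the "Everyone" concern concrete, the following added example (not Amnesiac's own code) builds a named-pipe ACL of that shape beside a hardened one that admits only the operator's own SID and SYSTEM, prints who each ACL lets in, and shows the check a practitioner can run to see which pipes a host exposes. The pipe name and the exact SDDL strings are assumptions for illustration; Amnesiac's real descriptor may differ in detail. It targets Windows PowerShell 5.1 (.NET Framework), because the NamedPipeServerStream constructor that takes a PipeSecurity is not present in PowerShell 7's .NET runtime.

```powershell
# Added example, not part of Amnesiac: weak vs hardened named-pipe ACL, plus an exposure check.
# Windows PowerShell 5.1 (.NET Framework) assumed.
Add-Type -AssemblyName System.Core
$PipeName = 'amnesiac_demo'   # assumed pipe name for illustration

function New-PipeSecurity {
    param([string]$Sddl)      # discretionary ACL in SDDL form
    $sec = New-Object System.IO.Pipes.PipeSecurity
    $sec.SetSecurityDescriptorSddlForm($Sddl)
    $sec
}

# Weak: (A;;GA;;;WD) = Allow GENERIC_ALL to WD (World, i.e. "Everyone").
# This is the shape of ACL the page warns about.
$weak = New-PipeSecurity -Sddl 'D:(A;;GA;;;WD)'

# Hardened: only the current account's SID and SYSTEM (SY) may open the pipe.
# The SID is read from the current token so the block runs anywhere; in a real
# deployment use the SID of the account Amnesiac connects as.
$mySid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$strong = New-PipeSecurity -Sddl "D:(A;;GA;;;$mySid)(A;;GA;;;SY)"

# Review step: print who each ACL admits before any listener is created.
foreach ($name in 'Weak', 'Hardened') {
    $acl = if ($name -eq 'Weak') { $weak } else { $strong }
    "${name}:"
    $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object { '  {0,-40} {1}' -f $_.IdentityReference, $_.PipeAccessRights }
}

# Exposure check: list the pipes a host exposes. '.' is the local host; a remote
# name (\\<host>\pipe\) enumerates over SMB, which is exactly the path an unrelated
# domain user would take to reach an "Everyone" pipe on a target.
function Get-ExposedPipes {
    param([string]$ComputerName = '.')
    [System.IO.Directory]::GetFiles("\\$ComputerName\pipe\") | ForEach-Object { Split-Path $_ -Leaf }
}

# Create the hardened server so the ACL is really applied, confirm the pipe is
# visible while it exists, then tear it down.
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::None,
    4096, 4096, $strong)
try {
    "Exposed pipes matching '$PipeName':"
    Get-ExposedPipes | Where-Object { $_ -eq $PipeName }
} finally {
    $server.Dispose()
}
```

Running Get-ExposedPipes against each target after an engagement is a quick way to confirm that no Amnesiac pipe has been left behind; while the pipe exists with the "Everyone" descriptor, the exposure described above persists regardless of whether the operator's session is still active.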
