SMB protocol
This page deals with lateral movement using the SMB protocol.
Introduction
Lateral movement consists of techniques that enable an attacker to access and control remote systems. The SMB protocol is a well-known candidate for this purpose.
Requirements
Definitions
There are 5 types of users:
Local users
    With admin privileges on the machine
        RID 500
        Non-RID 500
    Without admin privileges on the machine
Domain users
    With admin privileges on machines
    Without admin privileges on machines
RID 500 is the built-in local admin account used for installation or recovery purposes (usually named Administrator).
UAC remote restrictions
Judging from Microsoft's documentation and harmj0y's research, we can say the following:
Local admin privileges are required to run WmiExec or PsExec
Non-RID 500 local admin accounts cannot run WmiExec or PsExec on Windows Vista+ machines
Domain users with admin privileges on the machine can
The RID 500 local admin account can run WmiExec or PsExec on machines
| Account type | PsExec, WmiExec, SmbExec, AtExec, etc. |
|---|---|
| Local users | No |
| Local admins | No |
| Local admin RID 500 | Yes |
| Domain users without local admin privileges | No |
| Domain users with local admin privileges | Yes |
To allow non-RID 500 local admin accounts to perform WmiExec or PsExec, execute:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1
To prevent RID 500 from being able to run WmiExec or PsExec, execute:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1
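The following PowerShell script is an added example, not part of the original page: it audits the two registry values described above on the local host and reports whether the UAC remote restrictions are in their default state or have been weakened. It assumes it is run in an elevated PowerShell session on the machine being audited, and that the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Windows 10 / Server 2016 and later) is available for the final check.

```powershell
# Added example (not from the original page): audit UAC remote restrictions.
# Assumption: run elevated on the host being audited.

$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the value has never been set, meaning the default applies
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$tokenFilter = Get-PolicyValue -Name 'LocalAccountTokenFilterPolicy'
$adminFilter = Get-PolicyValue -Name 'FilterAdministratorToken'

# LocalAccountTokenFilterPolicy: unset or 0 = non-RID 500 local admins receive a
# filtered token over the network and cannot run PsExec/WmiExec; 1 = restriction off.
if ($tokenFilter -eq 1) {
    Write-Warning "LocalAccountTokenFilterPolicy=1: non-RID 500 local admins can run PsExec/WmiExec remotely"
} else {
    Write-Output "LocalAccountTokenFilterPolicy unset or 0: UAC remote restrictions apply to non-RID 500 local admins"
}

# FilterAdministratorToken: unset or 0 = the built-in Administrator (RID 500) keeps a
# full token remotely; 1 = Administrator is also filtered.
if ($adminFilter -eq 1) {
    Write-Output "FilterAdministratorToken=1: RID 500 Administrator is also restricted"
} else {
    Write-Warning "FilterAdministratorToken unset or 0: RID 500 Administrator can run PsExec/WmiExec remotely"
}

# The RID 500 path only matters if the account is enabled, so report that too.
# The SID of the built-in Administrator always ends in -500.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin) {
    Write-Output "Built-in Administrator '$($builtin.Name)' enabled: $($builtin.Enabled)"
}
```

Run it as part of a host baseline check: a warning on the first value means someone has applied the first reg add above and every local admin on the box can now be used for remote execution; a warning on the second means the built-in Administrator remains usable for PsExec or WmiExec unless it is disabled.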
Tools
PsExec
On Windows, use Sysinternal's PsExec:
On Kali, use Impacket's PsExec:
WmiExec
On Kali, use Impacket's WmiExec:
AtExec
On Kali, use Impacket's AtExec:
SmbExec
On Kali, use Impacket's SmbExec:
References