SMB protocol
This page deals with lateral movement using the SMB protocol.
Introduction
Lateral movement consists of techniques that enable an attacker to access and control remote systems. The SMB protocol is a well-known vehicle for this purpose, so defenders need to understand which accounts can actually use it for remote execution.
Requirements
Definitions
There are five types of users relevant here:
  Local users
    With admin privileges on the machine
      RID 500
      Non-RID 500
    Without admin privileges on the machine
  Domain users
    With admin privileges on the machine
    Without admin privileges on the machine
RID 500 is the built-in local administrator account used for installation and recovery purposes (usually named Administrator).
UAC remote restrictions
Based on Microsoft's documentation and harmj0y's research, the following holds:
Local admin privileges are required to run WmiExec or PsExec against a machine
Non-RID 500 local admin accounts cannot run WmiExec or PsExec on Windows Vista and later machines (UAC remote restrictions filter their token)
Domain users with local admin privileges on the machine can
The RID 500 local admin account can run WmiExec or PsExec on machines (its token is not filtered by default)
Account type                                  | PsExec, WmiExec, SmbExec, AtExec, etc.
Local users (no admin privileges)             | No
Local admins (non-RID 500)                    | No
Local admin RID 500                           | Yes
Domain users without local admin privileges   | No
Domain users with local admin privileges      | Yes
To allow non-RID 500 local admin accounts to run WmiExec or PsExec (this disables UAC remote restrictions for all local accounts), execute:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1
To prevent the RID 500 account from running WmiExec or PsExec (this enables Admin Approval Mode for the built-in Administrator), execute:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1
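As an added defensive check that is not part of the original page, the following PowerShell snippet reads the two registry values above on the local host, reports what each one implies according to the table in this page, and classifies every member of the local Administrators group as RID 500, non-RID 500 local, or domain/other. It assumes an elevated PowerShell 5.1+ session and the built-in Get-LocalGroupMember cmdlet.

```powershell
# Added example (not from the original page): audit the UAC remote-restriction
# values discussed above and list which local Administrators members they affect.
# Run in an elevated PowerShell 5.1+ session on the host being checked.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyDword {
    param([string]$Name)
    # A missing value means Windows uses its default of 0 for both keys.
    $props = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.$Name
}

$tokenFilterPolicy = Get-PolicyDword -Name 'LocalAccountTokenFilterPolicy'
$adminTokenFilter  = Get-PolicyDword -Name 'FilterAdministratorToken'

# Interpretation follows the page: LocalAccountTokenFilterPolicy = 1 lets
# non-RID 500 local admins run PsExec/WmiExec remotely; FilterAdministratorToken = 1
# stops the RID 500 account from doing so. The combination of both values set
# to 1 is not modelled here (assumption: check each value independently).
[PSCustomObject]@{
    LocalAccountTokenFilterPolicy = $tokenFilterPolicy
    NonRid500LocalAdminsCanExec   = ($tokenFilterPolicy -eq 1)
    FilterAdministratorToken      = $adminTokenFilter
    Rid500CanExec                 = ($adminTokenFilter -ne 1)
} | Format-List

# Enumerate the local Administrators group and classify each member by the
# page's categories: RID 500 local, non-RID 500 local, or domain/other principal.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $rid  = [int]($_.SID.Value -split '-')[-1]   # RID is the last SID component
    $kind = if ($_.PrincipalSource -eq 'Local') {
        if ($rid -eq 500) { 'Local admin (RID 500)' } else { 'Local admin (non-RID 500)' }
    } else { 'Domain/other principal' }
    [PSCustomObject]@{ Member = $_.Name; RID = $rid; Kind = $kind }
} | Format-Table -AutoSize
```

A non-default LocalAccountTokenFilterPolicy of 1 or a renamed RID 500 account that is enabled are the findings worth following up on, since both widen which credentials can be used for remote execution over SMB.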
Tools
PsExec
On Windows, use Sysinternals' PsExec:
On Kali, use Impacket's PsExec:
WmiExec
On Kali, use Impacket's WmiExec:
AtExec
On Kali, use Impacket's AtExec:
SmbExec
On Kali, use Impacket's SmbExec: