hacktricks/windows-hardening/lateral-movement/smbexec.md
Carlos Polop cfff5cc9a8 re
2024-12-14 12:46:15 +01:00

5.2 KiB

SmbExec/ScExec

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Get a hacker's perspective on your web apps, network, and cloud

Find and report critical, exploitable vulnerabilities with real business impact. Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.

{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}

How it Works

Smbexec is a tool used for remote command execution on Windows systems, similar to Psexec, but it avoids placing any malicious files on the target system.

Key Points about SMBExec

  • It operates by creating a temporary service (for example, "BTOBTO") on the target machine to execute commands via cmd.exe (%COMSPEC%), without dropping any binaries.
  • Despite its stealthy approach, it does generate event logs for each command executed, offering a form of non-interactive "shell".
  • The command to connect using Smbexec looks like this:
smbexec.py WORKGROUP/genericuser:genericpassword@10.10.10.10

Executing Commands Without Binaries

  • Smbexec enables direct command execution through service binPaths, eliminating the need for physical binaries on the target.
  • This method is useful for executing one-time commands on a Windows target. For instance, pairing it with Metasploit's web_delivery module allows for the execution of a PowerShell-targeted reverse Meterpreter payload.
  • By creating a remote service on the attacker's machine with binPath set to run the provided command through cmd.exe, it's possible to execute the payload successfully, achieving callback and payload execution with the Metasploit listener, even if service response errors occur.

Commands Example

Creating and starting the service can be accomplished with the following commands:

sc create [ServiceName] binPath= "cmd.exe /c [PayloadCommand]"
sc start [ServiceName]

FOr further details check https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/

References

Get a hacker's perspective on your web apps, network, and cloud

Find and report critical, exploitable vulnerabilities with real business impact. Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.

{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}