Advertisement
opexxx

Authenticated Remote Code Execution Methods in Windows

May 14th, 2014
333
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Batch 4.35 KB | None | 0 0
  1. Authenticated Remote Code Execution Methods in Windows
  2.  
  3. All of the below are supported ways of remotely executing code that are built-in to Windows. If psexec isn’t working since a service is not running or ports are blocked, you can try all these other options; defenders who want to detect intruders moving through the network need to detect all of these; incident responders might want to look for evidence of these, etc.
  4.  
  5. 1. Service Control Manager (SCM)
  6. This method is used by psexec and all of its clones to start the executable that psexec creates.
  7. Result:
  8. A command to be run on demand and/or boot as SYSTEM (or less privileged accounts, but why would you do that?).
  9. Example:
  10. step 1/2; a new service can be created:
  11. sc REMOTECOMPUTERNAME create myservicename binPath= executableToRun start= auto
  12. alternatively, an existing service can be reconfigured:
  13. sc REMOTECOMPUTERNAME config existingservice binPath= executableToRun start= auto
  14. step 2/2; executableToRun will run on the remote system on boot as SYSTEM, or when instructed by:
  15. sc REMOTECOMPUTERNAME start myservicename
  16. variants exist for specifying DLL to load instead of executable, etc.
  17. Implementation details:
  18. Writing to the svcctl named pipe (a.k.a. srvsvc) on remote computer over SMB. (TCP port 139 or 445 owned by kernel, forwarded to srvsvc pipe)
  19. srvsvc pipe hosted by Server service in svchost.exe running as SYSTEM.
  20.  
  21. 2. Task scheduler
  22. Result:
  23. A command to be run at designated time(s) as SYSTEM.
  24. Example:
  25. AT \\REMOTECOMPUTERNAME 12:34 "command to run"
  26. Implementation details:
  27. Writing to atsvc named pipe on remote computer over SMB. (TCP port 139 or 445 owned by kernel, forwarded to atsvc pipe)
  28. atsvc pipe hosted by Task Scheduler (Schedule) service in svchost.exe running as SYSTEM.
  29.  
  30. 3. WMI
  31. Result:
  32. An immediate command execution under the administrative account used.
  33. Example:
  34. WMIC /node:REMOTECOMPUTERNAME PROCESS call create "command to run"
  35. Implementation details:
  36. Connecting to remote procedure call interface (RpcSs service in svchost.exe directly listening on TCP port 135)
  37.  
  38. 4. Remote Registry
  39. Result:
  40. A command to be run or DLL to be loaded when specific events occur, such as boot or login or process execution, as active user or SYSTEM.
  41. Example:
  42. REG ADD \\REMOTECOMPUTERNAME\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v myentry /t REG_SZ /d "command to run"
  43. Command will run every time a user logs in as the user. Other options include creating or modifying services which can run as SYSTEM on the next reboot, loading a DLL into most new processes with the AppInit_DLLs registry value, using IFEO to hijack different commands, and many more.
  44. Implementation Details:
  45. Writing to the winreg named pipe on remote computer over SMB. (TCP port 139 or 445 owned by kernel, forwarded to winreg pipe)
  46. The winreg pipe is hosted by Remote Registry service in svchost.exe
  47.  
  48. 5. Remote File Access
  49. Result:
  50. An executable will be run or DLL will be loaded when specific events occur, such as boot or login or process execution, as active user or SYSTEM.
  51. Example:
  52. xcopy executabletorun.exe "\\REMOTECOMPUTERNAME\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e.exe"
  53. Command will run every time a user logs in as the user. Other options include DLL hijacks or writing an MOF to the %WINDOWS%\system32\wbem\mof that will be executed automatically by WMI in older OS’s.
  54. Implementation Details:
  55. Writing to remote administrative shares using SMB. (TCP port 139 or 445 owned by kernel)
  56.  
  57. 6. Remote Desktop
  58. Best known for interactive GUI logins, the remote desktop protocol also allows for direct command execution.
  59. Result:
  60. Interactive desktop access and/or command execution with the privileges of the user account used.
  61. Example:
  62. rdesktop 1.2.3.4
  63. Opens an interactive remote desktop session.
  64. Implementation Details:
  65. Hosted by the TermService service (“Remote Desktop Services”) in svchost.exe by a server socket listening on TCP port 3389.
  66.  
  67. 7. Windows Remote Management
  68. Note: this is not enabled by default! But it is common enough, and the capability is built-in to recent Windows versions. Often used through powershell.
  69. Result:
  70. Immediate command execution under the administrative account used.
  71. Example:
  72. winrs -r:REMOTECOMPUTERNAME command to run
  73. Implementation Details:
  74. Hosted by Windows Remote Management service (svchost.exe), listens on TCP/80 or TCP/5985 and can share port with IIS.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement