SMB/Windows Admin Shares

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares.

Windows systems have hidden network shares that are accessible only to Administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$ and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB, to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution.

Boy, is this one famous (WannaCry). Port 445 is now less common on the public internet, but it is far from dead and is still exposed there (do your recon if you don't believe me). SMB is another common service offered by operating systems: it lets us share files across the network with ease, but it also lets attackers gain access to machines and even move laterally through the network (more on that later).

Recon

We start with our nmap scan to find the service running on the operating system. We already know the service runs on port 445, so our initial enumeration focuses on that port.

We see the port open and the service running. With some enumeration we find that this service is vulnerable to the EternalBlue exploit. This was a very well-known vulnerability, developed by the NSA and leaked by the Shadow Brokers in 2017. It has been properly tested and developed in the Metasploit Framework (please do also try to exploit it manually, as there are many standalone exploits flying around on GitHub). We will use this to gain a shell and access to the machine.

But let's be honest: even though we are simulating an APT, let's be CAREFUL when using these exploits, as they are well known to crash servers. YES, they have been tested and properly configured to work in the framework, but computers are unpredictable enough that you never know whether it will work. It is always best practice to replicate the environment in a virtual machine and TEST your exploits THERE.

We verify the variables set in Metasploit, execute the exploit, and get a shell.

And it's SYSTEM access. This was another great example of a service facing the public internet and of how attackers can leverage these vulnerabilities to gain access to the network. With proper enumeration and the correct tools we can find these vulnerabilities on the targeted machine and gain access to the PC.

Remember, even though this was a very dangerous vulnerability and it is not seen in the wild as often anymore, it is unfortunately still out there.