了解smb和DCERPC的远程命令执行功能

Question

I'm trying to understand all the methods available to execute remote commands on Windows through the impacket scripts:

https://www.coresecurity.com/corelabs-research/open-source-tools/impacket

https://github.com/CoreSecurity/impacket

I understand the high level explanation of psexec.py and smbexec.py, how they create a service on the remote end and run commands through cmd.exe -c but I can't understand how can you create a service on a remote windows host through SMB. Wasn't smb supposed to be mainly for file transfers and printer sharing? Reading the source code I see in the notes that they use DCERPC to create this services, is this part of the smb protocol? All the resources on DCERPC i've found were kind of confusing, and not focused on its service creating capabilities. Looking at the sourcecode of atexec.py, it says that it interacts with the task scheduler service of the windows host, also through DCERPC. Can it be used to interact with all services running on the remote box?

Thanks!

Answer 1

DCERPC ( https://en.wikipedia.org/wiki/DCE/RPC ) : the initial protocol, which was used as a template for MSRPC ( https://en.wikipedia.org/wiki/Microsoft_RPC ).

MSRPC is a way to execute functions on the remote end and to transfer data (parameters to these functions). It is not a way to directly execute remote OS commands on the remote side.

SMB ( https://en.wikipedia.org/wiki/Server_Message_Block ) is the file sharing protocol mainly used to access files on Windows file servers. In addition, it provides Named Pipes ( https://msdn.microsoft.com/en-us/library/cc239733.aspx ), a way to transfer data between a local process and a remote process.

One common way for MSRPC is to use it via Named Pipes over SMB, which has the advantage that the security layer provided by SMB is directly approached for MSRPC.

In fact, MSRPC is one of the most important, yet very less known protocols in the Windows world.

Neither MSRPC, nor SMB has something to do with remote execution of shell commands.

One common way to execute remote commands is:

• Copy files (via SMB) to the remote side (Windows service EXE)
• Create registry entries on the remote side (so that the copied Windows Service is installed and startable)
• Start the Windows service. The started Windows service can use any network protocol (eg MSRPC) to receive commands and to execute them.
• After the work is done, the Windows service can be uninstalled (remove registry entries and delete the files).

In fact, this is what PSEXEC does.

All the resources on DCERPC i've found were kind of confusing, and not focused on its service creating capabilities.

Yes, It's just a remote procedure call protocol. But it can be used to start a procedure on the remote side, which can just do anything, eg creating a service.

Looking at the sourcecode of atexec.py, it says that it interacts with the task scheduler service of the windows host, also through DCERPC. Can it be used to interact with all services running on the remote box?

There are some MSRPC commands which handle Task Scheduler, and others which handle generic service start and stop commands.

A few final words at the end:

SMB / CIFS and the protocols around are really complex and hard to understand. It seems ok trying to understand how to deal with eg remote service control, but this can be a very long journey.

Perhaps this page (which uses Java for trying to control Windows service) may also help understanding.

https://dev.c-ware.de/confluence/pages/viewpage.action?pageId=15007754