
I'm trying to understand all the methods available to execute remote commands on Windows through the impacket scripts:

https://www.coresecurity.com/corelabs-research/open-source-tools/impacket

https://github.com/CoreSecurity/impacket

I understand the high-level explanation of psexec.py and smbexec.py, how they create a service on the remote end and run commands through cmd.exe -c, but I can't understand how you can create a service on a remote Windows host through SMB. Wasn't SMB supposed to be mainly for file transfers and printer sharing? Reading the source code I see in the notes that they use DCERPC to create these services; is this part of the SMB protocol? All the resources on DCERPC I've found were kind of confusing, and not focused on its service-creating capabilities. Looking at the source code of atexec.py, it says that it interacts with the Task Scheduler service of the Windows host, also through DCERPC. Can it be used to interact with all services running on the remote box?

Thanks!

  • Possible duplicate of [How to run file with smb](https://stackoverflow.com/questions/46572265/how-to-run-file-with-smb) – ivan_pozdeev Sep 11 '18 at 22:34


DCERPC (https://en.wikipedia.org/wiki/DCE/RPC): the initial protocol, which was used as a template for MSRPC (https://en.wikipedia.org/wiki/Microsoft_RPC).

MSRPC is a way to execute functions on the remote end and to transfer data (parameters to these functions). It is not a way to directly execute remote OS commands on the remote side.

SMB (https://en.wikipedia.org/wiki/Server_Message_Block) is the file sharing protocol mainly used to access files on Windows file servers. In addition, it provides Named Pipes (https://msdn.microsoft.com/en-us/library/cc239733.aspx), a way to transfer data between a local process and a remote process.

One common way for MSRPC is to use it via Named Pipes over SMB, which has the advantage that the security layer provided by SMB is directly approached for MSRPC.

In fact, MSRPC is one of the most important, yet much less known, protocols in the Windows world.

Neither MSRPC nor SMB has anything to do with remote execution of shell commands.

One common way to execute remote commands is:

  • Copy files (via SMB) to the remote side (Windows service EXE)
  • Create registry entries on the remote side (so that the copied Windows Service is installed and startable)
  • Start the Windows service. The started Windows service can use any network protocol (e.g. MSRPC) to receive commands and to execute them.
  • After the work is done, the Windows service can be uninstalled (remove registry entries and delete the files).

In fact, this is what PSEXEC does.

> All the resources on DCERPC I've found were kind of confusing, and not focused on its service-creating capabilities.

Yes, it's just a remote procedure call protocol. But it can be used to start a procedure on the remote side, which can do just about anything, e.g. creating a service.

> Looking at the source code of atexec.py, it says that it interacts with the Task Scheduler service of the Windows host, also through DCERPC. Can it be used to interact with all services running on the remote box?

There are some MSRPC commands which handle Task Scheduler, and others which handle generic service start and stop commands.

A few final words at the end:

SMB / CIFS and the protocols around are really complex and hard to understand. It seems ok trying to understand how to deal with e.g. remote service control, but this can be a very long journey.

Perhaps this page (which uses Java to try to control a Windows service) may also help with understanding.

https://dev.c-ware.de/confluence/pages/viewpage.action?pageId=15007754

  • Rainer, thanks for the complete answer! So just to check if I got this right, MSRPC (and DCERPC) are RPC services on the Windows box that can be interacted with **through** SMB named pipes, but are not part of SMB themselves? And these RPCs are what is used to create the service that will run the command on the Windows box? – user134167 Jul 15 '18 at 19:59
  • 4
    In layers, it is IP < TCP < SMB Named Pipes < MSRPC < app. So I think you got it right. MSRPC can not only use SMB NP, but other transport protocols too, but Named Pipes should be the most commonly used. And: in the MS world, it is only MSRPC, which basically is DCERPC in its roots, but there are no two sibling protocols, it's just MSRPC. And yes, nearly all remote admin calls like accessing the registry, reading event logs, accessing services, setting ACLs are done via MSRPC calls. But be aware that I'm not someone like Raymond Chen: https://blogs.msdn.microsoft.com/oldnewthing/ (hard stuff ...) – Rainer Schaack Jul 16 '18 at 08:36
  • my only regret is that I'm only able to upvote this once. ty for this complete and lucid answer. you've helped a ton! – snerd Mar 18 '21 at 12:22
  • I didn't get the phrase `MSRPC is a way to execute functions on the remote end and to transfer data (parameters to these functions). It is not a way to directly execute remote OS commands on the remote side.` – gstackoverflow Jul 02 '23 at 11:32
  • Unfortunately link https://dev.c-ware.de/confluence/pages/viewpage.action?pageId=15007754 is broken – gstackoverflow Jul 02 '23 at 11:38
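The answer and its comments describe the layering IP < TCP < SMB Named Pipes < MSRPC < app, and note that separate MSRPC interfaces handle the Task Scheduler and generic service control. The following parser is an added example, not part of the question, the answer, or impacket: it decodes the first thing an MSRPC client sends over a named pipe, the connection-oriented bind PDU, and reports which interface it asks for. It uses the header and bind layouts from the DCE/RPC specification and the published interface UUIDs for the Service Control Manager (SVCCTL) and the Task Scheduler AT service (ATSVC); `build_bind` only constructs sample PDUs so the parser has something to run on offline. From a monitoring point of view this is the layer where a defender can tell "file share traffic" apart from "someone is talking to the service control manager over SMB".

```python
"""Decode a DCE/RPC (MSRPC) bind PDU and name the interface it targets.

Added example; not impacket code and not part of the Stack Overflow thread.
Layouts follow the DCE/RPC connection-oriented PDU header and bind body.
All sample PDUs are constructed locally by build_bind().
"""
import struct
import uuid

PDU_BIND = 11  # packet type of a bind request

# Published interface UUIDs (abstract syntaxes) from the MS-RPCE family.
SVCCTL_UUID = uuid.UUID("367abb81-9844-35f1-ad32-98f038001003")  # \pipe\svcctl
ATSVC_UUID = uuid.UUID("1ff70682-0a51-30e8-076d-740be8cee98b")   # \pipe\atsvc
KNOWN_INTERFACES = {
    SVCCTL_UUID: "SVCCTL (Service Control Manager: create/start/stop services)",
    ATSVC_UUID: "ATSVC (Task Scheduler AT service)",
}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR 2.0 transfer syntax


def parse_bind(pdu: bytes) -> dict:
    """Return header fields and presentation contexts of a bind PDU."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind")
    # 16-byte common header: version, minor, type, flags, data rep, frag len, auth len, call id
    ver, minor, ptype, flags, drep, frag_len, auth_len, call_id = \
        struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if ver != 5 or ptype != PDU_BIND:
        raise ValueError(f"not a DCE/RPC v5 bind (version={ver}, type={ptype})")
    if drep[0] >> 4 != 1:  # high nibble of drep[0]: 1 = little-endian integers
        raise ValueError("only little-endian data representation handled")
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds buffer")
    # Bind body: max xmit frag, max recv frag, assoc group, context count, 3 reserved bytes
    max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from("<HHIB3x", pdu, 16)
    off = 28
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_trans = struct.unpack_from("<HBx", pdu, off)
        off += 4
        if off + 20 + 20 * n_trans > frag_len:
            raise ValueError("presentation context runs past frag_length")
        # NDR encodes the first three UUID fields little-endian, hence bytes_le
        abstract = uuid.UUID(bytes_le=pdu[off:off + 16])
        (abs_ver,) = struct.unpack_from("<I", pdu, off + 16)  # low 16 bits major, high 16 minor
        off += 20
        transfers = []
        for _ in range(n_trans):
            transfers.append(uuid.UUID(bytes_le=pdu[off:off + 16]))
            off += 20  # transfer syntax UUID + 4-byte version
        contexts.append({
            "ctx_id": ctx_id,
            "interface": abstract,
            "interface_version": (abs_ver & 0xFFFF, abs_ver >> 16),
            "transfer_syntaxes": transfers,
        })
    return {"call_id": call_id, "frag_len": frag_len, "max_xmit": max_xmit, "contexts": contexts}


def classify_bind(pdu: bytes) -> list:
    """Names of the well-known remote-admin interfaces a bind asks for (empty if none)."""
    return [KNOWN_INTERFACES[c["interface"]]
            for c in parse_bind(pdu)["contexts"] if c["interface"] in KNOWN_INTERFACES]


def build_bind(interface: uuid.UUID, major: int, call_id: int = 1) -> bytes:
    """Construct a minimal single-context bind PDU (sample input for this example only)."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)          # frag sizes, assoc group, 1 context
    body += struct.pack("<HBx", 0, 1)                        # ctx id 0, one transfer syntax
    body += interface.bytes_le + struct.pack("<I", major)    # abstract syntax + version
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)       # NDR 2.0
    header = struct.pack("<BBBB4sHHI", 5, 0, PDU_BIND, 0x03,  # flags: first | last fragment
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


if __name__ == "__main__":
    for name, iface, major in (("svcctl", SVCCTL_UUID, 2), ("atsvc", ATSVC_UUID, 1)):
        pdu = build_bind(iface, major)
        print(f"{name}: {classify_bind(pdu)} version={parse_bind(pdu)['contexts'][0]['interface_version']}")
```

The same parser applies to bind PDUs carried over TCP (the other MSRPC transport the comment mentions); only the outer layer differs, the 16-byte header and bind body are identical.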