A technique to unbind and rebind 445/tcp on Windows without loading a driver, loading a module into LSASS, or rebooting the target machine. Implemented to ease the burden of SMB-based NTLM relays while operating over C2. Technical analysis of the technique is discussed in more detail in the Relay Your Heart Away: An OPSEC Conscious Approach to 445 Takeover presentation at x33fcon.
PoCs written in both Python and BOF format. Both utilize RPC over TCP (ncacn_ip_tcp) as transport when targeting remote machines.
Please see the Operations Usage section of the associated blog post for an overview of considerations. The highlights include:
- Disabling these services effectively disables the target's ability to leverage named pipes and the server side of SMB-based communication (CIFS, etc.). Understand what the target machine is used for, especially if the target is critical / production infrastructure. The services will resume normal functionality once re-enabled.
- Occasionally there is a slightly different series of services that need to be disabled. I've seen this occur in some versions of Windows Server, as well as if certain third-party networking drivers are installed. This won't prevent you from using this technique. You can enumerate service dependencies backwards from `srvnet` and see if there are additional dependents to consider.
- You don't have to use this PoC to abuse this technique! Your favorite tool to interact with the service control manager (SCM) should work.
- Make sure you understand whether the tool of your choice leverages `ncacn_ip_tcp` or `ncacn_np` as the transport for RPC. If it uses the latter (named pipes), you won't be able to communicate remotely with the target to re-enable the services.
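To see the dependency chain the considerations above refer to from the defender's side, here is an added PowerShell script (not part of smbtakeover) that walks the services depending on `srvnet`, reports which of them are stopped, and shows which process, if any, currently holds 445/tcp. It assumes Windows PowerShell 5.1 or later with the NetTCPIP module available.

```powershell
# Added example, not part of the smbtakeover project.
# Walks the service dependency chain upward from srvnet (srv2, LanmanServer, ...),
# reports which services in that chain are not running, and checks what is bound
# to 445/tcp. Normally the listener is owned by the System process (PID 4); a
# stopped chain with no listener, or a listener owned by a different process,
# is worth investigating when the host is not in planned maintenance.

function Get-DependentChain {
    param([string]$ServiceName, [hashtable]$Seen = @{})
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc -or $Seen.ContainsKey($svc.Name)) { return }
    $Seen[$svc.Name] = $true
    [pscustomobject]@{
        Name      = $svc.Name
        Status    = $svc.Status
        StartType = $svc.StartType
    }
    # DependentServices lists the services that depend directly on this one;
    # recurse so indirect dependents (e.g. drivers added by third-party software) show up too.
    foreach ($dep in $svc.DependentServices) {
        Get-DependentChain -ServiceName $dep.Name -Seen $Seen
    }
}

$chain = Get-DependentChain -ServiceName 'srvnet'
$chain | Format-Table -AutoSize

$stopped  = $chain | Where-Object { $_.Status -ne 'Running' }
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

if ($listener) {
    $owner = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("445/tcp is bound by PID {0} ({1})" -f $listener[0].OwningProcess, $owner.ProcessName)
    if ($listener[0].OwningProcess -ne 4) {
        Write-Warning "445/tcp is not owned by the System process; the SMB server may have been replaced"
    }
}
elseif ($stopped) {
    Write-Warning ("SMB server chain is down ({0}) and nothing is bound to 445/tcp" -f ($stopped.Name -join ', '))
}
else {
    Write-Warning "Chain reports running but nothing is listening on 445/tcp; check for a bind failure"
}
```

Run it elevated so that service and socket ownership details are complete.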
Create a Python virtual environment and pip install `impacket`.
```
git clone https://github.com/zyn3rgy/smbtakeover.git
cd smbtakeover
python3 -m virtualenv venv
source venv/bin/activate
python3 -m pip install impacket
python3 smbtakeover.py -h
```
```
python3 smbtakeover.py atlas.lab/josh:[email protected] check
python3 smbtakeover.py atlas.lab/josh:[email protected] stop
python3 smbtakeover.py atlas.lab/josh:[email protected] start
```
```
bof_smbtakeover localhost check
bof_smbtakeover 10.0.0.21 stop
bof_smbtakeover localhost start
```
- The Python implementation is heavily based on the wmiexec-Pro project by @Memory_before
- The BOF implementation is heavily based on code within the CS-Remote-OPs-BOF repository, such as sc_config, from the great folks at @TrustedSec
- The BOF makes use of the bof-vs template from Fortra