smbtakeover: Unbind 445/tcp on Windows via SCM interactions
A technique to unbind and rebind 445/tcp on Windows without loading a driver, loading a module into LSASS, or rebooting the target machine. Implemented to ease the burden of SMB-based NTLM relays while operating over C2. The technique is analysed in more detail in the Relay Your Heart Away: An OPSEC Conscious Approach to 445 Takeover presentation at x33fcon.
PoCs are written in both Python and BOF format. Both use RPC over TCP (ncacn_ip_tcp) as the transport when targeting remote machines.
Operational Usage Notes
Please see the Operational Usage section of the associated blog post for an overview of considerations. The highlights include:
- Disabling these services effectively removes the target's ability to use named pipes and the server side of SMB-based communication (CIFS, etc.). Understand what the target machine is used for, especially if it is critical / production infrastructure. The services resume normal functionality once re-enabled.
- Occasionally a slightly different set of services needs to be disabled. I've seen this occur on some versions of Windows Server, as well as when certain third-party networking drivers are installed. This won't prevent you from using this technique: enumerate service dependencies backwards from srvnet and check whether there are additional dependents to consider.
- You don't have to use this PoC to abuse this technique! Your favorite tool for interacting with the Service Control Manager (SCM) should work.
- Make sure you understand whether the tool of your choice uses ncacn_ip_tcp or ncacn_np as the RPC transport. If it uses the latter (named pipes), you won't be able to communicate remotely with the target to re-enable the services, because named pipes are carried over the same SMB listener you just disabled.
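From the defender's side, the service stops and start-type changes described above leave a clear trail in the System log as Service Control Manager events 7036 (service entered the stopped/running state) and 7040 (start type changed). The following Python is an added example, not code from the smbtakeover project: it runs that detection logic over a few constructed log lines, flags any stop/disable of a service in the SMB server chain, and raises a "full takedown" when the whole chain goes offline within a short window. It assumes a simplified `EventID|timestamp|service|message` line format (real EVTX fields differ) and the commonly observed LanmanServer -> srv2 -> srvnet chain; as the notes above say, the exact set of dependents can differ per host, so the chain set is meant to be extended from your own fleet's dependency enumeration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumed SMB server service chain (LanmanServer -> srv2 -> srvnet). Some builds
# and third-party networking drivers add further dependents of srvnet; extend
# this set from your own dependency enumeration rather than trusting it blindly.
SMB_SERVER_CHAIN = frozenset({"lanmanserver", "srv2", "srvnet"})

# Service Control Manager event IDs as logged in the Windows System log.
EVT_STATE_CHANGE = 7036       # "... entered the stopped/running state."
EVT_START_TYPE_CHANGE = 7040  # "The start type of ... was changed from ... to ..."

# Constructed sample lines (not real EVTX output): EventID|ISO timestamp|service|message
SAMPLE_LOG = [
    "7036|2024-01-01T10:00:00Z|LanmanServer|The Server service entered the stopped state.",
    "7040|2024-01-01T10:00:01Z|LanmanServer|The start type of the Server service was changed from auto start to disabled.",
    "7036|2024-01-01T10:00:02Z|srv2|The Server SMB 2.xxx Driver service entered the stopped state.",
    "7036|2024-01-01T10:00:03Z|srvnet|The srvnet service entered the stopped state.",
    "7036|2024-01-01T10:05:00Z|Spooler|The Print Spooler service entered the running state.",
    "7036|2024-01-01T11:00:00Z|LanmanServer|The Server service entered the running state.",
    "this line is malformed and must be skipped",
]


@dataclass
class ScmEvent:
    event_id: int
    when: datetime
    service: str   # normalised to lower case for matching
    detail: str


def parse_line(line: str) -> Optional[ScmEvent]:
    """Parse one constructed log line; return None for anything malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    try:
        event_id = int(parts[0])
        when = datetime.fromisoformat(parts[1].replace("Z", "+00:00"))
    except ValueError:
        return None
    return ScmEvent(event_id, when, parts[2].lower(), parts[3])


def takes_smb_offline(ev: ScmEvent) -> bool:
    """True when the event stops or disables a service in the SMB server chain."""
    if ev.service not in SMB_SERVER_CHAIN:
        return False
    msg = ev.detail.lower()
    if ev.event_id == EVT_STATE_CHANGE:
        return "stopped state" in msg
    if ev.event_id == EVT_START_TYPE_CHANGE:
        return "to disabled" in msg
    return False


def restores_smb(ev: ScmEvent) -> bool:
    """True when a chain service comes back to the running state."""
    return (ev.service in SMB_SERVER_CHAIN
            and ev.event_id == EVT_STATE_CHANGE
            and "running state" in ev.detail.lower())


def detect(lines: List[str], window_seconds: int = 300) -> Dict[str, object]:
    """Run the detection over raw lines and summarise what was found."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.when)
    offlined = [e for e in events if takes_smb_offline(e)]
    restored = [e for e in events if restores_smb(e)]

    # Full takedown: every service in the chain stopped/disabled within the window.
    full_takedown = False
    for i, first in enumerate(offlined):
        seen = {e.service for e in offlined[i:]
                if (e.when - first.when).total_seconds() <= window_seconds}
        if SMB_SERVER_CHAIN <= seen:
            full_takedown = True
            break

    return {
        "offlined": [(e.when.isoformat(), e.service, e.event_id) for e in offlined],
        "restored": [(e.when.isoformat(), e.service) for e in restored],
        "full_takedown": full_takedown,
    }


if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Tuning the window is the main design choice: the PoC disables the whole chain in one SCM session, so the stops land seconds apart, whereas legitimate maintenance usually stops only LanmanServer or spaces operations out. Pairing a "full takedown" hit with the later 7036 "running state" for the same service also tells you how long 445/tcp was actually unbound on that host.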