├── README.md ├── SMB-Session-Spoofing.cpp ├── attack-path.png ├── main.cpp ├── smbSessSpoofing-Service-VS-Project.zip └── smbSessionSpoofing-VS-Project.zip /README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | ________ _________ _____ _ _____ __ 3 | / ___| \/ || ___ \ / ___| (_) / ___| / _| 4 | \ `--.| . . || |_/ / \ `--. ___ ___ ___ _ ___ _ __ \ `--. _ __ ___ ___ | |_ ___ _ __ 5 | `--. \ |\/| || ___ \ `--. \/ _ \/ __/ __| |/ _ \| '_ \ `--. \ '_ \ / _ \ / _ \| _/ _ \ '__| 6 | /\__/ / | | || |_/ / /\__/ / __/\__ \__ \ | (_) | | | | /\__/ / |_) | (_) | (_) | || __/ | 7 | \____/\_| |_/\____/ \____/ \___||___/___/_|\___/|_| |_| \____/| .__/ \___/ \___/|_| \___|_| 8 | | | 9 | |_| 10 | ``` 11 | 12 | Welcome! 13 | This is a utility that can be compiled with Visual Studio 2019 (or newer). The goal of this program is to create a fake SMB session. Its primary purpose is to serve as a method to lure attackers into accessing a honey-device. This program comes with no warranty or guarantees. 14 | 15 | ### Program Modifications Instructions 16 | This program requires you to modify the code slightly. On line 144 the Windows API CreateProcessWithLogonW is called with two parameters supplied by default: svc-admin (the username) and contoso.com (the domain). You must change these values to something that matches your **production network**. 17 | ``` 18 | CreateProcessWithLogonW(L"DomainAdminUser", L"YourDomain.com", NULL, LOGON_NETCREDENTIALS_ONLY, ); 19 | ``` 20 | 21 | ### Implementation Instructions 22 | After modifying the code and compiling it, you must then install the service. You can do so with the following command: 23 | ``` 24 | sc create servicename binpath="C:\ProgramData\Services\Inject\service.exe" start="auto" 25 | ``` 26 | 27 | ### Verification Steps 28 | To verify the program is functioning correctly, check which sessions exist on the system. 
This can be done with the following command: 29 | ``` 30 | C:\ProgramData\Services\Inject> net sessions 31 | Computer User name Client Type Opens Idle time 32 | 33 | ------------------------------------------------------------------------------- 34 | \\[::1] svc-admin 0 00:00:04 35 | The command completed successfully. 36 | 37 | ``` 38 | 39 | You should check back in about 13 minutes to verify that a new session has been created and the program is working properly. 40 | 41 | ### What an Attacker Sees 42 | The theory behind this is that when an adversary runs SharpHound, collects sessions, and analyzes attack paths from owned principals, they will identify that a highly privileged user is signed in on Tier-2 infrastructure (workstations), which (it appears) they can then access and dump credentials from to gain Domain Admin access. 43 | 44 | In the scenario above, an attacker has compromised the user "wadm-tom@contoso.com", who is a Local Administrator on lab-wkst-2.contoso.com. The user svc-admin is logged in on lab-wkst-2.contoso.com, so all the attacker has to do is sign into the workstation, run Mimikatz and dump credentials. So, how do you monitor for this? 45 | 46 | ### How you Should Configure Monitoring 47 | Implementing this tool is important, but so is monitoring. If you deploy the tool with no monitoring it is effectively useless; monitoring is a must. 48 | The most effective way to monitor this host is to alert on any logon. This program is best used on a domain-joined host with no user activity that is covered by standard corporate monitoring tools (EDR, AV, Windows Event Log forwarding, etc.). Note that the tool's own periodic `net use` appears as the `\\[::1]` session in the verification output above, so tune the alert to distinguish that from any other logon. It is highly recommended that you configure email alerts, SMS alerts and any other channels available so that incidents involving this machine are triaged as quickly as possible, since this machine has the highest probability of a real adversary engaging with it. 
49 | 50 | ### Credits 51 | Thank you to Microsoft for providing the service template code and for the excellent Windows API Documentation. 52 | - https://docs.microsoft.com/en-us/windows/win32/services/the-complete-service-sample 53 | - https://docs.microsoft.com/en-us/windows/win32/services/svc-cpp 54 | - https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw 55 | -------------------------------------------------------------------------------- /SMB-Session-Spoofing.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "advapi32.lib") 6 | 7 | using namespace std; 8 | int main() { 9 | while (true) { 10 | STARTUPINFO si; 11 | PROCESS_INFORMATION pi; 12 | si.wShowWindow = 0; 13 | si.dwFlags = 0x00000001; 14 | wchar_t cmdLine[] = L"'C:\\Windows\\System32\\net.exe' use \\\\10.0.0.70\\c$"; 15 | CreateProcessWithLogonW(L"ea-patrick", L"contoso.com", NULL, LOGON_NETCREDENTIALS_ONLY, L"C:\\Windows\\System32\\net.exe", cmdLine, NULL, NULL, NULL, &si, &pi); 16 | Sleep(750000); 17 | } 18 | } -------------------------------------------------------------------------------- /attack-path.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Sq00ky/SMB-Session-Spoofing/30fcb73e6789af923f7880c96a3a129e662ac186/attack-path.png -------------------------------------------------------------------------------- /main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "advapi32.lib") 6 | 7 | #define SVCNAME TEXT("SvcName") 8 | 9 | SERVICE_STATUS gSvcStatus; 10 | SERVICE_STATUS_HANDLE gSvcStatusHandle; 11 | HANDLE ghSvcStopEvent = NULL; 12 | 13 | VOID SvcInstall(void); 14 | VOID WINAPI SvcCtrlHandler(DWORD); 15 | VOID WINAPI SvcMain(DWORD, LPTSTR*); 16 | 17 | VOID ReportSvcStatus(DWORD, 
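DWORD, DWORD);
VOID SvcInit(DWORD, LPTSTR*);
VOID SvcReportEvent(LPTSTR);

// Interval between decoy `net use` launches, in milliseconds (12.5 minutes;
// the README tells the operator to check back after "about 13 minutes").
static const DWORD kSessionIntervalMs = 750000;

/// Entry point. `install` registers the service with the SCM; any other
/// invocation hands control to the service control dispatcher, which returns
/// only once the service has stopped.
int __cdecl _tmain(int argc, TCHAR* argv[])
{
    // argv[1] is NULL when the SCM starts the service with no arguments,
    // so test argc before looking at it.
    if (argc > 1 && lstrcmpi(argv[1], TEXT("install")) == 0)
    {
        SvcInstall();
        return 0;
    }

    SERVICE_TABLE_ENTRY DispatchTable[] =
    {
        { const_cast<LPTSTR>(SVCNAME), SvcMain },
        { NULL, NULL }
    };

    // This call returns when the service has stopped.
    // The process should simply terminate when the call returns.
    if (!StartServiceCtrlDispatcher(DispatchTable))
    {
        // SvcReportEvent's prototype takes a non-const LPTSTR. A TEXT()
        // literal is passed through const_cast rather than `LPTSTR("...")`,
        // which reinterprets a narrow literal as wide text in a UNICODE build
        // and logs garbage.
        SvcReportEvent(const_cast<LPTSTR>(TEXT("StartServiceCtrlDispatcher")));
    }
    return 0;
}

/// Registers this executable with the local Service Control Manager as
/// SVCNAME, running as LocalSystem and started on demand. Failures are
/// printed to stdout together with GetLastError(); nothing is returned.
VOID SvcInstall()
{
    TCHAR szUnquotedPath[MAX_PATH];
    if (!GetModuleFileName(NULL, szUnquotedPath, MAX_PATH))
    {
        printf("Cannot install service (%lu)\n", GetLastError());
        return;
    }

    // Quote the path so a space in it cannot be interpreted as a different
    // binary when the SCM launches the service. StringCb* takes a byte
    // count, so size the destination with sizeof rather than MAX_PATH.
    TCHAR szPath[MAX_PATH];
    StringCbPrintf(szPath, sizeof(szPath), TEXT("\"%s\""), szUnquotedPath);

    SC_HANDLE schSCManager = OpenSCManager(
        NULL,                   // local computer
        NULL,                   // ServicesActive database
        SC_MANAGER_ALL_ACCESS); // full access rights
    if (NULL == schSCManager)
    {
        printf("OpenSCManager failed (%lu)\n", GetLastError());
        return;
    }

    SC_HANDLE schService = CreateService(
        schSCManager,              // SCM database
        SVCNAME,                   // name of service
        SVCNAME,                   // service name to display
        SERVICE_ALL_ACCESS,        // desired access
        SERVICE_WIN32_OWN_PROCESS, // service type
        SERVICE_DEMAND_START,      // start type
        SERVICE_ERROR_NORMAL,      // error control type
        szPath,                    // path to service's binary
        NULL,                      // no load ordering group
        NULL,                      // no tag identifier
        NULL,                      // no dependencies
        NULL,                      // LocalSystem account
        NULL);                     // no password
    if (schService == NULL)
    {
        printf("CreateService failed (%lu)\n", GetLastError());
    }
    else
    {
        printf("Service installed successfully\n");
        CloseServiceHandle(schService);
    }
    CloseServiceHandle(schSCManager);
}

/// Service entry called by the dispatcher: registers the control handler,
/// reports START_PENDING and hands off to SvcInit.
VOID WINAPI SvcMain(DWORD dwArgc, LPTSTR* lpszArgv)
{
    // Register the handler function for the service.
    gSvcStatusHandle = RegisterServiceCtrlHandler(SVCNAME, SvcCtrlHandler);
    if (!gSvcStatusHandle)
    {
        SvcReportEvent(const_cast<LPTSTR>(TEXT("RegisterServiceCtrlHandler")));
        return;
    }

    gSvcStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
    gSvcStatus.dwServiceSpecificExitCode = 0;

    ReportSvcStatus(SERVICE_START_PENDING, NO_ERROR, 3000);

    SvcInit(dwArgc, lpszArgv);
}

/// Service body. Creates the stop event, reports RUNNING, then every
/// kSessionIntervalMs launches `net use \\localhost\c$` under decoy network
/// credentials so the host shows an SMB session for the decoy account.
/// Returns, reporting STOPPED, once SvcCtrlHandler signals ghSvcStopEvent.
VOID SvcInit(DWORD dwArgc, LPTSTR* lpszArgv)
{
    (void)dwArgc;
    (void)lpszArgv;

    ghSvcStopEvent = CreateEvent(
        NULL,  // default security attributes
        TRUE,  // manual reset event
        FALSE, // not signaled
        NULL); // no name
    if (ghSvcStopEvent == NULL)
    {
        ReportSvcStatus(SERVICE_STOPPED, GetLastError(), 0);
        return;
    }

    ReportSvcStatus(SERVICE_RUNNING, NO_ERROR, 0);

    for (;;)
    {
        // STARTUPINFO must be zeroed and have cb set; CreateProcessWithLogonW
        // reads every field, so leaving them uninitialized is undefined.
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        ZeroMemory(&si, sizeof(si));
        ZeroMemory(&pi, sizeof(pi));
        si.cb = sizeof(si);
        si.dwFlags = STARTF_USESHOWWINDOW;
        si.wShowWindow = SW_HIDE;

        // The command line must be a writable buffer (the API may modify it),
        // hence an array rather than a pointer to a literal.
        wchar_t cmdLine[] = L"'C:\\Windows\\System32\\net.exe' use \\\\localhost\\c$";

        // LOGON_NETCREDENTIALS_ONLY: the child keeps this service's local
        // token and presents the decoy account only for outbound network
        // authentication; the password is NULL and, per the documented
        // semantics of this flag, is not validated at process creation.
        // The README instructs operators to replace user/domain.
        if (CreateProcessWithLogonW(L"svc-admin", L"contoso.com", NULL,
                                    LOGON_NETCREDENTIALS_ONLY,
                                    L"C:\\Windows\\System32\\net.exe", cmdLine,
                                    0, NULL, NULL, &si, &pi))
        {
            // Close both handles; otherwise two handles leak per iteration.
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
        else
        {
            // A failed launch used to be silent; record it in the event log
            // so a non-functioning decoy is noticed.
            SvcReportEvent(const_cast<LPTSTR>(TEXT("CreateProcessWithLogonW")));
        }

        // Sleep for the interval, but wake early when SvcCtrlHandler signals
        // a stop; a plain Sleep() made SERVICE_CONTROL_STOP ineffective.
        if (WaitForSingleObject(ghSvcStopEvent, kSessionIntervalMs) != WAIT_TIMEOUT)
        {
            break;
        }
    }

    ReportSvcStatus(SERVICE_STOPPED, NO_ERROR, 0);
}

/// Publishes the service's current state to the SCM.
/// @param dwCurrentState  SERVICE_* state constant.
/// @param dwWin32ExitCode NO_ERROR or the Win32 error being reported.
/// @param dwWaitHint      Milliseconds the SCM should wait for the next
///                        checkpoint on pending states.
VOID ReportSvcStatus(DWORD dwCurrentState,
                     DWORD dwWin32ExitCode,
                     DWORD dwWaitHint)
{
    static DWORD dwCheckPoint = 1;

    // Fill in the SERVICE_STATUS structure.
    gSvcStatus.dwCurrentState = dwCurrentState;
    gSvcStatus.dwWin32ExitCode = dwWin32ExitCode;
    gSvcStatus.dwWaitHint = dwWaitHint;

    // Controls are refused until start-up has completed.
    gSvcStatus.dwControlsAccepted =
        (dwCurrentState == SERVICE_START_PENDING) ? 0 : SERVICE_ACCEPT_STOP;

    // Steady states reset the checkpoint; pending states increment it so
    // the SCM can see progress.
    if (dwCurrentState == SERVICE_RUNNING || dwCurrentState == SERVICE_STOPPED)
        gSvcStatus.dwCheckPoint = 0;
    else
        gSvcStatus.dwCheckPoint = dwCheckPoint++;

    // Report the status of the service to the SCM.
    SetServiceStatus(gSvcStatusHandle, &gSvcStatus);
}

/// SCM control callback. Only STOP does work: it reports STOP_PENDING and
/// wakes SvcInit's wait, which then reports SERVICE_STOPPED.
VOID WINAPI SvcCtrlHandler(DWORD dwCtrl)
{
    switch (dwCtrl)
    {
    case SERVICE_CONTROL_STOP:
        ReportSvcStatus(SERVICE_STOP_PENDING, NO_ERROR, 0);

        // Signal the service to stop.
        SetEvent(ghSvcStopEvent);
        ReportSvcStatus(gSvcStatus.dwCurrentState, NO_ERROR, 0);
        return;

    case SERVICE_CONTROL_INTERROGATE:
        break;

    default:
        break;
    }
}

/// Writes "<szFunction> failed with <error>" to the Application event log
/// under the SVCNAME source. Reads GetLastError() on entry so the value
/// reported is the caller's error, not one set by RegisterEventSource.
VOID SvcReportEvent(LPTSTR szFunction)
{
    // Capture first: RegisterEventSource may overwrite the last-error value.
    const DWORD dwErr = GetLastError();

    HANDLE hEventSource = RegisterEventSource(NULL, SVCNAME);
    if (NULL == hEventSource)
        return;

    TCHAR Buffer[80];
    StringCchPrintf(Buffer, 80, TEXT("%s failed with %lu"), szFunction, dwErr);

    LPCTSTR lpszStrings[2];
    lpszStrings[0] = SVCNAME;
    lpszStrings[1] = Buffer;

    ReportEvent(hEventSource,        // event log handle
                EVENTLOG_ERROR_TYPE, // event type
                0,                   // event category
                NULL,                // event identifier
                NULL,                // no security identifier
                2,                   // size of lpszStrings array
                0,                   // no binary data
                lpszStrings,         // array of strings
                NULL);               // no binary data

    DeregisterEventSource(hEventSource);
}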
-------------------------------------------------------------------------------- /smbSessSpoofing-Service-VS-Project.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Sq00ky/SMB-Session-Spoofing/30fcb73e6789af923f7880c96a3a129e662ac186/smbSessSpoofing-Service-VS-Project.zip -------------------------------------------------------------------------------- /smbSessionSpoofing-VS-Project.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Sq00ky/SMB-Session-Spoofing/30fcb73e6789af923f7880c96a3a129e662ac186/smbSessionSpoofing-VS-Project.zip --------------------------------------------------------------------------------