Hacking Remote Windows Systems with Winexe
Winexe is a remote administration tool for Windows systems that runs on Linux. With Winexe, we can run applications on the target system or open up an interactive command prompt. One additional benefit is that we can ask Winexe to launch our shell as “system” if we are targeting a system where our user has elevated credentials, giving us additional privileges to the system.
Using Winexe to Access Remote Systems
We have a password to our victim system from using Responder, but how do we now interact with it? Using Winexe is a common way for attackers to access remote systems. It uses named pipes over the hidden IPC$ share on the target system to create a management service. Once that service is created, we can connect to it and run commands as the service. To verify that the target system is exposing the IPC$ share, we use smbclient to list the shares on the target system:
For many of the tools we use in the rest of this chapter, we’re going to see this common way of specifying the logon credentials for the target system. The format is <DOMAIN>\<USERNAME>%<PASSWORD>. Here, we specified User%Password1, which is our username and password. The -L option asks smbclient to list the shares on the system. We can see that there are a number of shares, including our IPC$ share.
With knowledge that our IPC$ share is available, let’s see if we have the ability to launch a command prompt. We’ll use the same syntax for specifying the username, only this time we’ll use the syntax //<IP ADDRESS> to specify the target system. We also add the --uninstall flag, which will uninstall our service on exit. Finally, we specify cmd.exe as the application to launch, which gives us an interactive shell on the target system.
We now see the Windows banner and command prompt, which means we succeeded. Next, we want to check our privilege level so that we can determine the rights we are operating with. By typing in whoami, we can print out the user ID of our shell. In this case, our user is the “user” user, which means that we will have privileges as that user.
WARNING If you exit the shell by using CTRL-C or if you don’t use the --uninstall flag, the service that’s created will remain on the target system. As an attacker, this is bad because you’re leaving a trace of the techniques you’re using for remote access. As a penetration tester, leaving artifacts makes it difficult to determine if another breach has occurred, and it may set off red flags after you’ve left a system. This doesn’t always come up right away. In six months, someone might ask if you left the service around. So, if you aren’t cleaning up, you’ll be left relying on notes to answer some very uncomfortable questions.
Finally, to leave our shell, we can just type exit at the command prompt. We should then see the Bash prompt, which lets us know that we have left the shell. On the server side, our service is being uninstalled and our connection closed.
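For the defender, the leftover service described in the warning is the artifact to hunt for. The following added example (not from the book or the Winexe project) scans constructed Windows System-log lines for service-install events (ID 7045) that look like Winexe's: it assumes Winexe's default service name winexesvc and assumes the service binary is dropped into the root of the ADMIN$ share (C:\Windows), so any 7045 whose image path sits directly in that directory is flagged too.

```python
import re

# Constructed sample of Windows System-log events (7045 = service installed,
# 7036 = service state change), flattened to one key=value line each.
# Real exports (wevtutil, a SIEM forwarder) use other layouts; adapt parse_event().
SAMPLE_LOG = r"""
EventID=7045 Host=WS01 ServiceName=winexesvc ImagePath=C:\Windows\winexesvc.exe Account=LocalSystem
EventID=7045 Host=WS01 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe Account=LocalSystem
EventID=7036 Host=WS01 ServiceName=winexesvc State=running
EventID=7045 Host=WS02 ServiceName=updsvc ImagePath=C:\Windows\updsvc.exe Account=LocalSystem
EventID=7045 Host=WS03 ServiceName=MyAgent ImagePath="C:\Program Files\Agent\agent.exe" Account=LocalSystem
"""

# key=value pairs; a value may be quoted when it contains spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed default Winexe service name (hypothetical for your build; verify it).
KNOWN_SERVICE_NAMES = {"winexesvc"}
# Binary placed directly in the Windows directory, i.e. the ADMIN$ share root,
# rather than in a subdirectory such as System32 (assumed Winexe drop location).
ROOT_DROP = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


def parse_event(line):
    """Turn one flattened log line into a dict of field -> value."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_winexe_like(ev):
    """True for a service-install event matching either Winexe heuristic."""
    if ev.get("EventID") != "7045":
        return False
    name = ev.get("ServiceName", "").lower()
    image = ev.get("ImagePath", "")
    return name in KNOWN_SERVICE_NAMES or bool(ROOT_DROP.match(image))


def find_remote_exec_services(log_text):
    """Return (host, service, image) for every suspicious service install."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_winexe_like(ev):
            hits.append((ev["Host"], ev["ServiceName"], ev["ImagePath"]))
    return hits


if __name__ == "__main__":
    for host, svc, image in find_remote_exec_services(SAMPLE_LOG):
        print(f"{host}: service {svc!r} installed from {image}")
```

A hit that is never followed by a clean-up on the same host is exactly the "did you leave the service around" situation the warning describes, and is worth reconciling against engagement notes.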
Using Winexe to Gain Elevated Privileges
In many cases, the things we want to do on a target system will require elevated privileges. In the previous lab, we were able to get access as a normal user, but we really want access as the SYSTEM user. Because this user has full privileges over the system, we can access credentials, memory, and other valuable targets. To execute our attack, we’re going to use all the same options as our previous lab, but we’ll add in the --system flag. This will take care of escalation for us, and the end result is a highly privileged shell, as shown here:
As you can see here, we’re now accessing the victim machine as the SYSTEM user. Although not part of the scope of this exercise, this allows us to dump credentials, create new users, reconfigure the device, and perform many other tasks that a normal user might not be able to do.