SMB Pivoting

The pivot_smb command uses the ConnectNamedPipe WinAPI to connect to the named pipe of an SMB badger. SMB runs on TCP port 445 and is used to transfer data throughout Active Directory environments. SMB badgers are privilege dependent: a user with a medium-integrity token cannot connect to a named pipe created by a high-privilege process. This means that if you start an SMB badger with high privileges, you need a user with a similar token or equivalent privileges on the remote host in order to connect to that named pipe.

In order to use SMB badgers, the best approach is to find privileged credentials for the target host, or to steal a token from a user who has administrative privileges on the target computer. If you harvest a credential, you can convert it into a Windows token using the make_token command. Once you have created the token, and provided it carries sufficient privileges, you should be able to use the psexec command to create a service on the target host. Note that this is just an example; there are other, better ways to start processes on target hosts, such as the scdivert command, wmiexec and other pivot techniques. For the sake of this example, once you have created a service on the target host, and provided that service starts an SMB badger, you should be able to connect to the host with your current token using the pivot_smb command. The example below shows that if you revert your token to a normal user, you get E: 5, the Win32 error code for Access Denied. Upon recreating the privileged token, the user is able to connect to the named pipe of the SMB badger. These SMB pipe names are configurable on-the-fly from the Payload Profiler.

NOTE: Your pivot badgers need to have the same authentication key as your HTTPS listener so that they can authenticate properly after pivoting through the HTTPS badger. If the auth key is not the same, the pivot badgers will not be able to authenticate.
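From the defender's side, the behaviour described above (a freshly created service process opening a custom named pipe, which a remote client then reaches over SMB through IPC$) is visible in Sysmon Event ID 17 (PipeCreated) and 18 (PipeConnected). The following script is an added example, not part of this page or of the product it documents; it runs a small triage over constructed, Sysmon-shaped event records. The event dictionaries, the pipe names `example-pipe-1` and `example-pipe-2`, the image path `C:\Windows\Temp\svc_update.exe`, the allowlist and the trusted-directory list are all assumptions chosen for illustration and should be tuned to the environment.

```python
"""Triage named-pipe creation/connection events for SMB-pivot style activity.

Constructed example: event records mimic the Image and PipeName fields of
Sysmon Event ID 17 (PipeCreated) and 18 (PipeConnected). Real telemetry
should be read from the Sysmon operational log instead of SAMPLE_EVENTS.
"""
from typing import Dict, Iterable, List, Optional

# Well-known RPC/service pipes that are normal on a domain-joined host.
# Assumption: extend this allowlist per environment.
KNOWN_PIPES = {
    "ntsvcs", "srvsvc", "wkssvc", "samr", "lsarpc", "netlogon",
    "winreg", "spoolss", "eventlog", "atsvc", "epmapper", "lsass",
}

# Directories whose binaries are expected to create pipes (assumption).
TRUSTED_IMAGE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
)

# Constructed sample events, not real logs.
SAMPLE_EVENTS: List[Dict] = [
    # Normal service-control traffic: services.exe owns \ntsvcs.
    {"EventID": 17, "Image": "C:\\Windows\\System32\\services.exe", "PipeName": "\\ntsvcs"},
    {"EventID": 18, "Image": "System", "PipeName": "\\ntsvcs"},
    # A binary dropped in Temp creates a custom pipe; a remote client then
    # connects to it over SMB (Sysmon reports the connecting Image as "System").
    {"EventID": 17, "Image": "C:\\Windows\\Temp\\svc_update.exe", "PipeName": "\\example-pipe-1"},
    {"EventID": 18, "Image": "System", "PipeName": "\\example-pipe-1"},
    # Local connection to a pipe whose creation was never observed.
    {"EventID": 18, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\example-pipe-2"},
]


def normalize_pipe(name: str) -> str:
    """Strip the leading backslash and lower-case so names compare reliably."""
    return name.strip().lstrip("\\").lower()


def image_is_trusted(image: str) -> bool:
    """True for the kernel pseudo-process and binaries under trusted directories."""
    img = image.lower()
    return img == "system" or img.startswith(TRUSTED_IMAGE_DIRS)


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return findings for untrusted pipe creators and connections to unknown pipes.

    Severity for a connection (Event ID 18) to a pipe outside KNOWN_PIPES:
      high   - the pipe was created by an image outside TRUSTED_IMAGE_DIRS
      medium - the pipe's creation was never seen in this batch
      low    - the pipe was created by a trusted image
    """
    creators: Dict[str, str] = {}  # normalized pipe name -> creating image
    findings: List[Dict] = []

    for ev in events:
        pipe = normalize_pipe(ev["PipeName"])
        image = ev["Image"]

        if ev["EventID"] == 17:
            creators[pipe] = image
            if not image_is_trusted(image):
                findings.append({
                    "pipe": pipe, "image": image,
                    "rule": "pipe-created-by-untrusted-image", "severity": "medium",
                })

        elif ev["EventID"] == 18 and pipe not in KNOWN_PIPES:
            creator: Optional[str] = creators.get(pipe)
            if creator is None:
                severity = "medium"
            elif not image_is_trusted(creator):
                severity = "high"
            else:
                severity = "low"
            findings.append({
                "pipe": pipe, "image": image, "creator": creator,
                # A "System" client image means the connect arrived over SMB.
                "remote": image.lower() == "system",
                "rule": "connect-to-unknown-pipe", "severity": severity,
            })

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']:6}] {finding['rule']:34} pipe={finding['pipe']} image={finding['image']}")
```

The correlation is deliberately stateful: a remote connection to an unknown pipe is only rated high when the same batch shows that pipe being created by an untrusted image, which is the shape a service-created SMB pivot takes on the target host. Connections that are refused with Access Denied (the E: 5 case above) never produce an Event ID 18, so a denied pivot attempt is better looked for in Security log share-access auditing than in Sysmon.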