I was using Metasploit on an internal test (it’s been a while as I meant to write this up some time ago) and I came across the following issue when attempting to gain access to a Windows 7 system via a remote PSExec/Meterpreter session with the compromised local administrator account hash; ‘The server responded with error: STATUS_ACCESS_DENIED (Command=117)‘.
It dawned on me that the newer versions of Windows (7 and 2008) don’t allow remote access to administrative shares such as ADMIN$, C$ etc from untrusted systems. I searched a little and found the following. This should be added to the victims registry:
- Add a new DWORD (32-bit) key named ‘ LocalAccountTokenFilterPolicy’ and set the value to 1
If you don’t have access to an interactive session on the victim system, it’s possible to open a remote registry editor console using wce (Windows Credential Editor) with the following command:
wce.exe -s %local_admin_user_hash% -c cmd.exe
Essentially this command opens a cmd.exe window that’s running under the context of the chosen hash. Further, if you enter regedt32 in the spawned command window and change the target of the registry editor to the remote host, this will also authenticate on the host as the user from which cmd.exe was initially launched.
If the registry editor for the remote system is unavailable (i.e. the Remote Registry service is not running) a similar exploit can be run using wce to open an mmc. From here the computer management snap-in can be added for the remote system, again running under the context of the compromised account. The service can then be started on the remote host and you can continue to add the registry key.
After the registry settings have been added you’ll need to change the password of the user account you’re using to authenticate. Alternatively, create another local admin user via the remote computer management mmc on the remote host. Articles I’ve seen have also stated that once the changes have been made the system should be restarted. I haven’t had this issue to date and changes seem to be applied immediately.
It’s also worth noting that if you’ve previously authenticated to the system via SMB you’ll need to flush the current sessions by issuing the command net use /delete *
PSExec should then execute as planned.
Why would you want to do all of this if you already have the local administrator hash? For a number of reasons:
- AV on the system kills/deletes any malicious process/binary from spawning. Therefore wce can be used to open a remote computer management mmc in the context of the compromised account in order to disable the offending service (if the AV policies allow).
- A Meterpreter extension such as incognito (usually the reason for me) may be required so you can impersonate a user that is logged onto the system. Hence the admin shares will need to be accessible for Meterpreter to successfully spawn.
- You may want to access the administrative shares to upload/download files.
- Access to services, such as RDP or remote management facilities, may be blocked and hence attacks need to be performed over SMB.