Getting the goods with smbexec

DerbyCon 3.0 - All In The Family

Presented by: Martin Bos (purehate), Eric Milam
Date: Saturday September 28, 2013
Time: 13:00 - 13:50
Location: Track 1
Track: Break Me

“Individuals often upload and execute a payload to a remote system during penetration tests for foot printing, gathering information, and to compromise additional hosts. When trying to remain stealthy, uploading a shell to a target may not be wise. smbexec takes advantage of native Windows functionality and SMB authentication to execute commands on remote Windows systems without having to upload a payload, decreasing the likelihood of being stopped by AntiVirus. The original intent of creating smbexec was to upload and execute obfuscated payloads using samba tools. Since the first PoC, it has expanded its capability to do more, including dumping local and domain cached password hashes, clear text passwords from memory, and stealing the NTDS.dit file from a Windows Domain controller all without the need for a shell on the victim. We will explore the creation of smbexec, the components behind it, and how to leverage its functionality to get the goods from a system without having to use a payload.”

Eric Milam

Eric is a principal security assessor on the Accuvant LABS enterprise assessment team with over fifteen (15) years of experience in information technology. Eric has performed innumerable consultative engagements including enterprise security and risk assessments, perimeter penetration testing, vulnerability assessments, social engineering, physical security testing, wireless assessments and extensive experience in PCI compliance controls and assessments. Eric is a project steward for the Ettercap project as well as creator and developer of the easy-creds and smbexec projects.

Martin Bos

Martin Bos is a consultant with the Accuvant LABS Attack & Penetration team and has multiple years of experience in the Information Security industry. Martin Bos is also a developer for the Kali-Linux project and one of the founders of Derbycon. Martin is rumored to have feelings but this can neither be confirmed nor denied.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats