Hello and welcome to this course, in which we're talking about using Python for lateral movement. In this video we're going to talk about using Python and remote services, or, in more detail, using Python to access network file shares, send data or files over to those network file shares, and then execute them once there.

And so one thing that we need to know when we're dealing with file shares on Windows is that not all file shares are enabled by default on Windows 10. So while we're not using this particular function in this code here, it would be necessary to ensure that file shares are enabled on a computer that you have access to. And so for Windows file shares, there is a key in the Windows registry that manages whether or not certain file shares are accessible. It's located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and it's called LocalAccountTokenFilterPolicy.

And so what this function does here is it takes a computerName and uses winreg to connect to the Windows registry on that computer. So we'll pass in the computerName and specify the registry hive that we want access to, in this case HKEY_LOCAL_MACHINE, or HKLM. With access to the registry, we can open a particular key, which is located at this path, and specify that we want KEY_WRITE access. Then we could call winreg.SetValueEx, pass in that key, pass in the particular value that we want set, the type of value, in this case winreg.REG_DWORD, and then a value of one to enable file shares on that machine. And then, as noted here, afterwards the computer needs to be rebooted to have these settings come into effect. And so if necessary, that would allow access to a file share.

In this case, we're going to be using a file share called C that's located on a system; in this case we'll be accessing the file share on the local machine. And so we're going to call on this access share function.
We're going to provide the name of the computer, which we can get by using os.environ and looking for COMPUTERNAME. And then also we're going to have a file that we're going to transfer over and execute on the file share. So with this computer name and executable name, we're going to build a path. So we have two backslashes, followed by the computerName, followed by a backslash and c$, indicating we want that C file share. That'll give us access to the C directory on the machine. We're using an r here for raw so that we don't have to individually double every backslash that we want. We're going to map this file share to the local drive Z, which will hopefully be available.

And then we need to build out paths for the file that we'll be transferring, both locally and remotely. So locally, once we've mapped, or sorry, remotely, once we've mapped the file share to Z, we can say local plus backslash executable, where executable is the name of our program, in this case malicious.py. Locally, this executable is in the current working directory, so we can use os.path.join, os.getcwd, executable. We can also change this path to wherever we want our tool to be located on the system.

So now we're prepared to actually mount the file share locally on this machine. How we can do that is using the net use command in the Windows shell, which we can call with os.system. We then provide local, which is the drive we want it to be mapped to, in this case z, a space, and then remote, which is the name of the file share, so the computerName, backslash, c$. Once net use has been performed, we now have access to that file share on drive Z. And so we can use shutil.move to move the file that we're storing locally to that remote location. And so it's no longer located in what will be C:\Users\username\Downloads\malicious.py. It's now located on the remote location, which is the C directory on our system. We're then going to use os.system to run that remote file.
So we're providing that file name: z, backslash, file name. And then finally we'll use net use again, provide the local drive number and then delete it once we've executed the code on the remote system. And so in the end, we're going to attach a network file share to a particular letter on our drive, copy a file or move a file over there, execute it there, and then remove that file share from our local drive letter.

And so let's see how this works. If we minimize here, we see our initial setup. So notice we don't have any network file shares mounted here, and we've got RemoteServices, which is our Python code, and a program called malicious.py that we'll be transferring over. And here in an Administrator Command Prompt, if we run python RemoteServices.py and hit enter, we've mounted the file share, moved the file over, executed it as we see, and then removed the file share again. So we don't actually have RemoteServices located here at this location anymore. It's now at the remote location. Sorry, we don't have malicious.py located here anymore. It's now at the remote location. If we actually open up our C folder here, we see that it is in fact located here.

And so this demonstrates how we can take advantage of remote services like file shares to gain lateral movement through a network. If we can access those file shares, copy files over and have the permissions to execute them on the remote machine, then we can gain a foothold on that machine, install malware, etc. Thank you.
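
Seen from the defender's side, each step narrated above leaves a trace in endpoint telemetry. The following is an added example, not code from the course: it correlates simplified, constructed records modelled on Sysmon Event ID 13 (registry value set) and Event ID 1 (process creation). The host names, field names and command lines are assumptions made for illustration.

```python
import re

# Constructed sample events (assumed field names), not taken from the video.
SAMPLE_EVENTS = [
    {"id": 13, "host": "WS01", "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy"},
    {"id": 1, "host": "WS01", "cmdline": r"net use z: \\WS02\c$"},
    {"id": 1, "host": "WS01", "cmdline": r"python z:\malicious.py"},
    {"id": 1, "host": "WS01", "cmdline": r"net use z: /delete"},
    {"id": 1, "host": "WS03", "cmdline": r"net use p: \\FS01\projects"},  # ordinary share
]

# "net use <drive> \\host\c$" (or any single-letter share, or ADMIN$).
ADMIN_SHARE = re.compile(r"net\s+use\s+([a-z]:)\s+(\\\\[^\\\s]+\\(?:[a-z]|admin)\$)", re.I)
UNMAP = re.compile(r"net\s+use\s+([a-z]:)\s+/delete", re.I)
POLICY = r"\policies\system\localaccounttokenfilterpolicy"

def detect(events):
    """Return (host, finding) tuples for the steps described in the lecture."""
    findings, mapped = [], {}  # mapped: (host, drive) -> admin share UNC path
    for ev in events:
        host = ev["host"]
        if ev["id"] == 13:  # registry value set
            if ev["target"].lower().endswith(POLICY) and ev["details"].endswith("0x00000001)"):
                findings.append((host, "LocalAccountTokenFilterPolicy set to 1"))
            continue
        cmd = ev.get("cmdline", "")
        m = ADMIN_SHARE.search(cmd)
        if m:  # drive letter mapped to an administrative share
            mapped[(host, m.group(1).lower())] = m.group(2)
            findings.append((host, f"admin share {m.group(2)} mapped to {m.group(1)}"))
            continue
        m = UNMAP.search(cmd)
        if m:  # mapping removed: stop tracking that drive letter
            mapped.pop((host, m.group(1).lower()), None)
            continue
        for (h, drive), share in mapped.items():
            if h == host and drive + "\\" in cmd.lower():
                findings.append((host, f"execution from {share} via {drive}: {cmd}"))
    return findings

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS):
        print(host, "-", finding)
```

Tracking the drive letter per host is what ties the later execution back to the administrative share; an ordinary share mapping such as the last sample record produces no finding.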