Informative Information for the Uninformed | ||||||||||||||
|
||||||||||||||
DCERPC SrvSvc NetrRemoteTOD
One approach that can be taken to obtain very granular information
about the current system time of a target machine is to use the
SrvSvc's NetrRemoteTOD request. To transmit this request
to a target machine a NULL session (or authenticated session) must
be established using the standard Session Setup AndX SMB
request. After that, a Tree Connect AndX to the
IPC$ share should be issued. From there, an NT
Create AndX request can be issued on the This vector is very useful because it provides easy access to the complete state of a target machine's system time which in turn can be used to calculate the windows of time that a temporal address can be used during exploitation. The negatives to this approach is that it requires access to the SMB ports (either 139 or 445) which will most likely be inaccessible to an attacker. |