Metasploit mailing list archives

Re: windows/smb/psexec getting detected


From: Ron <ron () skullsecurity net>
Date: Mon, 17 May 2010 07:29:10 -0500

On Mon, 17 May 2010 02:54:22 -0700 Mark <maark86 () gmail com> wrote:
Sorry to send two emails, but until this gets worked out, is there
anything I can do for an interim fix? Maybe something using irb? I
could probably get away with just using the core psexec /
pass-the-hash functionality to exploit remotely, is that easy to do?

Thanks,
Mark

I realize this is shameless self promotion, but you can use Nmap's smb-psexec.nse script (that I wrote). But, if it's a 
heuristic detection, you might be outta luck -- it's pretty easy to detect psexec heuristically, I suspect. 

Are you sure it isn't just the payload getting detected, though? The actual psexec simply logs into the machine, 
uploads the payload, and creates a service pointing to the payload. Not a lot going on. 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
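
The sequence described in the reply above (log in, upload the payload, create a service pointing to it) leaves a trail a defender can correlate. The following is an added example, not part of the original message: it runs that correlation in Python over constructed, simplified Windows events (4624 network logon, 5145 share write, 7045 service install). The field names, the `find_psexec_like` function, the 60-second window and the assumption that the upload lands on the ADMIN$ share are all illustrative.

```python
import ntpath

# Constructed sample events (simplified field names, not a real log export).
EVENTS = [
    {"t": 100, "host": "WS01", "id": 4624, "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"t": 101, "host": "WS01", "id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "QwErTy12.exe", "IpAddress": "10.0.0.5", "Write": True},
    {"t": 102, "host": "WS01", "id": 7045, "ServiceName": "QwErTy",
     "ImagePath": r"%SYSTEMROOT%\QwErTy12.exe"},
    # Benign: service installed locally, no share write before it.
    {"t": 300, "host": "WS02", "id": 7045, "ServiceName": "Updater",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe"},
    # Benign: file copied to ADMIN$ but never registered as a service.
    {"t": 400, "host": "WS03", "id": 4624, "LogonType": 3, "IpAddress": "10.0.0.9"},
    {"t": 401, "host": "WS03", "id": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "notes.txt", "IpAddress": "10.0.0.9", "Write": True},
]

def image_name(path):
    """Lower-cased file name of a service ImagePath, ignoring quotes."""
    return ntpath.basename(path.strip('"')).lower()

def find_psexec_like(events, window=60):
    """Return (host, source_ip, service, image) for each service install that
    follows a network logon and an ADMIN$ write of the same file name."""
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        def recent(e):
            # Same host, and no more than `window` seconds before the install.
            return e["host"] == svc["host"] and 0 <= svc["t"] - e["t"] <= window
        for wr in events:
            if not (wr["id"] == 5145 and recent(wr) and wr.get("Write")
                    and wr["ShareName"].upper().endswith("ADMIN$")
                    and image_name(wr["RelativeTargetName"]) == image_name(svc["ImagePath"])):
                continue
            # The write must come from an address that logged on over the network first.
            logged_on = any(e["id"] == 4624 and e.get("LogonType") == 3 and recent(e)
                            and e["IpAddress"] == wr["IpAddress"] and e["t"] <= wr["t"]
                            for e in events)
            if logged_on:
                findings.append((svc["host"], wr["IpAddress"],
                                 svc["ServiceName"], svc["ImagePath"]))
    return findings

if __name__ == "__main__":
    for finding in find_psexec_like(EVENTS):
        print(finding)
```

Because the rule keys on the logon, upload and service-creation sequence rather than on the uploaded file's contents, it fires regardless of which payload is used.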
