Exploiting SMB With PsExec
SMB (Server Message Block) is a network file sharing protocol that is used to facilitate the sharing of files and peripherals (printers and serial ports) between computers on a local network (LAN).
SMB uses port 445 (TCP). However, originally, SMB ran on top of NetBIOS using port 139.
Samba is the open source Linux implementation of SMB, and allows Windows systems to access Linux shares and devices.
The SMB protocol utilizes two levels of authentication, namely:
User Authentication
Share Authentication
User authentication - Users must provide a username and password to authenticate with the SMB server before they can access a share.
Share authentication - Users must provide a password to access a restricted share.
Note: Both of these authentication levels utilize a challenge response authentication system.
Authentication with PsExec is performed via SMB.
It can be used to authenticate with the target system legitimately and run arbitrary commands or launch a remote command prompt.
PsExec is similar to RDP but instead of controlling the remote system via a GUI, commands are sent via CMD.
To utilize PsExec for gaining access to a Windows target, we need to identify legitimate user accounts along with their respective passwords or password hashes.
Various tools and techniques can be employed for this purpose, but a common approach is to perform an SMB login brute-force attack.
To enhance the efficiency of the brute-force attack, we can focus on common Windows user accounts such as Administrator.
Once we have obtained valid user credentials, we can use PsExec to authenticate with the target system, allowing us to execute arbitrary system commands or establish a reverse shell.
Objective: Confirm whether the target host has the SMB service enabled.
Command:
Description: Scan port 445 on the target system to check whether the SMB (Server Message Block) service is available.
Objective: Obtain valid credentials to access the SMB service.
Command:
In Metasploit Framework:
Description: Use the smb_login module in Metasploit to perform a brute-force attack or credential stuffing to find valid SMB user credentials.
Objective: Use valid credentials to get command-line access on the target system.
Method A: Using psexec.py
Command:
Description: Execute the cmd.exe shell on the target system using psexec.py, the Linux version of the PsExec tool.
Method B: Using the Metasploit psexec module
Command:
Description: Use the psexec exploit module in Metasploit to run cmd.exe on the target system with the provided credentials.
Objective: Perform further actions on the target system once command-line access is established.
Examples:
Enumerate system information:
Check for connected users:
List running processes:
Establish a persistent backdoor or further exploit vulnerabilities.
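As an added example (not part of the original page), the following Python script shows what the SMB brute-force step and the PsExec step above look like from the defender's side: it runs two checks over constructed sample Windows event records, one for a burst of failed network logons (Event ID 4625, logon type 3) from a single source, and one for the PSEXESVC service installation (Event ID 7045) and the matching ADMIN$ share write (Event ID 5145) that the Sysinternals PsExec leaves behind. The event records, field names and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample records (hypothetical), shaped like the Windows event fields a
# SIEM would parse: 4625 = failed logon, 4624 = successful logon, 7045 = new service
# installed (System log), 5145 = network share object accessed. Not captured data.
SAMPLE_EVENTS = [
    {"id": 4625, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 4625, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 4625, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 4625, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 4625, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 4625, "src": "10.0.0.9", "user": "bob", "logon_type": 2},  # console typo, not SMB
    {"id": 4624, "src": "10.0.0.5", "user": "Administrator", "logon_type": 3},
    {"id": 5145, "src": "10.0.0.5", "share": r"\\*\ADMIN$", "target": "PSEXESVC.exe"},
    {"id": 7045, "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
]

BRUTE_FORCE_THRESHOLD = 5  # assumed tuning value; set per environment

def detect_smb_bruteforce(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Map source IP -> number of failed network (type 3) logons, at or above threshold."""
    failures = defaultdict(int)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 3:
            failures[e["src"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def detect_psexec_artifacts(events):
    """List PsExec-style artifacts: the PSEXESVC service install and the ADMIN$ binary drop."""
    # The 7045 rule matches only the Sysinternals default service name; the Metasploit
    # psexec module picks a random name, so the ADMIN$ rule is widened to any .exe drop.
    findings = []
    for e in events:
        if e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC":
            findings.append(f"service install: {e['service']} -> {e['path']}")
        elif e["id"] == 5145 and e.get("share", "").endswith("ADMIN$") \
                and e.get("target", "").lower().endswith(".exe"):
            findings.append(f"ADMIN$ write of {e['target']} from {e['src']}")
    return findings

if __name__ == "__main__":
    print("brute-force sources:", detect_smb_bruteforce(SAMPLE_EVENTS))
    print("psexec artifacts:", *detect_psexec_artifacts(SAMPLE_EVENTS), sep="\n  ")
```

In a real deployment both checks would be fed from the Security and System logs of every host that exposes port 445, and the successful 4624 following the failure burst is the event to correlate with.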
Hacker's Mantra:
Hackers are becoming more sophisticated in conjuring up new ways to hijack your system by exploiting technical vulnerabilities or human nature. Don’t become the next victim of unscrupulous cyberspace intruders. -
Kevin Mitnick
PsExec is a lightweight telnet-replacement tool developed by Microsoft that allows you to execute processes on remote Windows systems using any user's credentials.