Pentesting Tools (Exploiting SMB With PsExec)

In the name of God, the Most Gracious, the Most Merciful
Hello everyone, I’ve decided to make a series where I explain certain tools used in penetration testing/ethical hacking that can be useful. Today I’ll be explaining how to use PsExec and when to use it for pentesting, so let’s begin [ *Made for educational purposes only ;) *].

PsExec is a Windows utility developed by Microsoft (Sysinternals) that lets you execute commands on a remote Windows system using any user’s credentials. To run those commands/processes you of course need to authenticate to the target, which PsExec does over the SMB protocol.
The first step is a port scan to check whether the target system is running SMB and, just as importantly, whether message signing is required; I’ll explain why that matters below.

After performing the scan we can see that the system is indeed running SMB and, most importantly, that message signing is not required. That opens up several attacks, such as PsExec execution, NTLM relay attacks and pass-the-hash over SMB. Note that even if SMB does require message signing, you can still use PsExec as long as you have valid credentials, because the authentication itself is legitimate.
Now, in order to use PsExec to gain access to a Windows target, we need to identify legitimate user accounts and their respective passwords or password hashes. This can be done with various tools and techniques, but the most common one is an SMB login brute-force attack.
To perform the brute-force attack we can simply use Metasploit’s auxiliary/scanner/smb/smb_login module and set the needed options such as RHOSTS, RPORT, USER_FILE and PASS_FILE. You can also set VERBOSE to false to suppress output for every single attempt.

After obtaining the credentials, as seen below, we can use PsExec to authenticate to the target system and run arbitrary commands on it.

One thing to be cognizant of is that PsExec is a Windows utility (a portable executable), so we can’t run it natively on a Linux system, although it can be run with Wine. You can download it for Windows from here if you wish:
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
However, there’s a really nifty Python script called psexec.py. It’s a Python implementation of the PsExec utility and allows us to authenticate to a target system. I’ll show you below how to get it (don’t worry, it’s simple):
First make sure you have Python and its dependencies installed by running this command:
sudo apt update && sudo apt install python3 python3-pip git
Next we need Impacket, since psexec.py is part of Impacket; you need to install Impacket to use it, so we clone it onto our machine:
git clone https://github.com/fortra/impacket.git
Next we install Impacket by changing into the directory you cloned it to, like so:
cd impacket
pip3 install .
Once installed, you can find psexec.py inside the examples/ directory of the cloned repository.
To use it, run the command as follows (it will prompt for the user’s password after you run it):
psexec.py username@<target-ip> [the command you wish to execute]
Example:
psexec.py Administrator@<target-ip> cmd.exe
This command launches a cmd shell on that machine so we can execute commands remotely on it.
Impacket also lets you authenticate to the victim’s machine with the user’s NTLM hash, which is extremely helpful when you aren’t able to crack the hash. To do so, run it as follows (the hash is given as LMHASH:NTHASH):
impacket-psexec -hashes <LMHASH:NTHASH> username@<target-ip>

The great thing about this technique is that we’re not launching an exploit against the target system; we’re using Windows tools, utilities and protocols to perform legitimate authentication with the actual credentials. That means we’re not running any exploits or uploading any malicious files to the target system that could be detected.
If we want to extend this attack to get a Meterpreter session, we can use the Metasploit module exploit/windows/smb/psexec. Be cognizant, though, that this does run a malicious file on the target, so anti-virus solutions installed on the target system could detect it; be careful with which modules you use.
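As an added example (not from the original post), here is a small Python check from the defender’s side for the trace PsExec leaves: both the Sysinternals tool and psexec.py install a service on the target, which Windows records in the System log as Event ID 7045. The sample records are constructed; the psexec.py naming heuristic (short random alphabetic service name, random <name>.exe under %systemroot%) assumes the default, unrenamed service.

```python
# Added example (not from the original post): flag PsExec-style service installs
# in Windows System event log records. All input records below are constructed.
import re

# Constructed sample Event ID 7045 records ("A service was installed in the system").
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS01", "service": "PSEXESVC",
     "path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"id": 7045, "host": "WS01", "service": "mQzL",
     "path": r"%systemroot%\kTuWbXaY.exe", "account": "LocalSystem"},
    {"id": 7045, "host": "WS02", "service": "Sysmon64",
     "path": r"C:\Windows\Sysmon64.exe", "account": "LocalSystem"},
    {"id": 7045, "host": "WS02", "service": "wuauserv",
     "path": r"C:\Windows\system32\svchost.exe -k netsvcs", "account": "LocalSystem"},
    {"id": 4624, "host": "WS01", "service": "", "path": "", "account": "Administrator"},
]

# Sysinternals PsExec installs a service named PSEXESVC backed by PSEXESVC.exe in
# the system root. Impacket's psexec.py (assumption: default, unrenamed service)
# uses a short random alphabetic service name and a random alphabetic <name>.exe
# copied via ADMIN$ and referenced as %systemroot%\<name>.exe.
RANDOM_SVC = re.compile(r"^[A-Za-z]{4,8}$")
RANDOM_EXE_IN_SYSROOT = re.compile(r"^%systemroot%\\[A-Za-z]{4,12}\.exe$", re.IGNORECASE)


def classify_service_install(event):
    """Return a tag for a 7045 record that looks like a PsExec install, else None."""
    if event.get("id") != 7045:
        return None
    name, path = event["service"], event["path"]
    if name.lower() == "psexesvc" or path.lower().endswith("\\psexesvc.exe"):
        return "sysinternals_psexec"
    if RANDOM_SVC.match(name) and RANDOM_EXE_IN_SYSROOT.match(path):
        return "impacket_psexec_like"
    return None


def scan_events(events):
    """Return (host, service name, tag) for every suspicious service install."""
    hits = []
    for ev in events:
        tag = classify_service_install(ev)
        if tag:
            hits.append((ev["host"], ev["service"], tag))
    return hits


if __name__ == "__main__":
    for host, svc, tag in scan_events(SAMPLE_EVENTS):
        print(f"{host}: service '{svc}' flagged as {tag}")
```

Feed it real 7045 records exported from the System log (or the equivalent SIEM fields) and pair a hit with the preceding network logon (Event ID 4624, logon type 3) to identify the source host.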
Lesson learned? Enable (require) SMB message signing.
That’s it! Thanks for reading.