
Thread: psexec - Microsoft Windows Authenticated User Code Execution

  1. #1
    Just burned his ISO
    Join Date
    Aug 2007
    Posts
    23

    Default psexec - Microsoft Windows Authenticated User Code Execution

    Greetings,

    I'm looking for documentation on this particular exploit: Metasploit - Microsoft Windows Authenticated User Code Execution.

    It states it is similar to the Sysinternals psexec tool, but I can't find information on patching or best recommendations. It simply links to the Sysinternals page.

    It appears that the code comments state the following:
    Windows XP systems that are not part of a domain default to treating all
    network logons as if they were Guest. This prevents SMB relay attacks from
    gaining administrative access to these systems. This setting can be found
    under:

    Local Security Settings >
    Local Policies >
    Security Options >
    Network Access: Sharing and security model for local accounts

    What recommendation, if any, does anyone have for PCs that are domain members? Changing the default administrator account name? As I understand it, the exploit uses a valid admin username and password (or password hash)....

    Am I simply missing something right in front of me?

    thanks,

  2. #2

    Default

    Quote Originally Posted by dmshady001

    What recommendation, if any, does anyone have for PCs that are domain members? Changing the default administrator account name? As I understand it, the exploit uses a valid admin username and password (or password hash)....

    you seem to have asked two questions. the psexec module is not the same as the smbrelay exploit. the psexec module creates a service and a registry key and sends back the payload you choose, and requires local admin or higher on the box. you have to provide it a username/pass (or hash).

    the smbrelay doesn't require a username/pass (hash) but does require the attacker to "browse" to their smb share, and it relays the hash back to the victim. again, it needs admin+ or higher.

    most of what drives those exploits is considered a feature and pretty much required for most windows domains. both are essentially internal attacks because you shouldn't be allowing smb/netbios traffic outside the firewall.
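    Since both replies above stress that the psexec module works by creating a service (and its registry key) on the target, the defensive angle is to watch for exactly that. The following is an added example, not code from this thread or from Metasploit: it runs a few constructed records modelled on Windows System log event 7045 ("A service was installed in the system") through simple heuristics a defender would use to triage psexec-style service installs. The field names, the sample values and the heuristic thresholds are assumptions made for the example; PSEXESVC is the service name the Sysinternals PsExec tool installs, and the registry path is the standard per-service key under CurrentControlSet\Services.

```python
# Constructed sample records modelled on Windows System log event 7045.
# Field names follow the event's message fields; the values are made up
# for this example and do not come from any real host.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    # Random-looking name, binary served from the ADMIN$ share over a UNC path
    {"EventID": 7045, "ServiceName": "KqTzPxRw",
     "ImagePath": r"\\127.0.0.1\ADMIN$\KqTzPxRw.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    # The service name the Sysinternals PsExec tool installs
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    # A 7036 state change, not an install; must be ignored
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "",
     "StartType": "", "AccountName": ""},
]

VOWELS = set("aeiouAEIOU")
KNOWN_PSEXEC_SERVICE_NAMES = {"PSEXESVC"}   # Sysinternals PsExec service name
ADMIN_SHARES = {"ADMIN$", "C$"}             # administrative shares used to stage binaries


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 6-16 letters with no vowels or many case flips."""
    if not (6 <= len(name) <= 16) or not name.isalpha():
        return False
    if not any(ch in VOWELS for ch in name):
        return True
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def service_registry_key(name: str) -> str:
    """Per-service configuration key that a service install also creates."""
    return r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + name


def reasons_for(event: dict) -> list:
    """Return the list of reasons a 7045 event looks like a psexec-style install."""
    if event.get("EventID") != 7045:
        return []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    reasons = []
    if name.upper() in KNOWN_PSEXEC_SERVICE_NAMES:
        reasons.append("known PsExec service name")
    if looks_random(name):
        reasons.append("random-looking service name")
    if path.startswith("\\\\"):
        reasons.append("image path is a UNC path")
    if any(seg.upper() in ADMIN_SHARES for seg in path.split("\\")):
        reasons.append("binary staged via administrative share")
    return reasons


def triage(events: list) -> list:
    """Collect flagged installs with the registry key an analyst should inspect."""
    findings = []
    for ev in events:
        reasons = reasons_for(ev)
        if reasons:
            findings.append({
                "service": ev["ServiceName"],
                "registry_key": service_registry_key(ev["ServiceName"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["service"], "->", f["registry_key"], "|", "; ".join(f["reasons"]))
```

    Feeding real 7045 events into `triage` (after parsing them into the same dict shape) gives a short list of service installs worth a second look, together with the registry key whose presence or removal you would check during cleanup. The random-name heuristic is deliberately coarse; tune `looks_random` to your own naming conventions before relying on it.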

  3. #3
    My life is this forum (thorin)
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    What recommendation, if any, does anyone have for PCs that are domain members?
    This is common security practice.

    Create an account, like Sysadmin or whatever, add it to the Administrators group and set a strong password. Disable the default "Administrator" account.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    Just burned his ISO
    Join Date
    Apr 2008
    Posts
    1

    Default

    Quote Originally Posted by __CG__
    you seem to have asked two questions. the psexec module is not the same as the smbrelay exploit. the psexec module creates a service and a registry key and sends back the payload you choose, and requires local admin or higher on the box. you have to provide it a username/pass (or hash).
    CG,
    How would you use a hash with psexec? I found no options in psexec to use a hash instead of a password. Thanks.

  5. #5

    Default

    Quote Originally Posted by DigMan
    CG,
    How would you use a hash with psexec? I found no options in psexec to use a hash instead of a password. Thanks.
    I'm talking about the psexec module for Metasploit. just pass the LM:NTLM hash into the SMBPass field, and of course the username.
