This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a similar technique than the "psexec" utility provided by SysInternals. Daisy chaining commands with '&' does not work and users shouldn't try it. This module is useful because it doesn't need to upload any binaries to the target machine.

Module Name

auxiliary/admin/smb/psexec_command

Authors

• Royce Davis [at] R3dy__ <rdavis [at] accuvant.com>

References

• CVE-1999-0504
• OSVDB-3106
• URL: https://www.optiv.com/blog/owning-computers-without-shell-access
• URL: http://sourceforge.net/projects/smbexec/
• URL: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Reliability

• Normal

Development

• Source Code
• History

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

Related Vulnerabilities

• No password on CIFS Administrator account
• Password password on CIFS Administrator account
• No password on CIFS guest account
• Password guest on CIFS guest account

Related Modules

• PsExec via Current User Token
• Microsoft Windows Authenticated Logged In Users Enumeration
• Microsoft Windows Authenticated User Code Execution
• Powershell Remoting Remote Command Execution
• Microsoft Windows Authenticated Powershell Command Execution
• Windows Management Instrumentation (WMI) Remote Command Execution