Ditch PsExec, SprayWMI is here ;)

PsExec is a utility developed by Sysinternals (later acquired by Microsoft) that lets you control a Windows computer from the command line and is a light-weight alternative to telnet. Unlike other remote administration tools it doesn’t require installing a client on the remote computer and needs no complicated setup: just copy PsExec somewhere on your executable path, type “psexec” and you are ready to go. Now I’ll show you the syntax and a few examples of use cases:



The following command launches an interactive command prompt on \\fabio:

This command executes IpConfig on the remote system with the /all switch, and displays the resulting output locally:

This command copies the program test.exe to the remote system and executes it interactively:

Specify the full path to a program that is already installed on a remote system if it’s not on the system’s path:

Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys:

To run Internet Explorer with limited-user privileges use this command:

PsExec one liners

Multiple commands on one line:

opens a new shell, echoes a b c and pauses

Multiple commands split over multiple lines:

Multiple commands, lines, escapes:

grants Everyone Modify access to a folder on the remote machine:

Single line FOR loop:

remotely registering 32-bit .OCX files in 64-bit Windows 7’s syswow64 folder for backwards compatibility with an old app:

Run commands after psexec communication terminates:

Install something under a SYSTEM account (sample batch file):

Remotely add a user with administrator rights and password xxxxx that never expires:

PsExec Pass The Hash

PsExec is interesting because it will authenticate with either a plaintext password or a password hash. This is possible because the NTLM authentication mechanism doesn’t transmit a plaintext password, and its challenge-response scheme doesn’t require the client to know the user’s plaintext password, only the hash derived from it.

This feature is very useful for a penetration tester because it allows you to gain a shell on the victim’s machine without knowing the password (cracking a password takes time) as long as you have the password hash. Often as penetration testers we successfully gain access to a system through some exploit, use Meterpreter (or other methods like fgdump, pwdump or cachedump) to grab the password hashes, and then use rainbow tables to crack them. One great feature of psexec in Metasploit is that it lets you enter the password itself, or simply specify the hash values: no need to crack anything to gain access to the system. Let’s think about how we can use this to further penetrate a network. Say we compromise a system with a local administrator account: we don’t need to crack its password because psexec lets us use just the hash values, and that same administrator account exists on every system within the domain infrastructure. We can now go from system to system without ever having to worry about cracking the password. One important thing to note is that if only NTLM is available (for example the password is 15+ characters, or a GPO specifies NTLM response only), simply replace the ****NOPASSWORD**** with 32 0’s, for example:

Would be replaced by:

While testing this in your lab you may encounter the following error even though you are using the correct credentials:

This can be remedied by navigating to the registry key “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters” on the target systems and setting the value of “RequireSecuritySignature” to “0”.

Now that we have a Meterpreter console and have dumped the hashes, let’s connect to a different victim using PsExec and just the hash values.

The Metasploit psexec module is very handy, but sometimes we may not be able to use Metasploit because it is either unavailable or prohibited (OSCP anyone?); then the Nmap smb-psexec.nse script comes to the rescue.

If you don’t know the username/password, or you have many machines with different accounts, you can combine smb-psexec.nse with smb-brute.nse:
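The registry tweak above turns SMB signing off so the lab login goes through; on a real host the defender wants to know the opposite, that RequireSecuritySignature is 1. The following is an added example (not code from the post or from any tool it names) that parses the text printed by `reg query HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters` and classifies the server-side signing posture. The sample outputs are constructed, and treating an absent value as 0 is an assumption of this example.

```python
"""Audit SMB server signing from `reg query` output (added example)."""
import re

PARAMS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
              r"\LanManServer\Parameters")

# reg.exe prints one value per line: "    Name    REG_TYPE    data"
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {value_name: data} for the values under the queried key.

    REG_DWORD data is printed as hex (0x1) and converted to int; other
    types are kept as the raw string.
    """
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("HKEY_"):
            continue  # blank line or the key path header
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, kind, data = m.groups()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values


def smb_signing_posture(values):
    """Classify the LanManServer signing configuration.

    RequireSecuritySignature=1: every SMB session to this server must be
    signed, which is what defeats unsigned or relayed sessions.
    EnableSecuritySignature=1 alone only offers signing; a client that
    does not ask for it still gets an unsigned session.
    Assumption for this example: a missing value behaves like 0.
    """
    require = values.get("RequireSecuritySignature", 0)
    enable = values.get("EnableSecuritySignature", 0)
    if require == 1:
        return "required"
    if enable == 1:
        return "enabled-not-required"
    return "disabled"


def audit(reg_query_text):
    """Parse the output and return (posture, finding) for a report."""
    values = parse_reg_query(reg_query_text)
    posture = smb_signing_posture(values)
    finding = None if posture == "required" else (
        "RequireSecuritySignature is not 1: SMB signing is not enforced")
    return posture, finding


# Constructed sample output: a lab box after the tweak described above.
SAMPLE_LAB = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0
    AutoShareServer    REG_DWORD    0x1
"""

# Constructed sample output: a host with signing enforced.
SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for label, text in (("lab", SAMPLE_LAB), ("hardened", SAMPLE_HARDENED)):
        posture, finding = audit(text)
        print(f"{label}: {posture} {finding or ''}")
```

Run it against the real output of `reg query` saved to a file, or feed it the text directly. Only the server-side key is covered here; the client-side equivalent lives under LanmanWorkstation\Parameters and would need the same check.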

PsExec is noisy, we like silence

PsExec has worked very well for more than 15 years (!!!), but the problem is that nowadays it is easily detected by AV because it creates a service and touches the disk.

Using WMI (Windows Management Instrumentation) we can execute code and commands on remote systems without touching disk or creating a new service. We can also use either the actual password or the hash.

The initial WMI communication uses TCP port 135, after which a random high port is negotiated. Since WMI and RPC are widely used by remote administration and management tools, it is common to see these ports open and unfiltered on internal networks.
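The two execution methods contrasted above leave different host-side traces: PsExec installs a service (the System log records that as event 7045, with the service named PSEXESVC and its binary dropped in %SystemRoot%), while WMI execution creates no service but the resulting process is a child of WmiPrvSE.exe (visible in Security event 4688 when process creation auditing is on and the creator process name is logged). The following is an added example, not code from the post or from SprayWMI, that runs two detection rules over constructed event records whose field names follow the EventData names of those events.

```python
"""Flag PsExec service installs and WMI-spawned shells in event records.

Added example. Records are constructed dicts shaped like Windows event
log data: System 7045 (service installed) and Security 4688 (new process).
"""
import ntpath

# Interpreters a remote WMI Create() call typically ends up launching.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}


def detect(event):
    """Return a finding string for one event, or None if it is benign."""
    eid = event.get("EventID")
    if eid == 7045:
        name = event.get("ServiceName", "")
        image = ntpath.basename(event.get("ImagePath", "").strip('"'))
        # Default PsExec service name and binary; `psexec -r` renames the
        # service, so match on either field rather than the name alone.
        if name.upper() == "PSEXESVC" or image.lower() == "psexesvc.exe":
            return f"psexec-service-install:{name}"
    elif eid == 4688:
        parent = ntpath.basename(event.get("ParentProcessName", "")).lower()
        child = ntpath.basename(event.get("NewProcessName", "")).lower()
        # WMI runs Win32_Process.Create under the WMI provider host, so a
        # shell whose parent is WmiPrvSE.exe is the signature of WMI-based
        # execution. Local WMI scripts trip this too; correlate with a
        # network logon (4624, logon type 3) from another host before acting.
        if parent == "wmiprvse.exe" and child in SHELLS:
            return f"wmi-spawned-shell:{child}"
    return None


def scan(events):
    """Return [(computer, finding)] for every event that matched a rule."""
    hits = []
    for event in events:
        finding = detect(event)
        if finding:
            hits.append((event.get("Computer", "?"), finding))
    return hits


# Constructed sample records; two suspicious, two ordinary.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "ServiceType": "user mode service", "StartType": "demand start"},
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"Computer": "WS02", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"Computer": "WS02", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for computer, finding in scan(SAMPLE_EVENTS):
        print(computer, finding)
```

The 4688 rule depends on the creator process name, which only newer Windows versions include in that event; on older hosts Sysmon event 1 carries the same parent/child pair. Neither rule sees the network side, where the port 135 connection followed by the negotiated high port is the other observable the passage above describes.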

Two tools that ship with Kali for executing code via WMI are Impacket’s wmiexec and pth-wmis.

Recently Dave Kennedy, CEO of TrustedSec, released a tool in collaboration with Justin Elze (author of the pth-toolkit): SprayWMI.

SprayWMI leverages wmis and Magic Unicorn to sweep subnet ranges for port 135, attempt to log in with either a password or hashes, and automatically generate PowerShell injection that gives you access to your payloads instantly and without touching disk.

SprayWMI moves super quick, finishing a class C in around 4 seconds, and automatically creates the injection code and the listener inside Metasploit and launches everything for you. All you need to do is sit back and watch the shells flow in.

Below is the standard syntax to start the tool:

Actual usage is pretty simple:

Next, let the shells rain in:

Author: Fabio Baroni   Date: 2015-10-19 23:22:52
