7

Metasploit smartly stores your creds in its internal database, whether you've manually entered them by using a previous module or whether you've dumped them with smart_hashdump. You can view stored creds with creds.

I've searched, but without result, if there is a way to "plug" stored creds into a module. For example, when using psexec exploit, is there a way I can tell metasploit to use a set of domain/login/hash from the creds DB?

Something like "set creds admin", where admin is the username associated with stored creds.

Juicy
  • 1,447
  • 4
  • 17
  • 33

2 Answers2

1

If i remember correctly, psexec is part of the smb exploit kit. I think what you are looking for is the complimentary scanner kit.

use auxiliary/scanner/smb/smb_login

then go through and set the common options the same as you would in your smb exploit except there is one option here

db_all_creds

set this to true, and run the scan. you will now know which users to use in the psexec exploit.

is that what you are looking for? The reason most exploits don't plug like that is that sometimes you will break whatever it is you are exploiting, running it against multiple hashes might be worthless, and misinformative.

so first you scan what users can connect. Then run the corresponding exploit with those accounts.

Nalaurien
  • 1,654
  • 10
  • 16
1

Yes, exploit/windows/local/current_user_psexec

More on the differences between the metasploit-framework psexec modules here -- https://community.rapid7.com/community/metasploit/blog/2013/03/09/psexec-demystified -- and SANS detailed these methods using just the Psexec tool here -- https://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass

atdre
  • 19,072
  • 6
  • 61
  • 108