Why your Metasploit PSEXEC exploit might be failing


Have you had trouble using PSEXEC or other remote administrative tools on Windows Vista, Windows 7 and WIndows 2008 servers? If so, UAC (User Access Control) might be preventing your tools from working. Windows UAC drops all the Administrator privileges from the SAT (Security Access Token) for REMOTE connections that are using LOCAL accounts. This restriction prevents all remote administrative functions such as connecting to administrative shares (C$, etc) installing services or launching a new process (psexec).
In the scenario where Computer1 belongs to the PenTesterDomain and Computer2 belongs to WORGROUP or the PentestCustomerDomain, Computer1 will not be able to connect to computer2c$ or other administrative functions using the local administrator username and password on computer2. Because UAC restricts the use of administrator privileges to Interactive local sessions and to Domain accounts you will need to use a domain account.
If your using Metasploits psexec module you will need to specify the SMBDomain. This option doesn’t appear when you type “show options”, but it is available under the advanced options (“show advanced”).
Once you’ve obtained some type of remote execution on the target host you can enable remote administrative functions by creating the following registry key:
Create a DWORD entry at that location and set it’s value to 1.
After the target machine has been rebooted you will be able to connect to the C$ share, launch PSEXEC and perform other administrative functions using the local accounts on the target system.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.