AD Hacking: Getting Meterpreter Session

Getting a Meterpreter session is always a wonderful thing. You can elevate privileges, dump hashes, clear windows logs, download/upload files, and more.

Prerequisites:

  • Domain controller with Active Directory setup.
  • Kali Linux
  • Windows 10 VM, joined to a domain

Setting your environment

On Kali, we’re going to use exploit/windows/smb/psexec on Metasploit to get our Meterpreter session. For that, we’ll need to take some necessary steps to make this work.

Go to your Windows 10 machine that is joined to the domain. Open up File Explorer, and go to your C:\ drive. Right click > New > New Folder. Name the folder “Scans”.
Note: Create this folder while logged in as a domain user, in this example I’m using tgreyjoy (WINTERFELL\tgreyjoy).

Now that we have the new Folder, we need to set sharing enabled for it.

Making your domain user a local administrator

Go ahead and switch users to the domain administrator.

Disable Windows Defender

Believe it or not, not everyone is using Windows Defender. They may not be patching their machines enough and they might be using a different AV software. Because of this, it’s not entirely unrealistic that we’re disabling Windows Defender for this tutorial.

Now that we’ve disabled it for good, restart your Windows 10 VM.

Getting Meterpreter Shell

The above pictures pretty much sum up the commands you’ll need to run to get meterpreter shell with psexec.

Note: You may need to type “show targets” and “set target #” to get this to work.