CVE-1999-0504
Published: 1997-01-01
A Windows NT local user or administrator account has a default, null, blank, or missing password.
Priority: P3 · 55 · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available · EPSS 63.70% (99.1 percentile)
Detection & IOCs (extracted from sources)
Detection:
- Detect SMB authentication attempts using null, blank, or missing passwords against Windows NT/XP accounts, particularly for the Administrator account over TCP 445.
- Alert on creation of randomly named Windows services (8 random alpha characters) with interactive/own-process type (0x00000110) and demand start (0x00000003) via DCE/RPC CreateServiceW (opcode 0x0c), especially when the binary path points to %SYSTEMROOT%.
- Monitor for executable files with random 8-character alpha names uploaded to the ADMIN$ share, followed by service creation and rapid deletion, a hallmark of PsExec-style exploitation.
- Monitor for WMI-based lateral movement (WMIC remote command execution) originating from a session context without explicit credential supply, using TCP 135 and ephemeral high ports.
- Detect PowerShell Remoting (WinRM) connections on TCP 47001 used to inject payloads, especially when initiated from a compromised host to multiple RHOSTS.
- Detect SMB credential reporting patterns where SMBPass matches the pattern of an NTLM hash (32hex:32hex), indicating pass-the-hash exploitation leveraging null/default credentials.
Caveats:
- Windows XP systems not joined to a domain default to treating all network logons as Guest, limiting the impact of null-password exploitation over SMB; verify domain membership before assuming full admin access.
- The PsExec-style exploit cannot fully clean up in all variants: the service and payload file may persist on disk and require manual removal, leaving forensic artifacts.
- The WMI-based execution module requires the remote host to be explicitly configured to allow remote WMI; not all Windows hosts will be vulnerable by default.
- The service created by the PsExec exploit uses a randomly chosen name and description each run, meaning repeated exploitation will clutter the services list with orphaned entries.
No detection rules found.
Exploit-DB
Microsoft Windows - (Authenticated) User Code Execution (Metasploit) (exploitdb, 2010-12-02)
---
##
# $Id: psexec.rb 11204 2010-12-02 17:29:26Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
=begin
Windows XP systems that are not part of a domain default to treating all
network logons as if they were Guest. This prevents SMB relay attacks from
gaining administrative access to these systems. This setting can be found
under:
Local Security Settings >
Local Policies >
Security Options >
Network Access: Sharing and security model for local accounts
=end
require 'msf/core'
class Metasploit3 'Mi
Metasploit: PsExec via Current User Token
This module uploads an executable file to the victim system, creates a share containing that executable, creates a remote service on each target system using a UNC path to that file, and finally starts the service(s). The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash.
Metasploit: Windows Management Instrumentation (WMI) Remote Command Execution
This module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that session. The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash. The remote host must be configured to allow remote Windows Management Instrumentation.
Metasploit: Powershell Remoting Remote Command Execution
This module uses Powershell Remoting (TCP 47001) to inject payloads on target machines. If RHOSTS are specified, it will try to resolve the IPs to hostnames, otherwise use a HOSTFILE to supply a list of known hostnames.
Metasploit: Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
Metasploit: Microsoft Windows Authenticated Logged In Users Enumeration
No writeups or analysis indexed.