Armando, posted March 8, 2011
Another great video by matugm:
This is the scenario used:
Do not forget to subscribe to our channel here: http://www.youtube.com/user/eLearnSecurity
robertray, posted March 8, 2011
Well done matu - I will check this out asap. Just need to get my other work done first!
robertray, posted March 9, 2011
Hey matugm. I checked out the video file and there is a lot going on. I think in a situation like this peeps need a bit more detail just for clarity. I read the post below and I wanted to ask, am I right in saying that these are local SAM accounts and cached credentials? Useful though as an aid for further research no doubt, so keep up the good work. I would say to peeps also that port 88 Kerberos is always a good indication for me of a DC. Though I have to wonder why yours has port 80 open; the sys admin needs to be shot. Well, that and the lack of patches :-) Anyway
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
http://blog.metasploit.com/2010/01/safe-reliable-hash-dumping.html
matugm, posted March 10, 2011
About your question: yes, these are credentials pulled from the local SAM, and as I understand it cached credentials are a different thing (these are stored so you can log in with a domain account even if the DC is down or you are away from it). Anyway, what happens here is that the DC and the host share an account with the same credentials, and since there is no salting or anything like that, the hashes stored on both sides are the same, which is what makes it possible to log in to the DC using these credentials. BTW, you want to write this down because it took me a while to figure out: from Vista and up you can't access admin shares by default, and psexec needs admin$ to work. Here is what you can do if you want to enable this for testing (BTW, domain admin can bypass this but not anyone else apparently, needs more testing!):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
Add a new DWORD called "LocalAccountTokenFilterPolicy" and give it a value of 1.
You should check out these links for additional info:
http://www.offensive-security.com/metasploit-unleashed/PSexec_Pass_The_Hash
http://www.sans.org/reading_room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation_33283
About the port 80, I was playing with IIS and left it up =P
robertray, posted March 10, 2011
About cached credentials. Win XP will normally store a few accounts in cache in case the DC is down, up to 10 I think: http://support.microsoft.com/kb/913485
matugm, posted March 10, 2011
Yeah, that's what I was trying to say. You can also dump and crack these, but these are salted with the username, so it's harder than a regular hash and you can't use these for pass-the-hash.
matugm, posted March 10, 2011
About the Vista admin shares issue:
http://www.etcwiki.org/wiki/Psexec_with_vista
http://blogs.msdn.com/b/vistacompatteam/archive/2006/09/22/766945.aspx
After some testing I can confirm you can log in with the 'administrator' account even without the registry change; needs some testing on Win7...
matugm, posted March 10, 2011
OK, it looks like the administrator account is disabled by default on Win7.
illumina, posted April 15, 2011
Just to give you a bit of an idea of the type of situation where this might be useful to a pentest/detrimental to a company, this is one that I was able to use in a real situation: each of the company machines was deployed with a local administrator account, which was the same on each of the machines. Once I had a meterpreter reverse TCP payload inside the organisation, it was just a matter of waiting for *1* person to run it (didn't matter who), and I was able to use the pass-the-hash attack to jump around to various PCs in the organisation. Because of this, I was also able to use incognito to steal/impersonate tokens and therefore access anyone's network files, but not only that, I was able to use the same pass-the-hash attack to jump to the file server, which has *everyone's* tokens, as they mount network drives when they log in. From there, I was able to impersonate anyone on the network, get the Domain Admin's account, etc. Game over, so to speak.
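The three properties the thread turns on (matugm's point that the NT hash has no salt, so an account with the same password has the same hash on every host; his later note that cached credentials are salted with the username; and illumina's shared local administrator account across a fleet) can be checked from the defender's side with a small audit. The following is an added example, not code from the thread or from eLearnSecurity. It carries its own MD4 because hashlib has no "md4" on OpenSSL 3 builds; the host inventory is constructed for the demo, and username_salted_hash only illustrates the "salted with the username" property matugm describes, it is not claimed to be the exact Windows cached-credential format.

```python
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included only so the example runs where
    hashlib exposes no 'md4' (OpenSSL 3 builds)."""
    msg = bytearray(data)
    bit_len = len(msg) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += bit_len.to_bytes(8, "little")

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (mixing function, additive constant, message-word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, const, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4  # register updated this step cycles a, d, c, b
                x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                t = (v[j] + func(x, y, z) + words[order[i]] + const) & MASK
                v[j] = _lrot(t, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return b"".join(s.to_bytes(4, "little") for s in state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. No salt and no per-host input,
    so the same password gives the same hash on every machine."""
    return md4(password.encode("utf-16le")).hex()


def username_salted_hash(password: str, username: str) -> str:
    """Illustration of the property described for cached credentials: the
    account name is folded into the digest, so one password yields a different
    value per account. Assumed shape for the demo, not the exact Windows format."""
    salted = bytes.fromhex(nt_hash(password)) + username.lower().encode("utf-16le")
    return md4(salted).hex()


def find_shared_local_admin_hashes(inventory):
    """Audit for the fleet-wide shared local admin password illumina describes.
    inventory: {hostname: nt_hash_hex}. Returns {nt_hash_hex: [hosts]} for every
    hash present on more than one host; an empty dict means no reuse found."""
    by_hash = {}
    for host, h in inventory.items():
        by_hash.setdefault(h.lower(), []).append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


# Constructed inventory: three hosts built from one image share a password,
# one does not. Plaintexts appear only to build the demo hash values.
DEMO_INVENTORY = {
    "WKS01": nt_hash("Spring2011!"),
    "WKS02": nt_hash("Spring2011!"),
    "FILESRV": nt_hash("Spring2011!"),
    "WKS03": nt_hash("a-different-one"),
}

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    for h, hosts in find_shared_local_admin_hashes(DEMO_INVENTORY).items():
        print(f"hash {h} reused on: {', '.join(hosts)}")
    print("same password, per-user salt differs:",
          username_salted_hash("Spring2011!", "alice"),
          username_salted_hash("Spring2011!", "bob"))
```

The audit needs only the hash values, never the plaintexts, so it can be run over dumps taken during an authorised review; any group it returns is a set of hosts on which one captured credential would work everywhere, which is exactly the hop illumina used. Per-host unique local administrator passwords remove the finding, and the username-salted comparison shows why cached domain credentials do not give the same cross-host property.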
schuydorsey, posted November 24, 2011
I've been playing with this in my virtual lab at home and on some machines I get:
"Exploit exception: Login Failed: The server responded with error: STATUS_TRUSTED_RELATIONSHIP_FAILURE "
Is this because those are domain attached computers?