
[ELS-TUT] Pass the Hash with Metasploit

Poll: How do you like this video? (8 members have voted)

    • Excellent: 7
    • Good: 1
    • Bad: 0


Recommended Posts

robertray

Well done matu - I will check this out asap. Just need to get my other work done first!

robertray

Hey matugm.

I checked out the video file and there is a lot going on. I think in a situation like this peeps need a bit more detail just for clarity.

I read the post below and I wanted to ask, am I right in saying that these are local SAM accounts and cached credentials?

Useful though as an aid for further research no doubt so keep up the good work.

I would say to peeps also port 88 Kerberos is always a good indication for me of a DC. Though I have to wonder why yours has port 80 open, the sys admin needs to be shot. Well that and the lack of patches :-)

Anyway http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

http://blog.metasploit.com/2010/01/safe-reliable-hash-dumping.html

matugm

About your question:

Yes, these are credentials pulled from the local SAM, and as I understand it cached credentials are a different thing (these are stored so you can log in with a domain account even if the DC is down or you are away from it). Anyway, what happens here is that the DC and the host share an account with the same credentials, and since there is no salting or anything like that, the hashes stored on both sides are the same, which is what makes it possible to log in to the DC using these credentials.

BTW, you want to write this down because it took me a while to figure out: from Vista and up you can't access admin shares by default, and psexec needs admin$ to work. Here is what you can do if you want to enable this for testing. BTW, a domain admin can bypass this but not anyone else apparently; needs more testing!

Under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System, add a new DWORD called “LocalAccountTokenFilterPolicy” and give it a value of 1.

You should check out these links for additional info:

http://www.offensive-security.com/metasploit-unleashed/PSexec_Pass_The_Hash

http://www.sans.org/reading_room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation_33283

About the port 80, I was playing with IIS and left it up =P

matugm

Yeah, that's what I was trying to say. You can also dump and crack these, but these are salted with the username so it's harder than a regular hash, and you can't use these for pass-the-hash.

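The two points made above (the SAM hash is unsalted, so an account with the same password has the identical hash on the host and on the DC; cached domain credentials are salted with the username, so they cannot be replayed the same way) can be shown directly by computing the hash forms. The following is an added example written for this thread, not code from the original post or from Metasploit. It assumes the documented formats: the NT hash is MD4 over the UTF-16LE password with no salt, MS-Cache v1 (DCC1) is MD4 over the NT hash followed by the lower-cased UTF-16LE username, and MS-Cache v2 (DCC2, Vista and later) is PBKDF2-HMAC-SHA1 of DCC1 salted with that username for 10240 iterations. Because hashlib does not always provide MD4 on current OpenSSL builds, a small pure-Python MD4 is included. The usernames and password are constructed sample values.

```python
"""Added example (not from the thread): NT hash vs. cached-credential hash.

Assumptions (documented formats, restated here):
  NT hash  = MD4(UTF-16LE(password))                       -- no salt
  DCC1     = MD4(NT hash || UTF-16LE(lower(username)))     -- username salt
  DCC2     = PBKDF2-HMAC-SHA1(DCC1, UTF-16LE(lower(username)), 10240, 16)
"""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); pure Python so it runs without OpenSSL's legacy provider."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                      # padding: a 1 bit, zeros, then the 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for step, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + words[k] + const) & MASK, shifts[step % 4])
                a, b, c, d = d, a, b, c   # rotate roles: next step updates the old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The value stored in the SAM / NTDS for a password: unsalted, so it is the
    same on every machine where the same password is set."""
    return md4(password.encode("utf-16-le"))


def dcc1(username: str, password: str) -> bytes:
    """MS-Cache v1: the cached domain logon verifier, salted with the username."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    """MS-Cache v2 (Vista+): DCC1 stretched with PBKDF2, again salted with the username."""
    salt = username.lower().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(username, password), salt, iterations, 16)


def reuse_report(password: str, usernames) -> dict:
    """Constructed scenario: one password used for a local admin on several hosts
    and cached for several domain users. Counts how many distinct stored values
    each credential form produces; 1 means the value is reusable everywhere."""
    nt = {nt_hash(password).hex() for _ in usernames}      # host-independent
    cached1 = {dcc1(u, password).hex() for u in usernames}
    cached2 = {dcc2(u, password).hex() for u in usernames}
    return {"nt_distinct": len(nt), "dcc1_distinct": len(cached1), "dcc2_distinct": len(cached2)}


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]                        # constructed sample users
    print("NT hash of 'password':", nt_hash("password").hex())
    print(reuse_report("Winter2010!", users))                # constructed sample password
```

Running it shows one NT hash for every host and user but a different cached hash per user: that is the whole reason a shared local administrator password lets one dumped SAM hash open every machine in the domain, and why giving each host its own local admin password removes that reuse while the cached credentials stay non-replayable either way.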
matugm

About the vista admin shares issue:

http://www.etcwiki.org/wiki/Psexec_with_vista

http://blogs.msdn.com/b/vistacompatteam/archive/2006/09/22/766945.aspx

After some testing I can confirm you can log in with the 'administrator' account even without the registry change; needs some testing on Win7...

matugm

OK, it looks like the administrator account is disabled by default on Win7.

illumina

Just to give you a bit of an idea of the type of situation where this might be useful to a pentest/detrimental to a company, this is one that I was able to use in a real situation:

Each of the company machines was deployed with a local administrator account, which was the same on each of the machines. Once I had a meterpreter reverse TCP payload inside the organisation, it was just a matter of waiting for *1* person to run it (didn't matter who), and I was able to use the pass the hash attack to jump around to various PCs in the organisation. Because of this, I was also able to use incognito to steal/impersonate tokens and therefore access anyone's network files, but not only that, I was able to use the same pass the hash attack to jump to the file server, which has *everyone's* tokens, as they mount network drives when they log in. From there, I was able to impersonate anyone on the network, get the Domain Admin's account, etc. Game over, so to speak.

schuydorsey

I've been playing with this in my virtual lab at home and on some machines I get:

"Exploit exception: Login Failed: The server responded with error: STATUS_TRUSTED_RELATIONSHIP_FAILURE "

Is this because those are domain attached computers?
