Title: Pass-the-hash attack with Metasploit
Post by: Orhan on May 20, 2009, 04:05:37 PM

I recently attended the very excellent SANS 560 course and there was a section on the "pass-the-hash" attack. The course covers both the pass-the-hash toolkit by Core Security and the patch for samba by JoMo-kun of FooFus. Both of which work very well. But there is an easier way!

If you're pen testing, you must be using Metasploit and there is a fantastic (and somewhat overlooked) exploit called: windows/smb/psexec

This module allows you to run a command on a remote machine. A feature of this module is that it gives you the option to add a password or a hash value to the credentials being used. So if you have just exploited a machine and gained a hash dump, simply set your username (default is administrator) and put your password hash straight into the SMBPass field:

set SMBPass {insert the LANMAN & NT hash only}

You can set up your payloads in the normal way:

set PAYLOAD windows/meterpreter/reverse_tcp

Set up your other variables and go exploit! The art of password cracking without password cracking.....

Title: Re: Pass-the-hash attack with Metasploit
Post by: Ketchup on May 20, 2009, 10:49:20 PM

I am always surprised how many workstations are running with the local Administrator account having a blank password.

Title: Re: Pass-the-hash attack with Metasploit
Post by: timmedin on May 20, 2009, 10:52:49 PM

Windows does not allow remote Admin access if the local admin (or similar privileged account) has a blank password.

"Beginning with Windows XP Home edition and later non-server editions of Windows, Windows implements the "ForceGuest" feature when the local Administrator account has a blank password. When a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping to one of the administrative shares), Windows will assign to their session a Guest access token, not an Administrator access token thereby preventing access to the entire C drive" http://en.wikipedia.org/wiki/Administrative_share

I blogged about this recently too. http://blog.securitywhole.com/2009/05/16/make-windows-more-secure-and-use-a-blank-password.aspx

Title: Re: Pass-the-hash attack with Metasploit
Post by: Ketchup on May 21, 2009, 12:42:17 AM

I wasn't sure if that applied to psexec, but now that I think about it, psexec probably uploads an exe to one of the admin shares.

I am wondering if the story is different in a Domain environment though. The reason I wonder is because I recently encountered yet another XP box that had a blank Administrator password. I was able to psexec a meterpreter shell on this box, using the local Administrator account with a blank password. I can't imagine anyone in the right mind would change group policy settings to disable this feature purposely. I can't imagine the workstation user changed it either. I don't remember, but I will go back and check the GPO dumps from that job. I am going to do some testing on a couple of domain PCs as well.

Title: Re: Pass-the-hash attack with Metasploit
Post by: timmedin on May 22, 2009, 08:58:42 AM

Quote from: Ketchup on May 21, 2009, 12:42:17 AM
I wasn't sure if that applied to psexec, but now that I think about it, psexec probably uploads an exe to one of the admin shares. I am wondering if the story is different in a Domain environment though. The reason I wonder is because I recently encountered yet another XP box that had a blank Administrator password. I was able to psexec a meterpreter shell on this box, using the local Administrator account with a blank password. I can't imagine anyone in the right mind would change group policy settings to disable this feature purposely. I can't imagine the workstation user changed it either. I don't remember, but I will go back and check the GPO dumps from that job. I am going to do some testing on a couple of domain PCs as well.

I guess I stand corrected then. My understanding was RPC would not allow you to connect since the token would be restricted due to the blank password.

Title: Re: Pass-the-hash attack with Metasploit
Post by: Ketchup on May 22, 2009, 09:58:43 AM

I think that you are correct actually, timmedin. I haven't been able to reproduce this on my domain. Still, I think that the workstation I hacked last week had some weird GPO settings on it, although I don't have that data.

I know I connected with a blank Administrator password, even Nessus identified it. I know it was XP Pro, SP2. Weird, I wish I still had access to that machine.

Title: Re: Pass-the-hash attack with Metasploit
Post by: timmedin on May 22, 2009, 10:20:39 AM

Quote from: Ketchup on May 22, 2009, 09:58:43 AM
I think that you are correct actually, timmedin. I haven't been able to reproduce this on my domain. Still, I think that the workstation I hacked last week had some weird GPO settings on it, although I don't have that data. I know I connected with a blank Administrator password, even Nessus identified it. I know it was XP Pro, SP2. Weird, I wish I still had access to that machine.

I just tested it again and I had the same result. Blank password is more secure than no password. :)
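The opening post uses the LM and NT hashes from a hash dump as-is, and the rest of the thread turns on local Administrator accounts with blank passwords. From the defender's side, the useful thing to do with such a dump is to audit it for exactly those conditions before anyone else does. The script below is an added example and is not code from the thread or from the Metasploit project: it parses pwdump-format lines (user:rid:lmhash:nthash:::), flags blank passwords via the well-known NT hash of the empty string, flags accounts that still have an LM hash stored (the LM field otherwise holds the empty-string LM constant), and calls out the built-in Administrator account by its RID of 500. The sample dump, its account names and the non-empty hash values are constructed for this example; malformed lines are reported rather than crashing the audit.

```python
"""Audit a pwdump-style hash dump for weak-credential conditions.

Added example, not the forum's or Metasploit's own code.  The sample dump
below is constructed; only the empty-string LM/NT constants are real values.
"""
import re
from dataclasses import dataclass

# Well-known constants: the LM and NT hashes of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of a blank password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample dump: two blank-password accounts, one account with an
# LM hash still present, one unremarkable account, and one malformed line.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
broken line
"""


@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump_line(line: str) -> HashEntry:
    """Parse one pwdump-format line; raise ValueError on anything malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError(f"malformed fields: {line!r}")
    return HashEntry(user, int(rid), lm, nt)


def audit_entry(entry: HashEntry) -> list[str]:
    """Return the list of weak-credential findings for one account."""
    findings = []
    if entry.nt == EMPTY_NT:
        findings.append("blank password")
    if entry.lm != EMPTY_LM:
        findings.append("LM hash stored")
    if entry.rid == 500:
        findings.append("built-in Administrator account (RID 500)")
    return findings


def audit_dump(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Audit a whole dump.

    Returns (findings keyed by user for accounts with at least one finding,
    list of lines that could not be parsed).
    """
    findings: dict[str, list[str]] = {}
    skipped: list[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entry = parse_pwdump_line(line)
        except ValueError:
            skipped.append(line)
            continue
        hits = audit_entry(entry)
        if hits:
            findings[entry.user] = hits
    return findings, skipped


if __name__ == "__main__":
    found, bad = audit_dump(SAMPLE_DUMP)
    for user, hits in found.items():
        print(f"{user}: {', '.join(hits)}")
    for line in bad:
        print(f"skipped unparseable line: {line!r}")
```

Run against a real dump, the "blank password" hits are the accounts the thread is arguing about: whether ForceGuest protects them remotely depends on the edition and policy of the target, so the safer reading of the output is that any such account is a finding in its own right.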