
[Article]-Video Tutorial: Pass-The-Hash Toolkit


don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Apr 06, 2009 3:16 pm

[Article]-Video Tutorial: Pass-The-Hash Toolkit

Another video by Ryan Linn. Same technical goodness. Enjoy!


Ryan Linn is back with another video for your learning pleasure. This time he gives a video tutorial of an existing toolset, the Pass-The-Hash Toolkit by Core Security. Core describes it as, "The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g.: users remotely logged in through Remote Desktop/Terminal Services), and also change at runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!)."

So what does all that mean? As with his other videos, Ryan tackles this topic in a very easy-to-follow process. So watch along as he integrates the PTH Toolkit into a makeshift penetration test, and shows how an attacker can utilize credentials without ever having to crack a single password. Oh, by the way, he cracks them, too. This way he can impersonate a legitimate user without knowing their password, and then again while knowing their password. Ryan then goes one step further with his talk at ChicagoCon 2009 on May 9 with fellow EH-Net Columnist Brian Wilson, when they team up for Cain BeEF Hash: Snagging Passwords without Popping Boxes. They not only show you some of their cutting-edge research results, but also perform it in a live demo! Click for Conference Details.



Let us know what you think and/or what else you'd like to see from Ryan,
Don
CISSP, MCSE, CSTA, Security+ SME

Jhaddix


Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Apr 06, 2009 3:31 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

I'd like to see Ryan do some Middler and SSL strip demos, if he has some time ;)

sommersb

Newbie

Posts: 6

Joined: Mon Dec 22, 2008 2:36 pm

Post Mon Apr 06, 2009 4:30 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

Good stuff - I like the hands-on example method in the video...

Thanks!

KrisTeason


Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Mon Apr 06, 2009 7:15 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

Nice one Linn, just finished watching it. Couldn't expect anything less than another excellent tool from Core. Keep up the good work, I'd also like to see those demos Jhaddix mentioned when whoever has time! -Coughs- Gates -Coughs- joking... :P
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

LSOChris

Post Mon Apr 06, 2009 8:12 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

I'm slacking... what videos are you talking about?

KrisTeason


Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Apr 07, 2009 10:16 am

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

The Middler & SSL Strip 8)
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

Ignatius

Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Wed Apr 08, 2009 12:48 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

I posted this question in a different thread but, following advice, I split the post and here's the question about which I'm confused:

There's an administrator logged on locally and don is logged onto the domain (how can this occur on the same XP SP3 PC?). I'm not sure how it's possible to do the Pass the Hash attack. I didn't hear specifically how the network was set up (I assume it was a domain in VMware). It appears that hashes are retrieved from the local SAM (I realise that a user logged on locally has the hashes stored there), so how would that help in gaining access to the DC? As far as I understand, when the user logs onto the domain, the username and password are checked against the DC and the local SAM is of no relevance. Are don's hashes retrieved from RAM using the utilities in the toolkit?

Sorry if my misunderstanding spreads to others, but maybe it's my interpretation of what you (Ryan) said.

Thanks for your time.

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Wed Apr 08, 2009 3:17 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

Let me set up a slightly different scenario that may help this make more sense.

You are at your workstation, and you are logged in via your domain account. You have a patch missing on your machine, and while I am on your network performing a pen test, I scan your machine and notice that it is vulnerable. By exploiting that vulnerability, I am able to get a session that has the privilege of SYSTEM. At this point, you are logged into your workstation with your credentials and I am logged on via SYSTEM. Because Windows helps you by ensuring you don't have to enter your password each time you access a resource, I can take your domain credentials, which are stored in memory, and assign them to my session as SYSTEM using iam.exe. Once I have taken your in-memory credentials, I can present them as my own without having to know your password at all.

Once I have your credentials and can impersonate you, then I would use them to go to other machines on the network. If you were a Domain Admin, for example, I could use them to perform actions on the domain controllers, or if you had access to a machine that a domain admin was logged in on, then I might move to that machine and perform the same attack again to gain the Domain Admin's credentials.

All of this happens outside the SAM; for clarity, though, when you log into a machine your credentials are often stored locally as well. The cached credential feature of Windows allows for disconnected use of machines, but also allows for your domain credentials to be stored locally on machines that you have logged into. These credentials can also be attacked and cracked even when you are not on the machine.

If you have any more questions, please let me know.
-Ryan
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
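From the defender's side, the reuse Ryan describes leaves a trace on the machines the credentials are presented to: the toolkit swaps the NTLM hash into the session, so the resulting network logons on the target hosts are NTLM authentications by a domain account that, in a healthy domain, should be using Kerberos. The script below is an added example, not part of the thread, the video or Core's toolkit. It scans Windows 4624 logon records for NTLM network logons by privileged accounts or from a workstation other than the one the account normally uses. The flat "key=value" log format, the host names, the privileged-account list and the per-account home workstation baseline are all constructed assumptions; the account name casing is normalised to match the baseline.

```python
"""Heuristic scan of Windows 4624 logon events for reused domain credentials.

Added example, not from the video or the toolkit.  The log lines, host names
and baseline tables are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int
    auth_package: str   # AuthenticationPackageName: Kerberos or NTLM
    account: str        # DOMAIN\user, upper-cased
    source_host: str    # WorkstationName: where the logon came from
    target_host: str    # Computer: the host that recorded the event


def parse_event(line: str) -> LogonEvent:
    """Parse one 'key=value key=value ...' line (constructed flat format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return LogonEvent(
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthenticationPackageName"],
        account=f'{fields["TargetDomainName"]}\\{fields["TargetUserName"]}'.upper(),
        source_host=fields["WorkstationName"].upper(),
        target_host=fields["Computer"].upper(),
    )


def suspect_reason(ev: LogonEvent, privileged: Set[str],
                   home_workstation: Dict[str, str]) -> Optional[str]:
    """Return why a network logon looks like reused credentials, or None.

    Only NTLM network logons (type 3) are considered.  A domain account
    reaching a domain-joined host normally authenticates with Kerberos; a
    hash injected into a session can only produce NTLM on the target.  Hosts
    addressed by raw IP also fall back to NTLM, so this is a heuristic that
    needs a baseline, not proof on its own.
    """
    if ev.event_id != 4624 or ev.logon_type != 3:
        return None
    if ev.auth_package.upper() != "NTLM":
        return None
    reasons: List[str] = []
    if ev.account in privileged:
        reasons.append("privileged account authenticated over NTLM")
    home = home_workstation.get(ev.account)
    if home is not None and ev.source_host != home:
        reasons.append(f"came from {ev.source_host}, not usual workstation {home}")
    return "; ".join(reasons) if reasons else None


def scan(lines: Iterable[str], privileged: Set[str],
         home_workstation: Dict[str, str]) -> List[Tuple[LogonEvent, str]]:
    """Return (event, reason) pairs for every suspicious record."""
    hits: List[Tuple[LogonEvent, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        why = suspect_reason(ev, privileged, home_workstation)
        if why:
            hits.append((ev, why))
    return hits


# Constructed baseline: which accounts are privileged and where they normally sit.
PRIVILEGED = {"CORP\\DON"}
HOME_WORKSTATION = {"CORP\\DON": "DON-PC"}

# Constructed sample records: a normal Kerberos logon, a local interactive logon,
# an ordinary user over NTLM, and the domain admin's hash replayed against the DC
# from the workstation that was compromised.
SAMPLE_LOG = """
EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetDomainName=CORP TargetUserName=don WorkstationName=DON-PC Computer=FS01
EventID=4624 LogonType=2 AuthenticationPackageName=NTLM TargetDomainName=DON-PC TargetUserName=Administrator WorkstationName=DON-PC Computer=DON-PC
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetDomainName=CORP TargetUserName=alice WorkstationName=ALICE-PC Computer=FS01
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetDomainName=CORP TargetUserName=don WorkstationName=WS-UNPATCHED Computer=DC01
"""

if __name__ == "__main__":
    for ev, why in scan(SAMPLE_LOG.splitlines(), PRIVILEGED, HOME_WORKSTATION):
        print(f"{ev.target_host}: {ev.account} from {ev.source_host}: {why}")
```

Only the last record is reported. The two baseline tables are the important part: without knowing which accounts matter and where they normally log on from, an NTLM network logon is just noise, which is why this belongs in a SIEM rule fed from the directory rather than as a stand-alone script.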

Ignatius

Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Wed Apr 08, 2009 3:59 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

Thank you Ryan - that's crystal clear now. My confusion was about the terminology. When you mentioned logged in, I interpreted "logged into the PC" as if it were standalone and not connected to the domain (hence my mentioning SAM). I appreciate now that I (as the victim of your attack) am actually logged onto the domain via the PC on my desk. I realise that you are somewhere else on the network and compromise my system. I was unaware that my domain credentials would be stored in RAM and that Windows uses them every time I access a resource. When you've explained it as clearly as you have, it all makes perfect sense, and it would be a real pain to have an annoying username/password dialogue every time I wanted to access something!

Thank you for your efforts and, like others, I am looking forward to your future video tutorials.

jason


Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Wed Apr 08, 2009 8:39 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

Hey cool stuff Ryan. You da man!

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Fri Apr 10, 2009 2:12 pm

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

Great video.

Everything looks very easy, but I know we have to learn a lot to do it and understand how to get the box. Hopefully after my MCSA and Linux+ I will go for CEH.

Great video again and thanks.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

KrisTeason


Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Wed Apr 15, 2009 2:58 am

Re: [Article]-Video Tutorial: Pass-The-Hash Toolkit

Maybe I'm late on this one (not sure if anyone's posted anything on it) but I just saw a video on SSLStrip on John Strand's page:

http://vimeo.com/3970303

It's a damn good video too, very well explained. Hope it helps! 8)
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
