
Pass-the-hash attack with Metasploit

Orhan

Newbie

Posts: 14

Joined: Wed May 20, 2009 2:26 pm

Post Wed May 20, 2009 4:05 pm

Pass-the-hash attack with Metasploit

I recently attended the very excellent SANS 560 course and there was a section on the "pass-the-hash" attack. The course covers both the pass-the-hash toolkit by Core Security and the patch for samba by JoMo-kun of FooFus, both of which work very well. But there is an easier way!

If you're pen testing, you must be using Metasploit and there is a fantastic (and somewhat overlooked) exploit called:

windows/smb/psexec

This module allows you to run a command on a remote machine. A feature of this module is that it gives you the option to add a password or a hash value to the credentials being used. So if you have just exploited a machine and gained a hash dump, simply set your username (default is administrator) and put your password hash straight into the SMBPass field:

set SMBPass {insert in the LANMAN & NT hash only}

You can setup your payloads in the normal way:

set PAYLOAD windows/meterpreter/reverse_tcp

Setup your other variables and go exploit!

The art of password cracking without password cracking.....
GPEN OSCP OSWP CCSE CCSA CHFI..etc
Bronze Swimming certificate..
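From the defender's side, the psexec module leaves a recognisable pair of host artefacts: an NTLM network logon over SMB (a hash cannot be used for Kerberos) followed within seconds by a new service installed to run the payload. The Python below is an added example written for this thread, not code from the original post or from Metasploit; it correlates those two events over a constructed sample set modelled on Windows Security 4624 and System 7045 records (event IDs for Vista and later; field names are my own simplification).

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs) modelled on Security 4624
# (logon) and System 7045 (new service installed) events.
SAMPLE_EVENTS = [
    {"time": "2009-05-20 16:05:01", "id": 4624, "host": "WS1", "logon_type": 3,
     "auth": "NTLM", "user": "Administrator", "src_ip": "10.0.0.5"},
    {"time": "2009-05-20 16:05:03", "id": 7045, "host": "WS1",
     "service": "XyZabc", "image": "%SystemRoot%\\XyZabc.exe"},
    # Benign: Kerberos network logon with no service install afterwards.
    {"time": "2009-05-20 16:20:00", "id": 4624, "host": "WS2", "logon_type": 3,
     "auth": "Kerberos", "user": "jdoe", "src_ip": "10.0.0.9"},
    # Service install far outside the window of any remote NTLM logon.
    {"time": "2009-05-20 17:00:00", "id": 7045, "host": "WS1",
     "service": "Spooler", "image": "%SystemRoot%\\spoolsv.exe"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_psexec_like(events, window_seconds=60):
    """Correlate a remote NTLM network logon (4624, logon type 3) with a
    service installed (7045) on the same host within window_seconds.
    Returns a list of (host, user, src_ip, service) tuples."""
    logons = [e for e in events
              if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM"]
    services = [e for e in events if e["id"] == 7045]
    hits = []
    for lg in logons:
        t0 = parse_time(lg["time"])
        for sv in services:
            delta = parse_time(sv["time"]) - t0
            # Service install must follow the logon, on the same host, inside the window.
            if sv["host"] == lg["host"] and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                hits.append((lg["host"], lg["user"], lg["src_ip"], sv["service"]))
    return hits


if __name__ == "__main__":
    for hit in find_psexec_like(SAMPLE_EVENTS):
        print("possible psexec / pass-the-hash: host=%s user=%s from=%s service=%s" % hit)
```

On XP-era systems the equivalent logon event is 540 rather than 4624; the correlation logic is the same.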
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed May 20, 2009 10:49 pm

Re: Pass-the-hash attack with Metasploit

I am always surprised how many workstations are running with the local Administrator account having a blank password. 
~~~~~~~~~~~~~~
Ketchup
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed May 20, 2009 10:52 pm

Re: Pass-the-hash attack with Metasploit

Windows does not allow remote Admin access if the local admin (or similar privileged account) has a blank password.

"Beginning with Windows XP Home edition and later non-server editions of Windows, Windows implements the "ForceGuest" feature when the local Administrator account has a blank password. When a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping to one of the administrative shares), Windows will assign to their session a Guest access token, not an Administrator access token thereby preventing access to the entire C drive"

http://en.wikipedia.org/wiki/Administrative_share

I blogged about this recently too.
http://blog.securitywhole.com/2009/05/1 ... sword.aspx
Last edited by timmedin on Wed May 20, 2009 10:54 pm, edited 1 time in total.
twitter.com/timmedin | http://blog.securitywhole.com
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 21, 2009 12:42 am

Re: Pass-the-hash attack with Metasploit

I wasn't sure if that applied to psexec, but now that I think about it, psexec probably uploads an exe to one of the admin shares.

I am wondering if the story is different in a Domain environment though. The reason I wonder is because I recently encountered yet another XP box that had a blank Administrator password. I was able to psexec a meterpreter shell on this box, using the local Administrator account with a blank password. I can't imagine anyone in the right mind would change group policy settings to disable this feature purposely. I can't imagine the workstation user changed it either. I don't remember, but I will go back and check the GPO dumps from that job. I am going to do some testing on a couple of domain PCs as well.
~~~~~~~~~~~~~~
Ketchup
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri May 22, 2009 8:58 am

Re: Pass-the-hash attack with Metasploit

Ketchup wrote:I wasn't sure if that applied to psexec, but now that I think about it, psexec probably uploads an exe to one of the admin shares.

I am wondering if the story is different in a Domain environment though. The reason I wonder is because I recently encountered yet another XP box that had a blank Administrator password. I was able to psexec a meterpreter shell on this box, using the local Administrator account with a blank password. I can't imagine anyone in the right mind would change group policy settings to disable this feature purposely. I can't imagine the workstation user changed it either. I don't remember, but I will go back and check the GPO dumps from that job. I am going to do some testing on a couple of domain PCs as well.

I guess I stand corrected then. My understanding was RPC would not allow you to connect since the token would be restricted due to the blank password.
twitter.com/timmedin | http://blog.securitywhole.com
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri May 22, 2009 9:58 am

Re: Pass-the-hash attack with Metasploit

I think that you are correct actually, timmedin. I haven't been able to reproduce this on my domain. Still, I think that the workstation I hacked last week had some weird GPO settings on it, although I don't have that data. I know I connected with a blank Administrator password, even Nessus identified it. I know it was XP Pro, SP2. Weird, I wish I still had access to that machine.
~~~~~~~~~~~~~~
Ketchup
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri May 22, 2009 10:20 am

Re: Pass-the-hash attack with Metasploit

Ketchup wrote:I think that you are correct actually, timmedin. I haven't been able to reproduce this on my domain. Still, I think that the workstation I hacked last week had some weird GPO settings on it, although I don't have that data. I know I connected with a blank Administrator password, even Nessus identified it. I know it was XP Pro, SP2. Weird, I wish I still had access to that machine.


I just tested it again and I had the same result. Blank password is more secure than no password. :)
twitter.com/timmedin | http://blog.securitywhole.com