Problem: Recently I found the need to pass the hash without using Metasploit's psexec module. Ok, no problem, Google-fu engage.
At least one article claimed that psexec could pass the hash if you supplied the hash after the "-p" argument.
psexec does NOT pass the hash by itself.
Here is how to do it.
First, get Windows Credential Editor (WCE); version 1.3 is the newest at the time of this writing. WCE is a tool that can dump clear-text passwords from memory or let you perform pass-the-hash attacks.
This quick tutorial assumes that you are leveraging a local Administrator account that has the same password on multiple machines in the environment (pretty common).
First, dump the password hashes. There are a lot of tools for this: if the Administrator is logged on, WCE will work, just run wce.exe. If not, you can try fgdump. Either way, get hashes.
Here you can see the local Administrator on the machine MILTON-PC, along with the LM and NTLM hashes.
*Note* if you use "wce -w", depending on the contents of memory, you may just dump plain-text passwords.
But this isn't about that.
You can use "wce -s" to change your credentials in memory. Passing the hash to another system then becomes a matter of changing your in-memory credentials to that system's. You can then use psexec or other commands, and the remote system accepts those credentials without challenging you.
The remote system I will be "passing the hash" to is PeterGibbons-pc, so in my example I just switch "MILTON-PC" with "PETERGIBBONS-PC" and that is that. (This works because the local Administrator accounts have the same password; if they are different, this will be a big fail.)
A good step would be to map the administrative share so that psexec has it available when it needs it. If this works, you are in business.
Some reasons this may fail:
- Windows Firewall rules are set to disallow Remote Administration
  - This is going to be the default if your lab includes fresh Windows VMs; just disable the firewall.
- The local account hashes are not the same
  - Dump the hashes on both systems to check whether they are the same; if they are different, you're going to have a bad time. (This is also why unique local Administrator passwords per machine stop this technique cold.)
- Your domain is wrong
  - Fix it.
Now you can finally use psexec to get a remote shell, or upload whatever you want using the "-c" flag.