9/8/12

Pass the Hash without Metasploit

Problem:

Recently I found the need to pass the hash without using Metasploit's psexec module. OK, no problem: Google-fu, engage.

At least one article mentioned that psexec could pass the hash by throwing the hash after the "-p" argument.

psexec does NOT pass the hash by itself.


Here is how to do it.

Scenario: 


First, get Windows Credential Editor (WCE); version 1.3 is the newest at the time of this writing. WCE is a tool that can dump clear text passwords from memory or allow you to perform pass the hash attacks.


This quick tutorial assumes that you are leveraging a local administrator account that has the same password on multiple machines in an environment. (pretty common).

First, dump password hashes. There are a lot of tools to do this: if the Administrator is logged on, WCE will work, just run wce.exe. If not, you can try fgdump. Either way, get hashes.

Here you can see the local Administrator on the machine MILTON-PC, along with the LM and NTLM hashes.

*Note* if you use "wce -w" depending on the contents of memory you may just dump plain text passwords.

But this isn't about that....

You can use "wce -s" to change your credentials in memory. Passing the hash to another system then becomes a matter of changing your in-memory credentials to that system's. You can then use psexec or other commands, and the remote system will not challenge your authority to do so.

The remote system I will be "passing the hash" to is PETERGIBBONS-PC, so in my example I just switch "MILTON-PC" with "PETERGIBBONS-PC" and that is that. (This works because the local Administrator accounts have the same password; if they are different, this will be a big fail.)

A good step would be to map the administrative share so that psexec has it available when it needs it. If this works you are in business.

Some reasons this may fail:

  • Windows Firewall rules are set to disallow Remote Administration
    • This is the default if your lab includes fresh Windows VMs; just disable the firewall.
  • The local account hashes are not the same
    • Dump the hashes on both systems to check whether they match; if they are different, you're going to have a bad time.
  • Your domain is wrong.
    • Fix it.

Now you can finally use psexec and have a remote shell, or upload whatever you want using the "-c" flag.
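The mirror image of the steps above, as an added example that is not part of the original post: what the share mapping and psexec connection look like in the target's Security log, and how a defender picks them out. The post's own failure condition, local Administrator hashes that differ between machines, is also the mitigation, so the script groups hits by source host to show how far one reused password reaches. It assumes Windows Security event 4624 records reduced to the fields a SIEM would keep (TargetUserName, TargetDomainName, LogonType, AuthenticationPackageName, WorkstationName, Computer); the sample records, hostnames and addresses are constructed for this example.

```python
"""Flag NTLM network logons that use a local Administrator account from another host.

Constructed example (not from the original post): Windows Security event 4624
records, reduced to the fields a SIEM would keep, are embedded inline.
"""
from collections import defaultdict

# Constructed sample records. LogonType 3 is a network logon (SMB share mapping,
# psexec); AuthenticationPackageName "NTLM" with LogonProcessName "NtLmSsp" marks
# NTLM authentication, which is what a passed hash produces on the target.
SAMPLE_EVENTS = [
    # Domain user mapping a share with Kerberos: benign.
    {"EventID": 4624, "TargetUserName": "mbolton", "TargetDomainName": "INITECH",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "WorkstationName": "MILTON-PC", "IpAddress": "10.0.0.5", "Computer": "PETERGIBBONS-PC"},
    # Console logon by the local Administrator: benign.
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "PETERGIBBONS-PC",
     "LogonType": 2, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32 ",
     "WorkstationName": "PETERGIBBONS-PC", "IpAddress": "127.0.0.1", "Computer": "PETERGIBBONS-PC"},
    # Local Administrator authenticating over the network with NTLM from another
    # machine: the share mapping / psexec step of the post as seen on the target.
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "PETERGIBBONS-PC",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp ",
     "WorkstationName": "MILTON-PC", "IpAddress": "10.0.0.7", "Computer": "PETERGIBBONS-PC"},
    # Same pattern against a second host from the same source (constructed name).
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "SAMIR-PC",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp ",
     "WorkstationName": "MILTON-PC", "IpAddress": "10.0.0.7", "Computer": "SAMIR-PC"},
]


def is_local_account(event):
    """For a local account, TargetDomainName is the computer's own name, not the domain."""
    return event["TargetDomainName"].upper() == event["Computer"].upper()


def is_remote_ntlm_admin_logon(event):
    """Network (type 3) NTLM logon as the local Administrator from a different host."""
    return (
        event["EventID"] == 4624
        and event["LogonType"] == 3
        and event["AuthenticationPackageName"].upper() == "NTLM"
        and is_local_account(event)
        and event["TargetUserName"].lower() == "administrator"
        and event["WorkstationName"].upper() != event["Computer"].upper()
    )


def find_pth_candidates(events):
    """Return the matching events and, per source host, the sorted list of targets reached."""
    hits = [e for e in events if is_remote_ntlm_admin_logon(e)]
    targets_by_source = defaultdict(set)
    for e in hits:
        targets_by_source[e["WorkstationName"].upper()].add(e["Computer"].upper())
    return hits, {src: sorted(t) for src, t in targets_by_source.items()}


if __name__ == "__main__":
    hits, spread = find_pth_candidates(SAMPLE_EVENTS)
    for e in hits:
        print(f"{e['Computer']}: NTLM network logon as local {e['TargetUserName']} "
              f"from {e['WorkstationName']} ({e['IpAddress']})")
    for src, targets in spread.items():
        if len(targets) > 1:
            print(f"{src} reached {len(targets)} hosts with a local Administrator "
                  f"NTLM logon: {', '.join(targets)}")
```

A single hit is ordinary administration on many networks; one source reaching several hosts with a local Administrator NTLM logon is the shape of the lateral movement the post describes, and a local Administrator password that is unique per machine is what turns the post's procedure into its own "big fail" case.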

2 comments:

  1. Thanks for the tutorials, your stuff has helped me learn.
    I am in the same process of establishing a VirtualBox network to learn pen-testing on an Ubuntu Precise Toshiba laptop I knocked the EISA partition off of.
    I was hoping to download BackTrack as well, and this is the point of my question. I have tried everything: FTP, torrents, but they all fail at about halfway, and as I'm not really up to scratch I'm a bit pensive about using unencrypted telnet and have to read up on ssh. I even decided to go against their site advice and try a manager as nothing else seemed to work, but the checksum was way out, which leads me to suspect that even though it stated the download was successful the file was again stopped at about half the size. Could you please explain the method you had success with so I can at least apply tenacity in confidence?
    I got to thinking that, as I am in a situation where I can only implement mobile BB, they might get peeved at me choking the bandwidth with such a laborious instance and chop the connection (can't say I blame 'em). I'm getting to the stage I wish they sold live disks or flash drives, as my main trade was rendered redundant by computer tech, so if you can't beat 'em :)......
    Thanks for sharing again, it's pertinent and useful information and I appreciate it.
    Be well.