Metasploit mailing list archives
Re: PSEXEC - Pass the Hash - Domain Credentials
From: Carlos Perez <carlos_perez () darkoperator com>
Date: Sat, 30 Jan 2010 21:16:55 -0400
Upload dsadd tool and execute it with the -t option meterpreter

http://support.microsoft.com/kb/322684

Sent from my Mobile Phone

On Jan 30, 2010, at 7:28 PM, troy () defendit com au wrote:
Hi All,

Is it possible to "pass the hash" using domain credentials to a DC?

The situation I find myself in. You get SYSTEM or Local Admin privs on a domain member (server/workstation). You PSEXEC pass the local admin account hash around to other boxes until you find one that a Domain Administrator has used recently (using incognito). Impersonate the domain admin account then gives you domain admin access, so you can map drives, create domain users (dependent on policy). However, you can not change the group membership of domain accounts, this must be done on a DC.

Meterpreter can not dump cached credentials, so I use smb_relay and get the impersonated account to map to my smb_relay and capture the challenge response. Which looks like:

pwfile
Administrator:ACME:1122334455667788:8b35f9c3c5dd2e65b50eeac1fa8056e809f3c2c21aa1572f:c3d6d3245736dc5168c89e2dc1c48fd939f964ed1f0faa04

logfile
HOMER:192.168.0.9:<NULL>:<NULL>:Windows 2002 2600:<NULL>:<NULL>:Fri Jan 29 19:14:25 -0500 2010
HOMER:192.168.0.9:Administrator:ACME:Windows 2002 2600:c3d6d3245736dc5168c89e2dc1c48fd939f964ed1f0faa04:8b35f9c3c5dd2e65b50eeac1fa8056e809f3c2c21aa1572f:Fri Jan 29 19:14:25 -0500 2010

Load up smb/psexec and payload meterpreter/bind_tcp
set SMBUser Administrator
set SMBDomain ACME

Attempt the hash above and I get STATUS_LOGON_FAILURE.

Even using the known password I can not psexec to the DC, but the known password will work to a member server (still not to the DC).

Could anybody provide their input please?

Thanks in advance.

Regards,
Troy

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework