PSEXEC - Pass the Hash - Domain Credentials

[troy () defendit com au]

Hi All,

Is it possible to "pass the hash" using domain credentials to a DC?

The situation I find myself in. You get SYSTEM or Local Admin privs on a
domain member (server/workstation). You PSEXEC pass the local admin
account hash around to other boxes until you find one that a Domain
Administrator has used recently (using incognito). Impersonate the domain
admin account then gives you domain admin access, so you can map drives,
create domain users (dependent on policy). However, you can not change the
group membership of domain accounts, this must be done on a DC.
Meterpreter can not dump cached credentials, so I use smb_relay and get
the impersonated account to map to my smb_relay and capture the challenge
response. Which looks like:

pwfile
Administrator:ACME:1122334455667788:8b35f9c3c5dd2e65b50eeac1fa8056e809f3c2c21aa1572f:c3d6d3245736dc5168c89e2dc1c48fd939f964ed1f0faa04

logfile
HOMER:192.168.0.9:<NULL>:<NULL>:Windows 2002 2600:<NULL>:<NULL>:Fri Jan 29
19:14:25 -0500 2010
HOMER:192.168.0.9:Administrator:ACME:Windows 2002
2600:c3d6d3245736dc5168c89e2dc1c48fd939f964ed1f0faa04:8b35f9c3c5dd2e65b50eeac1fa8056e809f3c2c21aa1572f:Fri
Jan 29 19:14:25 -0500 2010

Load up smb/psexec and payload meterpreter/bind_tcp
set SMBUser Administrator
set SMBDomain ACME

Attempt the hash above and I get STATUS_LOGON_FAILURE. Even using the
known password I can not psexec to the DC, but the known password will
work to a member server (still not to the DC).

Could anybody provide their input please?

Thanks in advance.

Regards,
Troy


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework