Metasploit mailing list archives
Re: PSEXEC - Pass the Hash - Domain Credentials
From: HD Moore <hdm () metasploit com>
Date: Sun, 31 Jan 2010 00:11:35 -0600
On 1/30/2010 5:28 PM, troy () defendit com au wrote:
Meterpreter cannot dump cached credentials, so I use smb_relay and get the impersonated account to map to my smb_relay and capture the challenge response. Which looks like:
As jcran said, those tokens are not the raw LM/NTLM hash, they are the hash encrypted against the challenge ID. Normally, you would just set SMBPASS LMHASH:NTLMHASH, but in this case you still don't have the raw hashes to work with. One way to solve this is by using your SMB relayed session to run hashdump, then use those hashes with PTH.

-HD
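To make HD's distinction concrete, here is an added Python example (not code from the list post or from Metasploit) that derives the NTLMv2 proof from an NT hash as MS-NLMP describes and shows it is bound to the server challenge, unlike the LMHASH:NTLMHASH pair that SMBPass takes; the NT hash, user, domain, challenges and client blob are constructed sample values.

```python
import hmac
import hashlib
import re

# Constructed sample values (not a real account). The NT hash is the 16-byte MD4 of
# the password, shown here in the 32-hex form that SMBPass expects after the colon.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty/absent password
USER, DOMAIN = "svc_backup", "CORP"


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UPPER(user) + domain encoded as UTF-16LE."""
    data = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def ntlmv2_proof(nt_hash: bytes, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5(NTLMv2 key, server challenge || client blob).
    This 16-byte value is what a relay or sniffer sees on the wire; the NT
    hash itself never leaves the client."""
    key = ntlmv2_key(nt_hash, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()


def is_pth_credential(s: str) -> bool:
    """Syntactic check for the LMHASH:NTLMHASH form SMBPass accepts."""
    return re.fullmatch(r"[0-9a-f]{32}:[0-9a-f]{32}", s.lower()) is not None


def demo() -> dict:
    # Two different 8-byte server challenges and one (shortened) client blob, constructed.
    chal_a = bytes.fromhex("1122334455667788")
    chal_b = bytes.fromhex("8877665544332211")
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 \
        + bytes.fromhex("a1a2a3a4a5a6a7a8") + b"\x00" * 4
    proof_a = ntlmv2_proof(NT_HASH, USER, DOMAIN, chal_a, blob)
    proof_b = ntlmv2_proof(NT_HASH, USER, DOMAIN, chal_b, blob)
    return {
        "proof_a": proof_a.hex(),
        "proof_b": proof_b.hex(),
        # Same length as an NT hash, so length alone cannot tell them apart ...
        "same_length_as_hash": len(proof_a) == len(NT_HASH),
        # ... but the proof changes with the challenge while the hash does not,
        # which is why a captured token is not a reusable pass-the-hash credential.
        "challenge_bound": proof_a != proof_b,
        "pth_form": f"{EMPTY_LM}:{NT_HASH.hex()}",
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```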
Current thread:
- PSEXEC - Pass the Hash - Domain Credentials troy (Jan 30)
- Re: PSEXEC - Pass the Hash - Domain Credentials Carlos Perez (Jan 30)
- Re: [Fwd: PSEXEC - Pass the Hash - Domain Credentials] Jonathan Cran (Jan 30)
- Re: PSEXEC - Pass the Hash - Domain Credentials HD Moore (Jan 30)