Re: Simple script to swap hashes in SAM ..

[John Nash <rootsecurityfreak () gmail com>]

i am targeting a local account right now ...

yes, it's for a pentest. Have broken in but wanted to take a video of me
logging in as admin ... but ensuring that the admin never knows or suspects
till he sees the final report + vid  :)



On Tue, Sep 7, 2010 at 7:39 PM, Craig Freyman <craigfreyman () gmail com>wrote:

> If its an Active Directory environment I dont think it would work since the
> password hashes are also stored with the user account unless you're trying
> to use a local account. Is this for a pentest?
>
>
> On Tue, Sep 7, 2010 at 8:03 AM, John Nash <rootsecurityfreak () gmail com>wrote:
>
> > Craig,
> >
> > I am not trying to crack the hash.
> >
> > Quick breakdown:
> >
> > 1. I will generate hashes for a given password locally
> > 2. I will backup the hashes in the SAM for the admin account on the victim
> > 3. I will replace the hashes in the SAM file on the victim  with the one i
> > have generated in (1)
> > 4. I will login as admin and do what i want (i know the pass for the new
> > hashes stored)
> > 5. Restore the original hashes which i backed up in (2)
> > 6. now when the admin is back he can login without issues
> >
> > would this work?
> >
> >
> >
> > On Tue, Sep 7, 2010 at 7:28 PM, Craig Freyman <craigfreyman () gmail com>wrote:
> >
> > > I dont know, I doubt it.
> > >
> > > Have you tried running your hash through something like
> > > http://www.lmcrack.com/index.php ?
> > >
> > >
> > > On Tue, Sep 7, 2010 at 7:56 AM, John Nash <rootsecurityfreak () gmail com>wrote:
> > >
> > > > the OS is win 2003 server  ... i know i can run a keylogger after
> > > > attaching to winlogon.exe or some other process attached to the winlogon
> > > > desktop in winsta0
> > > > but waiting for an admin may take too long ...
> > > >
> > > > would the solution i am proposing work? if it does, wait time is almost
> > > > 0.
> > > >
> > > >
> > > >
> > > > On Tue, Sep 7, 2010 at 7:20 PM, Craig Freyman <craigfreyman () gmail com>wrote:
> > > >
> > > > > What is the OS of the box you popped? Do you already have meterpreter?
> > > > > Did you try running a simple keylogger to have the Admin give the password
> > > > > right to you?
> > > > >
> > > > > On Tue, Sep 7, 2010 at 3:18 AM, John Nash <rootsecurityfreak () gmail com
> > > > > > wrote:
> > > > >
> > > > > > Hello List,
> > > > > >
> > > > > > While trying some post exploitation, one of the major issues i guess
> > > > > > is to login to the system as a user over rdp.
> > > > > >
> > > > > > We can do this in a couple of ways:
> > > > > >
> > > > > >
> > > > > >    1. create a new user <--- will create alarms
> > > > > >    2. change the password of existing user
> > > > > >
> > > > > >
> > > > > > in case of (2) i was wondering would it be possible to just swap the
> > > > > > existing hash with a new one (we now the password which hashes to this one)
> > > > > > .... then do all we need to on the remote system ....
> > > > > > then just replace the old hash for the original password back into the
> > > > > > SAM.
> > > > > >
> > > > > > Is there any reason why this should not be possible? If yes, a
> > > > > > meterepreter script could do this job very easily ....
> > > > > >
> > > > > > thoughts?
> > > > > >
> > > > > > Rgds,
> > > > > >
> > > > > > jn
> > > > > >
> > > > > > _______________________________________________
> > > > > > https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework