Metasploit mailing list archives

Re: Simple script to swap hashes in SAM ..


From: John Nash <rootsecurityfreak () gmail com>
Date: Tue, 7 Sep 2010 19:53:46 +0530

I had proposed creation of a new user as an option, and "clearev" can
clear the event logs ... but overall, creation of a new user is a messy
affair.
This would definitely be the last resort .... but I am just curious whether what
I am proposing would work, theoretically to begin with?

On Tue, Sep 7, 2010 at 7:49 PM, ricky-lee birtles <mr.r.birtles () gmail com> wrote:

If I remember correctly (not at my home laptop to check) I do
believe Metasploit offers a script to delete event logs. Could you not
add a new account, record the login, then remove the account and
finally clean out the account creation and login events?

Regards,
-- Mr R Birtles



On 7 September 2010 15:13, John Nash <rootsecurityfreak () gmail com> wrote:
I am targeting a local account right now ...
Yes, it's for a pentest. I have broken in but wanted to take a video of me
logging in as admin ... while ensuring that the admin never knows or suspects
until he sees the final report + vid :)


On Tue, Sep 7, 2010 at 7:39 PM, Craig Freyman <craigfreyman () gmail com> wrote:

If it's an Active Directory environment I don't think it would work, since
the password hashes are also stored with the user account, unless you're
trying to use a local account. Is this for a pentest?

On Tue, Sep 7, 2010 at 8:03 AM, John Nash <rootsecurityfreak () gmail com> wrote:

Craig,
I am not trying to crack the hash.
Quick breakdown:
1. I will generate hashes for a given password locally.
2. I will back up the hashes in the SAM for the admin account on the victim.
3. I will replace the hashes in the SAM file on the victim with the
ones I have generated in (1).
4. I will log in as admin and do what I want (I know the password for the
new hashes stored).
5. Restore the original hashes which I backed up in (2).
6. Now when the admin is back he can log in without issues.
Would this work?


On Tue, Sep 7, 2010 at 7:28 PM, Craig Freyman <craigfreyman () gmail com> wrote:

I don't know, I doubt it.
Have you tried running your hash through something
like http://www.lmcrack.com/index.php ?

On Tue, Sep 7, 2010 at 7:56 AM, John Nash <rootsecurityfreak () gmail com> wrote:

The OS is Win 2003 Server ... I know I can run a keylogger after
attaching to winlogon.exe or some other process attached to the
winlogon desktop in winsta0,
but waiting for an admin may take too long ...
Would the solution I am proposing work? If it does, the wait time is
almost 0.


On Tue, Sep 7, 2010 at 7:20 PM, Craig Freyman <craigfreyman () gmail com> wrote:

What is the OS of the box you popped? Do you already have meterpreter?
Did you try running a simple keylogger to have the Admin give the
password right to you?

On Tue, Sep 7, 2010 at 3:18 AM, John Nash <rootsecurityfreak () gmail com> wrote:

Hello List,
While trying some post exploitation, one of the major issues I
guess is to log in to the system as a user over RDP.
We can do this in a couple of ways:

1. create a new user <--- will create alarms
2. change the password of an existing user

In case of (2) I was wondering whether it would be possible to just swap
the existing hash with a new one (we know the password which hashes to
this one) .... then do all we need to on the remote system ....
then just put the old hash for the original password back into
the SAM.
Is there any reason why this should not be possible? If not, a
meterpreter script could do this job very easily ....
Thoughts?
Rgds,
jn
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
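The thread above turns on which traces a tester leaves behind: Birtles notes that account creation and the login itself are logged, and Nash notes that "clearev" wipes the event logs. As an added example that is not part of the thread, this Python triage runs over constructed Windows Security events (Vista/2008+ event IDs 4624 logon, 4720 account created, 4726 account deleted, 1102 audit log cleared; a 2003-era server uses 528, 624, 630 and 517 instead) and flags, from the defender's side, exactly those traces: a short-lived account, a cleared log, and an RDP logon by a watched admin account.

```python
from typing import Dict, List, Tuple

# Constructed sample Security-log events, simplified to
# (event_id, seconds, subject_user, target_user, logon_type).
# Logon type 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS: List[Tuple[int, int, str, str, int]] = [
    (4624, 100, "-", "Administrator", 10),       # RDP logon as Administrator
    (4720, 110, "Administrator", "svc_tmp", 0),  # account svc_tmp created
    (4624, 120, "-", "svc_tmp", 10),             # the new account logs in
    (4726, 300, "Administrator", "svc_tmp", 0),  # account svc_tmp deleted again
    (1102, 310, "Administrator", "-", 0),        # audit log cleared
    (4720, 400, "Administrator", "alice", 0),    # ordinary creation, never deleted
]

def short_lived_accounts(events, max_age: int = 3600) -> List[str]:
    """Accounts created (4720) and deleted again (4726) within max_age seconds."""
    created: Dict[str, int] = {}
    flagged: List[str] = []
    for eid, ts, _subject, target, _ltype in events:
        if eid == 4720:
            created[target] = ts
        elif eid == 4726 and target in created and ts - created[target] <= max_age:
            flagged.append(target)
    return flagged

def log_clears(events) -> List[Tuple[int, str]]:
    """(timestamp, actor) for every audit-log-cleared event (1102)."""
    return [(ts, subject) for eid, ts, subject, _t, _ltype in events if eid == 1102]

def remote_admin_logons(events, admins=frozenset({"Administrator"})) -> List[int]:
    """Timestamps of RDP (logon type 10) logons by a watched admin account."""
    return [ts for eid, ts, _s, target, ltype in events
            if eid == 4624 and ltype == 10 and target in admins]

def triage(events) -> Dict[str, list]:
    """Collect all three findings so one call can feed an alert or a report."""
    return {
        "short_lived_accounts": short_lived_accounts(events),
        "log_clears": log_clears(events),
        "remote_admin_logons": remote_admin_logons(events),
    }

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

A cleared log (1102) is itself the strongest signal: the event is written after the wipe, so "clearev" removes the evidence of account creation but announces that something was removed.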
