Metasploit mailing list archives
Re: Simple script to swap hashes in SAM ..
From: Carlos Perez <carlos_perez () darkoperator com>
Date: Tue, 7 Sep 2010 11:56:44 -0400
The only problem I see with this is breaking the account you modify: if services are using this account it will break those services, practically creating a DoS on the service. This could be a pain point, especially depending on the ROEs that might be in place during the pentest.

Sent from my iPhone

On Sep 7, 2010, at 10:23 AM, John Nash <rootsecurityfreak () gmail com> wrote:

I had proposed creation of a new user as an option, and the "clearev" can clear the event logs ... but overall creation of a new user is a messy affair. This would definitely be the last resort .... but I am just curious if what I am proposing would work, theoretically to begin with?

On Tue, Sep 7, 2010 at 7:49 PM, ricky-lee birtles <mr.r.birtles () gmail com> wrote:

If I remember correctly (not at my home laptop to check) I do believe metasploit offers a script to delete event logs. Could you not add a new account, record the login, then remove the account and finally clean out the account creation and login events?

Regards,
-- Mr R Birtles

On 7 September 2010 15:13, John Nash <rootsecurityfreak () gmail com> wrote:

I am targeting a local account right now ... yes, it's for a pentest. Have broken in but wanted to take a video of me logging in as admin ... but ensuring that the admin never knows or suspects till he sees the final report + vid :)

On Tue, Sep 7, 2010 at 7:39 PM, Craig Freyman <craigfreyman () gmail com> wrote:

If it's an Active Directory environment I don't think it would work, since the password hashes are also stored with the user account, unless you're trying to use a local account. Is this for a pentest?

On Tue, Sep 7, 2010 at 8:03 AM, John Nash <rootsecurityfreak () gmail com> wrote:

Craig, I am not trying to crack the hash. Quick breakdown:
1. I will generate hashes for a given password locally
2. I will backup the hashes in the SAM for the admin account on the victim
3. I will replace the hashes in the SAM file on the victim with the one I have generated in (1)
4. I will login as admin and do what I want (I know the pass for the new hashes stored)
5. Restore the original hashes which I backed up in (2)
6. Now when the admin is back he can login without issues
Would this work?

On Tue, Sep 7, 2010 at 7:28 PM, Craig Freyman <craigfreyman () gmail com> wrote:

I don't know, I doubt it. Have you tried running your hash through something like http://www.lmcrack.com/index.php ?

On Tue, Sep 7, 2010 at 7:56 AM, John Nash <rootsecurityfreak () gmail com> wrote:

The OS is win 2003 server ... I know I can run a keylogger after attaching to winlogon.exe or some other process attached to the winlogon desktop in winsta0, but waiting for an admin may take too long ... would the solution I am proposing work? If it does, wait time is almost 0.

On Tue, Sep 7, 2010 at 7:20 PM, Craig Freyman <craigfreyman () gmail com> wrote:

What is the OS of the box you popped? Do you already have meterpreter? Did you try running a simple keylogger to have the Admin give the password right to you?

On Tue, Sep 7, 2010 at 3:18 AM, John Nash <rootsecurityfreak () gmail com> wrote:

Hello List,

While trying some post exploitation, one of the major issues I guess is to login to the system as a user over RDP. We can do this in a couple of ways:
1. create a new user <--- will create alarms
2. change the password of existing user

In case of (2) I was wondering would it be possible to just swap the existing hash with a new one (we know the password which hashes to this one) .... then do all we need to on the remote system .... then just replace the old hash for the original password back into the SAM. Is there any reason why this should not be possible? If yes, a meterpreter script could do this job very easily .... thoughts?

Rgds,
jn

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
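The thread turns on which traces each approach leaves: John notes that creating a user "will create alarms", ricky-lee suggests cleaning the account-creation and logon events afterwards, and Carlos points out the collateral damage of modifying a live account. The following is an added example from the defender's side, not code from the mailing list or from Metasploit. It scans a constructed, simplified key=value rendering of Windows Security events for exactly the artefacts discussed: account creation and deletion, RDP (RemoteInteractive, logon type 10) logons, and an audit-log clear, and it correlates a create/delete pair within a short window into a single high-severity alert. The event IDs are the Vista/Server 2008 and later values (4720, 4724, 4726, 4624, 1102); the Server 2003 box in the thread uses the older three-digit numbering, so the table would need adjusting there. The log format, timestamps and account names are all constructed for the example.

```python
"""Flag Security-log artefacts of add-a-user / clear-the-log cleanup.
Added example; the key=value log format and all sample records are constructed."""
from datetime import datetime, timedelta

# Security event IDs of interest (Vista / Server 2008 and later numbering;
# Server 2003 uses older three-digit IDs for the same events).
INTERESTING = {
    4720: "user account created",
    4724: "password reset attempted",
    4726: "user account deleted",
    1102: "security audit log cleared",
    4624: "successful logon",
}
RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / RDP


def parse_line(line):
    """Parse one constructed 'ts=... id=... subject=... target=...' record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"]),
        "id": int(fields["id"]),
        "subject": fields.get("subject", "-"),
        "target": fields.get("target", "-"),
        "logon_type": int(fields["logon_type"]) if "logon_type" in fields else None,
    }


def classify(ev):
    """Return (severity, message) for a single event, or None if it is noise."""
    eid = ev["id"]
    if eid not in INTERESTING:
        return None
    if eid == 4624:
        # Only interactive logons over RDP matter here; console and
        # service logons are routine background noise.
        if ev["logon_type"] != RDP_LOGON_TYPE:
            return None
        return ("medium", f"RDP logon by {ev['target']}")
    if eid == 1102:
        # Clearing the audit log is itself logged, and is never routine.
        return ("high", f"audit log cleared by {ev['subject']}")
    return ("medium", f"{INTERESTING[eid]}: {ev['target']} (by {ev['subject']})")


def short_lived_accounts(events, window=timedelta(hours=1)):
    """Accounts created (4720) and then deleted (4726) within `window`."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = ev["target"].lower()
        if ev["id"] == 4720:
            created[name] = ev["ts"]
        elif ev["id"] == 4726:
            t0 = created.pop(name, None)
            if t0 is not None and ev["ts"] - t0 <= window:
                hits.append(ev["target"])
    return hits


def scan(lines):
    """Run per-event classification plus the create/delete correlation."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = [a for a in map(classify, events) if a]
    for name in short_lived_accounts(events):
        alerts.append(("high", f"account {name} created and deleted within an hour"))
    return alerts


# Constructed sample: a benign console logon, a temporary account that is
# created, used over RDP and deleted, then the audit log is cleared.
SAMPLE_LOG = [
    "ts=2010-09-07T15:13:02 id=4624 subject=- target=jdoe logon_type=2",
    "ts=2010-09-07T15:20:01 id=4720 subject=Administrator target=tmpuser",
    "ts=2010-09-07T15:21:15 id=4624 subject=- target=tmpuser logon_type=10",
    "ts=2010-09-07T15:35:40 id=4726 subject=Administrator target=tmpuser",
    "ts=2010-09-07T15:36:02 id=1102 subject=Administrator target=-",
    "ts=2010-09-07T16:02:10 id=4672 subject=jdoe target=-",
]

if __name__ == "__main__":
    for severity, msg in scan(SAMPLE_LOG):
        print(f"[{severity}] {msg}")
```

The sample yields five alerts: the creation, the RDP logon and the deletion of tmpuser, the log clear, and the correlated short-lived-account finding; the console logon and the privilege-assignment event (4672) are ignored. Note that a direct write of hashes into the SAM, the variant John asks about, goes around the account-management APIs and so is unlikely to produce a 4724 at all, which is why the remaining observable traces are the logon itself and whatever breaks for services that authenticate with that account, as Carlos points out.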
Current thread:
- Simple script to swap hashes in SAM .. John Nash (Sep 07)
- Re: Simple script to swap hashes in SAM .. John Nash (Sep 07)
- Re: Simple script to swap hashes in SAM .. ricky-lee birtles (Sep 07)
- Re: Simple script to swap hashes in SAM .. John Nash (Sep 07)
- Re: Simple script to swap hashes in SAM .. Carlos Perez (Sep 07)
- Re: Simple script to swap hashes in SAM .. Robin Wood (Sep 07)
- Re: Simple script to swap hashes in SAM .. John Nash (Sep 07)
- Re: Simple script to swap hashes in SAM .. John Nash (Sep 07)