Re: Simple script to swap hashes in SAM ..

[Carlos Perez <carlos_perez () darkoperator com>]

The only problem I see with this is breaking the account you modify, if services are using this account it will break 
those services practically creating a DoS on the service, this could be a pain point specially depending the ROE's that 
might be in place during the pentest. 

Sent from my iPhone

On Sep 7, 2010, at 10:23 AM, John Nash <rootsecurityfreak () gmail com> wrote:

> I had proposed creation of a new user as an option, and the "clearev" can clear the event logs ... but overall 
> creation of a new user is a messy affair. 
> This would definitely be the last resort .... but i am just curious if what i am proposing would work, theoretically 
> to begin with? 
>
> On Tue, Sep 7, 2010 at 7:49 PM, ricky-lee birtles <mr.r.birtles () gmail com> wrote:
> If i remember correctly ( not at my home laptop to check ) I do
> believe metasploit offers a script to delete event logs. Could you not
> add a new account. Record the login. Then remove the account and
> finally clean out the account creation and login events?
>
> Regards,
> -- Mr R Birtles
>
>
>
> On 7 September 2010 15:13, John Nash <rootsecurityfreak () gmail com> wrote:
> > i am targeting a local account right now ...
> > yes, it's for a pentest. Have broken in but wanted to take a video of me
> > logging in as admin ... but ensuring that the admin never knows or suspects
> > till he sees the final report + vid  :)
> >
> >
> > On Tue, Sep 7, 2010 at 7:39 PM, Craig Freyman <craigfreyman () gmail com>
> > wrote:
> > > If its an Active Directory environment I dont think it would work since
> > > the password hashes are also stored with the user account unless you're
> > > trying to use a local account. Is this for a pentest?
> > >
> > > On Tue, Sep 7, 2010 at 8:03 AM, John Nash <rootsecurityfreak () gmail com>
> > > wrote:
> > > > Craig,
> > > > I am not trying to crack the hash.
> > > > Quick breakdown:
> > > > 1. I will generate hashes for a given password locally
> > > > 2. I will backup the hashes in the SAM for the admin account on the
> > > > victim
> > > > 3. I will replace the hashes in the SAM file on the victim  with the one
> > > > i have generated in (1)
> > > > 4. I will login as admin and do what i want (i know the pass for the new
> > > > hashes stored)
> > > > 5. Restore the original hashes which i backed up in (2)
> > > > 6. now when the admin is back he can login without issues
> > > > would this work?
> > > >
> > > >
> > > > On Tue, Sep 7, 2010 at 7:28 PM, Craig Freyman <craigfreyman () gmail com>
> > > > wrote:
> > > > > I dont know, I doubt it.
> > > > > Have you tried running your hash through something
> > > > > like http://www.lmcrack.com/index.php ?
> > > > >
> > > > > On Tue, Sep 7, 2010 at 7:56 AM, John Nash <rootsecurityfreak () gmail com>
> > > > > wrote:
> > > > > > the OS is win 2003 server  ... i know i can run a keylogger after
> > > > > > attaching to winlogon.exe or some other process attached to the winlogon
> > > > > > desktop in winsta0
> > > > > > but waiting for an admin may take too long ...
> > > > > > would the solution i am proposing work? if it does, wait time is almost
> > > > > > 0.
> > > > > >
> > > > > >
> > > > > > On Tue, Sep 7, 2010 at 7:20 PM, Craig Freyman <craigfreyman () gmail com>
> > > > > > wrote:
> > > > > > > What is the OS of the box you popped? Do you already have meterpreter?
> > > > > > > Did you try running a simple keylogger to have the Admin give the password
> > > > > > > right to you?
> > > > > > >
> > > > > > > On Tue, Sep 7, 2010 at 3:18 AM, John Nash
> > > > > > > <rootsecurityfreak () gmail com> wrote:
> > > > > > > > Hello List,
> > > > > > > > While trying some post exploitation, one of the major issues i guess
> > > > > > > > is to login to the system as a user over rdp.
> > > > > > > > We can do this in a couple of ways:
> > > > > > > >
> > > > > > > > create a new user <--- will create alarms
> > > > > > > > change the password of existing user
> > > > > > > >
> > > > > > > > in case of (2) i was wondering would it be possible to just swap the
> > > > > > > > existing hash with a new one (we now the password which hashes to this one)
> > > > > > > > .... then do all we need to on the remote system ....
> > > > > > > > then just replace the old hash for the original password back into
> > > > > > > > the SAM.
> > > > > > > > Is there any reason why this should not be possible? If yes, a
> > > > > > > > meterepreter script could do this job very easily ....
> > > > > > > > thoughts?
> > > > > > > > Rgds,
> > > > > > > > jn
> > > > > > > > _______________________________________________
> > > > > > > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework