Metasploit mailing list archives

Re: Pass the hash query


From: Jose Selvi <jselvi () pentester es>
Date: Fri, 20 May 2011 12:39:47 +0200

Hi TAS,

If you use the pass-the-hash technique to access a folder, then the user rights would be Administrator.

When using psexec, it works in a different way. Psexec uses your Administrator privileges to install a new service, and this service executes your payload. Since this service runs as SYSTEM, your payload runs as SYSTEM also. When the payload has been executed, psexec uninstalls this service.

You need to be Administrator to create this new service, but this service runs as SYSTEM; this is the trick.

I hope it helps.
Regards.

On 20/05/11 12:19, TAS wrote:
I am trying the pass-the-hash attack. On a Windows 2003 system, I used the
ms08_067 exploit and got the meterpreter shell. My privilege is of nt
authority\system. I then run a hashdump and collect the hash for the
Administrator account.

I provide the same hash to windows/smb/psexec and run it on the same
Windows 2003 box. I get a meterpreter, and running getuid gives me
privilege as nt authority\system. Why not Administrator?

--
Jose Selvi.
Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN

http://www.pentester.es

SANS Mentor in Madrid (Spain). September 23 - November 25
SEC560: Network Penetration Testing and Ethical Hacking
http://www.sans.org/mentor/details.php?nid=24133
http://www.pentester.es/2010/12/nuevo-grupo-y-descuento-para-network.html
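The service trick described in the reply above (an Administrator installs a service, the service runs the payload as SYSTEM, then the service is removed) leaves a recognisable footprint on the host: a service that runs as LocalSystem and exists only for a few seconds. On a real Windows machine the install shows up in the System event log as Event ID 7045. The code below is an added example, not from the mailing list thread, and uses a constructed, simplified pipe-delimited log format rather than a real Windows event schema; the function names, the `SYSTEM_ACCOUNTS` set and the five-minute window are assumptions chosen for illustration.

```python
"""Flag short-lived services that run as SYSTEM.

Detection logic for the pattern described in the thread: a service is
installed, runs as LocalSystem, and is removed again shortly afterwards.
Added example; the log format here is constructed and simplified and is
not a real Windows event schema.
"""
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp | event | service name | run-as account | image path
SAMPLE_LOG = """\
2011-05-20T09:00:00|service_installed|oldsvc|LocalSystem|C:\\Program Files\\Old\\oldsvc.exe
2011-05-20T12:19:01|service_installed|spooler|LocalSystem|C:\\Windows\\System32\\spoolsv.exe
2011-05-20T12:19:05|service_installed|XKQlmZyw|LocalSystem|C:\\Windows\\XKQlmZyw.exe
2011-05-20T12:19:07|service_removed|XKQlmZyw|LocalSystem|C:\\Windows\\XKQlmZyw.exe
2011-05-20T12:25:00|service_installed|backupagent|NT AUTHORITY\\NetworkService|C:\\Program Files\\Agent\\agent.exe
2011-05-20T12:30:00|service_removed|backupagent|NT AUTHORITY\\NetworkService|C:\\Program Files\\Agent\\agent.exe
2011-05-20T13:00:00|service_removed|oldsvc|LocalSystem|C:\\Program Files\\Old\\oldsvc.exe
"""

# Account names under which a service runs as the local SYSTEM identity (assumption: this
# covers the spellings seen in the constructed log; extend for a real environment).
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}


def parse_log(text):
    """Turn the constructed pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, name, account, path = (field.strip() for field in line.split("|"))
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "name": name,
            "account": account,
            "path": path,
        })
    return events


def find_transient_system_services(events, max_lifetime=timedelta(minutes=5)):
    """Return services that ran as SYSTEM and were removed within max_lifetime of install.

    A normal service is installed once and stays; a service that lives only a
    few seconds as SYSTEM matches the install/run/uninstall pattern from the thread.
    """
    pending = {}  # service name -> install event not yet matched with a removal
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "service_installed":
            pending[ev["name"]] = ev
        elif ev["event"] == "service_removed":
            install = pending.pop(ev["name"], None)
            if install is None:
                continue  # removal without a matching install in this log window
            lifetime = ev["ts"] - install["ts"]
            if install["account"].lower() in SYSTEM_ACCOUNTS and lifetime <= max_lifetime:
                hits.append({
                    "name": install["name"],
                    "account": install["account"],
                    "path": install["path"],
                    "installed": install["ts"].isoformat(),
                    "lifetime_s": lifetime.total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_transient_system_services(parse_log(SAMPLE_LOG)):
        print(f"transient SYSTEM service {hit['name']} ({hit['path']}) lived {hit['lifetime_s']:.0f}s")
```

Of the three removals in the sample, only `XKQlmZyw` is flagged: `backupagent` ran as NetworkService rather than SYSTEM, and `oldsvc` was removed hours after installation, so neither matches the short-lived SYSTEM pattern. In a real deployment the window and the account list would be tuned against the host's own service churn.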
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

