Metasploit mailing list archives
Re: Pass the hash query
From: Jose Selvi <jselvi () pentester es>
Date: Fri, 20 May 2011 12:39:47 +0200
Hi TAS,

If you use the pass-the-hash technique to access a folder, then the user rights would be Administrator.
When using psexec, it works in a different way. Psexec uses your Administrator privileges to install a new service, and this service executes your payload. Since this service runs as SYSTEM, your payload runs as SYSTEM also. When the payload is executed, psexec uninstalls this service.
You need to be Administrator to create this new service, but this service runs as SYSTEM; this is the trick.
I hope it helps.
Regards.

On 20/05/11 12:19, TAS wrote:
I am trying a pass-the-hash attack. On a Windows 2003 system, I used the ms08_067 exploit and got the meterpreter shell. My privilege is nt authority\system. I then ran a hashdump and collected the hash for the Administrator account. I provided the same hash to windows/smb/psexec and ran it on the same Windows 2003 box. I get a meterpreter, and running getuid gives me privilege as nt authority\system. Why not Administrator?
--
Jose Selvi.
Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN
http://www.pentester.es
SANS Mentor in Madrid (Spain). September 23 - November 25
SEC560: Network Penetration Testing and Ethical Hacking
http://www.sans.org/mentor/details.php?nid=24133
http://www.pentester.es/2010/12/nuevo-grupo-y-descuento-para-network.html
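Added example, not part of the original post or of Metasploit: the behaviour described in the reply above (an Administrator logon over the network that installs a service running as SYSTEM) leaves a correlatable trail in Windows event logs. The sketch below pairs an NTLM network logon (Security event 4624, LogonType 3) with a LocalSystem service install (System event 7045); these event IDs apply to Server 2008 and later. The sample events, service names, addresses and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread), pre-parsed into dicts.
# Field names follow Security event 4624 and System event 7045.
EVENTS = [
    {"time": "2011-05-20 12:00:01", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "IpAddress": "192.0.2.10"},
    {"time": "2011-05-20 12:00:03", "id": 7045, "ServiceName": "svc-example-1",
     "ImagePath": r"%SystemRoot%\example1.exe", "AccountName": "LocalSystem"},
    # Interactive logon followed much later by a legitimate agent install.
    {"time": "2011-05-20 13:30:00", "id": 4624, "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "Administrator",
     "IpAddress": "127.0.0.1"},
    {"time": "2011-05-20 13:45:00", "id": 7045, "ServiceName": "svc-example-2",
     "ImagePath": r"C:\Program Files\Example\agent.exe",
     "AccountName": "LocalSystem"},
    # NTLM network logon with no service install afterwards (file share access).
    {"time": "2011-05-20 14:00:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "IpAddress": "192.0.2.10"},
]

WINDOW = timedelta(seconds=30)  # assumed correlation window; tune per site


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def find_remote_system_service_installs(events, window=WINDOW):
    """Pair each LocalSystem service install (7045) with an NTLM network
    logon (4624, LogonType 3) that preceded it by at most `window`."""
    logons = [e for e in events if e["id"] == 4624 and e["LogonType"] == 3
              and e["AuthenticationPackageName"] == "NTLM"]
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        if svc["AccountName"].lower() != "localsystem":
            continue
        for logon in logons:
            if timedelta(0) <= _ts(svc) - _ts(logon) <= window:
                findings.append({"service": svc["ServiceName"],
                                 "image": svc["ImagePath"],
                                 "logon_user": logon["TargetUserName"],
                                 "source_ip": logon["IpAddress"]})
                break
    return findings
```

Only the first install is reported: the second follows an interactive logon outside the window, and the last network logon has no service install after it.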