Fwd: metasploit auxiliary/server/capture/smb and pass the hash

[Joshua Smith <lazydj98 () gmail com>]

Sorry, meant to send this to the list

---------- Forwarded message ----------
Isn't that NTLMv2, isn't that what the NT_CLIENT_CHALLENGE indicates?  In
that case you can't directly pass the hash, you need a 3rd party.

-josh

On Thu, Apr 5, 2012 at 4:54 AM, macubergeek <macubergeek () comcast net> wrote:

> I've been working with the metasploit auxiliary/server/capture/smb module
> and have had good success capturing smb hashes.
>
> [*] Empty hash captured from 192.168.1.1:1981 captured, ignoring ...
> [*] 2012-03-30 22:57:24 -0400
> NTLMv2 Response Captured from 192.168.1.1:1981
> USER:DomainUser DOMAIN:MASSIVE OS:Windows 2002 Service Pack 3 2600
> LM:Windows
> 2002 5.1
> LMHASH:AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB
>  LM_CLIENT_CHALLENGE:cf4000a12bdec1ad
> NTHASH:CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD
> NT_CLIENT_CHALLENGE:0101000000000000f89c09009812cd01cf4000a12bdec1ad0000
> 0000020000000000000000000000
>
> Chris Gates's Carnal Ownage blog suggests cracking the A's with John and
> guessing at the B's
>
> My questions are:
> does the "Empty hash captured" signify that the LM hash was disabled on
> this box?
>
> Passing the hash
> I've tried passing the hash using exploit/windows/smb/psexec  configured
> like so
>
> Module options (exploit/windows/smb/psexec):
>
>    Name       Current Setting
>        Required  Description
>    ----       ---------------
>        --------  -----------
>    RHOST      192.168.1.1
>        yes       The target address
>    RPORT      445
>        yes       Set the SMB service port
>    SHARE      ADMIN$
>       yes       The share to connect to, can be an admin share
> (ADMIN$,C$,...) or a normal read/write folder share
>    SMBDomain  MASSIVE
>        no        The Windows domain to use for authentication
>    SMBPass
>  AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB:CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD  no
>    The password for the specified username
>    SMBUser    DomainUser
>       no        The username to authenticate as
>
>
> Exploit target:
>
>    Id  Name
>    --  ----
>    0   Automatic
>
> This results in authentication/Login errors.
> I realize I can't pass the hash against DomainUser on his box while he's
> logged in but does anyone know if I can say use a domain admin cred against
> DomainUser's box? I've tried doing psexec against DomainUser's box after he
> logged out of the machine and still no go. I'm not sure if pass the hash
> works here or if I'm using the correct answer for SMBPass.
>
> Jim
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> %49%66%20%79%6F%75%20%63%61%6E%20%72%65%61%64%20%74%68%69%73%20%79%6F%75%20%6E%65%65%64%20%74%6F%20%67%65%74%20%61%20%67%69%72%6C%66%72%69%65%6E%64%2E
>
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework


-- 
- Josh



-- 
- Josh

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework