PaulDotCom mailing list archives

Re: Pass the hash for computer accounts?


From: David Porcello <DPorcello () vermontmutual com>
Date: Mon, 22 Nov 2010 16:17:17 -0500

Yes, I realize there are many ways to do this with *user* account hashes, but I'm looking for a way to relay or pass 
*computer* account hashes within a Windows domain.

Basically I'm trying to "steal" the machine credentials from one computer and inject them into an off-domain PC to 
obtain domain membership.

I can use PSHtoolkit to extract the machine account password hash in this format: ComputerName$:Domain:LMHash:NTLMHash 
(Note the $). Just not sure where to go from there. PSHtoolkit, meterpreter, and Samba let you inject NTLM hashes for 
user accounts, but I can't find any way to do this for machine accounts.


-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Ryan Sears
Sent: Monday, November 22, 2010 12:55 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Pass the hash for computer accounts?

What exactly do you mean? Is Pass-The-Hash still a viable vector of attack? Yes. Very much so actually. 

Spoofing domain membership requires you to manipulate your network tokens, or steal someone else's who's logged into a 
machine you have SYSTEM level access to. Think of them like web session cookies. 

Delicious, delicious session cookies. :)

As for actual exploitation, you can find modified versions of SMBClient, or just use Meta$ploit (for great justice). 
You're going to have to figure the rest out on your own. 

BTW vermontmutual.com reeks of sketchy. Just sayin.

RS

----- Original Message -----
From: "David Porcello" <DPorcello () vermontmutual com>
To: "PaulDotCom Security Weekly Mailing List" <pauldotcom () mail pauldotcom com>
Sent: Monday, November 22, 2010 10:20:54 AM GMT -05:00 US/Canada Eastern
Subject: [Pauldotcom] Pass the hash for computer accounts?



Is it possible to relay or pass Windows machine account password hashes in the same manner as SMBrelay or pshtoolkit 
does for user account hashes? I’m trying to spoof domain membership using an extracted machine account password hash. 
Dave. 




_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
