Saturday, March 15, 2008

Using the Pass the Hash Toolkit


Thanks to Hernan for responding to my other post about msvctl (no thanks to the msvctl author for not responding to my email) and getting me motivated to check out his Pass the Hash Toolkit v1.3.

I'm going to consider this post half finished because I don't think iam.exe and iam-alt.exe are working properly for me yet. Hopefully Hernan will respond to this post or the comments I made on his blog and get me fixed up.

OK, so on with it. The scenario is that you have a local admin account on a box, which is easy to get from a remote exploit, but no domain user permissions. From a data mining perspective, or for further enumeration, even domain user permissions are nice: at a minimum I can browse public shares in the domain for info.

OK, the first step is already done: I have created my local admin account on the box and uploaded my tools, whosthere-alt.exe and its DLL, and iam-alt.exe and its DLL.

Let's log in via psexec and run whosthere-alt.exe.


We can see that we have logged in via our test account, and there is a vmware user account that probably doesn't have any permissions. whosthere-alt.exe has a cool feature: it will listen indefinitely and log to a file, so you can start the process and wait for someone (hopefully a domain admin) to log into the box, and it will capture those hashes for you.

Let's check out the help options for whosthere-alt.exe and iam-alt.exe, and then use whosthere-alt.exe to capture logins for us.




As you can see in the image above, whoami says I am test/segfault, and we start running whosthere-alt in logging mode (-i -o bigfun.txt). In the second shell we check our bigfun.txt to see if anyone new has logged in, and a user "root" has.

From there we use iam-alt.exe to become user root. It appears from the output that it's working, but I couldn't confirm it: whoami.exe still said I was test, and any processes I started were still owned by test :-(


iam.exe/iam-alt.exe not working is not the end of the world though (in fact I'm sure it's user error). If the account you gathered through whosthere.exe is admin or better, you can still use the psexec module in Metasploit to pass the hash and get yourself a shell.
CG

4 comments:

hernan said...

Hi CG,

Thanks for taking the time to try out psh!.

Ok, I already answered you on my blog but here it goes anyways (this is a better answer anyways :)):

1-To verify if your credentials have changed you need to run whosthere-alt.exe or whosthere.exe, not whoami.exe. These two programs will extract credentials from memory and will let you know if the credentials you wanted to change using iam.exe/iam-alt.exe were successfully changed or not.

2-Don't count on the output from whoami.exe to verify if the tools worked. The tools ARE NOT creating a new logon session or changing the username/domain of the logon session, they are just changing the CREDENTIALS of the current logon session.

So, even when whoami.exe says you are the same user, the credentials that are going to be sent over the network are the credentials you changed using the pass the hash toolkit.

3-to verify completely if the tool is working, you need to try to authenticate against a remote server, try it out! it will work! :). If it doesn't, please let me know! (it will work! :), as long as you are using NTLM auth of course ).

for more info you can go here:

http://oss.coresecurity.com/pshtoolkit/doc/index.html

and if you are interested on internal details, take a look at the paper I wrote in 2000 about pass the hash:

http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1030

Anyways, you'll probably get quicker and more valuable info from me, so just ask me directly, I'm more than willing to answer you!

Thanks!,
Hernan

CG said...

Thanks for releasing it, it's a badass tool.

I didn't post the screenshot but will tonight. When I run iam-alt.exe and re-run whosthere-alt.exe, I see the user I tried to become logged in with a different hash than the one I "passed it." Is that what I should be seeing, or should I see the same hash?

Is there anything people can do for a defense against this, aside from not letting me get admin/SYSTEM on the box and dumping the hashes in the first place? If it's in the paper, just let me know, I didn't read it yet.

-CG
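On the defense question above, Hernan's point that the tools only swap the credentials of an existing logon session (so whoami on the source host shows nothing) means the place to look is the server that receives the authentication, and his "as long as you are using NTLM auth" caveat gives the signal: a privileged account authenticating with NTLM rather than Kerberos, especially from a host it never uses. The following detection sketch is an added example, not code from the post or from the toolkit; the event fields, the privileged-account list and the admin-workstation baseline are constructed assumptions, and the tab-separated lines stand in for Windows Security event 4624 records exported from a file server.

```python
"""
Detection sketch (added example): flag NTLM network logons by privileged
accounts as seen on the destination server, which is where swapped
credentials first become visible on the wire.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of Security 4624 events exported from a file server,
# as tab-separated "EventID, LogonType, AuthPackage, TargetUser, Workstation".
SAMPLE_EVENTS = """\
4624\t3\tNTLM\tsvc_backup\tFILESRV01
4624\t3\tKerberos\troot\tADMIN-WS01
4624\t3\tNTLM\troot\tVMWARE-TEST
4624\t2\tNegotiate\ttest\tVMWARE-TEST
4624\t3\tNTLM\troot\tADMIN-WS01
4624\t3\tNTLM\tjdoe\tWS-0422
"""

# Assumed baselines: which accounts are privileged and from which
# workstations they are expected to authenticate.
PRIVILEGED = {"root", "administrator"}
ADMIN_WORKSTATIONS = {"ADMIN-WS01"}


@dataclass(frozen=True)
class Logon:
    event_id: int
    logon_type: int
    auth_package: str
    user: str
    workstation: str


def parse_events(text: str) -> list[Logon]:
    """Parse the tab-separated export into Logon records, skipping blanks."""
    logons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, ltype, pkg, user, ws = line.split("\t")
        logons.append(Logon(int(eid), int(ltype), pkg, user, ws))
    return logons


def flag_suspect_ntlm(logons: Iterable[Logon]) -> list[tuple[str, str, str]]:
    """Return (user, workstation, reason) for every successful network logon
    (4624, type 3) that a privileged account performed with NTLM.

    Kerberos logons from the admin workstation are the expected pattern;
    NTLM from that workstation is notable, NTLM from any other host more so.
    """
    findings = []
    for lg in logons:
        if lg.event_id != 4624 or lg.logon_type != 3:
            continue  # interactive/service logons are outside this rule
        if lg.user.lower() not in PRIVILEGED:
            continue
        if lg.auth_package.upper() != "NTLM":
            continue  # Kerberos is the expected package for domain accounts
        if lg.workstation.upper() in ADMIN_WORKSTATIONS:
            reason = "NTLM instead of Kerberos from admin workstation"
        else:
            reason = "NTLM from unexpected host"
        findings.append((lg.user, lg.workstation, reason))
    return findings


if __name__ == "__main__":
    for user, ws, reason in flag_suspect_ntlm(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {user} from {ws}: {reason}")
```

The rule deliberately ignores the source host's own logon events, since per the comments the session there is unchanged; it also produces a finding for NTLM from the baselined admin workstation, because a domain account that normally gets Kerberos tickets falling back to NTLM is itself worth a look.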

Anonymous said...

You mention in a few of your posts that you want to move from SYSTEM to a domain account to get more information about the domain.

As SYSTEM I can successfully run commands to gather useful domain info:

net group "domain admins" /domain
net group "domain users" /domain

I guess this is because a machine in the domain has the machine domain account and will use this to gather the required info.

Anonymous Steve!

CG said...

@anon steve

That has only worked for me on one pentest, and I don't have a reason for it.

In general you cannot run those commands as SYSTEM and gather information, because you are not a domain user.