Thursday, July 26, 2012

Update to the NMAP Pass the Hash script
I've had a lot of questions about this, so let's see if this helps. When I score a password or a hash, I use an nmap script to quickly determine whether it gives me local admin rights on the workstations and servers:

nmap --script=smb-enum-shares.nse --script-args=smbuser=[ADMIN],smbpass=[PASSWORD],smbdomain=[DOMAIN],smbbasic=1,smbtype=v1  -p445 --open -vv -Pn [IP RANGE TO TEST] -oA [FILENAME].txt 

smbuser=[ADMIN] = The shared administrator account name
smbpass=[PASSWORD] = The shared account's cleartext password
Alternatively, you can Pass-the-Hash by replacing smbpass with:
smbhash=LMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLM:NTLMNTLMNTLMNTLMNTLMNTLMNTLMNTLM
The LM and NTLM hashes are 32 hex characters each, separated by a colon; nmap's smbauth library also accepts a single 32-character NTLM hash on its own. No cracking is needed: the hash is used directly in the NTLM exchange.
smbdomain=[DOMAIN] = WORKGROUP for a local account, or the AD domain name for a domain account

[FILENAME] = The base name for the results output (-oA writes [FILENAME].nmap, .gnmap and .xml)
[IP RANGE TO TEST] = The IP ranges in CIDR notation.
Alternatively, you can make a list of all IPs and IP ranges and pass it to the scan with:
 "-iL [INPUT LIST TO SCAN].txt"
smbbasic=1
Forces the authentication to use basic security, as opposed to "extended security". Against most modern systems, extended security should work, but there may be cases where you want to force basic. There's a chance that you'll get better results for enumerating users if you turn on basic authentication.
smbtype=v1
The type of SMB authentication to use. These are the possible options:
 * v1:     Sends LMv1 and NTLMv1.
 * LMv1:   Sends LMv1 only.
 * NTLMv1: Sends NTLMv1 only (default).
 * v2:     Sends LMv2 and NTLMv2.
 * LMv2:   Sends LMv2 only.
 * NTLMv2: Doesn't exist; the protocol doesn't support NTLMv2 alone.
One caveat: smbtype=v1 sends LM/NTLMv1 responses, which hosts hardened to refuse LM and NTLMv1 (LmCompatibilityLevel 4 or 5) will reject. If every host fails to authenticate with a credential you know is good, rerun with smbtype=v2.

If the credentials grant local administrator rights, the scan shows READ/WRITE access on the administrative shares (ADMIN$ and C$); an account without admin rights will not get READ/WRITE on those shares, so they are the ones to check in the output:

Starting Nmap 5.51 ( http://nmap.org ) at 2012-12-22 15:41 PDT
Nmap scan report for 172.0.0.1
Host is up (0.00069s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Users: 0, Max: <unlimited>
|     Path: C:\Windows
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   C$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: C:\
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   D$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: D:\
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   IPC$
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Users: 2, Max: <unlimited>
|     Path: 
|     Anonymous access: READ <not a file share>
|     Current user ('sysadmin') access: READ <not a file share>
|   SQLBACKUP
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 1, Max: <unlimited>
|     Path: D:\SQLBACKUP
|     Anonymous access: <none>
|_    Current user ('admin') access: READ/WRITE
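As an added example (not code from the original post), here is a small POSIX shell wrapper around the scan above. It builds the --script-args for either a cleartext password or a pass-the-hash pair, validates the hash format before nmap ever sees it, runs the scan with -oA, and parses the resulting .nmap file for hosts where the account got READ/WRITE on ADMIN$ or C$. The nmap output it parses is constructed here in the same format as the output above, not taken from a real scan; EMPTY_LM is the well-known LM hash of an empty password, which the helper assumes you want when you supply only an NT hash; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers around the
# smb-enum-shares scan: build the script-args (password or pass-the-hash),
# run the scan, and list hosts where the account is local admin.
# Assumptions: nmap is on PATH for pth_scan; a bare NT hash is prefixed with
# the well-known empty LM hash, which nmap's smbauth library accepts.

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee

is_hex32() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; }

# smb_args_pass USER DOMAIN PASSWORD -> script-args for a cleartext password
smb_args_pass() {
    printf 'smbuser=%s,smbpass=%s,smbdomain=%s,smbbasic=1,smbtype=v1\n' "$1" "$3" "$2"
}

# smb_args_hash USER DOMAIN HASH -> script-args for pass-the-hash.
# HASH is "LM:NT" or a bare NT hash; each half must be 32 hex characters.
smb_args_hash() {
    user=$1; domain=$2; hash=$3
    case "$hash" in
        *:*) lm=${hash%%:*}; nt=${hash#*:} ;;
        *)   lm=$EMPTY_LM; nt=$hash ;;
    esac
    if ! is_hex32 "$lm" || ! is_hex32 "$nt"; then
        echo "smb_args_hash: not a 32-hex LM:NT pair: $hash" >&2
        return 1
    fi
    printf 'smbuser=%s,smbhash=%s:%s,smbdomain=%s,smbbasic=1,smbtype=v1\n' \
        "$user" "$lm" "$nt" "$domain"
}

# pth_scan SCRIPT_ARGS OUTBASE TARGETS... -> the scan from the post.
# -oA writes OUTBASE.nmap, OUTBASE.gnmap and OUTBASE.xml.
pth_scan() {
    args=$1; out=$2; shift 2
    nmap --script=smb-enum-shares.nse --script-args="$args" \
         -p445 --open -Pn -oA "$out" "$@"
}

# local_admin_hosts FILE.nmap -> one host per line where the credentials
# had READ/WRITE on ADMIN$ or C$, i.e. local admin on that host.
local_admin_hosts() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); share = "" }
        /^[|]   [^ ]/            { share = $2 }   # "|   ADMIN$" -> share name
        /Current user/ && /READ\/WRITE/ {
            if (share == "ADMIN$" || share == "C$") hit[host] = 1
        }
        END { for (h in hit) print h }
    ' "$1" | sort
}

# write_sample FILE: constructed nmap output for the parser (not a real scan).
# 10.0.0.5 and 10.0.0.7 are admin hits; 10.0.0.6 only has a writable user share.
write_sample() {
    cat > "$1" <<'EOF'
Nmap scan report for 10.0.0.5
Host is up (0.00069s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Type: STYPE_DISKTREE_HIDDEN
|     Current user ('admin') access: READ/WRITE
|   IPC$
|     Type: STYPE_IPC_HIDDEN
|_    Current user ('admin') access: READ <not a file share>
Nmap scan report for 10.0.0.6
Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Current user ('admin') access: <none>
|   C$
|     Current user ('admin') access: <none>
|   PUBLIC
|_    Current user ('admin') access: READ/WRITE
Nmap scan report for 10.0.0.7
Host script results:
| smb-enum-shares: 
|   C$
|_    Current user ('admin') access: READ/WRITE
EOF
}

# Usage against a real range (hash pair redacted):
#   pth_scan "$(smb_args_hash admin WORKGROUP LM:NT)" results 10.0.0.0/24
#   local_admin_hosts results.nmap
```

The hash check matters more than it looks: a hash with a stray character or a missing LM half makes every host fail to authenticate, which reads exactly like "this credential is not admin anywhere". Validating before the scan separates a bad input from a genuine negative result.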
