You can simply fire up one of the many SMB-related Metasploit modules, set the SMBUser, set the SMBPass as the dumped hash, and cross your fingers. If the hash you're using is a local account, you're essentially relying on password reuse, which is rampant in my experience, to exploit other Windows machines in your target's environment.
One of the most common ways to "pass the hash" is by using the PSEXEC module (exploit/windows/smb/psexec)in Metasploit. This module executes an arbitrary payload by authenticating to Windows SMB using administrative credentials (password or hash), and creating a Windows service. This is a pretty powerful module on most pen-tests, once you get to the point of dumping hashes on a Windows machine.
Once you use it successfully it will become very apparent that this power could be multiplied by several orders of magnitude if someone wrote a scanning-capable version that accepts an RHOSTS option rather than a single RHOST. Apparently that's what Carlos Perez thought when he wrote psexec_scanner and he was dead on. His module will scan entire subnets, spraying hashes at any SMB service that will listen. Once you configure it with a well-used administrator-level hash, it will net you a meterpreter session on every machine to which it successfully authenticates. Reusing local Windows administrator account names and passwords across the enterprise is a LOT more common than anyone in our industry wants to admit.
Doing this with the right targets, and hashes will give you more shells than you have time for in many environments. It's truly a surreal feeling to compromise one host remotely, dump hashes, pivot (route add W.X.Y.Z A.B.C.D Session_Number) to internal networks, load the PSEXEC scanner with a suspected admin hash, type exploit, and have dozens of reverse TCP meterpreter sessions firing back.
Source : blog.depthsecurity.com
No comments:
Post a Comment