metasploit-framework May 2011 archive

Re: [framework] Pass the hash query

From: Jose Selvi <jselvi_at_nospam>
Date: Fri May 20 2011 - 10:39:47 GMT


If you use the pass-the-hash technique to access a folder, then the
user rights would be Administrator.

When using psexec, it works in a different way. Psexec uses your
Administrator privileges for installing a new service, and this service
executes your payload. Since this service runs as SYSTEM, your payload
runs as SYSTEM also. When the payload is executed, psexec uninstalls this

You need to be Administrator to create this new service, but the
service itself runs as SYSTEM; this is the trick.

I hope it helps.

On 20/05/11 12:19, TAS wrote:
> I am trying a pass-the-hash attack. On a Windows 2003 system, I used
> the ms08_067 exploit and got the meterpreter shell. My privilege is nt
> authority\system. I then run a hashdump and collect the hash for the
> Administrator account.
> I provide the same hash to windows/smb/psexec and run it on the same
> Windows 2003 box. I get a meterpreter and running getuid gives me
> privilege as nt authority\system. Why not Administrator?

--
Jose Selvi. Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN
SANS Mentor in Madrid (Spain). September 23 - November 25
SEC560: Network Penetration Testing and Ethical Hacking
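The mechanism Jose describes (an Administrator installs a throwaway service, the Service Control Manager starts it as SYSTEM, the service is removed once the payload runs) leaves a record on the host: Windows logs each service installation as System event 7045. The following is an added example for the defender's side, not code from this thread or from Metasploit; it assumes the 7045 events have been exported as one key=value line per event (a format chosen here, not a Windows format), and the sample lines and service names are constructed.

```python
"""Flag service installations that match the install-a-SYSTEM-service pattern.

Assumed input: Windows System log event 7045 ("A service was installed in the
system") exported as one line per event with ServiceName, ImagePath,
AccountName and StartType fields. The sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample export; the service names and paths are made up except
# for the well-known Spooler service.
SAMPLE_EVENTS = """\
EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe" AccountName=LocalSystem StartType=auto
EventID=7045 ServiceName=XqzLkdPw ImagePath="%SYSTEMROOT%\\XqzLkdPw.exe" AccountName=LocalSystem StartType=demand
EventID=7045 ServiceName=BackupAgent ImagePath="C:\\Program Files\\Backup\\agent.exe" AccountName="NT AUTHORITY\\NetworkService" StartType=auto
EventID=7045 ServiceName=QwRtYuIo ImagePath="%SystemRoot%\\QwRtYuIo.exe" AccountName=LocalSystem StartType=demand
"""

@dataclass
class ServiceInstall:
    name: str
    image_path: str
    account: str
    start_type: str

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Binary dropped directly into the Windows directory (not a subfolder).
ROOT_BINARY_RE = re.compile(r'^(%SYSTEMROOT%|[A-Z]:\\Windows)\\[^\\]+\.exe$', re.IGNORECASE)

def parse_event(line: str) -> Optional[ServiceInstall]:
    """Return a ServiceInstall for a 7045 line, or None for any other event."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in FIELD_RE.finditer(line)}
    if fields.get("EventID") != "7045":
        return None
    return ServiceInstall(fields["ServiceName"], fields["ImagePath"],
                          fields["AccountName"], fields["StartType"])

def is_suspicious(svc: ServiceInstall) -> bool:
    """Demand-start service running as LocalSystem from a binary placed
    straight in the Windows directory: the shape of a short-lived service
    installed only to run something as SYSTEM."""
    runs_as_system = svc.account.lower() == "localsystem"
    demand_start = svc.start_type.lower() == "demand"
    return runs_as_system and demand_start and ROOT_BINARY_RE.match(svc.image_path) is not None

def flag_events(text: str) -> List[str]:
    """Names of services in the export that match the suspicious pattern."""
    flagged = []
    for line in text.splitlines():
        svc = parse_event(line)
        if svc is not None and is_suspicious(svc):
            flagged.append(svc.name)
    return flagged
```

Correlating each flagged 7045 with the account that created the service (Security event 4697 on systems that audit it) then answers the question in the thread from the log side: the creator is the Administrator-level account, the service account is SYSTEM.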