PTH Attack with patched Samba

[oceanonre]

Hi,

I am having trouble configuring samba to work with a pass the hash attack. Was wondering if anyone would be able to lead me in the right direction with this one?

I have done (in order):
downloaded samba 3.0.22
patched the appropriate files
configured samba (--with-smbmount)
make + make install
add the hash to the SMBHASH env variable with export

When I do the following:
./smbmount //target/drive /mnt/target -o username=target-user

I receive this error:
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf":
No such file or directory
Can't load /usr/local/samba/lib/smb.conf - run testparm to debug it
Password:
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied LM HASH...
16526: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed

This is interesting because the smb.conf file is in /etc/samba and not in /usr/.../samba/. So I was wondering if anyone knew how to redirect samba to look in /etc/samba. I don't know if it matters but it should be noted that /etc/smb.conf existed before I installed samba 3.0.22 (was on default install of bt4).

Also, when I create a mount point (mkdir /mnt/target) and try and mount it (mount /mnt/target) I receive the following error:
mount: can't find /mnt/target/ in /etc/fstab or /etc/mtab

Any ideas on this would be appreciated.

Thanks.

[oceanonre]

OK, took me quite a while figure this one out but I finally managed to get it working.

If anyone's interested, I have posted a tutorial on my blog:

defenceindepth [dot] net

Hope it helps.

[Gitsnik]

Did you come across the Pass-The-Hash Toolkit - Docs & Info in your travels?

Good work on following up though.

If your mountpoint doesn't exist in the /etc/fstab or mtab's, you need to specify a few more details, mount -t smbfs host:blah and so on.