Here's a little tool I wrote that implements a modified Samba client. It implements the pass-the-hash method and is platform independent thanks to Java.
0x13.de/index.php/tools/37-tools/47-smbsphinx.html
Take a look at Bruce Schneier's paper on MSCHAPv2, http://www.schneier.com/paper-pptpv2.html. NTLM functions very similarly to MSCHAP...
dd if=/dev/urandom of=/mybrain
The pass-the-hash tool from Core has been updated.
http://oss.coresecurity.com/projects/pshtoolkit.htm
From their site:
Let's say you are pentesting a network with a Windows Domain. You managed to compromise a MS SQL Server joined to the domain. At this point, you can obtain user accounts stored on the local SAM database, but NOT user accounts stored in the Domain Controller. You have control over that particular machine, but not over the whole Windows domain. It would be great to have control over the Whole Windows Domain...
You obtain the usernames and hashes of the local SAM database (of the MS SQL Server you compromised), and use IAM.EXE on your own desktop machine to, for example, try the administrator account on other servers on the network (including the domain controller) to see if the password is the same. But no luck...
You analyze inbound network traffic for that MS SQL Server machine and you realize that the domain administrator (not necessarily the 'administrator' account, but any other user with 'Domain Admin' privileges for that matter) logs on to the MS SQL Server you compromised using Remote Desktop... that's your way in.
You upload whosthere.exe to the compromised server, run it, and you observe the hashes of the domain administrator scrolling down the screen. Now you go to your desktop machine again, use those hashes with IAM.EXE, and connect to the Domain Controller. You have now compromised the whole domain. You can do anything you want using regular Windows domain administration tools.
If you're not sure how to compromise a SQL server, read this thread:
http://forums.remote-exploit.org/showthread.php?t=12942
William
I've tried to play around with the already-patched version of winexe he mentioned ("Additionally, if you trust me and want a pre-compiled version:
winexe with hash passing"), but I get this error:
bt ~ # winexe
-bash: ./winexe: Permission denied
bt ~ # chmod a+x winexe
bt ~ # winexe
winexe: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory
Do a search on your system for the libpam.so.0 file and copy it to the folder you are executing winexe from:
slocate libpam.so.0
If you can't find the file, do a search for libpam.so.* and create a symbolic link to the missing file using what you find:
ln -s libpam.so libpam.so.0
Thanks much for the hint, now it works!