Page 2 of 2, results 11 to 16 of 16

Thread: Passing the hash for SMB shares

  1. #11
    elazar (Member)
    Join Date: Sep 2007 | Posts: 217

    Take a look at Bruce Schneier's paper on MSCHAPv2, http://www.schneier.com/paper-pptpv2.html. NTLM functions very similarly to MSCHAP...

    E
    dd if=/dev/urandom of=/mybrain

  2. #12
    Just burned his ISO
    Join Date: Mar 2008 | Posts: 1

    Here's a little tool I wrote that implements a modified Samba client. It implements the pass-the-hash method and is platform independent due to Java.

    0x13.de/index.php/tools/37-tools/47-smbsphinx.html

  3. #13
    williamc (Good friend of the forums)
    Join Date: Feb 2010 | Location: Chico CA | Posts: 285

    The pass-the-hash tool from Core has been updated.
    http://oss.coresecurity.com/projects/pshtoolkit.htm

    From their site:

    Let's say you are pentesting a network with a Windows Domain. You managed to compromise a MS SQL Server joined to the domain. At this point, you can obtain user accounts stored on the local SAM database, but NOT user accounts stored in the Domain Controller. You have control over that particular machine, but not over the whole Windows domain. It would be great to have control over the whole Windows Domain...
    You obtain the usernames and hashes of the local SAM database (of the MS SQL Server you compromised), and use IAM.EXE on your own desktop machine to, for example, try the administrator account on other servers on the network (including the domain controller) to see if the password is the same. But no luck..
    You analyze inbound network traffic for that MS SQL Server machine and you realize that the domain administrator (not necessarily the 'administrator' account, but any other user with 'Domain Admin' privileges for that matter) logs on to the MS SQL Server you compromised using Remote Desktop...that's your way in..
    You upload whosthere.exe to the compromised server, run it, and you observe scrolling down the screen the hashes of the domain administrator.. Now you go to your desktop machine again, use those hashes with IAM.EXE, and connect to the Domain Controller. You have now compromised the whole domain. You can do anything you want using regular Windows domain administration tools.

    If you're not sure how to compromise a SQL server, read this thread:
    http://forums.remote-exploit.org/showthread.php?t=12942

    William
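    The detection side of the scenario quoted above, as an added example that is not from this thread or from Core's toolkit: a small Python filter over constructed Windows Security 4624 logon events that flags the tell-tale step, a Domain Admin account authenticating to the domain controller with NTLM from the compromised member server instead of with Kerberos from its usual workstation. The account, DC and source-address lists are assumptions made for the sample.

```python
import json

# Constructed sample 4624 (successful logon) events as JSON lines; not real
# logs. Field names follow the Windows Security event 4624 schema.
SAMPLE_LOG = """
{"EventID": 4624, "Computer": "sqlsrv01.corp.example", "TargetUserName": "da.jsmith", "LogonType": 10, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.23", "WorkstationName": "ADMIN-WS"}
{"EventID": 4624, "Computer": "dc01.corp.example", "TargetUserName": "da.jsmith", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.8.40", "WorkstationName": "SQLSRV01"}
{"EventID": 4624, "Computer": "dc01.corp.example", "TargetUserName": "bob", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77", "WorkstationName": "BOB-PC"}
{"EventID": 4624, "Computer": "dc01.corp.example", "TargetUserName": "da.jsmith", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.23", "WorkstationName": "ADMIN-WS"}
"""

# Assumed site knowledge: which accounts are privileged, which hosts are DCs,
# and from which source addresses privileged NTLM logons are tolerated at all.
PRIVILEGED_ACCOUNTS = {"da.jsmith", "administrator"}
DOMAIN_CONTROLLERS = {"dc01.corp.example"}
ADMIN_SOURCE_IPS = {"10.0.5.23"}


def load_events(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_pth_candidate(ev):
    """True for a privileged NTLM network logon to a DC from an unexpected host.

    A domain admin's normal path is Kerberos; a hash replayed from a compromised
    member server shows up as NTLM, logon type 3, sourced from that server.
    """
    return (
        ev.get("EventID") == 4624
        and ev.get("LogonType") == 3
        and str(ev.get("AuthenticationPackageName", "")).upper() == "NTLM"
        and str(ev.get("TargetUserName", "")).lower() in PRIVILEGED_ACCOUNTS
        and ev.get("Computer") in DOMAIN_CONTROLLERS
        # WorkstationName is supplied by the client, so key on IpAddress instead.
        and ev.get("IpAddress") not in ADMIN_SOURCE_IPS
    )


def find_pth_candidates(text):
    """Return (account, source ip, claimed workstation) for each suspicious event."""
    return [
        (ev["TargetUserName"], ev["IpAddress"], ev.get("WorkstationName", ""))
        for ev in load_events(text)
        if is_pth_candidate(ev)
    ]


if __name__ == "__main__":
    for hit in find_pth_candidates(SAMPLE_LOG):
        print("possible pass-the-hash:", hit)
```

    Only the second sample event trips the filter; the admin's own RDP session into the SQL server and the later Kerberos logon from the admin workstation do not.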

  4. #14
    Junior Member
    Join Date: Aug 2007 | Posts: 63

    I've tried to play around with the version of winexe that is already patched, as he means with "Additionally, if you trust me and want a pre-compiled version:
    winexe with hash passing", but this error happens:
    Code:
    bt ~ # winexe
    -bash: ./winexe: Permission denied
    bt ~ # chmod a+x winexe
    bt ~ # winexe
    winexe: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory

  5. #15
    williamc (Good friend of the forums)
    Join Date: Feb 2010 | Location: Chico CA | Posts: 285

    Do a search on your system for the libpam.so.0 file
    Code:
    slocate libpam.so.0
    and copy it to the folder you are executing winexe from.
    If you can't find the file, do a search for libpam.so.* and create a symbolic link to the missing file using what you find.
    Code:
    # create libpam.so.0 as a symbolic link to the libpam library that was found
    ln -s libpam.so libpam.so.0

  6. #16
    Junior Member
    Join Date: Aug 2007 | Posts: 63

    Thanks much for the hint, now it works
