Few techniques can claim to be as popular and effective as good ol' pass the hash in Windows environments. This prime example highlights the danger of screwing up the design of an authentication protocol. This post does not aim to explain PTH; we have talked about it in HFB, plus there are other great resources that cover it pretty well. What I wanted to do was to go over all the tools and techniques to make the most of a hash recovered in a pentest.

To some fellow pentesters, PTH rhymes with Metasploit, and if they cannot find a way to access their Backtrack/Kali, or if the AV kicks off their psexec module, they just feel helpless. Don't worry, there are other, easier means to exploit a pass the hash.

The pth-* tools are my favorite set of tools to pass the hash from a Linux platform. They are present by default on Kali Linux and include the following tools:

- pth-net: executes net commands (net user, net share) on remote hosts.
- pth-rpcclient: opens an interactive session to execute RPC commands.
- pth-smbclient: browses available shares on remote computers.
- pth-winexe: executes a command interactively on remote computers.
- pth-wmic: executes WMI queries on remote computers.
- pth-wmis: executes a command using WMI on remote computers.

They all follow the same basic usage:

    pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25

Let's give them a try, shall we? Let's use pth-winexe to spawn an interactive command line environment:

    pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
    # Where WORKGROUP is the default workgroup name.

The tool confirms that it is using the supplied hash instead of a password:

    HASH PASS: Substituting user supplied NTLM HASH.
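From the blue-team side, a pth-winexe session like the one above reaches the target over SMB and shows up in the Windows Security log as a 4624 logon event with Logon Type 3 (network) and AuthenticationPackageName NTLM. The following Python script is an added example, not code from the original post or from the pth-* tools: it walks a handful of constructed 4624/4625 records and flags NTLM network logons of a watched account from a host that is not on an allow-list. The event field names follow the real 4624 schema; the sample events, the allow-list address and the watched account set are assumptions for the walkthrough.

```python
"""Flag NTLM network logons that match the pass-the-hash pattern described above.

Added example, not part of the original post. The events below are constructed
for the walkthrough; field names follow the Windows Security event 4624 schema
(TargetUserName, LogonType, AuthenticationPackageName, IpAddress, WorkstationName).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    """Minimal projection of a 4624/4625 event record."""
    event_id: int        # 4624 = successful logon, 4625 = failed logon
    target_user: str     # TargetUserName
    logon_type: int      # LogonType: 2 = interactive, 3 = network, ...
    auth_package: str    # AuthenticationPackageName: NTLM, Kerberos, Negotiate
    ip_address: str      # IpAddress of the client ("-" for local logons)
    workstation: str     # WorkstationName reported by the client


# Constructed sample events (not real logs); the 192.168.1.50 client is assumed.
SAMPLE_EVENTS = [
    Logon(4624, "alice", 2, "Kerberos", "-", "WS01"),                  # console logon
    Logon(4624, "alice", 3, "Kerberos", "10.0.0.5", "WS01"),           # domain SMB access
    Logon(4624, "Administrator", 3, "NTLM", "192.168.1.50", "KALI"),   # pth-winexe style logon
    Logon(4624, "svc_backup", 3, "NTLM", "10.0.0.20", "BACKUP01"),     # allow-listed source
    Logon(4625, "Administrator", 3, "NTLM", "192.168.1.50", "KALI"),   # failure, not a success
]

# Sources that legitimately authenticate with NTLM (assumption, tune per environment).
NTLM_ALLOWLIST = {"10.0.0.20"}
# Local accounts whose NTLM network logon should raise a ticket (assumption).
WATCHED_ACCOUNTS = {"administrator"}


def is_suspicious(ev: Logon) -> bool:
    """Successful NTLM network logon of a watched account from a non-allow-listed host."""
    return (
        ev.event_id == 4624
        and ev.logon_type == 3
        and ev.auth_package.upper() == "NTLM"
        and ev.ip_address not in NTLM_ALLOWLIST
        and ev.target_user.lower() in WATCHED_ACCOUNTS
    )


def find_pth_candidates(events):
    """Return the events that match the pass-the-hash pattern."""
    return [ev for ev in events if is_suspicious(ev)]


def summarize(events):
    """One line per hit: client IP (workstation) -> account."""
    return [
        f"{ev.ip_address} ({ev.workstation}) -> {ev.target_user}"
        for ev in find_pth_candidates(events)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print("possible pass-the-hash:", line)
```

The allow-list is the tuning knob: NTLM network logons are common wherever Kerberos is unavailable, so the rule only pays off once the hosts that legitimately use NTLM are enumerated. The same pattern covers the pth-wmic and pth-wmis tools, which authenticate with NTLM over RPC rather than SMB but still produce a Logon Type 3 event on the target.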