RSS

Pass the Hash Attack

08 Apr

One of the biggest security problems that organizations and users are facing is that they use the same passwords for many systems.This can create a huge risk in an organization because If someone manage to obtain a hash from a system he can use it to authenticate with other systems that have the same password without the need of cracking it.This technique is called pass the hash and we will examine it in this article.

For the needs of this tutorial we will use a Windows 2003 Server and Backtrack.So we already know that Windows 2003 Servers are vulnerable to the netapi service.So we will use the appropriate exploit in order to gain access to the remote system.You can see the exploit settings in the image below:

Exploit Settings

 

As a payload we have used the meterpreter because we will need it in order to obtain the hashes of the remote system easily.So we are exploiting the system:

Exploitation of the system

 

Now it is time to obtain the hashes of the remote system with the command hashdump.

Obtaining the hashes

 

Now that we have the hashes we can try to crack them offline.However this process requires time so we will try to use the administrator hash in order to authenticate with the system.Metasploit has a module that has the same function with the psexec utility.So we will use that module in order to authenticate through SMB to the remote target.You can see a description of that module in the next image:

Description of psexec

 

This metasploit module requires to know in which workgroup the remote target belongs.We can discover that very easily by using the Nmap script engine and executing the following script:

Discovery of the workgroup

 

We can see that the workgroup is York.So we go back to the metasploit and we are configuring the psexec module You can see all the configurations that we have made in the next screenshot:

psexec configurations

 

As you can see from the image below we have used the Administrator’s hash that we have obtained before in order to authenticate.Also we changed the LPORT to 4445 because the 4444 in our system is in use from the previous exploitation.Now it is time to authenticate as an administrator:

Authentication with the Administrator's hash

 

We have successfully authenticated as an administrator to the remote system just by using the hash and we have opened a meterpreter session.An attacker could try to use the same hash to other systems as well that use the same password in order to gain access without the need of finding a vulnerability.

Conclusion

Windows hashes are not salted so anybody with a valid hash can use it directly to authenticate by using this attack.Also this method points out the need for use multiple passwords especially in organizations because if one system is compromised then the other systems that have the same passwords will be at risk regardless of how complex the password will be.

About these ads
 
Leave a comment

Posted by on April 8, 2012 in Exploitation Techniques

 

Tags: , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 622 other followers

%d bloggers like this: