[framework] Simple script to swap hashes in SAM ..

John Nash rootsecurityfreak at gmail.com
Tue Sep 7 07:13:33 PDT 2010


I am targeting a local account right now ...

Yes, it's for a pentest. I have broken in but wanted to take a video of me
logging in as admin ... but ensuring that the admin never knows or suspects
till he sees the final report + vid  :)



On Tue, Sep 7, 2010 at 7:39 PM, Craig Freyman <craigfreyman at gmail.com> wrote:

> If it's an Active Directory environment I don't think it would work since the
> password hashes are also stored with the user account unless you're trying
> to use a local account. Is this for a pentest?
>
>
> On Tue, Sep 7, 2010 at 8:03 AM, John Nash <rootsecurityfreak at gmail.com> wrote:
>
>> Craig,
>>
>> I am not trying to crack the hash.
>>
>> Quick breakdown:
>>
>> 1. I will generate hashes for a given password locally
>> 2. I will back up the hashes in the SAM for the admin account on the victim
>> 3. I will replace the hashes in the SAM file on the victim with the ones I
>> have generated in (1)
>> 4. I will log in as admin and do what I want (I know the password for the new
>> hashes stored)
>> 5. Restore the original hashes which I backed up in (2)
>> 6. Now when the admin is back he can log in without issues
>>
>> Would this work?
>>
>>
>>
>> On Tue, Sep 7, 2010 at 7:28 PM, Craig Freyman <craigfreyman at gmail.com> wrote:
>>
>>> I don't know, I doubt it.
>>>
>>> Have you tried running your hash through something like
>>> http://www.lmcrack.com/index.php ?
>>>
>>>
>>> On Tue, Sep 7, 2010 at 7:56 AM, John Nash <rootsecurityfreak at gmail.com> wrote:
>>>
>>>> The OS is Win 2003 Server ... I know I can run a keylogger after
>>>> attaching to winlogon.exe or some other process attached to the winlogon
>>>> desktop in winsta0,
>>>> but waiting for an admin may take too long ...
>>>>
>>>> Would the solution I am proposing work? If it does, wait time is almost
>>>> 0.
>>>>
>>>>
>>>>
>>>> On Tue, Sep 7, 2010 at 7:20 PM, Craig Freyman <craigfreyman at gmail.com> wrote:
>>>>
>>>>> What is the OS of the box you popped? Do you already have meterpreter?
>>>>> Did you try running a simple keylogger to have the Admin give the password
>>>>> right to you?
>>>>>
>>>>> On Tue, Sep 7, 2010 at 3:18 AM, John Nash <rootsecurityfreak at gmail.com> wrote:
>>>>>
>>>>>> Hello List,
>>>>>>
>>>>>> While trying some post exploitation, one of the major issues I guess
>>>>>> is to log in to the system as a user over RDP.
>>>>>>
>>>>>> We can do this in a couple of ways:
>>>>>>
>>>>>>
>>>>>>    1. create a new user <--- will create alarms
>>>>>>    2. change the password of existing user
>>>>>>
>>>>>>
>>>>>> In case of (2) I was wondering would it be possible to just swap the
>>>>>> existing hash with a new one (we know the password which hashes to this one)
>>>>>> .... then do all we need to on the remote system ....
>>>>>> then just replace the old hash for the original password back into the
>>>>>> SAM.
>>>>>>
>>>>>> Is there any reason why this should not be possible? If yes, a
>>>>>> meterpreter script could do this job very easily ....
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> Rgds,
>>>>>>
>>>>>> jn
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

