[framework] Simple script to swap hashes in SAM ..

John Nash rootsecurityfreak at gmail.com
Tue Sep 7 07:23:46 PDT 2010


I had proposed creation of a new user as an option, and "clearev" can
clear the event logs ... but overall, creation of a new user is a messy
affair.
This would definitely be the last resort .... but I am just curious whether what
I am proposing would work, theoretically to begin with?

On Tue, Sep 7, 2010 at 7:49 PM, ricky-lee birtles <mr.r.birtles at gmail.com>wrote:

> If I remember correctly (not at my home laptop to check) I do
> believe Metasploit offers a script to delete event logs. Could you not
> add a new account, record the login, then remove the account and
> finally clean out the account-creation and login events?
>
> Regards,
> -- Mr R Birtles
>
>
>
> On 7 September 2010 15:13, John Nash <rootsecurityfreak at gmail.com> wrote:
> > I am targeting a local account right now ...
> > Yes, it's for a pentest. Have broken in but wanted to take a video of me
> > logging in as admin ... but ensuring that the admin never knows or suspects
> > till he sees the final report + vid  :)
> >
> >
> > On Tue, Sep 7, 2010 at 7:39 PM, Craig Freyman <craigfreyman at gmail.com>
> > wrote:
> >>
> >> If it's an Active Directory environment I don't think it would work since
> >> the password hashes are also stored with the user account, unless you're
> >> trying to use a local account. Is this for a pentest?
> >>
> >> On Tue, Sep 7, 2010 at 8:03 AM, John Nash <rootsecurityfreak at gmail.com>
> >> wrote:
> >>>
> >>> Craig,
> >>> I am not trying to crack the hash.
> >>> Quick breakdown:
> >>> 1. I will generate hashes for a given password locally
> >>> 2. I will back up the hashes in the SAM for the admin account on the
> >>> victim
> >>> 3. I will replace the hashes in the SAM file on the victim with the one
> >>> I have generated in (1)
> >>> 4. I will log in as admin and do what I want (I know the pass for the
> >>> new hashes stored)
> >>> 5. Restore the original hashes which I backed up in (2)
> >>> 6. Now when the admin is back he can log in without issues
> >>> Would this work?
> >>>
> >>>
> >>> On Tue, Sep 7, 2010 at 7:28 PM, Craig Freyman <craigfreyman at gmail.com>
> >>> wrote:
> >>>>
> >>>> I don't know, I doubt it.
> >>>> Have you tried running your hash through something
> >>>> like http://www.lmcrack.com/index.php ?
> >>>>
> >>>> On Tue, Sep 7, 2010 at 7:56 AM, John Nash <
> rootsecurityfreak at gmail.com>
> >>>> wrote:
> >>>>>
> >>>>> The OS is Win 2003 Server ... I know I can run a keylogger after
> >>>>> attaching to winlogon.exe or some other process attached to the winlogon
> >>>>> desktop in WinSta0,
> >>>>> but waiting for an admin may take too long ...
> >>>>> Would the solution I am proposing work? If it does, wait time is almost
> >>>>> 0.
> >>>>>
> >>>>>
> >>>>> On Tue, Sep 7, 2010 at 7:20 PM, Craig Freyman <
> craigfreyman at gmail.com>
> >>>>> wrote:
> >>>>>>
> >>>>>> What is the OS of the box you popped? Do you already have meterpreter?
> >>>>>> Did you try running a simple keylogger to have the admin give the password
> >>>>>> right to you?
> >>>>>>
> >>>>>> On Tue, Sep 7, 2010 at 3:18 AM, John Nash
> >>>>>> <rootsecurityfreak at gmail.com> wrote:
> >>>>>>>
> >>>>>>> Hello List,
> >>>>>>> While trying some post exploitation, one of the major issues I guess
> >>>>>>> is to log in to the system as a user over RDP.
> >>>>>>> We can do this in a couple of ways:
> >>>>>>>
> >>>>>>> 1. create a new user <--- will create alarms
> >>>>>>> 2. change the password of an existing user
> >>>>>>>
> >>>>>>> In case of (2) I was wondering whether it would be possible to just swap
> >>>>>>> the existing hash with a new one (we know the password which hashes to
> >>>>>>> this one) .... then do all we need to on the remote system ....
> >>>>>>> then just replace the old hash for the original password back into
> >>>>>>> the SAM.
> >>>>>>> Is there any reason why this should not be possible? If yes, a
> >>>>>>> meterpreter script could do this job very easily ....
> >>>>>>> thoughts?
> >>>>>>> Rgds,
> >>>>>>> jn
> >>>>>>> _______________________________________________
> >>>>>>> https://mail.metasploit.com/mailman/listinfo/framework
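Added example (not part of the thread, and not Metasploit code): the six-step hash swap John lays out above, run in Python against a constructed in-memory stand-in for the admin's SAM entry rather than a real hive. Step 1 is done for real: an NT hash is unsalted MD4 over the UTF-16LE encoding of the password, implemented below in pure Python so it does not depend on OpenSSL having MD4 enabled. Two caveats a practitioner would want, both already raised in the thread: as Craig notes, this only applies to local accounts (domain accounts are not in the SAM), and Windows 2003 stores an LM hash next to the NT hash by default, so the backup and the restore must cover both, byte for byte. The LM hash is DES-based and is not computed here; the record carries the well-known empty-LM value aad3b435b51404eeaad3b435b51404ee as a placeholder. The record layout, RID 500, the logon check (comparing against the stored NT hash) and the passwords are all assumptions made for the example; writing the hashes into a live SAM hive is not shown.

```python
"""
Added example: the back-up / swap / log-on / restore sequence from the
thread, against a constructed dict standing in for one SAM account entry.
Only the NT hash computation is real Windows behaviour.
"""
import struct

MASK = 0xFFFFFFFF
# LM hash of an empty password; also what Windows stores when LM hashes
# are disabled or the password is longer than 14 characters.
BLANK_LM = bytes.fromhex("aad3b435b51404eeaad3b435b51404ee")


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python, so no OpenSSL MD4 is needed)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # (round function, additive constant, per-step shifts, word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def make_record(rid: int, password: str) -> dict:
    """Constructed stand-in for one SAM account entry (assumed layout)."""
    return {"rid": rid, "lm": BLANK_LM, "nt": nt_hash(password)}


def logon_ok(record: dict, password: str) -> bool:
    """Assumed local logon check: does the password hash to the stored NT hash?"""
    return record["nt"] == nt_hash(password)


def swap_and_restore(record: dict, our_password: str) -> list:
    """Steps 1-6 from the thread; returns (description, passed) per check."""
    checks = []
    new_nt = nt_hash(our_password)                       # 1. hashes for a known password
    backup = {"lm": record["lm"], "nt": record["nt"]}    # 2. back up LM and NT
    record["lm"], record["nt"] = BLANK_LM, new_nt        # 3. swap both in
    checks.append(("our password works after swap",      # 4. log on as admin
                   logon_ok(record, our_password)))
    record["lm"], record["nt"] = backup["lm"], backup["nt"]  # 5. restore byte for byte
    checks.append(("record matches backup",              # 6. admin is unaffected
                   (record["lm"], record["nt"]) == (backup["lm"], backup["nt"])))
    checks.append(("our password no longer works", not logon_ok(record, our_password)))
    return checks


if __name__ == "__main__":
    rec = make_record(500, "Adm1nSecret")  # constructed; "unknown" to the attacker
    for what, ok in swap_and_restore(rec, "Pentest1"):
        print(f"{'ok ' if ok else 'FAIL'} {what}")
```

The byte-for-byte comparison after the restore is the check worth keeping: if the tool that writes the SAM only sets the NT hash and leaves the LM field at the blank value, the admin can still log on, but the entry no longer matches what was there, which is exactly the kind of trace the thread is trying to avoid.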

