
Sunday, October 15, 2017

Pass The Hash (PTH) attack with pth-winexe



- Layout for this exercise:




1 - Introduction

- In cryptanalysis and computer security, Pass The Hash (PTH) is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash of a user's password, instead of requiring the associated plaintext password as is normally the case.

- After an attacker obtains a valid user name and the corresponding password hash, they can use that information to authenticate to a remote server or service using LM or NTLM authentication, without the need to brute-force the hash to obtain the cleartext password.

- The attack exploits an implementation weakness in the authentication protocol, where the password hash remains static from session to session until the password is next changed.

- This technique can be performed against any server or service accepting LM or NTLM authentication, whether it runs on a machine with Windows, Unix, or any other operating system.

https://en.wikipedia.org/wiki/Pass_the_hash


2 - UAC (User Account Control) remote restrictions and PTH attack

- However, UAC (User Account Control), implemented since Windows Vista, imposes severe restrictions on remote users, as explained in this Microsoft document:

https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows

" When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop ... When a user with a domain user account logs on to a Windows Vista computer remotely, and the user is a member of the Administrators group, the domain user will run with a full administrator access token on the remote computer and UAC is disabled for the user on the remote computer for that session. "

- For further details and information:

https://en.wikipedia.org/wiki/User_Account_Control
https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167


- So, if the targeted machine is XP there is no need to disable UAC in order to launch a successful PTH attack, while it is necessary for Windows Vista, W7, W8, W10 desktops and W2008 and W2012 servers.

- In this exercise a Windows 7 machine is used, so to disable UAC just follow these steps:

Start -> Control Panel -> User Accounts and Family Safety -> User Accounts -> User Account Control Settings -> Never notify -> OK




- Also, in case of exploiting with Metasploit, UAC can be disabled as explained in this exercise:


http://www.whitelist1.com/2016/06/metasploit-windows-7-bypassing-user.html
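
- A defender-side check for the settings discussed in this section, as an added example that is not part of the original exercise: it parses `reg query` output for the `Policies\System` key and reports the values that let a remote local-administrator logon receive a full token. The value names `LocalAccountTokenFilterPolicy` and `FilterAdministratorToken` do not appear in the exercise itself, the two sample outputs are constructed, and an absent value is assumed to behave like its default.

```python
import re

# Values live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# Assumption: an absent value behaves like the default listed here.
DEFAULTS = {"EnableLUA": 1, "LocalAccountTokenFilterPolicy": 0,
            "FilterAdministratorToken": 0}

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {value_name: int} for each REG_DWORD line of `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = DWORD_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values

def audit_remote_token_filtering(values):
    """Return (value_name, reason) pairs for settings that weaken UAC remote restrictions."""
    effective = {name: values.get(name, default) for name, default in DEFAULTS.items()}
    findings = []
    if effective["EnableLUA"] == 0:
        findings.append(("EnableLUA", "UAC is off: no token filtering for any administrator"))
    if effective["LocalAccountTokenFilterPolicy"] == 1:
        findings.append(("LocalAccountTokenFilterPolicy",
                         "remote logons by local administrators receive a full token"))
    if effective["FilterAdministratorToken"] == 0:
        findings.append(("FilterAdministratorToken",
                         "built-in Administrator (RID 500) is exempt from Admin Approval Mode"))
    return findings

# Constructed sample output of:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
LAB_HOST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x0
"""
HARDENED_HOST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    FilterAdministratorToken    REG_DWORD    0x1
    LocalAccountTokenFilterPolicy    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for name, sample in (("lab", LAB_HOST), ("hardened", HARDENED_HOST)):
        print(name, audit_remote_token_filtering(parse_reg_query(sample)))
```

An empty result means remote logons by local administrator accounts are token-filtered on that host, which is the condition the Microsoft document quoted above describes.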



3 - Passing the hash in Windows

- The command winexe needs the username and the cleartext password, which can be tedious or difficult to obtain in some cases, depending on the complexity of the password:

https://en.wikipedia.org/wiki/WinExe






- Running winexe for the user marie, the command prompts for her password in cleartext:




- In contrast, pth-winexe, a patched version of winexe, can be used to get a remote shell by providing just the username and the hash of the password (no cleartext password is needed):

https://www.kali.org/tutorials/pass-the-hash-toolkit-winexe-updates/


- The first step for using pth-winexe is to take a user's password hash and export it as the environment variable SMBHASH:






- Running pth-winexe launches a remote command line from the targeted Windows 7 machine: