A Windows 2000/NT/XP/Vista/7 system can be compromised with a technique called pass the Hash. For us to exploit this technique, we must know some basica.
In a Windows based authentication such as NTLM or Kerberos, the password is never sent as cleartext. Instead the password is transformed into a hash(LM or NTLM Hash) and then sent to the server. The server then compares this hash against the stored hash and grants/denies the access.
There are two types of hashes:
- LM hash, LanMan, or LAN Manager hash: It is the obsolete hashing algorithm. Refer to the link to see how it is computed.
- NTLMv2 Hash: This is latest hashing method used on Windows 7/Vists/2008 systems.
Whenever a domain user logs on to the client computer, the hash of its password is stored on the client so that user can be authenticated in future even if the domain controller is not available. There are two types of caching, which is mentioned here.
Now lets suppose, somebody has used your office laptop to log in and access some intranet based sites. Then that user’s password hash is stored in your system.
You can retrieve these hashes using a utility such as PSH Toolkit. It contains a utility whosthere which can dump the hashes.
Once you have grabbed the hash, you can anytime compromise the victim’s computer using metaspoilt’s psexec module, if you know the IP address, which is not difficult considering an intranet evnironment.
If you have trouble exploiting the target system, then it might be some security enabled your Administrator. For ex
- Simple file sharing is disabled (Windows XP)
- Windows UAC drops all the Administrator privileges from the SAT (Security Access Token) for REMOTE connections that are using LOCAL accounts. This restriction prevents all remote administrative functions such as connecting to administrative shares (C$, etc) installing services or launching a new process (psexec)
- “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters” on the target systems and setting the value of “RequireSecuritySignature” to “0”.