There's a rumor going around the Internet, present in several wanna-be hacking articles that PsExec (the Sysinternals tool to run processes remotely) can use an NTLM hash to authenticate to the remote computer. This is not true of the standalone tool, but the PsExec module in Metasploit can (just set SMBPass to the hash).
If you want to pass-the-hash without Metasploit, you'll need to add WCE (Windows Credentials Editor) to your toolbox. You can then use that to set your session's credentials to those of a matching account on the target computer. Once that is done, PsExec without any authentication parameters will present those credentials to the target.
Unfortunately, that doesn't matter at all, thanks to a part of UAC. Unless the account is a domain account, in which case you probably wouldn't use an NTLM hash, users logging on remotely cannot use any administrative privileges they may have. It's like they're permanently trapped in UAC isolation. This can be disabled without affecting normal UAC, but only after changing an admin-only registry setting on the target computer, which hamstrings the entire attack.
Good job, Microsoft!
No comments:
Post a Comment