Re: Pass the hash query
From: Jose Selvi <jselvi () pentester es>
Date: Fri, 20 May 2011 12:39:47 +0200
If you use the pass-the-hash technique to access a folder, then the
user rights would be Administrator.
When using psexec, it works in a different way. Psexec uses your
Administrator privileges for installing a new service, and this service
executes your payload. Since this service runs as SYSTEM, your payload
runs as SYSTEM also. When the payload is executed, psexec uninstalls this
You need to be Administrator to create this new service, but this
service runs as SYSTEM; this is the trick.
I hope it helps.
On 20/05/11 12:19, TAS wrote:
I am trying a pass-the-hash attack. On a Windows 2003 system, I used the
ms08_067 exploit and got the meterpreter shell. My privilege is of nt
authority\system. I then run a hashdump and collect the hash for the
I provide the same hash to windows/smb/psexec and run it on the same
Windows 2003 box. I get a meterpreter and running getuid gives me
privilege as nt authority\system. Why not Administrator?
Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN
SANS Mentor in Madrid (Spain). September 23 - November 25
SEC560: Network Penetration Testing and Ethical Hacking
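
The behaviour described in the reply (an Administrator logon creates a service, and the service runs as SYSTEM) leaves a pair of log events a defender can correlate. The following is an added example, not part of the original thread or of any tool named in it; it assumes a host that records Security event 4624 and System event 7045, and the field names, hosts, addresses and the 30-second window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; simplified stand-ins for 4624 (logon) and
# 7045 (service installed) event data. Not taken from the thread.
EVENTS = [
    {"time": "2011-05-20 10:00:01", "id": 4624, "host": "SRV01",
     "user": "Administrator", "logon_type": 3, "auth": "NTLM", "src": "10.0.0.50"},
    {"time": "2011-05-20 10:00:03", "id": 7045, "host": "SRV01",
     "service": "qWzXcvbn", "account": "LocalSystem"},
    {"time": "2011-05-20 11:30:00", "id": 7045, "host": "SRV01",
     "service": "BackupAgent", "account": "LocalSystem"},
    {"time": "2011-05-20 12:00:00", "id": 4624, "host": "SRV02",
     "user": "jdoe", "logon_type": 3, "auth": "Kerberos", "src": "10.0.0.51"},
    {"time": "2011-05-20 12:00:02", "id": 7045, "host": "SRV02",
     "service": "svcX", "account": "NT AUTHORITY\\NetworkService"},
]

WINDOW = timedelta(seconds=30)  # assumed correlation window
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_remote_service_installs(events, window=WINDOW):
    """Pair each SYSTEM service install with an NTLM network logon
    (logon type 3) seen on the same host shortly before it."""
    findings = []
    logons = {}  # host -> [(time, user, source address)]
    for ev in sorted(events, key=lambda e: parse(e["time"])):
        t = parse(ev["time"])
        if ev["id"] == 4624 and ev["logon_type"] == 3 and ev["auth"] == "NTLM":
            logons.setdefault(ev["host"], []).append((t, ev["user"], ev["src"]))
        elif ev["id"] == 7045 and ev["account"].lower() in SYSTEM_ACCOUNTS:
            for lt, user, src in logons.get(ev["host"], []):
                if timedelta(0) <= t - lt <= window:
                    findings.append({"host": ev["host"], "service": ev["service"],
                                     "runs_as": ev["account"],
                                     "logon_user": user, "source": src})
    return findings

if __name__ == "__main__":
    for finding in find_remote_service_installs(EVENTS):
        print(finding)
```

The finding shows both identities at once: the account that authenticated over the network and the SYSTEM context the new service runs in, which is why getuid in the question reports nt authority\system.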