Thanks to Hernan for responding to my other post about msvctl (no thanks to the msvctl author for not responding to my email) and getting me motivated to check out his pass-the-hash toolkit v1.3.
I'm going to consider this post half finished because I don't think iam.exe and iam-alt.exe are working properly for me yet. Hopefully Hernan will respond to this post or the comments I made on his blog and get me fixed up.
OK, so on with it. The scenario goes that you have a local admin account on a box, which is easy to get from a remote exploit, but no domain user permissions. From a data mining perspective, or for further enumeration, even domain user permissions are nice. At a minimum I can browse public shares in the domain for info.
OK, first step: I have already created my local admin account on the box, and I've uploaded my tools: whosthere-alt.exe and its DLL, and iam-alt.exe and its DLL.
Let's log in via psexec and run whosthere-alt.exe.
We can see that we have logged in via our test account, and there is a vmware user account that probably doesn't have any permissions. whosthere-alt.exe has a cool feature: it will listen indefinitely and log to a file, so you can start the process and wait for someone, hopefully with domain admin, to log into the box, and it will capture those hashes for you.
Let's check out the help options for whosthere-alt.exe and iam-alt.exe, and use whosthere-alt.exe to capture logins for us.
As you can see in the image above, whoami says I am test/segfault, and we start running whosthere-alt in logging mode (-i -o bigfun.txt). Then, in the 2nd shell, we check our bigfun.txt to see if anyone new has logged in, and a user "root" has logged in.
From there we use iam-alt.exe to become user root. It appears from the output that it's working, but I couldn't confirm that it was working: whoami.exe still said I was test, and starting any processes resulted in them still being owned by test :-(
iam.exe/iam-alt.exe not working is not the end of the world though (in fact I'm sure it's user error). If the account you gathered through whosthere.exe is admin+, you can still use the psexec module in Metasploit to pass the hash as well and get yourself a shell.