Live-Fire Security Testing with Armitage and Metasploit
After post-exploitation, you'll want to compromise more hosts. Pass the hash is a technique for further compromising a Windows network.
Windows hosts do not pass your network credentials in the clear. Rather, they use a challenge-response scheme to generate a hash. Windows uses this hash to authenticate you on the Active Directory domain. Windows hosts cache and re-use hashes to authenticate to other hosts on the network. This saves you the trouble of retyping your password when you access a file share. Attackers use stolen hashes to get access to other hosts on your active directory domain.
Dumping cached hashes requires local administrator access. Use Meterpreter→Access→Escalate Privileges to try several local exploits to increase your privileges. Go to Meterpreter→Access→Dump Hashes to steal the local cached credentials.
Now you need targets. Use the auxiliary/windows/smb/smb_version module to find other Windows hosts on the Active Directory domain.
Go to Attacks→Find Attacks to generate an Attack menu for each host. Highlight several Windows hosts, right-click, and use Attacks→smb→pass the hash. Armitage lets you choose which set of credentials to try. Pick a pair and click Launch. You've passed the hash. Each successful login will give you a Meterpreter session.
Patches exist for Metasploit's Windows privilege escalation exploits. Attackers who compromise a patched system don't have to stop though. They may scan for an unpatched host, exploit it and then carry out these steps.
Earlier, I defined a penetration test as a way to learn how attackers may get access to key systems and files. I suspect you did not find a working exploit for your key servers. Before you conclude your network penetration test, I'd like you to think like an attacker for a moment.
Attackers will use social engineering and client-side attacks to get a foothold. Attackers then will try to exploit a workstation to collect hashes. Using pass-the-hash, your patched Windows systems are no longer safe. What happens if attackers access your workstation, install a key logger and download your SSH keys? One vulnerable host can lead to a total compromise of your otherwise secure assets.
In this article, I've shown you the techniques attackers use against your network. You learned how to scan your network, exploit hosts and carry out post-exploitation actions. You also learned how to maneuver deeper into your network using the pass-the-hash technique. The next step is to apply what you have learned.
I recommend that you download the Metasploitable virtual machine. Metasploitable has many services you can exploit for shell access and information. Attack Metasploitable to become familiar with Armitage and Metasploit before you start your first penetration test.
BackTrack Linux: www.backtrack-linux.org
Documentation for Armitage: www.fastandeasyhacking.com
Metasploitable Virtual Machine: blog.metasploit.com/2010/05/introducing-metasploitable.html
Raphael Mudge is the developer of Armitage. He lives in Washington, DC. Contact him at www.hick.org/~raffi.
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
- Using Salt Stack and Vagrant for Drupal Development
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- New Products
- New Products
- The Pari Package On Linux
- Dart: a New Web Programming Experience
- This is the easiest tutorial
3 hours 2 min ago
- Ahh, the Koolaid.
8 hours 40 min ago
- git-annex assistant
14 hours 40 min ago
- direct cable connection
15 hours 2 min ago
- Agreed on AirDroid. With my
15 hours 13 min ago
- I just learned this
15 hours 17 min ago
15 hours 47 min ago
- not living upto the mobile revolution
18 hours 38 min ago
- Deceptive Advertising and
19 hours 14 min ago
- Let\'s declare that you have
19 hours 15 min ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.