Passing the Hash

by JoMo-kun 09/24/2003



[Update: 09/03/2009]
The following patch merges my two primary Samba modifications: client hash passing and nmb auto-response with hash response logging. I should note that the "add user" patch does not appear to be necessary anymore with 3.3.7.

SAMBA 3.3.7 (HASH PASS/FIXED CHALLENGE/AUTO RESPONSE)


[Update: 03/19/2007]
The following patches resolve issues with "net rpc user ADD". The hash pass patch should also now work with hosts requiring NTLM signing.

Example usage:
export SMBHASH="92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"
net user ADD someuser somepass -I 192.168.0.80 -U administrator
net rpc group ADDMEM administrators someuser -I 192.168.0.80 -U administrator

SAMBA 3.0.22 (HASH PASS)
SAMBA 3.0.22 (ADD USER FIX)
SAMBA 3.0.24 (ADD USER FIX)

The mighty pmonkey recently pointed out the slick tool winexe to me. It's basically the Linux equivalent of psexec and can be found here. The code compiles against Samba 4, so I've updated my pass-the-hash patch to support it.

SAMBA 4 [SVN:17234] (HASH PASS)

Additionally, if you trust me and want a pre-compiled version:
winexe with hash passing



Some quick notes about "Passing the LM/NTLM Hash"...

During the course of performing internal audits (yes, all legal), I've collected a significant number of sam._ and pwdump files. Hell, it's hard not to get them with all the fun toys available to us script kiddies these days. Unfortunately, L0pht is still painfully slow to crack the accounts I'd like, and some other tools are not publicly available. Also, it seems that the machines I pull the password hashes from are never the hosts I really want to have access to. Luckily for us, people seem to like to use the same password everywhere. This is where "Passing the Hash" becomes useful.

"Passing the Hash" style attacks seem to have been talked about forever. Google for it, if you haven't heard of it. During my research on this subject, I stumbled on a public tool which looked to be just what I wanted. Unfortunately, I'm too dumb to actually get the thing to work correctly. There's also been talk of adding a little feature to SAMBA to perform the attack. Of course, the only implementation of this I could locate was from 1997. That really did not do me a whole lot of good since SAMBA wasn't used for much more than file and print sharing at that time.

After a little bit of research, I found that a lot has changed regarding SAMBA since 1997. The new 'net' command in version 3 can (or looks like it will eventually) do some fairly cool things. Below are several patches against SAMBA and SAMBA-TNG to implement LM, NTLM and NTLMv2 hash passing. Here's how to have fun with them:

Mounting shares is great and all, but wouldn't it be really nice to have an administrative-level account to which you know the password? SAMBA 3.0.0 has the 'net' command, which looks like it should be able to create remote accounts with something like: 'net rpc user ADD foo -S server -U user'. This creates the account, but the account is annoyingly locked. There appear to be some incorrect account masks and other bugs in the SAMBA code that still need a bit of work. Instead of directly creating an account, here's a fun little exercise:


CODE:
SAMBA 3.0.3
SAMBA Client 3.0.3 FC2 RPM
SAMBA 3.0.0
SAMBA TNG 4.0
SAMBA TNG 0.3.2


Enjoy,
-j