Wednesday, August 15, 2007

Release of Pass-The-Hash Toolkit v1.0 for Windows

Ok, so today I'm releasing a tool whose origins go back to 2000, but here it is now, I hope you find it useful, interesting or at least amusing :), any feedback is welcome!!.

I'm releasing Pass-The-Hash Toolkit v1.0, you can find it here:

source code:


For those of you that do not want to read the detailed description :),
in a nutshell, it is pass-the-hash for windows (iam.exe), for example:

iam.exe administrator mydomain 0102030405060708090A0B0C0D0E0F10

After running the program, outbound network connections that use NTLM
authentication will use the new credentials. And a tool
(whosthere.exe) to list currently logged on users and their NTLM
credentials by reading LSASS.EXE's internal structures (see the 'long
description' for use cases).

And now the long description:

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows
Logon Sessions mantained by the LSA (Local Security Authority)
component. These tools allow you to list the current logon sessions
with its corresponding NTLM credentials (e.g.: users remotely logged
in thru Remote Desktop/Terminal Services), and also change in runtime
the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH
on Windows!).

Utilities in the toolkit:

* IAM.EXE: Pass-The-Hash for Windows. This tool allows you to
change your current NTLM credentials withouth having the cleartext
password but the hashes of the password. The program receives a
username, domain name and the LM and NT hashes of the password; using
this it will change in memory the NTLM credentials associated with the
current windows logon session. After the program performs this
operation, all outbound network connections to services that use for
authentication the NTLM credentials of the currently logged on user
will utilize the credentials modified by IAM.EXE. This includes 'net
use', 'net view', many third-party DCOM services that use NTLM
authentication, etc. This is basically 'pass-the-hash' for windows;
one of the main advantages is that you don't need to use a modified
version of samba or samba-tng and be restricted to the limited
functionality they implement, you can now use windows and any
third-party software with stolen hashes withouth having to obtain the
cleartext version of a password. For more information take a look at
this paper I wrote back in 2000 Modifying Windows NT Logon Credentials

* WHOSTHERE.EXE: This tool will list the current logon sessions
with NTLM credentials (username,domain name, LM and NT hashes). Logon
sessions are created by windows services that log in using specific
users, remote desktop connections, etc. This tool has many uses, one
that i think is interesting: Let's say you compromised a Windows
Server that is part of a Windows Domain (e.g.: Backup server) but is
NOT the domain controller. Since it is not the domain controller, you
only have access to the local SAM and although you did effectively
comprise a sensitive server you did not compromise the domain.
However, it is very common in such situations to find that
administrators are using Remote Desktop to connect to the compromised
server to perform different tasks. So this is your chance, just wait
for the administrator to log into the compromised server using remote
desktop, at that point, run 'WHOSTHERE.EXE' and you will observe the
administrators username,domain name, and NTLM hashes. Now go to your
machine, use them with IAM.EXE and compromise the domain controller
using the administrator's credentials.

* GENHASH.EXE: This is a small utility that generates LM and NT
hashes using some 'undocumented' functions of the Windows API. This is
a small tool to aid testing of IAM.EXE.

No comments: