Recently I took part in an internal penetration test in which a directory traversal vulnerability was found in a management application hosted on a Windows 2003 server. It quickly became apparent that the application was installed on the system drive, from where it was possible to locate the backup SAM and SYSTEM files in C:\Windows\repair. The files were downloaded and imported into Ophcrack, which showed that only the NT hash was present, so Ophcrack was left to work away for a few hours in the background, but without many expectations. The next step was to use Keimpx to send the hash around the network in an attempt to locate other systems using common local administrator credentials; unfortunately, no matches were found. Finally the hash was imported into PSEXEC in Metasploit, but after numerous attempts to exploit the system it soon became clear that the antivirus was performing well and blocking all attempts, even when testing with several different payloads. After a little experimenting I remembered that WCE has the option to change the NTLM credentials of the current session, so essentially a user can run commands/programs in the context of another user if we have that user's hash.
The following is an example of this command usage:
wce -s username:system_name/domain:LMHASH:NTHASH -c command_to_run
We ran the above command on our local system and chose to load an MMC console, from which the Services snap-in was connected to the remote system. It was then possible to stop the antivirus and continue to run PSEXEC to compromise the system as previously intended. Luckily for us, this entry point ultimately led to the compromise of the entire Windows domain.
Another point goes to WCE.
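Two things in the chain above leave footprints a defender can look for: the antivirus service being stopped (whether through the remote Services snap-in or a plain net stop, as the comments below suggest), and the hash being replayed as an NTLM network logon with a local administrator account. The following is an added example, not code from the original post or from the WCE project. It runs two checks over constructed Windows event records: Service Control Manager event 7036 reporting that a watched antimalware service "entered the stopped state", and Security event 4624 with logon type 3, NTLM authentication, key length 0 and a local (non-domain) target account, which is a widely used pass-the-hash heuristic. The host names, IP addresses and the second service name in the watch list are assumptions; only "Microsoft Antimalware Service" is named on the page.

```python
"""Detection helpers for two artifacts of the attack chain described in the post.

All event records in SAMPLE_EVENTS are constructed sample data, not real logs.
"""
import re
from dataclasses import dataclass, field

@dataclass
class Event:
    event_id: int          # Windows event ID (7036 = SCM state change, 4624 = logon)
    source: str            # event provider / log source
    computer: str          # host that recorded the event
    message: str = ""      # free-text message (used for 7036)
    data: dict = field(default_factory=dict)  # EventData fields (used for 4624)

# Display names of antimalware services to watch. The first one is from the page;
# the second is an assumed example of another common AV service name.
WATCHED_SERVICES = {"Microsoft Antimalware Service", "Windows Defender Antivirus Service"}

# 7036 message format: "The <service> service entered the <state> state."
STATE_RE = re.compile(r"^The (?P<svc>.+) service entered the (?P<state>\w+) state\.?$")

def find_av_service_stops(events, watched=WATCHED_SERVICES):
    """Return (computer, service) for each watched service that was stopped."""
    hits = []
    for ev in events:
        if ev.event_id != 7036 or ev.source != "Service Control Manager":
            continue
        m = STATE_RE.match(ev.message)
        if m and m["state"] == "stopped" and m["svc"] in watched:
            hits.append((ev.computer, m["svc"]))
    return hits

def find_pth_candidates(events):
    """Return (computer, user, source_ip) for NTLM network logons that fit the
    pass-the-hash heuristic: 4624, LogonType 3, NTLM, KeyLength 0, local account.
    Legitimate NTLM logons with local accounts also match, so treat hits as
    leads to triage (source host, time of day, account) rather than verdicts."""
    hits = []
    for ev in events:
        if ev.event_id != 4624:
            continue
        d = ev.data
        if d.get("LogonType") != 3:
            continue
        if d.get("AuthenticationPackageName") != "NTLM":
            continue
        if d.get("KeyLength", 0) != 0:
            continue
        user = d.get("TargetUserName", "")
        if user.upper() == "ANONYMOUS LOGON":
            continue
        # A local account authenticates against the target machine's own name,
        # whereas a domain account carries the AD domain in TargetDomainName.
        if d.get("TargetDomainName", "").upper() != ev.computer.upper():
            continue
        hits.append((ev.computer, user, d.get("IpAddress")))
    return hits

# Constructed sample events: one normal service start, one AV service stop,
# one Kerberos domain logon, one NTLM local-admin network logon, one anonymous logon.
SAMPLE_EVENTS = [
    Event(7036, "Service Control Manager", "FILESRV01",
          "The Print Spooler service entered the running state."),
    Event(7036, "Service Control Manager", "FILESRV01",
          "The Microsoft Antimalware Service service entered the stopped state."),
    Event(4624, "Microsoft-Windows-Security-Auditing", "FILESRV01", data={
        "LogonType": 3, "AuthenticationPackageName": "Kerberos", "KeyLength": 0,
        "TargetUserName": "jsmith", "TargetDomainName": "CORP", "IpAddress": "10.0.0.9"}),
    Event(4624, "Microsoft-Windows-Security-Auditing", "FILESRV01", data={
        "LogonType": 3, "AuthenticationPackageName": "NTLM", "KeyLength": 0,
        "TargetUserName": "Administrator", "TargetDomainName": "FILESRV01",
        "IpAddress": "10.0.0.5"}),
    Event(4624, "Microsoft-Windows-Security-Auditing", "FILESRV01", data={
        "LogonType": 3, "AuthenticationPackageName": "NTLM", "KeyLength": 0,
        "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
        "IpAddress": "10.0.0.5"}),
]

def report(events):
    """Combine both checks into a list of human-readable findings."""
    lines = [f"AV service stopped on {host}: {svc}"
             for host, svc in find_av_service_stops(events)]
    lines += [f"NTLM local-account network logon on {host}: {user} from {ip}"
              for host, user, ip in find_pth_candidates(events)]
    return lines

if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

Correlating the two findings is the useful part: an NTLM local-admin network logon from a workstation followed shortly by the antimalware service on the same host entering the stopped state is the exact sequence the post describes, and it does not depend on the AV recognising any particular payload.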




yes WCE is great. You could have run -c "psexec.exe \\x.x.x.x cmd.exe" and would have had a shell on the remote system.
or just cmd.exe then done
net start to list the services and find the AV, i.e. Microsoft Security Essentials.
net start
net stop “Microsoft Antimalware Service”
then your meterpreter shell would then work.
If your hashes had matched you could have searched for domain tokens using WCE also.
do the normal -s cmd.exe, then use the Incognito binary from your WCE prompt: "find_token.exe -f ips.txt". This will use your impersonated creds and search all systems for domain tokens to impersonate and get you domain admin. Handy if you find a common local admin hash you can't crack and have 2,000 hosts matched with Keimpx. Rather than manually psexec to each, use the find_token and WCE combo.
so what you're saying is that basically in this case wce works kind of like an ssh client, right? and it's not detected by the AV...