Rebootuser | Tag Archives: wce

Tag Archives: wce

Remotely Dump SAM/SYSTEM Files & Avoid A/V

Posted on by

This command came in very handy on a recent pentest. Essentially this allows us to dump out the SAM and SYSTEM files on a compromised host, whilst also helping avoid A/V. It should be noted that this is a post exploitation task and assumes you have SYSTEM access to the host/or are using a privileged hash to authenticate from a remote system.

If you wish to perform this attack remotely you’ll need the relevant hash and wce to perform the following command:

wce.exe -s administrator:500:LMHASH:NTHASH -c cmd.exe

Then in the spawned window you can use the following:

PsExec.exe \%VICTIM_IP% reg save hklmsystem %LOCATION% & PsExec.exe \%VICTIM_IP% reg save hklmsam %LOCATION%

If you have local access you can obviously drop the wce and psexec sections.

If you have any issues accessing ADMIN$ etc you can always use the reg hack as described in a previous post.

Enjoy!

Windows 7, Administrative Shares and Metasploit PSExec Working in Harmony

Posted on by

I was using Metasploit on an internal test (it’s been a while as I meant to write this up some time ago) and I came across the following issue when attempting to gain access to a Windows 7 system via a remote PSExec/Meterpreter session with the compromised local administrator account hash; ‘The server responded with error: STATUS_ACCESS_DENIED (Command=117)‘.

It dawned on me that the newer versions of Windows (7 and 2008) don’t allow remote access to administrative shares such as ADMIN$, C$ etc from untrusted systems. I searched a little and found the following. This should be added to the victims registry:

  1. HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem
  2. Add a new DWORD (32-bit) key named ‘ LocalAccountTokenFilterPolicy’ and set the value to 1

If you don’t have access to an interactive session on the victim system, it’s possible to open a remote registry editor console using wce (Windows Credential Editor) with the following command:

wce.exe -s %local_admin_user_hash% -c cmd.exe

Essentially this command opens a cmd.exe window that’s running under the context of the chosen hash. Further, if you enter regedt32 in the spawned command window and change the target of the registry editor to the remote host, this will also authenticate on the host as the user from which cmd.exe was initially launched.

If the registry editor for the remote system is unavailable (i.e. the Remote Registry service is not running) a similar exploit can be run using wce to open an mmc. From here the computer management snap-in can be added for the remote system, again running under the context of the compromised account. The service can then be started on the remote host and you can continue to add the registry key.

After the registry settings have been added you’ll need to change the password of the user account you’re using to authenticate. Alternatively, create another local admin user via the remote computer management mmc on the remote host. Articles I’ve seen have also stated that once the changes have been made the system should be restarted. I haven’t had this issue to date and changes seem to be applied immediately.

It’s also worth noting that if you’ve previously authenticated to the system via SMB you’ll need to flush the current sessions by issuing the command net use /delete *

PSExec should then execute as planned.

Why would you want to do all of this if you already have the local administrator hash? For a number of reasons:

  • AV on the system kills/deletes any malicious process/binary from spawning. Therefore wce can be used to open a remote computer management mmc in the context of the compromised account in order to disable the offending service (if the AV policies allow).
  • A Meterpreter extension such as incognito (usually the reason for me) may be required so you can impersonate a user that is logged onto the system. Hence the admin shares will need to be accessible for Meterpreter to successfully spawn.
  • You may want to access the administrative shares to upload/download files.
  • Access to services, such as RDP or remote management facilities, may be blocked and hence attacks need to be performed over SMB.

 

Windows Credentials Editor v1.2 – Pass the hash

Posted on by

I’m loving WCE (Windows Credentials Editor) v1.2! Download available here

On the most basic level this allows you to view logon sessions and change the associated credentials, which in turn can be used to perform pass the hash. I’ve just tested this technique between my fully patched Windows 7 SP1 laptop and an ESXi hosted VM with no issues – I state this as I’ve found Core Security Technologies’ pass the hash toolkit v1.4 isn’t too happy with the later Microsoft OS’s.

Overview of the Available Switches:

-l List logon sessions and NTLM credentials (default).

-s Changes NTLM credentials of current logon session.
Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.

-r Lists logon sessions and NTLM credentials indefinitely. Refreshes every 5 seconds if new sessions are found.
Optional: -r<refresh interval>.

-c Run in a new session with the specified NTLM credentials.
Parameters: <cmd>.

-e Lists logon sessions NTLM credentials indefinitely. Refreshes every time a logon event occurs.

-o saves all output to a file.
Parameters: <filename>.

-i Specify LUID instead of use current logon session.
Parameters: <luid>.

-d Delete NTLM credentials from logon session.
Parameters: <luid>.

-v verbose output.