export SMBHASH="92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"
net user ADD someuser somepass -I 192.168.0.80 -U administrator
net rpc group ADDMEM administrators someuser -I 192.168.0.80 -U administrator
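The three commands above reuse a captured LM:NT hash pair as a credential, create a remote account, and add it to the local administrators group. The following Python is an added example, not part of the original write-up or of the Samba patches it describes: it correlates Windows Security log events on the target host to flag exactly that sequence. Event IDs 4624 (logon), 4720 (user account created) and 4732 (member added to a local security-enabled group) and the field names are the standard Security log ones, but the event records, timestamps, logon ids and addresses are constructed samples and the field set is simplified.

```python
"""Correlate Security log events into the chain a remote account-creation
run produces: an NTLM network logon, then a user account created under that
logon session, then that account added to a privileged local group.
The sample events below are constructed, not real telemetry."""
from datetime import datetime, timedelta

LOGON = 4624                      # An account was successfully logged on
USER_CREATED = 4720               # A user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732   # A member was added to a security-enabled local group
PRIVILEGED_GROUPS = {"administrators"}
WINDOW = timedelta(minutes=10)    # how long after the logon we keep correlating

# Constructed sample events with a simplified field set (assumption: the
# collector exposes EventData fields by their standard names).
SAMPLE_EVENTS = [
    # 1) network logon (type 3) authenticated with NTLM from another host
    {"time": "2004-06-01T10:00:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator",
     "TargetLogonId": "0x3e7a1", "IpAddress": "192.168.0.77"},
    # 2) account created by that logon session
    {"time": "2004-06-01T10:00:05", "id": 4720, "SubjectLogonId": "0x3e7a1",
     "TargetUserName": "someuser"},
    # 3) the new account added to Administrators by the same session
    {"time": "2004-06-01T10:00:09", "id": 4732, "SubjectLogonId": "0x3e7a1",
     "TargetUserName": "Administrators", "MemberName": "someuser"},
    # A benign console logon that also creates an account: must not fire.
    {"time": "2004-06-01T11:00:00", "id": 4624, "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "helpdesk",
     "TargetLogonId": "0x4f001", "IpAddress": "-"},
    {"time": "2004-06-01T11:00:30", "id": 4720, "SubjectLogonId": "0x4f001",
     "TargetUserName": "newhire"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_ntlm_network_logon(event):
    """True for a 4624 with LogonType 3 and the NTLM authentication package."""
    return (event["id"] == LOGON
            and event.get("LogonType") == 3
            and str(event.get("AuthenticationPackageName", "")).upper() == "NTLM")


def find_remote_admin_chains(events):
    """Return one finding per NTLM network logon session that creates an
    account and then grants it privileged local group membership within WINDOW."""
    events = sorted(events, key=_ts)
    sessions = {e["TargetLogonId"]: e for e in events if is_ntlm_network_logon(e)}
    findings = []
    for logon_id, logon in sessions.items():
        deadline = _ts(logon) + WINDOW
        created = set()   # accounts this session created so far
        for e in events:
            # only actions performed by this session, inside the window
            if e.get("SubjectLogonId") != logon_id or _ts(e) > deadline:
                continue
            if e["id"] == USER_CREATED:
                created.add(e["TargetUserName"].lower())
            elif (e["id"] == LOCAL_GROUP_MEMBER_ADDED
                  and e["TargetUserName"].lower() in PRIVILEGED_GROUPS
                  and e["MemberName"].lower() in created):
                findings.append({
                    "logon_id": logon_id,
                    "source_ip": logon.get("IpAddress"),
                    "subject": logon["TargetUserName"],
                    "account": e["MemberName"],
                    "group": e["TargetUserName"],
                    "when": e["time"],
                })
    return findings


if __name__ == "__main__":
    for f in find_remote_admin_chains(SAMPLE_EVENTS):
        print(f"{f['when']} {f['source_ip']} as {f['subject']}: created "
              f"{f['account']} and added it to {f['group']} (session {f['logon_id']})")
```

NTLM network logons are routine on most networks, so the logon on its own is noise; the signal comes from tying it to the account creation and group change through the logon id. The correlation does not depend on the hash itself, which is the point: a hash used this way is a valid credential, so the host sees a normal authentication and only the follow-on actions distinguish it.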
During the course of performing internal audits (yes, all legal), I've collected a significant number of sam._ and pwdump files. Hell, it's hard not to get them with all the fun toys available to us script kiddies these days. Unfortunately, L0pht is still painfully slow to crack the accounts I'd like, and some other tools are not publicly available. Also, it seems that the machines I pull the password hashes from are never the hosts I really want to have access to. Luckily for us, people seem to like to use the same password everywhere. This is where "Passing the Hash" becomes useful.
"Passing the Hash" style attacks seem to have been talked about forever. Google for it, if you haven't heard of it. During my research on this subject, I stumbled on a public tool which looked to be just what I wanted. Unfortunately, I'm too dumb to actually get the thing to work correctly. There's also been talk of adding a little feature to SAMBA to perform the attack. Of course, the only implementation of this I could locate was from 1997. That really did not do me a whole lot of good since SAMBA wasn't used for much more than file and print sharing at that time.
After a little bit of research, I found that a lot has changed regarding SAMBA since 1997. The new 'net' command in version 3 can (or looks like it will eventually) do some fairly cool things. Below are several patches against SAMBA and SAMBA-TNG to implement LM, NTLM and NTLMv2 hash passing. Here's how to have fun with them:
Mounting shares is great and all, but wouldn't it be really nice to have an administrative level account to which you know the password? SAMBA 3.0.0 has the 'net' command, which looks like it should be able to create remote accounts with something like: 'net rpc user ADD foo -S server -U user'. This creates the account, but the account is annoyingly locked. There appear to be some incorrect account masks and other bugs in the SAMBA code that still need a bit of work. Instead of directly creating an account, here's a fun little exercise: