What is smbexec?

The quick description is that smbexec is a tool that focuses on using native Windows functions and features for post-exploitation and for expanding access on a network after you gain some credentials, whether that is a hash or a password for a local or domain account.

What can you do with an NTLM hash?

NTLMv1/v2 are challenge-response protocols used for authentication in Windows environments. Both use the NT hash in their algorithm, which means a captured challenge-response can be used to recover the password through brute-force or dictionary attacks. They can also be used in a relay attack; see byt3bl33d3r’s article [1].

Why are NTLM hashes important?

This was just a quick post showing that an NTLM hash is pretty much as good as a password when it comes to security tools. If you compromise a hash, all the same tools and techniques remain valid, and you can authenticate as that user to browse file shares and execute commands.

What is the pass the hash attack?

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

What is crack map exec?

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.

What is Psexec PY?

The psexec.py script is one of many examples of the very useful penetration-testing scripts distributed with the Impacket Python module available from Core Labs. After downloading and installing Impacket, running the Python version of psexec is fairly intuitive.

Why is NTLM bad?

NTLM relay: the most critical issue with NTLM is that it does not commonly provide mutual authentication. While this is an issue by itself, it leads to the more severe problem of NTLM being susceptible to replay and man-in-the-middle attacks. This can happen whenever a user authenticates to a server via NTLM.

Can you pass the hash with NTLMv2?

Net-NTLMv2 cannot be used for a pass-the-hash attack, or for offline relay attacks, due to the security improvements made. It can still be relayed or cracked; the process is slower but still applicable.

How long is an NTLM hash?

16 bytes. Both the LM hash and the NT hash are 16 bytes (128 bits) each. The NTLM protocol also uses one of two one-way functions, depending on the NTLM version: NT LanMan and NTLM version 1 use the DES-based LanMan one-way function (LMOWF), while NTLMv2 uses the NT MD4-based one-way function (NTOWF).

Why crack when you can pass the hash?

A weakness exists in the design of Windows’ unsalted password-hashing mechanism. The static nature of this password hash provides the means for someone to masquerade as another user if the victim’s hash can be obtained.
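As an added worked example (not part of the original post), the following Python code computes the NT one-way function (NTOWF) described in the previous two answers: the password is UTF-16LE encoded and passed through MD4, giving the 16-byte (128-bit) NT hash. MD4 is implemented here from RFC 1320 rather than via hashlib, because OpenSSL 3 builds of Python frequently disable MD4. No salt, user name or iteration count enters the computation, so two accounts with the same password always have the same hash, which is exactly the "static" property the paragraph above calls a design weakness. The test vectors in the comments are the published MD4 and NT-hash values.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(message: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python, no hashlib dependency)."""
    bit_len = len(message) * 8
    # Padding: one 0x80 byte, zeros up to 56 mod 64, then the original
    # message length in bits as a little-endian 64-bit integer.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Per round: auxiliary function, message-word order, shift table, additive constant.
    rounds = [
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    ]

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = A, B, C, D
        for func, order, shifts, const in rounds:
            for i in range(16):
                a = _rotl((a + func(b, c, d) + X[order[i]] + const) & MASK, shifts[i % 4])
                # Rotate register roles so successive steps update a, d, c, b in turn.
                a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NTOWF: MD4 over the UTF-16LE encoding of the password. No salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def same_hash(password_a: str, password_b: str) -> bool:
    """True when two passwords yield identical NT hashes. Because nothing
    per-user enters the computation, equal passwords always collide."""
    return nt_hash(password_a) == nt_hash(password_b)


if __name__ == "__main__":
    # Known values: md4(b"") = 31d6cfe0d16ae931b73c59d7e0c089c0,
    # NT hash of "password" = 8846f7eaee8fb117ad06bdd830b7586c.
    for pw in ("", "password"):
        digest = nt_hash(pw)
        print(f"{pw!r:12} -> {digest.hex()}  ({len(digest)} bytes)")
```

The output of nt_hash() is the value that both NTLMv1 and NTLMv2 key their challenge-response computations from, which is why the text treats a captured NT hash as equivalent to the password: the protocol never needs the cleartext, only this 16-byte digest.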

What’s the difference between pass the hash and pass the ticket?

One primary difference between pass-the-hash and pass-the-ticket is that Kerberos TGT tickets expire (10 hours by default), whereas NTLM hashes only change when the user changes their password. So a TGT must be used within its lifetime, or it can be renewed for a longer period of time (7 days).

What is CME SMB?

CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.

What does smbexec do for remote shell commands?

It allows execution of remote shell commands directly, with a full interactive console.

Separately, easy-creds is a bash script that leverages ettercap and other tools to obtain credentials. It allows you to easily attack with basic ARP poisoning, one-way ARP poisoning, DHCP spoofing or a fake AP.

How does SMB work with PSExec and SMB?

With SMB, psexec transfers a small binary to the target system, placing it in the C:\Windows directory. The next point is that psexec creates a Windows service, using the copied binary, and then launches the service, under the surprisingly shocking name of PSEXECSVC.
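The two artifacts the paragraph above describes (a binary dropped into C:\Windows and a new service created from it) are exactly what a defender can look for. The following is an added detection example, not code from the original page or from any PsExec or smbexec project: it runs two checks over constructed sample records modelled on Windows System log Event ID 7045 ("a service was installed in the system"). The field names and host names are made up for the example. The service-name pattern matches PSEXECSVC as written in the text and also PSEXESVC, the name Sysinternals PsExec actually registers.

```python
import re
from typing import Dict, List

# Constructed sample records in the shape of Event ID 7045 (service installed).
# These are invented for the example, not real captures.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "PSEXECSVC",
     "ImagePath": r"C:\Windows\PSEXECSVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "BTAGService",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
     "AccountName": "NT AUTHORITY\\LocalService"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "UpdateHelper",
     "ImagePath": r"C:\Windows\vmxq.exe", "AccountName": "LocalSystem"},
    # A 7040 (start-type change) record, included to show non-7045 events are ignored.
    {"EventID": 7040, "Computer": "WS01", "ServiceName": "BITS",
     "ImagePath": "", "AccountName": ""},
]

# PSEXECSVC is the name given in the text; PSEXESVC is the name PsExec registers.
PSEXEC_NAME_RE = re.compile(r"^PSEXEC?SVC$", re.IGNORECASE)

# An executable placed directly in the Windows directory root, as the text
# describes, rather than in a subdirectory such as System32.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\\s]+\.exe\b", re.IGNORECASE)


def classify(event: Dict[str, object]) -> List[str]:
    """Return the list of reasons a service-install event looks like the
    PsExec pattern; an empty list means nothing matched."""
    reasons: List[str] = []
    if event.get("EventID") != 7045:
        return reasons
    name = str(event.get("ServiceName", ""))
    path = str(event.get("ImagePath", ""))
    if PSEXEC_NAME_RE.match(name):
        reasons.append("service name matches PsExec pattern")
    if WINDOWS_ROOT_EXE_RE.match(path):
        reasons.append("service binary placed directly in the Windows directory root")
    return reasons


def find_suspicious_installs(events) -> List[Dict[str, object]]:
    """Run classify() over a sequence of events and collect the hits."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.append({"Computer": ev["Computer"],
                             "ServiceName": ev["ServiceName"],
                             "Reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_installs(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['ServiceName']} -> {'; '.join(hit['Reasons'])}")
```

The second rule is the more durable one: renaming the service defeats a name match, but the text's description of the mechanism (copy a binary, register it as a service) means a 7045 event with an image path directly under C:\Windows is worth an alert regardless of the name. Expect a small number of legitimate installers to trip it, so tune on your own baseline.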

What are the parameters of the SMB command execution function?

The SMB (PsExec) command execution function supports SMB1, SMB2 (2.1), and SMB signing. Its parameters are:

Target – Hostname or IP address of the target.
Username – Username to use for authentication.
Domain – Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username.

Why do you need 24 / 7 monitoring for smbexec?

With 24/7 monitoring, you can be alerted as something happens, or set up conditional alerts to further reduce false positives. When an alert is generated, you know the exact time the event occurred. Knowing exactly when things changed allows for a quicker mean time to resolution.