Nothing new here, just some tips for when common passwords/hashes do not exist.

The scenario:

We have a Windows domain where all systems are fully patched except one workstation. GREAT! We exploit the one workstation and gain a shell. We dump the hash values, then pass the hash around the network (with a great tool called Keimpx).

In this case there were no matches… :( So we have a shell on a workstation, and it appears they are using unique local administrator passwords for each workstation. The hash does not match any servers either. We use Incognito within Metasploit, but no tokens are available to be impersonated and no interesting files are found on the system (i.e. web.config, batch files etc.).

So it seems there is nothing more we can do here… Unique passwords and everything is fully patched?

Well, what is the password? In a test I did quite a while ago, the password was Poland1 for the local administrator account and, as stated, it was not in common with the others. The client also said “yes we all have unique passwords :)”.

Poland1… OK, so perhaps there is a theme here?

So what I did was download a list of cities and countries and knock up a quick themed list of passwords, i.e. Japan, Japan1, Japan2, England1, Paris1 etc.

I then attempted to brute force the local administrator password using this list. In this case I used Metasploit’s SMB login module (auxiliary/scanner/smb/smb_login), but you could also use other tools such as Medusa to do the same thing.

Bingo, it found about 5 matches across workstations, so they were obviously using this theme in their unique passwords. One of the workstations had a domain admin token available to be impersonated, so we are now domain admin :) Just be careful not to send the brute force attempts to any domain controllers, as it will lock out accounts; sending to workstations will be fine, as the local administrator account by default will not lock out.

It just shows that you can still easily obtain domain admin even when most systems are patched and using so-called unique passwords. Something to remember when next on a test and in this situation: never underestimate the amazing brute force modules you can use and the not so unique passwords.
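
A defender-side check for the problem above, as an added example that is not part of the original post: it audits a sheet of per-workstation local administrator passwords and reports how many reduce to the same theme word once digits, symbols and case are stripped. The place list, host names and passwords are constructed sample data, and `theme_base`, `audit` and `theme_report` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample data: a short place-name list and a made-up
# provisioning sheet of per-workstation local administrator passwords.
PLACES = {"poland", "japan", "england", "paris", "madrid", "kenya"}
SHEET = {
    "WS01": "Poland1", "WS02": "Japan2", "WS03": "PARIS1!",
    "WS04": "k3nya7", "WS05": "England1", "WS06": "vT9#qLm2x!Rw",
}
# Common character substitutions mapped back to letters (0->o, 1->l, 3->e ...).
LEET = str.maketrans("013457@$", "oleastas")

def theme_base(password):
    """Reduce a password to its base word: drop leading/trailing digits and
    symbols, case-fold, and undo common character substitutions."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    return core.lower().translate(LEET)

def audit(sheet, theme_words):
    """Return {host: base} for every password whose base is a theme word."""
    return {host: theme_base(pw) for host, pw in sheet.items()
            if theme_base(pw) in theme_words}

def theme_report(sheet, theme_words):
    """Summarise how much of the estate is covered by a single theme."""
    hits = audit(sheet, theme_words)
    # Trailing decoration (digits/symbols) on each flagged password.
    suffixes = Counter(re.search(r"[\d\W_]*$", sheet[h]).group() for h in hits)
    return {
        "flagged": sorted(hits),
        "share": len(hits) / len(sheet),
        # Every password can be distinct and still share one theme.
        "unique_passwords": len(set(sheet.values())) == len(sheet),
        "common_suffixes": suffixes.most_common(2),
    }

if __name__ == "__main__":
    report = theme_report(SHEET, PLACES)
    print(f"all passwords distinct: {report['unique_passwords']}")
    print(f"share matching the theme: {report['share']:.0%}")
    print(f"flagged hosts: {', '.join(report['flagged'])}")
    print(f"most common suffixes: {report['common_suffixes']}")
```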