Archive for May, 2014

Hey dude – pass the hash…

May 27, 2014

I wanted to share my experience with a client recently and mention a great tool that helped us resolve an issue that many IT admins probably face on a regular basis. It is my hope that it can help someone as it has helped me and my client.

We recently took on a client who has a Windows 2003 SBS server and did not have the current password for the Administrator account. We tried several methods to crack the existing password and they all failed. I even extracted the SAM and SYSTEM registry hives so I could crack it offline (a process that took almost 8 hours to set up). After an hour or two of running a brute-force tool against the password, I decided to try ‘pass the hash’ instead, a technique that relies on the fact that Windows NTLM authentication presents the password hash, not the password itself, when a user accesses resources such as remote shares across the network.

[Image: Mimikatz in action]

Mimikatz is a tool written by Benjamin Delpy, who also goes by gentilkiwi (https://github.com/gentilkiwi/mimikatz). It can set up an impersonated logon session that is then used to authenticate to your system. All you need is the NTLM hash, the domain (shown on the login screen) and the username (also present in the dumped hash line, usually ‘Administrator’). Used correctly, it sets up a session that impersonates the user and their password without anyone knowing what the password actually is!

[Image: PsExec in action]

Once you have the new command prompt, you can use another fantastic tool, PsExec from Mark Russinovich (http://msdn.microsoft.com/en-us/library/bb897553.aspx), from that authenticated window to connect to your target machine as if you had a local login with those credentials and open a remote command window on the target. Voilà.

Now that we have a remote shell on the target, we can add a new user and make them an administrator.

We installed our remote-management software, and everything was finished before the second hour of password cracking had even begun.
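The same chain looks very different from the defender's side, and it leaves a recognisable trail in the Windows event logs. The following is an added example, not part of the original post and not code from mimikatz or PsExec: a small Python detector run over constructed sample records (a simplified key=value layout, not real evtx output) modelled on three event types worth correlating: a Security 4624 logon with Logon Type 9 and Logon Process seclogo on the source host (what injecting an NTLM hash into a fresh logon session produces), a Security 4624 Logon Type 3 NTLM network logon by a privileged account on the target, and a System 7045 service-installation event for PSEXESVC, which PsExec creates on the target when it opens a remote shell. Host names, IPs and the `PRIVILEGED` set are assumptions for the sample.

```python
"""
Added example: correlate Windows event records that a pass-the-hash /
PsExec chain leaves behind. Sample records below are constructed, not real.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample records, one event per line, in a simplified key=value
# format (real events are XML in the evtx file; this keeps the example offline).
SAMPLE_LOG = """\
src=WS01 log=Security id=4624 type=9 user=Administrator domain=CORP proc=seclogo pkg=Negotiate
src=SBS01 log=Security id=4624 type=3 user=Administrator domain=CORP proc=NtLmSsp pkg=NTLM ip=10.0.0.55
src=SBS01 log=System id=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
src=SBS01 log=Security id=4624 type=3 user=backupsvc domain=CORP proc=NtLmSsp pkg=NTLM ip=10.0.0.20
src=WS02 log=Security id=4624 type=2 user=jsmith domain=CORP proc=User32 pkg=Negotiate
"""

# Accounts whose network logons deserve extra scrutiny (assumed list).
PRIVILEGED: Set[str] = {"Administrator"}

Finding = Tuple[str, str, str]  # (kind, host, detail)


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict (values in this format contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of the sample log."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    """Flag the individual indicators of the chain, one finding per matching event."""
    findings: List[Finding] = []
    for e in events:
        is_logon = e.get("id") == "4624"
        # Source host: Logon Type 9 (NewCredentials) via the 'seclogo' logon
        # process is the signature of a hash injected into a new logon session.
        if is_logon and e.get("type") == "9" and e.get("proc", "").lower() == "seclogo":
            findings.append(("pth_source", e["src"], e["user"]))
        # Target host: NTLM network logon (type 3) by a privileged account.
        if is_logon and e.get("type") == "3" and e.get("pkg") == "NTLM" and e.get("user") in PRIVILEGED:
            findings.append(("ntlm_admin_network_logon", e["src"], e["user"]))
        # Target host: PsExec installs its PSEXESVC service before running commands.
        if e.get("id") == "7045" and e.get("service", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_installed", e["src"], e["service"]))
    return findings


def correlate(findings: List[Finding]) -> Dict[str, str]:
    """Rate each host: both an NTLM admin logon and a PSEXESVC install is 'high',
    any single indicator is 'medium'."""
    by_host: Dict[str, Set[str]] = defaultdict(set)
    for kind, host, _ in findings:
        by_host[host].add(kind)
    strong = {"ntlm_admin_network_logon", "psexec_service_installed"}
    return {h: ("high" if strong <= kinds else "medium") for h, kinds in by_host.items()}


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for f in found:
        print(f)
    print(correlate(found))
```

The individual indicators are noisy on their own (runas /netonly also produces Type 9 logons, and admins use PsExec legitimately), which is why `correlate` only rates a host as high confidence when the NTLM admin logon and the service installation land on the same machine; in a real deployment the grouping would also be bounded by a time window.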

GIAC certifications are very difficult

Hi everyone,

I wanted to share my experience recently with the GIAC Incident Handler course (SEC-504). After almost 20 years in this business, and years of experience with both Linux and Windows based systems, it was some of the hardest studying I have done in a long while. It tested all of my fundamental knowledge, some of it gleaned from those years and years in the field. Most of the kudos goes to the course material: the books are the only thing you are allowed to bring into the exam room, but the podcasts, the online slides and the audio really helped me fit all of this curriculum into what is already a challenging field. I hope to put a lot of this practical knowledge to use in the not too distant future with honeypots in my own lab. I sincerely hope that none of you get ‘pwned’ anytime soon, but if you know of anyone in the GTA who needs a certified incident handler, I would like to hang out my shingle.