Archive for May, 2014

Hey dude – pass the hash…

May 27, 2014 Leave a comment

I wanted to share my experience with a client recently and mention a great tool that helped us resolve an issue that many IT admins probably face on a regular basis. It is my hope that it can help someone as it has helped me and my client.

We recently took on a client who has a Windows 2003 SBS server and did not have the current password for the Administrator user. We used several methods to try and crack the existing password and they were all failing. I even used a method to remove the SAM and system registry to begin to crack it offline (a process that took almost 8 hours to setup). After an hour or two of running a tool to try and brute force the password I thought I would try to ‘pass the hash’ (a method that windows uses when a password is used to access resources across the network on remote shares).


Mimikatz in action

Mimikatz is a tool written by Benjamin DELPY who also goes by Gentle Kiwi ( and this tool can setup and impersonate a session that can be used to authenticate to your system. All you need is the ntlm hash, the domain (which is found on the login screen) and the username (also found in the hash – usually ‘Administrator’). When used correctly it can setup a session that will impersonate the user and the password without knowing what the password is!


PsExec in action

Once you open a new command prompt you can use another fantastic tool from Mark Russinovich called PsExec ( to connect using the authenticated command window to your target machine as if you have a local login with those credentials and run a remote command window on your target – viola.

Now we have a remote shell on the target we can add a new user and make them administrator.

We have installed our remote software and all completed before the second hour of cracking the password has begun.

Giac Certifications are very difficult

Hi Everyone;

I wanted to share my experience recently regarding the GIAC Incident Handlers course (SEC-504). After almost 20 years in this business and years of experience with both Linux and Windows based systems it was some of the hardest studying I have done in a long while. It tested all of my fundamental knowledge – some gleaned from those years and years in the field. Most of the kudos goes to the course material – the books are the only thing you are allowed into the exam room with but the podcasts and the online slides and audio really helped me fit all of this educational curricula into what is already a challenging field. I hope to utilize a lot of this practical knowledge in the not to distant future using honey pots in my own lab. I sincerely hope that none of you get ‘pwned’ anytime soon but if you know of anyone in the GTA that has need for a certified incident handler – I would like to hang out my shingle.