Friday, February 4, 2011

OpenDLP Pass-The-Hash

OpenDLP is a great time saving tool when looking for sensitive data on windows machines but one pain with using it is that it requires a username and password for the target machine. Passwords are not always a luxury provided when conducting a pentest, but password hashes are usually plentiful in a windows environment and time crack passwords is not always feasible. The details of obtaining windows password hashes is out of scope for this guide and it will be assumed the reader is familiar with "passing the hash". This guide also assumes that you have already patched your systems samba install to allow for "passing the hash" and have also patched "winexe" - further information about this can be found at the following page:
http://www.foofus.net/~jmk/passhash.html

With that out of the way.....

The OpenDLP database will need to be modified in order to hold our hash. If you already have OpenDLP installed or you are creating a new install you will need to run the following command after the database has been setup -

alter table profiles add column hash varchar(65);
Patching OpenDLP -

The provided patch is targeted for OpenDLP 0.2.5 - I cannot promise that it will work against any other version -

OpenDLP - http://code.google.com/p/opendlp/downloads/detail?name=OpenDLP-0.2.5.tar.bz2&can=2&q=

PTH-Patch - pth_mod.patch

If you are patching a new install move "pth_mod.patch" into the OpenDLP directory (OpenDLP-0.2.5) and apply -

tar -xjf OpenDLP-0.2.5.tar.bz2
mv pth_mod.patch OpenDLP-0.2.5
cd OpenDLP-0.2.5
patch -p1 -i pth_mod.patch
patching file OpenDLP/web/bin/control.html
patching file OpenDLP/web/bin/download_file.html
patching file OpenDLP/web/bin/profiles.html
patching file OpenDLP/web/bin/profiles-new.html
patching file OpenDLP/web/bin/results/results.html
patching file OpenDLP/web/bin/start-verify.html



If you are patching an existing install (OpenDLP-0.2.5) move the "pth_mod.patch" into the directory where OpenDLP is installed (default is - /var/www/localhost/OpenDLP/ ) and apply -

mv pth_mod.patch /var/www/localhost/OpenDLP/
patch -p2 -i pth_mod.patch
patching file web/bin/control.html
patching file web/bin/download_file.html
patching file web/bin/profiles.html
patching file web/bin/profiles-new.html
patching file web/bin/results/results.html
patching file web/bin/start-verify.html



Confirm that your OpenDLP install is still working by accessing the application.


Create a new profile, as you can see "SMBHash" is now an available option -



Enter in your information, as you can see in my example I have entered in a hash but no password -



Just to show here is the database entry for this profile -



Create a new scan using our new profile -





View the scan results, in the following screen shot I have clicked on the flagged file and opened it in gedit -



No comments:

Post a Comment

Learning Binary Ninja For Reverse Engineering and Scripting

 Recently added a new playlist with about 1.5 hours of Binary Ninja Content so far..    Video 1: I put this out a couple months ago covering...