Thursday, July 26, 2012

Yup. That just happened...

It's 1115 BlackHat Standard Time and our talk just concluded.  Here's the high points:

  • WCE with password hashes can be used with pretty much any native windows app (IE / Outlook /  MSSQL studio, command line apps, AD management consoles, etc) from a Windows computer NOT IN THE DOMAIN to authenticate to windows services.  Just the way Bill intended...
  • We extented and enhanced JMK@foofus's  patch for Samba to allow password hashes to be passed on the command line in either "LM:NT" or "LM:NT:::" format to make it easier to script attacks.  This also made it so that when we patched Firefox, you wouldn't have to quit Firefox to reset the environmental variable.  You can just change the password after logging out.
  • We are releassing a suite of utilities where we patched in PTH support.  These packages include Firefox 10.0.5ESR, FreeTDS, Openchange, samba, winexe, and rudimentary WMI functionality including a blind command execution via WMI.
  • Patches to the actual packages and build scripts as well as precompiled binaries in .deb format for BackTrack R2 will be posted to the google code page within a day or so, or as soon as I can get a decent internet connection to upload the stuff.
Now, our surprise... Thanks to the tireless work of Pure_Hate (Martin Bos), our PTH suite will be available as a Backtrack repository package VERY soon..... "apt get install  pth-suite-1.0.0" FTW!

We will be posting blog entries talking about how to use the various utilities as well as instructions for building and installing the packages.

We will also be releasing our "Pass the Hash Rosetta Stone" with the various windows command lines and their associated samba command lines very soon....  Stay tuned to twitter and the blog for all the updates.


  1. Great presentation! Plans to post the demo videos?

    1. The videos will be released hopefully in the next week or so. I want to add voiceovers for a talk-through of what's going on. Just a matter of getting it done in a quiet environment. I'll post on our twitter feed when they're ready...