I am an awesome hacker. Perhaps the world's greatest hacker. Don't believe me? Check out this video where I prove I know the administrator password for some really important sites!
(Watching it full screen is a little easier on the eyes.)
http://www.youtube.com/watch?v=v2IVRcktKZs
OK. I lied. I'm a fraud and I'll concede the title of greatest hacker to those listed at attrition.org's charlatans page. I didn't really hack those sites. But I certainly did enter a username and password for those domains, and my machine accepted it and launched a process with those credentials! Is that just a cool party trick or perhaps something more useful? What happened to those passwords I entered?
The /netonly option for the runas command is used to launch a program as a user that exists on a remote machine. The system will accept the username and password for that remote user and create an authentication token in the memory of your LSASS process without any interaction with the remote host. With this option I can run commands on my host as the administrator of the microsoft.com domain without having to actually know the password for that account. Sounds dangerous? Well, it is not really. The command that you run doesn't have any elevated access on your machine, and with an invalid password it is not a threat to Microsoft. Windows doesn't try to authenticate to the microsoft.com domain to launch the process. It assumes that the credentials are correct, calculates the hashes and stores them in memory for future use. At some point in the future, if you try to access a resource on that domain, it will automatically use Windows single sign-on capabilities to PASS THE HASH to the remote system and log you in. But until you try to access the remote network, the passwords just sit there in memory.
The result is a really cool party trick and an even cooler way we can detect stolen password hashes being used in our environment. You see, those fake credentials are stored in the exact same location as the real credentials. So, when an attacker uses mimikatz, Windows Credential Editor, meterpreter, procdump.exe or some other tool to steal those passwords from your system, they will find your staged Honey Hash Tokens in memory. It is worth noting that they will not see those hashes if they use run hashdump, hashdump or any of the other commands that steal password hashes from disk rather than memory. However, that approach is uncommon unless the attacker is on the Domain Controller, and the absence of the decoys from a disk dump will not raise suspicion.
Let's try it out and see how this deception might look to an attacker. First I run runas with the /netonly option for the microsoft.com administrator account. Then, when prompted for the microsoft.com administrator's password, I can provide any password that I want. In this example I typed superpass. Now, let's create an account for root on the domain linux.org. Yes, I know that is absurd. The absurdity demonstrates that you can put anything in LSASS you want. You can even use this to post snarky messages taunting the attackers if you want to live dangerously. (Not Recommended)

runas /user:linux.org\root /netonly cmd.exe
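As an added example (not code from the original post), here is a PowerShell script that stages the same kind of /netonly decoy tokens from a script, by calling CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY, which is the API and flag behind runas /netonly, so the decoys can be planted on many hosts without typing a password at the runas prompt. The decoy domain and account names, and the event-log query that watches for those names being replayed, are assumptions added here.

```powershell
# Added example: stage honey hash tokens without the interactive runas prompt by calling
# CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY, the same API and flag runas /netonly uses.
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public class HoneyLogon {
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
  }
  [StructLayout(LayoutKind.Sequential)]
  public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
  [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
  public static extern bool CreateProcessWithLogonW(string user, string domain, string password, uint logonFlags,
    string app, string cmdLine, uint creationFlags, IntPtr env, string cwd,
    ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
function Start-HoneyToken {
    param([string]$Domain, [string]$User, [string]$Password)
    $LOGON_NETCREDENTIALS_ONLY = 0x2        # what /netonly sets: no local validation, creds cached for network use
    $CREATE_NO_WINDOW = 0x08000000          # hidden console so the decoy process does not show on the desktop
    $si = New-Object 'HoneyLogon+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object 'HoneyLogon+PROCESS_INFORMATION'
    # cmd /k waits for input forever, which keeps the logon session (and the fake hashes) alive in LSASS
    $ok = [HoneyLogon]::CreateProcessWithLogonW($User, $Domain, $Password, $LOGON_NETCREDENTIALS_ONLY,
        "$env:SystemRoot\System32\cmd.exe", 'cmd.exe /k', $CREATE_NO_WINDOW, [IntPtr]::Zero,
        $env:SystemRoot, [ref]$si, [ref]$pi)
    if (-not $ok) { throw "CreateProcessWithLogonW failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    [PSCustomObject]@{ Account = "$Domain\$User"; Pid = $pi.dwProcessId }
}
# Decoy accounts to stage (hypothetical names; the password can be anything, it is never validated)
$honey = @(
    @{ Domain = 'corp.example'; User = 'svc_backup_admin'; Password = 'AnyPasswordWorks1' },
    @{ Domain = 'corp.example'; User = 'honey_da';         Password = 'AnyPasswordWorks2' }
)
$staged = $honey | ForEach-Object { $p = $_; Start-HoneyToken @p }
$staged | Format-Table
# Detection side (assumed approach, not from the original post): anyone who replays the stolen hashes
# causes failed logons for accounts that do not exist. Run this on the targeted host or a log collector.
$names = $honey.User
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Properties[5].Value } |
    Select-Object TimeCreated, @{n='Account';e={$_.Properties[5].Value}}, @{n='Source';e={$_.Properties[19].Value}}
```

Any hit from the final query is high-signal, because no legitimate process ever authenticates as a decoy account; the staged cmd.exe processes must stay running for the tokens to remain in LSASS.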