Pass the Hash -Fpipe and Msfmap


Password hashes, metasploit, fpipe, msfmap and access to a large network Wink

Ok so we are going to switch gears a bit here and talk about something that will be new to some of you, and others, well this is a standard technique in the pentesting world for password audits.

Here's the scenario:
You have gained access to a large network through one of the externally facing servers (internal ip of with metasploit. While on the server you obtained a password hash dump and started cracking. All passwords were cracked except for one, the administrator password. Not to fear there is hope.
Let's begin.

So your on the server, now what? Simple, pivot into the network through whatever means you have available. This could be through the metasploit autoroute module, or through the use of fpipe, redirecting your traffic on a specific port to another machine on the inside. For our purpose we will use fpipe. First we want to scan the network for machines with open ports though. We will use a meterpreter script called msfmap to perform the port scan, it can be found here: We are looking for machines with open port numbers 445 or 139 since this attack only works on open smb ports.
Document the ip addresses with these open ports and open another version of metasploit.

In the Meterpreter session:
Use the upload command to upload fpipe, then drop to a command line from meterpreter. Run the following command to set up the port forward, we will use the ip address and port 445:
fpipe.exe -l 1337 -s 443 -r 445

Note: Do not kill the session as it will kill our port forwarding and we may want to use it later to redirect to other machines.

In the new Metasploit instance:
PSexec Module
This feature makes life much easier than the pass the hash toolkit. The run down is very basic and I will discuss basic interaction. The command we use to load the psexec module is the normal syntax:
msfconsole>use exploit/windows/smb/psexec

Next we will run through the rest of the options setting our payload to that of our choice, the target ip should be that of the servers address running fpipe (external facing ip address), and the port should be the listening port used with fpipe in this case it is 1337.
Now, if you type in:
msfconsole>show options
you will see options that say smbuser and smbpass. The smbuser option should be set to the Administrator name, and the smbpass is where we will use the password hash for the Administrator that we obtained earlier. Next we fire off the exploit and hope that the admin password is the same as the one on the server. If it is, then we have successfully gained access.

This tutorial is based on a scenario that does not have a hardware firewall, or security appliance. The port 1337 was used as the listening port for demo purposes and should be adjusted to whatever port the firewall allows inbound traffic on that is directed at the exploited server.