Tenable Network Security's Research staff recently added the ability to use LanMan/NTLM hashes as a form of credentials for Windows audits. If you use Nessus as a penetration testing tool, this allows you to take the hashes you have obtained with pwdump, lsadump, Cain, .etc, and use them to perform Nessus audits.
Leveraging Hashes and Nessus for Penetration Testing
Below is a screen shot of adding a hash to a Nessus scan policy:
Hashes are long strings of ASCII codes. The hash should be placed in the password field of the Windows credentials scan policy.
If the obtained hash has the correct credentials, you will be able to perform an audit of the Windows host and possibly other hosts on the network that would accept the same credentials. Ideally, the hash should be for the local 'Administrator' account, but depending on the security policies of your Windows system and domain, you may be able to perform audits and obtain various levels of information with a non-administrator account. Keep in mind that Tenable's best practice guide for performing remote audits is to use an Administrator account.
Nessus can audit Windows systems for a wide variety of information that can add value to penetration tests. Some items that credentialed Nessus scans can find on Windows systems include:
- Patch Auditing
- Enumeration of USB drives
- List of installed software
- User account security settings
- Anti-virus status
- DEP status
Also, if your Nessus scanner is subscribed to the Direct Feed, you can perform searches of the target disk drive for sensitive data such as Credit Card Numbers, Social Security Numbers or custom searches that you develop based on what is sensitive for the local environment. Similarly, you can also perform audits of the compromised systems to see if they are hardened against CIS, NSA or NIST policies.
This allows you to not only tell your client that you've been able to penetrate one or more systems, but to also show that the systems had a variety of other vulnerability, configuration and content issues that a malicious hacker or insider could have exploited.
Why Support Hashes?
If you are not familiar with how Windows security authentication works, once a user authenticates, the system will store a hash of these credentials and then make use of these to access resources.
If during a penetration test, these hashes can be obtained from the disk (or even memory) then they can be used with Nessus to perform any type of Windows audit that Nessus offers. Using Nessus's automated scanning, the same hash can be used on multiple Windows systems to audit an entire network.
Also Works with "SMB Shell" too!
This authentication mechanism also works with the SMB Shell script. To invoke it, perform a Nessus scan that leverages an available NTLM hash and also saves the results to the knowledge base. There is a blog entry dedicated to using the nasl binary and KB here, as well as the SMB Shell tool. Below is an example invocation of the SMB Shell script using NTLM hashes.
--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: administrator
[*] hash: NTLM:78164FD1E988FE5B39E0474EEE475E51
[*] domain (optional):
[*] Connecting to 220.127.116.11...
[*] Authenticating to 18.104.22.168...
[*] Opening share ADMIN$...
[*] Connected to ADMIN$ (22.214.171.124:61700 -> 126.96.36.199:445)
[*] Installing remote command service...
[*] Remote command service installed.
[*] Connecting to remote command service...
[*] Connected to remote command service.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
The underlying changes to the SMB APIs have been updated in both the Nessus Direct and Registered feeds. After your next plugin update, you will see NTLM hashes available as a new form of Windows authentication. This feature is not available in the Nessus 3 Windows client but is supported in all Nessus 3 scanners.