
I am trying to do some pentest training on my local labs. I created a lab that has 3 Windows 2012 R2 servers and 2 PCs (Windows 7 and 8). All machines are protected with passwords. I added both to the domain controller, then I tried to use the psexec tool to connect to both with this command:

PsExec.exe \\192.168.1.22 cmd

It connected without password or user name.

Can anyone explain why this happened and why I can log in to PCs on my domain without passwords?

schroeder
evilcode1
    that command does not perform pass-the-hash ... – schroeder Oct 16 '17 at 18:12
  • I think that you are missing a lot of details in your question - also, using psexec to perform pass-the-hash attacks is well documented – schroeder Oct 16 '17 at 18:14
  • you can connect to that machine using Windows Explorer too - I think you need to understand how Windows network and domain authentication works – schroeder Oct 16 '17 at 20:48

1 Answer


The command is being run in a shell under an account that has administrative privileges to 192.168.1.22. This allows you to run PSExec on that device without the password, because the shell session is already authenticated. It's like how when you're already authenticated to Google, you don't need to log in again to access YouTube because of cookies.

This is also how token hijacking works. By hijacking an existing privileged process, no password or username is needed, similar to stealing cookies. Thus, using this method, 2FA is bypassed completely.

Daniel Grover
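To see for yourself why the answer's explanation applies, here is an added diagnostic script (not from the question or the answer) that shows which identity the current shell already holds, which admin-like groups its token carries, and whether that identity is in the target's local Administrators group. It assumes a domain-joined Windows client, the target IP 192.168.1.22 from the question, and that the WinNT ADSI provider can reach the target.

```powershell
# Added diagnostic, not part of the original question or answer.
# Shows why a PsExec connection succeeds without a prompt: the shell's
# existing logon session is already an administrator on the target.
param([string]$Target = '192.168.1.22')   # IP taken from the question

# 1. Which identity and logon type is this shell running under?
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Current token: {0} (auth type: {1})" -f $id.Name, $id.AuthenticationType

# 2. Group SIDs carried by the token, resolved to names. Membership in a
#    group such as Domain Admins is the usual reason every domain-joined
#    host treats this account as a local administrator.
"Admin-related groups in the current token:"
$id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
} | Where-Object { $_ -match 'Admin' }

# 3. Kerberos tickets already cached for this logon session. After the first
#    SMB connection a 'cifs/<target>' service ticket appears here, which is the
#    credential PsExec reuses instead of asking for a password.
klist

# 4. Local Administrators group on the target, read through the WinNT ADSI
#    provider (works on Windows 7 / 2012 R2, which lack Get-LocalGroupMember).
$group   = [ADSI]"WinNT://$Target/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
}
"Local Administrators on ${Target}:"
$members

# 5. Same session, different client: if the admin share opens without a
#    prompt, PsExec will connect the same way, because both rely on the
#    SMB authentication the existing logon session already provides.
"ADMIN$ reachable with current credentials: {0}" -f (Test-Path "\\$Target\admin$")
```

Run it in the same shell you used for PsExec; if step 4 lists your account (directly or via a group from step 2) and step 5 returns True, the connection is being authorised by that existing session rather than by any password PsExec supplied.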