Thursday 25 November 2010

"Pass the hash, man!"

Whilst working my way through Offensive Security's excellent OSCP course, I found myself accumulating a fair number of dumped hashes from some of the servers in the lab network. Most of the hashes were easy work for ophcrack, thanks to their being stored in LanMan (LM) format. However, most of the admin-level passwords were over 14 characters, so they were stored only in the much more secure NT hash form.

There was no way of getting a hold of a rainbow table that holds passwords of this length, and all the dictionaries I had failed miserably.

Time to try another way.

First off, Metasploit provides a pass-the-hash method by way of the psexec module. This works well, but unfortunately it only accepts a single hash as input.

Then I found keimpx, available here: http://code.google.com/p/keimpx/

This tool proved to be a godsend. Simply paste all your hashes in the default pwdump-friendly format, plus any username/password combinations (format is username<single_space>password), into a text file and enter the following command:
./keimpx -c hashes.txt -l targets.txt -v 2

This tool will then try all the passwords and uncracked hashes against the targets and provide a simple output showing which credentials worked on which machines. Fantastic!
Even better, it goes on to ask which of the compromised machines you would like keimpx to open a shell on!
So, I urge you all to give it a try. The example pages on the link give you all the info you will need.
