SANS Penetration Testing

I don't normally create new accounts on Windows systems, but when I do I use a long passphrase

[Editor's Note: Here's a nice little trick by Tim Medin on setting long Windows account passwords at the command line. Very useful stuff, especially in environments which mandate and enforce passwords longer than 14 characters. -Ed.]

by Tim Medin

Ever have a Meterpreter session with shell access on a Windows system and try to create an account with a long password/passphrase? We have the same problem with any sort of command injection or a netcat shell. It goes something like this...

C:\> net user tim 15CharacterP@ss /add
The password entered is longer than 14 characters. Computers
with Windows prior to Windows 2000 will not be able to use
this account. Do you want to continue this operation? (Y/N) [Y]:

At this point you can't hit Y to continue: the shell we are working through is not interactive, so the prompt just sits there. NOOO!!! Are we stuck with a password of 14 (or fewer) characters? Even worse, if the system is configured with a policy requiring passwords to be longer than that, you are out of luck setting one at the command line at all. This can't be! There must be a way.

The "net user" command help (net user /?) and the online documentation reveal nothing helpful (Gee... that's a huge shocker). But we won't give up that easily. Let's try a few things. First, let's try to pipe the "Y" response into the command.

C:\> echo Y | net user tim 15CharacterP@ss /add
The password entered is longer than 14 characters. Computers
with Windows prior to Windows 2000 will not be able to use
this account. Do you want to continue this operation? (Y/N) [Y]:

No luck, but maybe we can pipe the password into the command.

C:\> echo 15CharacterP@ss | net user tim /add
Type a password for the user:
Retype the password to confirm:
The command completed successfully.

At first it appears this works, but it actually creates the user with a blank password. The piped text never makes it into the password prompts, so both are answered with nothing, and "net user" happily reports success. NOT GOOD!

Let's try something else. Maybe there is a hidden option.

C:\> net user tim 15CharacterP@ss /add /y
The command completed successfully.

Nailed it! There is a hidden "/y" option for "net user" (and for several of the other "net" subcommands that change things). It answers the prompt for us, so we can set a long password/passphrase without an interactive shell. Nice!

We can now create passwords that are impossible to store in the terrible LM format, since LM hashes only cover the first 14 characters and Windows stores no LM hash at all for anything longer. These long passphrases should be very hard to crack.
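As an added example (not code from Tim's post), here is a PowerShell function that wraps the trick above and then checks that the passphrase really took, which is the failure mode the "echo password | net user" attempt hides. The function name, the account name "tim" and the passphrase are made up for the demonstration; it assumes you are running elevated on the Windows box, since creating a local account needs administrative rights.

```powershell
# Added example, not from the original post: create a local account with a
# passphrase longer than 14 characters from a non-interactive shell, then
# confirm the password is really set. Names and values below are constructed.
function New-LongPassphraseUser {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Passphrase
    )

    if ($Passphrase.Length -le 14) {
        Write-Warning "Passphrase is only $($Passphrase.Length) characters; no prompt is triggered below 15, but /y is harmless."
    }

    # /y answers the "longer than 14 characters ... (Y/N)" prompt that would
    # otherwise hang a netcat or Meterpreter shell. PowerShell quotes the
    # argument for net.exe, so a passphrase with spaces stays one argument.
    & net.exe user $User "$Passphrase" /add /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "net user /add failed with exit code $LASTEXITCODE"
    }

    # Piping the password into "net user" silently creates a blank-password
    # account. Authenticating against the local SAM with the intended
    # passphrase proves it was actually set (a blank password fails this).
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    try {
        return $ctx.ValidateCredentials($User, $Passphrase)
    } finally {
        $ctx.Dispose()
    }
}

# Constructed sample values for the demo (single quotes: no $ expansion).
$user = 'tim'
$pass = 'correct horse battery staple, 2013 edition'
if (New-LongPassphraseUser -User $user -Passphrase $pass) {
    "Created $user with a $($pass.Length)-character passphrase; logon check passed."
} else {
    "Account $user exists but the passphrase did NOT validate; reset it with: net user $user <newpass> /y"
}
```

From a bare cmd.exe shell the equivalent is just the one-liner from the post, with the passphrase in double quotes if it contains spaces: `net user tim "correct horse battery staple, 2013 edition" /add /y`. Keep cmd metacharacters (& | < > ^ %) out of the passphrase, or escape them, or cmd will chop the command up before net.exe ever sees it; the logon check above is what tells you whether that happened.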

Passwords are dead! All hail passphrases!

-Tim Medin
Counter Hack
@timmedin

Join me for the brand new SEC561: Intense Hands-on Pen Testing Skill Development in Orlando April 5-14
or
SEC560: Network Penetration Testing and Ethical Hacking in San Francisco Dec 16-21.

3 Comments

Posted November 19, 2013 at 10:17 PM

Meatballs

Another hidden one of interest:
net user bob /add /random

Posted November 21, 2013 at 8:33 PM

anon

Cool! Turns out "/random" will take a length field.
net user foo /add /random:30

Posted November 21, 2013 at 8:50 PM

Ed Skoudis

Nice input, Meatballs and anon. Thanks a ton!
