560.4

560.4
- Day 4: Password attacks
- (back to top)
- about
  - Passwords are powerful
- cab calloway
- announcements
  - Novak in Holiday 1 from 6-9 tonight
  - dojosec - Marcus Carey
- Running commands on a remote Windows machine
  - psexec
    - Sysinternals
    - net use \\10.10.10.10 /u:falken
      - or set up null sesson?
        
        net use \\10.10.10.10 "" /u:""
      - prevents you from having to supply credentials on every psexec command
    - psexec \\10.10.10.10 ipconfig
    - psexec \\10.10.10.10 cmd.exe
    - psexec used to send credentials in cleartext
  - scheduled task
    - at
      - simpler syntax
      - at \\10.10.10.10 hh:mm a|p command
    - schtasks
      - more flexible
      - schtasks /lots /of /parms
      - starttime in HH:MM:SS
      - to run as SYSTEM, replace /u /p with '/ru SYSTEM'
    - check status
      - at \\10.10.10.10
      - schtasks /query /s 10.10.10.10
    - to make sure scheduler is running
      - net use \\10.10.10.10 pwd /u:adminuser
      - sc \\10.10.10.10 query schedule
  - sc
    - create as a service
    - net use setup
    - sc \\10.10.10.10 create evilsvr binpath= [command]
    - sc \\10.10.10.10 start evilsvr
    - runs as SYSTEM
    - will die after 30 seconds
      - servifythis util will fix
        
        from inguardians.com
        
        throws the API call to indicate successful service start
      - or run detached:
        
        "cmd.exe /k [command]"
      - sc \\10.10.10.10 create evilthing binpath= "cmd.exe /k [command]"
  - wmic
    - can create, start, kill processes
    - run net view to get system list
    - use wmic /node: to run a command on every system
    - wmic /node:1.2.3.4 /user:admin /password:1234 process call create [command]
    - example: use wmic to kill HIPS and AV at the start
    - use to list what is running, to spot developers or admins
  - exercise slide 15
    - set up persistent nc backdoor using sc
      - runs with SYSTEM privs
    - use wmic to run nc
      - run nc detached with -d to avoid window popup
      - runs with admin privs
    - note: sometimes when you kill a process, port is not freed up
      - will free in 10-15 minutes
      - is there a cmd to free immediately?
- password attack
  - exact same passwords often are used on multiple systems
    - "sync'd passwords"
  - note: half the class uses IRC regularly
    - register with nicserv
  - widgets on your facebook page
    - Kevin Johnson's profile
    - questionnaire widget
  - gaining access
  - pentester named Atlas
    - helped write parts of this course
  - same passwords as each other too
    - local sports teams, as leetspeak
      - c0l0rad0
      - colorado1
    - company name as password
  - pick just one password, try against all users
    - prevents locking out accounts
    - FOIA gets you list of e'ees in any goverment agency
  - formats
    - LANMAN
      - case is always upper
  - dictionaries
    - custom wordlist: put in likely local passwords
    - if no account lockout
      - web applications
        
        lockout turned off to prevent DoS
    - dictionary generator tool
      - www.fonlok.com/zijianhuang/kpa
    - generate wordlist from company website
      - see slide 32
      - do wget on entire website
      - mkdir /tmp/source
      - cd /tmp/source
      - wget -r -l 5 http://www.example.com/
      - pipe through tr to translate space to a newline
      - cd ..
      - grep -h -r "" source | tr '[:space:]' '\n' | sort | uniq > wordlist.lst
      - grep -v '<' wordlist.lst > newlist.lst
  - cracking
    - always crack passwords for every system accessed
    - always add any cracked passwords into dictionary
      - be careful to clean up after the pentest is over
    - improving cracking speed
      - rainbow tables
        
        all possible LANMAN passwords would be 140GB or so
        
        ophcrack uses them
      - distributed john: djohn
      - use real machines, not VMs
        
        pricewatch.com
        
        for cheap computer prices
        
        buy many cheap computers, build as crackers
    - record how long it took to crack passwords (you may be asked)
    - beware info leakage
      - copies of pwd files
        
        /etc/passwd, /etc/shadow
        
        SAM backup file
        
        Ntds.dit from AD
        
        john.pot
      - Googling for hashes
      - clean up cracked passwords: delete when done
      - encrypt passwords when in motion across network
    - don't crack on target system
  - pwds witout cracking
    - keylogger
      - core has an agent
      - make sure allowed by Rules of Engagement
      - make sure you remove it !!!
    - sniff in cleartext
    - Google is good for password cracking: search for the hash
      - be careful
      - don't do from customer's IP: too revealing
  - password reset policy
    - dates from when it took over a month to crack a password
- account lockout
  - dangerous
  - take into account before any password guessing attempt
  - not an issue with cracking, only with guessing
  - alockout.dll tool to audit what apps may be locking out accounts
  - Windows
    - to show the lockout settings
      - net accounts
      - net accounts /domain
    - administrator account cannot be locked out
      - therefore, excellent target
      - use user2sid to find out name assoc with SID 500
  - UNIX
    - less likely for lockout to be configured
    - if done, often done using PAM
    - see PAM documentation on Linux
    - grep tally /etc/pam.d/*
    - see slide 44
  - get a test account, try pwd guessing to observe lockout
    - or use the point of contact's account
  - go against cached passwords on Windows systems
    - HKLM\SECURITY\CACHE\NL$[1-10]
    - readable only with local SYSTEM privs
    - cry using the LSA key, different for every machine
    - encrypted and salted form of the LANMAN and NT hashes
  - morning break
    - assorted turnovers
    - apples and bananas
    - cider and orange juice
    - it's raining outside
- THC-hydra
  - password attack tool
    - get username with enumeration techniques first
  - runs on Linux
  - not configured right on Backtrack (no ssh, etc.)
  - pw-inspector tool comes with hydra
    - run against your dictionary file to generate smaller list
    - trim out passwords that don't meet organization's password policy
    - not sure if or why this is good to do
  - by default, Hydra spawns 36 child processes
    - may work better if you limit number, even to 1
    - too many may overwhelm the target service
  - exercise: THC-hydra slide 560.4p52
  - running hydra
    - # xhydra
    - set target IP or list
    - choose protocol
      - smb
        
        port 139
        
        smb over netbios over TCP
      - smbnt
        
        port 445
        
        smb over tcp
        
        pure windows2000+
      - ssh2
    - choose port (0 = use default)
    - pick username(s) and password(s) to try
    - note that xhydra is conscructing a cmdline for hydra
- pwd representation formats
  - Windows SAM
    - LANMAN hash
      - idiotic
      - pad to 14 chars if less
      - convert to UPPERCASE
      - split into two 7 char pieces
      - use each piece as a DES key to encrypt KGS!@#$%
        
        this was discovered, led to Samba
      - concatenate the two pieces
      - not salted
      - AAD3B435B51404EE = hash of blank
    - NT hash
      - better in some ways, worse in others
      - pwd up to 256 chars
      - case is preserved
      - full pwd hashed using MD4
      - not salted
    - both get stored by default in NT, 2000, XP, 2003
    - no LANMAN stored in Vista, but still used
    - admin can dump entire database
    - user can only dump own
  - AD
    - %systemroot%\ntds\ntds.dit
    - encase or FTK would dump directly from there
    - we use tools to access the accounts, and pull the hashes out or registry
  - challenge/response on network
    - not same as pwd representation
    - LANMAN challenge/response
      - client initiates auth
      - server sends challenge
      - client responds
        
        pad LANMAN hash to 21 bytes
        
        split into 3 seven byte pieces
        
        Use each piece as DES key to encryhpt challenge
        
        (NTLMv1 does same, except uses NT hash as strating point)
      - server does not auth to client
      - replay is possible
        
        no timestamp
      - attack
        
        sniff both the challenge and the response
        
        guess, cry, and compare which pwds would yield the observed response
    - NTLMv1
      - same as LANMAN challenge/response
      - only difference is which hash is used
    - NTLMv2
      - much harder to crack
      - client initiates auth
      - server sends challenge
      - client responds
        
        use NT hash as HMAC-MD5 key to hash the username and domainname
        
        result is called the NTLMv2 OneWay Function (OWF)
        
        response = HMAC-MD5(key=OWF,f(server challenge, timestamp, client challenge, other items))
      - server also auths to client: bidirectional authentication
      - see slide 70 ff.
      - there is a timestamp
      - we aren't sending username and pwd, just sending the (challenge/response based on the) hash to see if it matches
      - "the open specification promise" site on MS european disclosures (?)
      - still possible to crack using sniffed challenge/response, but much harder than NTLMv1
    - MS Kerberos
  - UNIX representations
    - rely on crypt(3) function
    - input: pwd, salt
    - crypt routing varies according to version, distro
      - see slide 72 for table
      - trad. DES
      - $1$ means MD5
      - _ means BSDi extended DES
      - $2$ or $2a$ means Blowfish
      - $5$ means SHA-256 (linux)
      - $6$ means SHA-512 (linux)
    - DES password scheme
      - truncate pwd to 8 chars
      - shrink to 7 bits/char
      - use this as 56-bit key to DES encrypt
      - etc.
      - slide 73
    - MD5-based
      - does 1000 MD5 hashing iterations
      - salt prevents you from building rainbow tables because you'd need a table for every possible salt
- obtaining pwd hashes
  - obtaining *NIX hashes
    - not usually in /etc/passwd
    - usually in /etc/shadow
    - get both, use John's unshadow tool to recombine
  - obtaining Windows hashes
    - pwdump family
      - leaves memory artifacts
      - can crash, because DLL injection into LSASS
        
        DEP often makes it crash
      - pwdump2
      - pwdump3
      - pwdump3e
      - pwdump6
    - fgdump
      - leaves memory artifacts
      - used to be a wrapper for pwdump, to shut off AV
      - from "the fizzgig" of the Foofus group
        
        get on their mailing list
      - doesn't just dump passwords
        
        also pwd history
        
        check history for similarity (incrementing a number?)
      - see slide 80: missed something?
    - meterpreter
      - no file and print sharing is needed
      - no memory artifacts
      - priv module
      - smb_relay tool to sniff hash off network, schedule a job to shell in
    - sniff chall/resp off network
      - easiest way
    - fgdump exercise slide 84
      - against local
      - against falken on 10.10.10.10
      - see slide 86 on bouncing fgdump off netcat relay
        
        linux: 445 in, 80 out to Windows
        
        windows attack on port 80: will IDS detect?
        
        IDS should:
        
        detect port 80 use
        
        run through all app signatures
    - lunch break
- John the Ripper
  - by Solar Designer
  - designed (only) for speed
  - www.openwall.com/john
    - pro version is $40
    - recommend: spend the $40
  - cracks other types
    - linux/unix
    - windows
      - LANMAN
      - NT (with patch)
      - LANMAN chall/response (with patch and OpenSSL)
      - NTLMv1
    - others
  - includes keyweighting
    - in brute force mode
    - prefers certain keys on keyboard that are more likely
  - cracking modes
    - single crack
      - use login and GECOS info
    - wordlist
      - for dictionary use
      - including mangling
        
        leetspeak substitution
        
        etc.
    - external
      - write your own code
      - never used?
  - john.pot
    - Avian transfer protocol
      - IP over carrier pigeon
    - not a Powerpoint file!
    - john will not load passwords already in john.pot
    - slide 94
  - john.rec
    - pointer to where john is at
    - written when john crashes or every 10 minutes
    - hit Ctrl-C twice fast to terminate john without updating john.rec
  - remove john.pot and john.rec if you want to start fresh
  - john console
    - hit spacebar for status
    - c/s = "combinations per second"
  - speed
    - can be compiled to support specific processor types
    - $ ./john --test
      - checks speed
      - real = system without load
  - distributed cracking
    - not officially supported
    - have diffrerent ones do different accounts (but do same salt on same system)
    - have different ones do different lengths
    - have each instance write john.pot incl --session=[name]
  - exercise slide 99 ff.
    - normal compilation: make linux-x86-any
    - v 1.7.2
    - copy src
    - copy patches
    - patch -p0 < john-1.7.2-ntlm-alainesp-6.1.diff
    - move windows pwds to linux using netcat
  - sherri davidoff
    - "alien"
    - philosecurity
    - daisy duke
      - runs strings on a memdump
      - use every string in password list for john
- Cain
  - cracks most password types
    - many oddball interesting ones
    - ike-psk
      - only for aggressive mode, because then pwd is cleartext
    - website: cifvicious
      - VoIP cracking tools
  - Cain sniffer
    - SIP/RTP
      - CIF/VoIP string
      - can play back audio
      - wireshark can do that too
    - VNC
    - RDP
    - adrian crenshaw
      - irongeek
      - see video on how to use Cain to capture RDP keystrokes
      - he has scripts to make them readable
  - Wireless scanner
    - like netstumbler
  - SecureID token generator
  - Box revealer
  - syskey decoder
  - double arp cache poisoning
    - both directions
    - pretend to be gateway to victim
    - pretend to be victim to gateway
    - just click on the IP addresses and "start"
  - Cain exercise slide 117 ff.
  - Afternoon break
    - warm giant pretzels
  - announcements
    - food at SANS launch party, Key 9, 7 PM
    - idiocracy
      - q.v.
      - movie I think
      - same guy who did office space
- Rainbow table attacks
  - idea: pre-create all possible hashes
  - but doesn't work that way
  - tahe advantage of "time-memory tradeoff"
    - Paper by Matin Hellmann
    - www-ee.stanford.edu/~hellman/publications/36.pdf
  - see slide 132
  - many pentesters carry
    - carry 160GB of high quality rainbow tables for LANMAN
      - some are more efficient than others
  - requirements
    - tables
    - tool that is compatible with the table you have
    - need the non-salted hashes
  - getting tables
    - generate our own
      - rtgen
        
        www.antsight.com/zsl/rainbowcrack
      - precomp
        
        part of Ophcrack
      - shg
        
        SMB Hash Generator
        
        see slide 135 for URL
    - pre-generated set
      - free rainbow tables project
        
        www.freerainbowtables.com
      - Shmoo group
        
        rainbowtables.shmoo.com
      - Ophcrack has smaller sets for free
    - Commercial set
      - Objectif-Securite
        
        creators of Ophcrack
      - Astalvista.net
  - Table storage
    - would need 120TB to start all hashes
    - Rainbow Tables ignore 99% of hashes that they create
    - Create a chain (1000s or 1000000s of iterations long)
      - password hash
      - reduction function
        
        tweaks a hash to create a new possible password
        
        there are many possible reduction functions
      - how
        
        start with initial pwd
        
        hash it
        
        perform reduction function to get (nonsensical) pwd 2
        
        say, first 7 of hash is next pwd
        
        hash pwd2
        
        reduction yields pwd 3
        
        Then make lots of chains with different initial passwords
        
        Compare the chains to look for a little overlap as possible
    - store chains as rainbow tables
    - use different reduction functions 1,2,3,4 in subsequent steps to limit overlap
  - To use
    - get your hash
    - run a chain based on your hash
    - compare your chain members with the end pwd of every chain, trying each reduction function on it
    - if match, pwd is in that chain
    - reinflate that chain again to find real pwd
  - tools
    - Ophcrack
    - Rainbowcrack
      - interesting video demos
      - see slide 144
  - Ophcrack exercise slide 145
    - if you have a computer with a lot of RAM, give Ophcrack more memory
    - make the most powerful PC the password cracking system
    - use nc to get the sam.txt to the Ophcrack VM
- Pass-the-hash attacks
  - how auth works
    - send pwd hash to target
    - target compares the hash with the hash it has
    - so this is the same as sending pwd in cleartext, except pwd is the hash
  - much faster than cracking; we are simply going to use the hash
  - pass-the-hash toolkit
    - Hernan Ochoa
      - of Core Security
    - http://oss.coresecurity.com/projects/pshtoolkit.html
      - oss.coresecurity.com > Projects > Pshtoolkit
    - uses Windows to attack Windows
    - also includes
      - whosthere.exe
        
        dumps current user's session info
        
        including hashes
        
        from lsass.exe process
        
        walk up to a running system and use
      - genhash.exe
        
        give it a cleartext password
        
        it generates LANMAN and NT hashes to screen
        
        if know user's password, use this to generate hashes to pass
      - iam.exe
        
        changes the current user's hash to one supplied on cmdline
        
        hunst through memory of lsass.exe process and changes hash
  - Samba cannot do pass-the-hash attack
    - JoMo-kun of Foofus
    - allows Linux to attack Windows
    - needs patching
    - have 2 versions of Samba, one stock, one patched
    - SAMBA patched to auth using env var SMBHASH with LANMAN:NT, if it is set
    - $ export SMBHASH="46F25...625AC25265:3FE465...76546"
    - now use winexe.exe
      - mount shares
      - add users
      - change group memberships
      - run a program on target
        
        like psexec
        
        pass a hash from an account in the admin group
  - Use meterpreter to dump the pwd hashes from target
    - exit technique
      - seh
        
        structured exception handler
      - thread
        
        literally kills the thread
      - process
        
        kills the process meterpreter is in
        
        may bomb the entire box
    - use exploit, set payload, etc.
    - set payload of meterpreter, such as windows/meterpreter/bind_tcp
    - run the exploit
    - use priv
      - loads the priv metasploit module
      - can dump the SAM database of target
    - hashdump
    - look for hashes of SID 500 on screen, and use them to set envvar SMBHASH
    - echo $SMBHASH
      - to check if ok
  - export SMBHASH="lanmanhash:nthash"
  - compile Samba with --smbmount (?)
  - exercise slide 163
    - note: meterpreter's "hashdump" command is used to obtain hashes
    - # cd /home/tools/samba*/source/bin
    - # ./smbmount //1.1.1.1/c$ /mnt/target -o username=administrator
      - enter any pwd when prompted, because Foofus patch will substitiute the SMBHASH envvar
    - # ./net user ADD attacker password -r 1.1.1.1 -U administrator
    - # ./net rpc group ADDMEM administrators attacker -r 1.1.1.1 -U administrator
  - to detect: workstation should never SMB communicate with other workstations, only with servers
- WPAD
  - web proxy auto-detection