script returns hash instead of password

aas-n / spraykatz

Credentials gathering tool automating remote procdump and parse of lsass process.

https://twitter.com/aas_s3curity

MIT License

748 stars 122 forks source link

script returns hash instead of password #8

Closed suntop250ml closed 4 years ago

suntop250ml commented 4 years ago

Hello The script is returning a hash where password is expected (see screenshot below), why is this ?

aas-n commented 4 years ago

Hi,

Does the username end with a $ ?
Is the "password" only [a-f] and [0-9] or are there special chars too?

suntop250ml commented 4 years ago

Hello,

attacker username does not contain special characters
attacker password contains one special character ( $ ) at the beginning, but as was mentioned in issue #7 I escaped the ( $ ) character and put the password in double quotes "\$password"
victim username does not contain any special characters
victim password contains a semicolon ( ; ) at the middle of the password

aas-n commented 4 years ago

Hi,

Do you try the username and password found against the machine with cme for example?

cme smb <machine> -u <username> -p '<weirdPassword>'

I would not be surprised this is indeed a valid password generated by something.

suntop250ml commented 4 years ago

Hello, It is not a valid password, I know this because I know the victim's password, I am testing the tool on a machine that I know the password for.

aas-n commented 4 years ago

So it looks like a bug. Thank you for reporting this.

Do you think possible to parse the problematic dump locally to see if this weird thing occurs too with Pypykatz?

pypykatz lsa minidump <yourDump.dmp>

It is complicated for me to investigate more without the problematic dump, so I keep this thread open until I face the same problem as you.

suntop250ml commented 4 years ago

I would be very glad to assist in resolving this bug, but you would have to give me a more elaborate instructions, I am not really a developer, I am just a security enthusiast, you can start with telling me how to create a dump of the machine in order to run the pypykatz tool on it.

aas-n commented 4 years ago

On the target machine:

Simply download ProcDump64.exe.

"Run as administrator" a cmd prompt and type:

procdump64.exe -accepteula -ma lsass.exe C:\lsass.dmp

Then, retrieve lsass.dmp on your attacker machine

On the attacker machine:

install Pypykatz
```
pip3 install pypykatz
```
run Pypykatz on the dump:
```
pypykatz lsa minidump dump.dmp
```
And try to find your weird password in the output.

suntop250ml commented 4 years ago

So I went and parsed the dump locally using Pypykatz as per the instructions above and searched for the password in the output and found exactly the same long string of letters and numbers that the Spraykatz tool generated.

Just to make sure I parsed the dump for another 3 machines and got another long string of letters and numbers.

aas-n commented 4 years ago

Ok, so it is not a Spraykatz problem as Spraykatz only prints what Pypykatz has parsed. But to understand this behavior, you can download Mimikatz on your Windows machine.

"Run as administrator" a command prompt and run mimikatz. When in the mimikatz command shell, type:

sekurlsa::minidump dump.dmp
sekurlsa::logonpasswords

If you cannot find the long string with Mimikatz, it should be a Pypykatz related problem.
If you can find the same password with mimikatz (pretty sure it will be the case), if it is a password, and if you are sure this is not the real user's password, I am not able to explain this.