1 / 20

WARNING! Sample chapter

WARNING! Sample chapter. Materials in this sample chapter is selected advanced penetration from https://training.zdresearch.com We hope you enjoy it ! . Obtaining Windows Passwords . Now you know about pass the hash and how windows hashing works lets look at some attack scenario

barr
Download Presentation

WARNING! Sample chapter

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WARNING! Sample chapter • Materials in this sample chapter is selected advanced penetration from https://training.zdresearch.com • We hope you enjoy it !

  2. Obtaining Windows Passwords • Now you know about pass the hash and how windows hashing works lets look at some attack scenario • Let’s assume that we are within a network that using domain controller for managing resources and users .

  3. Obtaining Windows Passwords • For your remember let’s take a quick look at how Active directory works again

  4. Obtaining Windows Passwords • Ok now let’s go for scenarios that we can use to obtain NT and LM hashes for doing pass the hash attacks. • 1- Physical attack and password bypass • 2- Dumping NT and LM hashes using SAM database • 3- Dumping Windows passwords from password history • 4- Dumping passwords and hashes from logon sessions • 5- Dumping hashed password from Domain Controller

  5. Physical attack and password bypass • In first scenario we have physical access to the system so how we can login into password protected system ? • the answer is very easy windows do not offer any protection for physical access attacks • You can use any live disk to modify SAM database in /system32/config • You can boot using both USB and CD • But there is problem in this method the user will informed it when you modified her/his password or added totally new user • So what is solution now ?

  6. Physical attack and password bypass • Using Kon-Boot to win • You can buy it for 15$ • http://www.piotrbania.com/all/kon-boot/ • Kon-Boot will doing temporary patch on kernel • So you can login with any user without the pass • Do your jobs and restart the system • The original password will still work • So you did full stealth attack !

  7. Dumping NT and LM hashes using SAM database • Second scenario is using • You need copy of protected SAM file and by default not possible • Using hobocopy or Fast RAW file copier make it possible

  8. Dumping NT and LM hashes using SAM database • Now you can use creddump in your BT/Kali to extract hashes • You need copy of protected SAM file and by default not possible • Using hobocopy or Fast RAW file copier make it possible • you can see the SYSTEM file here this file is called system hive and syskey too and used for offering more securing password mechanism

  9. Dumping Windows passwords from password history • In the networks with more than 10 user maybe you are out of luck if you look at SAM file • But refer to how DC is configured we may can use some situation to find attacks on host machine • One of main situations here is using Password history feature

  10. Dumping Windows passwords from password history • This policy will not let user use same password they used in X period • For example if your password was 12345 your next password after expire can’t be same as 12345 • A very cool tool called QuarckspwDump can help you to dump hashes in these situations

  11. Dumping passwords and hashes from logon sessions • We are still not down ! We have a more very cool methods to obtaining windows passwords • Windows will keep every single success login in memory and call this logon session • The info in memory includes username , workgroup and NT:LM hashed password • And this memory storage is not only about GUI login it can be happen from : • RDP login • Using RunAS feature • Using every API call that needs login like CreateProcessWithLogon • Etc.

  12. Dumping passwords and hashes from logon sessions • For extracting logon session as you know you need privileged user • For this task we will use french tool called mimikatz • http://blog.gentilkiwi.com • This tool will extract passwords by injection a DLL called securlsa.dll into lsass.exe process • You can follow next slide method to dump windows passwords in clear text ! • Please note you should write every command after # sign .

  13. Dumping passwords and hashes from logon sessions

  14. Dumping passwords and hashes from logon sessions • Ok so we can clear-text password why ? • In Windows after Vista there is new (SSP) Security Support Provider for RDP shortly called Tspkg . This feature will add single sing-on (remember me !) to this protocol. • And in almost all Windows we have another feature called WDigest and this is another SSP implementation for authentication and due to logical flow in it, for responding to challenges it will keep clear-text version of password in memory.

  15. Dumping passwords and hashes from logon sessions • Using Kerberos protocol or msv1_0 authentication that used by lsass for connecting to domains, will force the windows to keep passwords in clear-text . • In following figure you can see SSP settings for windows 7 machine .

  16. Dumping hashed password from Domain Controller • Ok we are at last method in our dumping windows password journey • To now you should can understand it easily you can find your DC manager password from your host memory . • So you will connect to your DC using RDP and will look at the SAM file and all you will get is the users for DC machine not all users domain users. • For getting all users password you should head on to \windows\NTDS

  17. Dumping hashed password from Domain Controller • For accomplishing this task we need two tool one is called libesedb and our previously used creddump • http://sourceforge.net/projects/libesedb/ • http://code.google.com/p/creddump/ • So you can have to compile libesedb and put your hash table you got from NTDS in NTDS.export directory

  18. End of sample • Using these simple tools and tricks you can successfully completely compromise a lot of windows network during your penetration tests. I hope you enjoyed the sample and see you in full course !!!

More Related