Adding Windows User Password Hint Decoding to Hashdump Tools #706

Merged
merged 3 commits into from Aug 21, 2012

@claudijd
Contributor

claudijd commented Aug 20, 2012

  • UserPasswordHint, a key that is used to store the user's password
    hint, can be easily decoded to clear-text to get the user's hint
    (Example: "My Favorite Color")
  • Added decode_windows_hint() method to perform the decode process
  • Added decoded hint output for hashdump.rb and smart_hashdump.rb

Here's an example of how the output would change...

http://postimage.org/image/k2ul69z2v/

Adding Windows User Password Hint Decoding to Hashdump Tools
* UserPasswordHint, a key that is used to store the user's password
hint, can be easily decoded to clear-text to get the user's hint
(Example: "My Favorite Color")
* Added decode_windows_hint() method to perform the decode process
* Added decoded hint output for hashdump.rb and smart_hashdump.rb
@wchen-r7

Contributor

wchen-r7 commented Aug 20, 2012

I'm testing it on XP... so I have a password hint on one of the accounts (can see it when I login and all that), but users[rid][:UserPasswordHint] never sees it (value is always nil for that particular account)... is there something specific I must do as a victim?

@claudijd

Contributor

claudijd commented Aug 20, 2012

I've only seen this behavior on Win7 and Win8 when hints are used.

I've not tested this on WinXP, but I built in some exception handling for cases where the key is not present so hashdump (specifically Rex) doesn't die on a failed read. It's possible that XP stores this info in the same or a different location in the registry, which could also be grabbed, decoded and presented in hashdump output.

Let me know if you have any questions and/or if you need a live example.

-JC

@wchen-r7

Contributor

wchen-r7 commented Aug 20, 2012

Nothing dies, it's just it's not being read on XP.

@claudijd

Contributor

claudijd commented Aug 20, 2012

Is it that the key is not being read or that the key doesn't exist?

I'm assuming the latter based on my limited testing w/ XP.

As for Win7 and Win8, this code should extract and decode hints properly.

@thelightcosine

thelightcosine commented Aug 20, 2012

I think this is a nice addition but is there a better way we can output it? If you need to copy/paste those hashes into another tool for cracking, you have to go and manually strip those bits off the end of each line.

@wchen-r7

Contributor

wchen-r7 commented Aug 20, 2012

While retrieving UserPasswordHint, you hit this error on XP: "stdapi_registry_query_value: Operation failed: The system cannot find the file specified." The hint is stored in this location instead:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\[username]

@claudijd

Contributor

claudijd commented Aug 20, 2012

@dmaloney-r7 - Yeah, I figured that was going to come up, but couldn't think of a better way. Was thinking maybe command-line opts, but I'm open to suggestions. What about having a section afterwards that spits out hints for users we got them from?

@wchen-r7 - Good find! That should be pretty easy to implement. Let me know if you'd prefer I add it or whether you want to.

@wchen-r7

Contributor

wchen-r7 commented Aug 20, 2012

You can add it. I'm working on something else atm...

@thelightcosine

thelightcosine commented Aug 20, 2012

@claudijd I think having the after-section with the hints would probably be better. Normally I would say the way you have it is great but the copy-paste scenario is going to be fairly common and so I don't want to add any frustration around that for users.

Added XP Support and Changed Output Method for User Password Hints
1.) Now grabs clear-text user hint from XP systems in addition to
Win7/Win8 systems
2.) Changes output so it's no longer inline with hashes so as not to
affect copy/paste of hashes output
3.) Adding alternate text in cases when no user hints are available
@claudijd

Contributor

claudijd commented Aug 21, 2012

I ended up putting the hint output before the hashdump output because to me it seemed less intrusive to a hashdump operation. Let me know if you'd prefer it after the hash dump like we discussed originally and I can move it down.

This pull now includes support for WinXP (tested) and Win8 (tested), but I'm assuming this will work for both Win7 (untested) and Vista (untested).

Here's an example of how the output would change with these recent mods between ((WinXP|Win8) && (Hints|NoHints)) test cases...

http://postimage.org/image/azp28xj6x/full/

@wchen-r7

Contributor

wchen-r7 commented Aug 21, 2012

Thanks, I'll do more testing, and then merge it if good to go.

@wchen-r7

Contributor

wchen-r7 commented Aug 21, 2012

Blah, bug:

[*] Obtaining the user list and keys...
[-] Post failed: NoMethodError undefined method `sys' for nil:NilClass
[-] Call stack:
[-]   /r7_msf/modules/post/windows/gather/hashdump.rb:204:in `block in capture_user_keys'
[-]   /r7_msf/modules/post/windows/gather/hashdump.rb:194:in `each'
[-]   /r7_msf/modules/post/windows/gather/hashdump.rb:194:in `capture_user_keys'
[-]   /r7_msf/modules/post/windows/gather/hashdump.rb:72:in `run'
@wchen-r7

Contributor

wchen-r7 commented Aug 21, 2012

Same error in smart_hashdump.rb

@claudijd

Contributor

claudijd commented Aug 21, 2012

Yeah, I'm a dummy...

I didn't realize the variable nuances between the script and module routines.

@client != session

I'll get that cleaned up today/tonight.

Thanks!

Fixing Bug w/ XP Method & Improving formatting for smart_hashdump
1.) Addressed obvious bug in registry read for XP hint gathering code
2.) Cleaned up the formatting for smart_hashdump which needed
additional tabs
@claudijd

Contributor

claudijd commented Aug 21, 2012

Fixed and tested. Let me know if you find anymore turds.

@wchen-r7 wchen-r7 merged commit c5623ca into rapid7:master Aug 21, 2012

@ashb

ashb commented Aug 22, 2012

Your decode_windows_hint is doing far more than it needs to. The hint data is stored in UTF16 (or UCS-2 - I forget the exact details. A lot of windows internals have wide char support.)

The following should work on Ruby 1.9

# decode_windows_hint(uk.query_value("UserPasswordHint").data.unpack("H*")[0])
uk.query_value("UserPasswordHint").data.encode('utf-8', 'utf-16le')
@claudijd

Contributor

claudijd commented Aug 23, 2012

@ashb thanks, I'll probably send in a pull request for tightening up that code when I get a chance.

@hdm

Contributor

hdm commented Aug 23, 2012

The encode/decode method is not acceptable since this code must work on both 1.8 and 1.9 versions of ruby
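As an added example (not the PR's or Metasploit's own code), here is the decode step from ashb's and hdm's comments written with pack/unpack only, so it needs no String#encode and runs on Ruby 1.8 as well as 1.9; it takes the hex form the PR's decode_windows_hint() receives, and the sample hint hex below is constructed for this demo.

```ruby
# Illustrative implementation of a UserPasswordHint decoder (not the PR's
# own method). Input is the hex string produced by data.unpack("H*")[0];
# the underlying value is UTF-16LE text, usually with a trailing NUL.
def decode_windows_hint(hex_hint)
  raw = [hex_hint].pack("H*")                 # hex -> raw bytes
  raw = raw[0, raw.length - 1] if raw.length.odd?  # odd byte count is not UTF-16; drop stray byte
  units = raw.unpack("v*")                    # little-endian 16-bit code units
  nul = units.index(0)
  units = units[0, nul] if nul                # stop at the NUL terminator
  cps = []
  i = 0
  while i < units.length
    u = units[i]
    if u.between?(0xD800, 0xDBFF) && i + 1 < units.length &&
       units[i + 1].between?(0xDC00, 0xDFFF)
      # combine a surrogate pair into one code point (non-BMP characters)
      cps << (0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00))
      i += 2
    else
      cps << (u.between?(0xD800, 0xDFFF) ? 0xFFFD : u)  # lone surrogate -> U+FFFD
      i += 1
    end
  end
  cps.pack("U*")                              # code points -> UTF-8 string
end

# Constructed sample: "My Favorite Color" as UTF-16LE hex with a NUL terminator,
# i.e. what unpack("H*") would yield for such a registry value.
SAMPLE_HINT_HEX = "4d00790020004600610076006f0072006900740065002000" \
                  "43006f006c006f0072000000"

puts decode_windows_hint(SAMPLE_HINT_HEX) if __FILE__ == $0
```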

@claudijd

Contributor

claudijd commented Aug 24, 2012

@hmoore-r7 thanks for saving me some work ;)
