Credential Dumping: SAM

In this article we look at how Windows stores passwords, focus on the two hash formats kept in the SAM database (LM and NT) and the NTLM authentication built on them, and then walk through the tools that dump those hashes from SAM.

Table of Content

  • Introduction to SAM
  • How passwords are stored?
  • LM Authentication
  • NTLM Authentication
  • Mimikatz
  • PwDump7
  • SamDump2
  • Impacket
  • Metasploit Framework
    • HashDump
    • Credential_collector
    • Load_kiwi (Mimikatz)
    • Invoke-PowerDump.ps1
    • Get-PassHashes.ps1
  • Koadic
  • PowerShell Empire
    • Mimikatz/sam
    • Credential/powerdump
  • Powershell
  • LaZagne
  • Cracking the hashes: John The Ripper

Introduction to SAM

SAM is short for Security Account Manager, the database of local user accounts and their password hashes. Passwords are never stored in clear text: each one is hashed and the hash is written to SAM, and it is the Local Security Authority (LSA, running inside the lsass.exe process) that verifies a logon by computing the same hash and comparing it with the stored one. SAM is loaded at boot and stays in use for as long as Windows is running. On disk it is the registry hive file C:\Windows\System32\config\SAM, which is mounted in the registry under HKEY_LOCAL_MACHINE\SAM. Two things follow from this that matter for every method below: the hive file is held open by the kernel while Windows runs, so it cannot simply be copied, and the HKLM\SAM key is readable only by SYSTEM, so even an administrator has to elevate to SYSTEM or export the hive with reg save. The hashes inside SAM are additionally encrypted with a key derived from the SYSTEM hive (the boot key), which is why the offline tools below need both the SAM and the SYSTEM hive.

How are Passwords stored in Windows?

To understand how passwords are saved in Windows we first need to understand the two hash formats, LM and NT, and the NTLM v1 and v2 challenge-response protocols that use them. Kerberos is the default protocol in a domain, but it does not use the SAM database and is outside the scope of this article.

LM authentication

LAN Manager (LM) authentication dates back to Microsoft's LAN Manager network operating system of the late 1980s, and the protection it gives is considered broken today. The LM hash is computed by converting the password to upper case, truncating or null-padding it to 14 characters, splitting it into two 7-character chunks and using each chunk as a 56-bit DES key to encrypt a fixed constant; the two 8-byte ciphertexts are concatenated to make the 16-byte hash. Because of the upper-casing, an attacker running a brute-force or dictionary attack never has to try lower-case letters, and because the two halves are encrypted independently, each one can be cracked on its own as a password of at most 7 characters. Since Windows Vista and Server 2008 the LM hash is no longer stored by default; when it is absent, dumps show the constant aad3b435b51404eeaad3b435b51404ee in the LM field.

NTLM authentication

NTLM authentication was introduced because LM had proven insecure. NTLM is a challenge-response mechanism built on three messages: the negotiate, the challenge (which carries the server's nonce) and the authenticate (which carries the response).

When a password is set, Windows does not keep the password itself. It stores the NT hash, the MD4 digest of the password encoded as UTF-16LE, and discards the clear text. At logon the client sends its username to the server; the server generates a random 8-byte nonce (the challenge) and returns it; the client encrypts the nonce using the NT hash as the key and sends the result back as the response. For a domain account the server forwards these three values (username, nonce, response) to a domain controller, which recomputes the response from the NT hash it holds in its own database and compares the two; if they match, authentication succeeds. A local account is verified the same way against SAM. Note that the server side never needs the password, only the hash: whoever holds an NT hash can produce a valid response, which is why a dumped hash is usable directly (pass-the-hash) without ever being cracked.

NTLM v1 and v2 follow the same flow but differ in how the response is built. Both start from the same 16-byte MD4 NT hash (the claim that v1 is MD4 and v2 is MD5 is a common misreading). In v1 the NT hash is padded to 21 bytes and split into three 7-byte DES keys, each of which encrypts the 8-byte server challenge in ECB mode, giving a 24-byte response (64 + 64 + 64 bits); the third key contains only 16 bits of hash material, so the effective key strength is 56 + 56 + 16 bits and the three pieces can be attacked separately. In v2 the NT hash is first turned into a per-user key with HMAC-MD5 over the upper-cased username and the domain, and the response is the 128-bit HMAC-MD5 of the server challenge concatenated with a client blob that carries a timestamp, an 8-byte client challenge and the server's target information, which is what defeats the precomputation and relay tricks that work against v1.
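To make the two paragraphs above concrete, here is an added example (not code from the original article) that computes the NT hash and runs a complete NTLMv2 exchange, including the server-side check and a pass-the-hash logon that never touches the password. The user name, domain, challenges and target-info bytes are constructed for illustration; MD4 is implemented inline because many OpenSSL builds no longer expose it to hashlib. LM and NTLMv1 are left out because they need DES, which the standard library does not provide.

```python
"""NT hash and NTLMv2 challenge/response, worked end to end in pure Python.

Added example, not code from the original article. md4() is implemented here
because many OpenSSL builds expose MD4 only via the 'legacy' provider, which
makes hashlib.new('md4') fail. User, domain, challenges and target-info bytes
below are constructed for illustration."""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)                  # bit length, little-endian
    h0 = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]           # 0,4,8,12,1,5,9,13,...
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h0
        for i in range(16):                                  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 2
            a = _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 3
            a = _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h0 = [(v + w) & MASK32 for v, w in zip(h0, (a, b, c, d))]
    return struct.pack("<4I", *h0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted: same password, same hash,
    on every machine, which is what makes SAM dumps so reusable."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 keyed by the NT hash over UPPER(user)+domain.
    The input is the hash, not the password."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The client's 'temp' structure (MS-NLMP 3.3.2): type bytes, FILETIME,
    8-byte client challenge and the AV_PAIR target info sent by the server."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nthash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || blob,
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    proof = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nthash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """What the server (or the DC, over Netlogon) does with the three values it
    holds: username, its own challenge and the response. It never needs the
    password, only the stored hash."""
    proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(stored_nthash, user, domain, server_challenge, blob)[:16]
    return hmac.compare_digest(proof, expected)


def exchange(client_password: str, stored_password: str = "password",
             user: str = "raj", domain: str = "WORKGROUP",
             attacker_nthash: bytes = None) -> bool:
    """One full exchange. With attacker_nthash set, the client never sees a
    password and authenticates with a dumped hash alone (pass-the-hash)."""
    server_challenge = os.urandom(8)                         # CHALLENGE_MESSAGE nonce
    dom = domain.encode("utf-16-le")
    target_info = struct.pack("<HH", 2, len(dom)) + dom + struct.pack("<HH", 0, 0)  # MsvAvNbDomainName, MsvAvEOL
    blob = ntlmv2_blob(0x01D9F00000000000, os.urandom(8), target_info)
    client_key = attacker_nthash if attacker_nthash is not None else nt_hash(client_password)
    response = ntlmv2_response(client_key, user, domain, server_challenge, blob)   # AUTHENTICATE_MESSAGE
    return server_verify(nt_hash(stored_password), user, domain, server_challenge, response)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("correct password:", exchange("password"))
    print("wrong password:  ", exchange("Password"))
    print("hash only (PtH): ", exchange("", attacker_nthash=nt_hash("password")))
```

The last call is the point of the whole section: server_verify accepts the response computed from the bare hash, which is exactly what a SAM dump gives an attacker.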

Now as we have understood these hashing systems, let’s focus on how to dump them. The methods we will focus on are best suited for both internal and external pen-testing. Let’s begin!

Mimikatz

A simple way to dump the SAM hashes is mimikatz; it is well suited to internal penetration testing because it has to run on the target. In one of our previous articles we covered mimikatz; to read that article, click here. The key step in this method is the token::elevate command: run from an elevated prompt, it impersonates a SYSTEM token so that mimikatz can read the HKLM\SAM key, which the administrator's own token cannot. With the SYSTEM token in place, the lsadump::sam module dumps the hashes. Use the following set of commands:

PwDump7

This tool was developed by Tarasco Security and you can download it from here. It reads the SAM and SYSTEM hives of the running system and dumps the hashes they contain; it needs an administrative command prompt. To run it, execute the following command after downloading:

As a result it dumps all the hashes stored in SAM, as shown in the image above.

Next we export the SAM and SYSTEM hives to files with reg save, again from an elevated prompt. Both are needed because the hashes in SAM are encrypted with the boot key that lives in the SYSTEM hive. Use the following commands:

With the two hive files saved we can extract the hashes offline, on the attacker's machine, with either of the next two tools.

SamDump2

Once you have the two hive files, SamDump2 can dump the hashes from them; it takes the SYSTEM hive (for the boot key) and the SAM hive as its arguments:

Impacket

Impacket's secretsdump.py can also extract all the hashes from the saved hives with the following command:

Metasploit Framework: HashDump

When you have a meterpreter session on a target, just run the hashdump command and it will dump all the hashes from that system's SAM, as shown in the image below. It needs SYSTEM privileges, so run getsystem or migrate into a SYSTEM process first if the session is not already running as SYSTEM.

Another way is the post-exploitation module of the same name, post/windows/gather/hashdump, which runs against a backgrounded session. To use it, run the following set of commands:

Metasploit Framework: credential_collector

Another built-in post-exploitation module, post/windows/gather/credentials/credential_collector, collects hashes and tokens from the session. To use it, background your session and run the following command:

Metasploit Framework: load kiwi

The next option Metasploit offers is the kiwi extension, which is mimikatz built into meterpreter. Load it with the load kiwi command and then use the following command to dump the whole SAM:

Hence you have your hashes, as you can see in the image above.

Metasploit Framework: Invoke-Powerdump.ps1

Download Invoke-Powerdump Script

This method uses PowerShell from within Metasploit. After getting the meterpreter session, load the PowerShell extension with load powershell and then use the following set of commands to run the Invoke-PowerDump.ps1 script:

Once the script has run, you will have the dumped hashes, just as in the image above.

Metasploit Framework: Get-PassHashes.ps1

Download Get-PassHashes Script

Again via meterpreter, load the PowerShell extension with load powershell and, just like in the previous method, use the following commands to run the script and retrieve the hashes:

All the hashes have been retrieved.

Koadic

Once you have a session in the Koadic C2, use the hashdump_sam module to get the hashes as shown below:

All the hashes from the SAM will be dumped, as shown in the image above.

Powershell Empire: mimikatz/sam

Once you have an agent in Empire, interact with it and use the mimikatz/sam module to dump the credentials with the help of the following commands:

This module runs mimikatz on the agent and dumps the SAM hashes for you.

Powershell Empire: credentials/powerdump

Empire offers yet another module that dumps the hashes from the victim's system. This one does not invoke mimikatz like the previous method; it runs the PowerDump script through the agent. To use it, type:

And you will have the hashes.

PowerShell

Download Invoke-Powerdump Script

This method is a good fit for local, AKA internal, testing. To use it, simply type the following in an elevated PowerShell:

And it will dump all the hashes for you.

LaZagne

LaZagne is a versatile tool for dumping all kinds of stored passwords. We have covered LaZagne in a dedicated article; to visit it, click here. To dump the SAM hashes with LaZagne, run it as administrator with the following command:

All the credentials have been dumped.

Cracking the Hashes: John The Ripper

John the Ripper is a hash cracking tool. We have dedicated two articles to it; to learn more, click here: part 1, part 2. Note that NT and LM hashes cannot be decrypted, since they are one-way functions; they can only be cracked by hashing candidate passwords until one matches. Once you have dumped the hashes with any of the methods above, save them in the user:RID:LM:NT::: format the tools emit and point John at the file with the following command:

And as you can see, it reveals the password behind the hash. Cracking is only needed when you want the clear-text password; for lateral movement the NT hash itself is usually enough.

This article focused on dumping credentials from the Windows SAM, and various methods have been shown on multiple platforms. To defend a system you first have to know how it can be attacked and to what extent; in practice that means treating local administrator access, and with it the ability to read the SAM and SYSTEM hives, as equivalent to holding every local password hash on that machine.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Credential Dumping: Security Support Provider (SSP)

In this article we will dump Windows logon credentials by abusing the Security Support Provider (SSP) mechanism. This is our fourth article in the credential dumping series. Both local and remote methods are used so as to cover every aspect of pentesting.

Table of content:

  • Introduction to Security Support Provider (SSP)
  • Manual
  • Mimikatz
  • Metasploit Framework
  • Koadic
  • Powershell Empire

Introduction to Security Support Provider

A Security Support Provider (SSP) is a DLL that implements one or more security packages (Kerberos, NTLM, Digest, Schannel and so on) behind the Security Support Provider Interface (SSPI), the API Windows programs use to authenticate. The LSA process (lsass.exe) loads every registered SSP when the system starts, and once loaded the DLL sees the credentials that pass through authentication. That is what makes a malicious SSP useful: register one and LSASS will hand it every password at the next logon. The packages to load are listed in two REG_MULTI_SZ registry values, which you will find at the following locations:

  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

Manual

The first method we use to abuse SSPs is manual: register mimikatz's mimilib.dll as a security package. Once that is done and the system reboots, LSASS loads the DLL and from then on the credentials of every logon are appended in clear text to a file named kiwissp.log in System32. The registration itself is done under the registry key hklm\system\currentcontrolset\control\lsa.

The first step is to copy mimilib.dll from the mimikatz folder into the system32 folder. This DLL is the security package itself: it creates the kiwissp.log file and writes the credentials it sees into it in plaintext.

Then navigate to hklm\system\currentcontrolset\control\lsa. Here you can see that the Security Packages value is empty, as shown in the image below:

The same can be checked with the following PowerShell command:

Just as shown in the image below, there is no entry. So this needs to be changed if we want to dump the credentials: we set Security Packages to the legitimate packages LSASS already uses (kerberos, msv1_0, schannel, wdigest, tspkg, pku2u) plus mimilib, so that our DLL is loaded alongside them at the next boot. Use the following command to make these entries:

And then to confirm whether the entry has been done or not, use the following command:

You can then navigate to hklm\system\currentcontrolset\control\lsa again to see the entries you just made.

Now, whenever the system reboots and a user logs on, a file named kiwissp.log is created in system32 and the credentials are stored in it in cleartext. Use the following command to read them:

Mimikatz

Mimikatz provides a module (misc::memssp) that injects the same logging SSP directly into LSASS memory, with no DLL on disk and no reboot; because it lives only in memory it also does not survive a restart. Credentials are captured the next time a user authenticates, so once the user signs out (or locks the screen) and signs back in, the passwords are written out. For this method, run mimikatz from an elevated prompt, obtain the debug privilege and type:

Running the above commands will create mimilsa.log in system32 once the user has logged in again. To read this file use the following command:

Metasploit Framework

When dumping credentials remotely, Metasploit really comes in handy. Its kiwi extension lets us manipulate the SSP just as in the previous method. Once you have a meterpreter session running as SYSTEM, use the load kiwi command to initialise the extension, then inject the mimikatz SSP into memory with the following command:

Now the module has been injected into memory. As it writes the clear-text credentials only when a user authenticates after the injection, we force the lock screen on the victim so that the next unlock gives us the credentials. For this, run the following commands:

Now we have forced the user to authenticate again. Whenever the user logs back in, our mimilsa.log is created in system32; to read the file use the following command:

Koadic

Just like Metasploit, Koadic too provides a similar mimikatz module, so let's get to dumping the credentials.

Once you have a session in Koadic, use the following module to inject the payload into memory:

Once the module has executed successfully, use the following commands to force the user to sign out of Windows and then run the shell command to read the mimilsa file:

As shown in the above image, you will have your credentials.

PowerShell Empire

Empire is an outstanding tool; we have covered PowerShell Empire in a series of articles, to read them click here. Through mimikatz, Empire lets us inject the logging SSP into memory, which in turn lets us retrieve Windows logon credentials. Once you have an agent in Empire, use the following module to get your hands on the credentials:

After the module has executed successfully, all that is left to do is lock the user out of their session, so that when they sign in again the file that saves the credentials in plaintext is written. To lock the user out, use the following module:

After the user logs in, the said file will be created. To read the contents of the file use the following command:

Powershell Empire: mimilib.dll

Everything we did in the manual method can also be done remotely through Empire, which is useful in external penetration testing. The first step is to copy mimilib.dll from the mimikatz folder into the system32 folder of the target. To do so, go to the folder where mimilib.dll is located and start a Python web server, as shown in the following image:

After that, through your agent, run the following set of shell commands:

Of the above commands, the first downloads mimilib.dll from your Python server onto the target PC and the remaining two edit the registry value for you. Once the commands have executed successfully, all you have to do is wait for the target system to restart; after that the log file is created. To access the file, use the following command:

And we have our credentials.


Credential Dumping: WDigest

This is our third article in the credential dumping series. In this article we will manipulate the WDigest security package in order to retrieve system credentials in clear text. The methods used are for both internal and external penetration testing.

Table of Content:

  • Introduction to WDigest
  • Working of WDigest.dll
  • Manual
  • PowerShell
  • Powershell via meterpreter
  • Metasploit Framework
  • PowerShell Empire
  • Mitigation
  • TL; DR

Introduction to Wdigest

WDigest.dll was introduced with Windows XP and was specifically designed for HTTP Digest and SASL authentication. Like NTLM it is a challenge/response protocol, but in order to answer Digest challenges on the user's behalf (single sign-on) it keeps a copy of the user's clear-text password in LSASS memory. That caching is on by default from Windows XP through Windows 8.0 and from Windows Server 2003 through Windows Server 2012, which is what lets mimikatz read passwords in clear text from LSASS on those systems. Windows 8.1, Windows 10, Windows Server 2012 R2 and later disable it by default, and Microsoft released a patch (KB2871997) for the earlier versions that adds the UseLogonCredential registry value used to turn it off, or, as in this article, back on.

Working of WDigest.dll

As it is a challenge-response protocol, it is important to understand how it works. The validating server creates a challenge containing unpredictable data. A key derived from the user's password is used to encrypt the challenge and produce a response. The server, which can derive the same key, compares the expected response with the one received from the client, and if they match the user is authenticated. Digest derives that key from the password itself (a hash over username, realm and password) rather than from the NT hash, which is why WDigest keeps the clear-text password around: it cannot compute the response from the NT hash alone.

Now that we have understood what exactly a WDigest protocol is and how it works, let’s get to practical of how to exploit it.

Manual

Our first method to abuse WDigest and dump the desired credentials is manual. It comes in handy in white-box pentesting. In this method, download mimikatz, run it from an elevated prompt and enter the following commands:

As you can see, the above commands bore no fruit because WDigest caching wasn't active. To activate it, use the following command:

The above command creates a REG_DWORD value called UseLogonCredential under the WDigest key in the registry and sets it to 1, as you can see in the image below:

That step has just enabled WDigest caching on the system, which makes LSASS keep passwords in memory in clear text. Those passwords can then be retrieved, as you will see further in this article.

Now we need to refresh the policy we just changed in the registry, using the following command. Note that the clear-text password is cached only for logons that happen after the change, so the user must sign in again (or lock and unlock the session) before anything appears in memory:

Now, if you launch mimikatz and run the following commands, you will have the credentials.

PowerShell

In this method we invoke a PowerShell script on the system that flips the same registry value and then forces the user to log in again, which gets the clear-text credentials into memory for us.

Download WdigestDowngrade.ps1

Simply launch PowerShell as administrator and run the following commands:

Once the above commands are executed successfully, run the following command to dump the credentials.

And as you can see, we got the credentials.

PowerShell via Meterpreter

In this method we invoke the PowerShell script from our meterpreter session. When you have a meterpreter session, run the following commands to create the UseLogonCredential value and make the change in the registry:

Once the above commands have created the UseLogonCredential value, you can launch mimikatz (here through Invoke-Mimikatz.ps1) to dump the credentials using the following commands:

Download Invoke Mimikatz.ps1

Metasploit Framework

Our next method is an excellent one for dumping credentials remotely, which is often a requirement in grey-box pentesting. Once you have your meterpreter session, background the session and run the wdigest_caching post module (post/windows/manage/wdigest_caching), which makes the same change under the WDigest key that we made manually in the previous method, using the following commands:

Then load the kiwi extension to dump the credentials. To do so, type:

And yes, we have our credentials.

PowerShell Empire

When you have an agent in Empire, use the wdigest_downgrade module to create the UseLogonCredential value under the WDigest key and set it to 1, with the help of the following commands:

Once the above module has executed successfully, you can use another built-in module to dump the credentials, with the following set of commands:

And after the execution of the above command, you have the credentials.

Mitigation

Following are the steps you can take to secure yourself against this scenario:

  • On Windows 7, 8, Server 2008 R2 and Server 2012, install the KB2871997 update; without it the UseLogonCredential value has no effect and WDigest caching stays on.
  • Explicitly set HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 0 (REG_DWORD) rather than relying on the value being absent; 0 disables the clear-text caching.
  • Monitor that value for changes (for example with Sysmon registry events): an attacker who sets it to 1 is preparing to dump passwords at the next logon, and you will see the change before the dump happens.
  • Put sensitive accounts in the Protected Users group and enable Credential Guard on Windows 10 / Server 2016 and later; both keep clear-text credentials out of reach of LSASS memory reads.
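The manual SSP method and the WDigest sections above both come down to one registry value each: Security Packages under the Lsa key, and UseLogonCredential under WDigest. The added example below (not from the original articles) audits both. It parses text in the shape reg query prints, so it runs offline against an export as well as live on Windows through winreg; the two reg query outputs embedded in it are constructed samples, and the baseline list of Microsoft packages is an assumption that should be compared against a clean host of the same build.

```python
"""Audit the two LSA registry settings the SSP and WDigest articles modify.

Added example, not part of the original articles. Parsing works on text in the
shape 'reg query' prints, so it also runs offline against a saved export; the
two outputs below are constructed samples. BASELINE_SSPS is an assumption
(it matches a default Windows 10 / Server 2016 OSConfig list); compare it
against a known-clean host of the same build before trusting it."""
import re
import sys

# Microsoft packages normally present; anything else (e.g. 'mimilib') is a finding.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}

SAMPLE_LSA = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib
    LsaPid    REG_DWORD    0x2f8
"""
SAMPLE_WDIGEST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x1
"""

_VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> dict:
    """Map value name -> (type, data) from 'reg query' style output.
    REG_MULTI_SZ data arrives as one string with literal '\\0' separators,
    REG_DWORD data as hex text such as 0x1."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, typ, data = m.groups()
        if typ == "REG_MULTI_SZ":
            data = [s for s in data.split(r"\0") if s]
        elif typ == "REG_DWORD":
            data = int(data, 16)
        values[name] = (typ, data)
    return values


def ssp_findings(values: dict) -> list:
    """Entries in 'Security Packages' outside the baseline (MITRE T1547.005).
    On a current Windows build this value is usually empty and the real list
    lives under OSConfig, so a populated list ending in an unknown name is
    doubly suspicious."""
    _, pkgs = values.get("Security Packages", ("REG_MULTI_SZ", []))
    return [p for p in pkgs if p and p.lower() not in BASELINE_SSPS]


def wdigest_finding(values: dict) -> str:
    """UseLogonCredential must be absent (patched defaults) or 0; 1 means LSASS
    keeps the clear-text password of every interactive logon."""
    if "UseLogonCredential" not in values:
        return "absent (caching off on patched builds; set it to 0 explicitly)"
    _, v = values["UseLogonCredential"]
    return "ENABLED: UseLogonCredential=1" if v == 1 else "disabled (0)"


def audit(lsa_text: str, wdigest_text: str) -> dict:
    """Offline audit of two 'reg query' captures."""
    return {"unexpected_ssps": ssp_findings(parse_reg_query(lsa_text)),
            "wdigest": wdigest_finding(parse_reg_query(wdigest_text))}


def audit_live() -> dict:
    """Same checks against the running registry (Windows only, read-only)."""
    import winreg
    lsa, wd = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa") as k:
        pkgs, _ = winreg.QueryValueEx(k, "Security Packages")
        lsa["Security Packages"] = ("REG_MULTI_SZ", list(pkgs))
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest") as k:
            v, _ = winreg.QueryValueEx(k, "UseLogonCredential")
            wd["UseLogonCredential"] = ("REG_DWORD", v)
    except FileNotFoundError:
        pass                                    # value absent: the patched default
    return {"unexpected_ssps": ssp_findings(lsa), "wdigest": wdigest_finding(wd)}


if __name__ == "__main__":
    print(audit_live() if sys.platform == "win32" else audit(SAMPLE_LSA, SAMPLE_WDIGEST))
```

On the constructed input this reports mimilib as the one unexpected package and UseLogonCredential as enabled, which is exactly the state the two articles leave a host in; an absent UseLogonCredential is reported separately because on an unpatched Windows 7 or 2008 R2 host "absent" still means caching is on.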

TL; DR

Understanding the basics of your operating system makes you more secure: a seemingly minor change, such as one registry value, can expose every password on a machine. With WDigest caching enabled, LSASS keeps clear-text passwords in memory, and an attacker with administrator privileges can flip that value and, at the next logon, read the passwords with mimikatz, Metasploit, Empire or the PowerShell scripts shown above, both locally and remotely, and then reuse them wherever those users have access. The defence is to keep the value at 0 on patched systems, to watch it for changes, and to treat local administrator on any host as a credential-theft risk.


Credential Dumping: Windows Credential Manager

In this article we learn about dumping stored credentials by abusing the Windows Credential Manager. We will cover various methods that can be used in both internal and external penetration testing.

Table of Content:

  • Introduction to credentials manager
  • Accessing credential manager
  • Metasploit
  • Empire
  • Credentialfileview
  • PowerShell
  • Mitigation
  • Conclusion

Introduction to Credential Manager

Credential Manager was introduced with Windows 7. It is a vault for the credentials that Windows and Windows applications have saved on your behalf. They are stored as files in the folder %Systemdrive%\Users\<Username>\AppData\Local\Microsoft\Credentials, and it is this folder that Credential Manager reads. Each file is encrypted with DPAPI under a master key derived from the user's logon secret, so it can only be decrypted in that user's context, with that user's password or NT hash, or, in a domain, with the domain's DPAPI backup key. Credential Manager also lets you add, edit, delete, back up and restore the entries.

Credentials saved in credential manager are of two types:

  • Web credentials: because Edge (and Internet Explorer) are Microsoft products, Credential Manager holds the passwords those browsers save, as well as the passwords of other Microsoft applications such as Skype and Microsoft Office.
  • Windows credentials: saved credentials for Windows resources, such as network shares, remote desktop connections and other systems on the network that you chose to remember. These are not your own Windows logon password.

Applications run by Windows that have your credentials saved store them in Credential Manager automatically, and when you update a password the change is recorded there too.
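The files in that Credentials folder are not plain text: each one is a small header followed by a DPAPI blob. The added example below (not from the original article) parses that header far enough to report the cipher, the hash and, most usefully, the GUID of the DPAPI master key needed to decrypt it, and shows where that master key file lives. The layout is the documented CREDENTIAL_FILE / DPAPI_BLOB format; the master key GUID, description and payload in build_sample_file() are constructed, not taken from a real host, and the code only parses, it does not decrypt.

```python
"""Read the header of a Credential Manager file far enough to see what protects
it and which DPAPI master key is needed to open it.

Added example, not part of the original article. Field order follows the
CREDENTIAL_FILE and DPAPI_BLOB structures as documented by mimikatz and
impacket. build_sample_file() fabricates a file with a valid header and a
meaningless payload; nothing here is taken from a real host."""
import os
import struct
import uuid

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # constant in every DPAPI blob
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the DPAPI_BLOB header. No decryption: that needs the master key."""
    off = 0
    version, = struct.unpack_from("<I", blob, off); off += 4
    provider = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    if provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    _mk_version, = struct.unpack_from("<I", blob, off); off += 4
    master_key = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    flags, desc_len = struct.unpack_from("<II", blob, off); off += 8
    description = blob[off:off + desc_len].decode("utf-16-le").rstrip("\x00"); off += desc_len
    alg_crypt, alg_crypt_len, salt_len = struct.unpack_from("<III", blob, off); off += 12
    salt = blob[off:off + salt_len]; off += salt_len
    hmac_key_len, = struct.unpack_from("<I", blob, off); off += 4 + hmac_key_len
    alg_hash, _alg_hash_len, hmac2_len = struct.unpack_from("<III", blob, off); off += 12 + hmac2_len
    data_len, = struct.unpack_from("<I", blob, off); off += 4
    ciphertext = blob[off:off + data_len]; off += data_len
    sign_len, = struct.unpack_from("<I", blob, off); off += 4
    signature = blob[off:off + sign_len]
    return {
        "blob_version": version, "master_key_guid": str(master_key), "flags": flags,
        "description": description,
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "cipher_bits": alg_crypt_len,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "salt": salt.hex(),
        "ciphertext_len": len(ciphertext), "signature_len": len(signature),
    }


def parse_cred_file(data: bytes) -> dict:
    """Credential files start with a 12-byte header: version, blob size, reserved."""
    file_version, blob_size, _reserved = struct.unpack_from("<III", data, 0)
    info = parse_dpapi_blob(data[12:12 + blob_size])
    info["file_version"] = file_version
    return info


def master_key_path(user_sid: str, master_key_guid: str) -> str:
    """Where the user's master key file lives. Decrypting it needs the user's
    password (or NT hash) or the domain backup key, which is why tools such as
    NirSoft's CredentialsFileView ask for the Windows password."""
    return "\\".join([r"%APPDATA%\Microsoft\Protect", user_sid, master_key_guid])


def build_sample_file(master_key_guid: str, description: str = "Local Credential Data") -> bytes:
    """Constructed credential file: valid header layout, random payload."""
    desc = (description + "\x00").encode("utf-16-le")
    salt, hmac_key, hmac2, data, sign = (os.urandom(n) for n in (32, 0, 0, 64, 64))
    blob = (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<II", 0, len(desc)) + desc
            + struct.pack("<III", 0x6610, 256, len(salt)) + salt
            + struct.pack("<I", len(hmac_key)) + hmac_key
            + struct.pack("<III", 0x800E, 512, len(hmac2)) + hmac2
            + struct.pack("<I", len(data)) + data
            + struct.pack("<I", len(sign)) + sign)
    return struct.pack("<III", 1, len(blob), 0) + blob


if __name__ == "__main__":
    sample = build_sample_file("0d5b3a6e-1c23-4f1e-9b54-3e7a2c8f4d10")   # constructed GUID
    info = parse_cred_file(sample)
    print(info)
    print("master key file:", master_key_path("S-1-5-21-1-2-3-1001", info["master_key_guid"]))
```

Without that master key the payload stays opaque, which is the detail the mitigation advice later in this article depends on: the question is never whether the files are encrypted, but who can reach the key.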

Accessing Credential Manager

To access Credential Manager you can simply search for it in the Start menu, or use one of the following two methods:

  • You can open control panel > user accounts > credential manager
  • You can also access it from the command line with vaultcmd and its parameters (for example vaultcmd /listcreds lists the saved entries of a vault).

When you connect to another system on the network using any method, like in the following image:

and, while connecting, you provide the password and choose to remember it, the credentials are saved in Credential Manager.

Irrespective of the website and its security, when you save a password in Edge or in another application such as Skype or Outlook, that password too is saved in Credential Manager. For instance, we have stored Gmail's password in our practice, as shown in the image below:

You can confirm from the following image that the password is indeed saved.

And now, when you access Credential Manager using any method, you will find that the system and network passwords are stored under the Windows Credentials tab.

And under the Web Credentials tab you will find the application passwords and the passwords saved in Edge.

Metasploit

All these credentials can be dumped with simple methods. Once you have a session through Metasploit, all you have to do is upload mimikatz and run it in the context of the user who owns the credentials; DPAPI will not decrypt them from another account without that user's master key. Mimikatz is an amazing credential dumping tool; we have covered it in detail in one of our previous articles, to read that article click here.

And to run mimikatz remotely through Metasploit session, use the following command:

Once mimikatz has executed successfully, you will get the credentials from Credential Manager as shown in the image above.

Empire

Similarly, while using Empire, you can dump the credentials by downloading LaZagne.exe directly onto the target system and running it there. LaZagne is one of the best credential dumping tools; we have covered it in detail in one of our previous articles, to read that article click here.

Use the following commands to dump the credentials with this method :

After the execution of commands, you can see that the passwords have been retrieved as shown in the following image:

CredentialsFileView

Our next method uses a third-party tool, NirSoft's CredentialsFileView. It is very effective in internal penetration testing. To use it, simply download and launch it. On start-up it asks for the Windows password of the user whose Credentials folder you point it at: that password is needed to derive the DPAPI master key, without which the files cannot be decrypted.

Once you provide the password, it will give you all the credentials you need as shown in the image below:

Windows PowerShell

This method can prove useful in both internal and external pentesting. In this method you run a script in Windows PowerShell; you will find the script here. Once you run it, as the user who saved the credentials, you will have all the web credentials, as shown in the image below:

You can also use PowerShell remotely with the help of Metasploit. It is very simple: just run the following combination of commands once you have your session:

And just like that with the help of powershell commands, you will have the desired credentials.

Mitigation

Following are the measures you can use to keep your passwords safe:

  • Do not save passwords in your system, browser or any other application, especially not for administrative accounts
  • Use different passwords for every account
  • If you have trouble remembering passwords, use a dedicated password manager rather than keeping them in clear text on your system
  • Use the latest version of the operating system and applications
  • Manually go to the login page instead of following a link
  • Keep the firewall and Defender enabled
  • Keep your employees and employers aware

Conclusion  

As you have noticed from our article, even though the Credential Manager feature Windows provides is convenient, its protection is only as strong as the user's logon secret: the files are DPAPI-encrypted, but once an attacker is running code as that user, or holds that user's password or NT hash, those credentials are theirs. It is important to be aware of every feature your operating system provides so that you can protect yourself; hence it is important to know how to access Credential Manager, how it works and how it can be abused.

We live in a connected world with login credentials for everything, and nobody can remember them all. Credential Manager makes it easy and takes responsibility for saving the passwords, but at what expense?

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. Take Care and be Healthy and Keep Hacking!!
