Password Dumping Cheatsheet: Windows

Introduction

Password storing mechanism, ever since the genesis of Windows, has been an angle of interest from security researcher’s point of view and its implementation has often been criticized. However, newer versions of Windows seem to have tried and tackled this problem in many parameters, but we still can’t say that Windows’ password storage mechanism is one of the best out there. In this article, which is the first instalment in a three-article series, we’ll look for various mechanisms by which we can dump passwords of various default applications in Windows if the system is part of a local workgroup. Further parts in the series will focus on domain and active directory. The purpose of this article is to serve as a quick reference guide for all the dumping mechanisms in brief (like a cheat sheet) and detailed article’s reference covering in-depth options will be given for reader’s knowledge. Before beginning, it must be noted that many other tools are also available in the market but we’ll be only covering traditional tools. Here is what all you can find in the article:

Table of Content:

  1. Dumping Windows logon passwords from SAM file
  2. Dumping Windows network, RDP and browser passwords from Windows Credential Manager
  3. Dumping Windows auto-login passwords
  4. Dumping Windows passwords from LSASS process (by creating LSA dump)
  5. Dumping Windows passwords using WDigest protocol
  6. Dumping Windows Wi-Fi passwords using netsh

Dumping Windows logon passwords from SAM file

SAM file – Security Account Manager (SAM) is a database file in Windows XP and above that store’s user’s password. It can be used to authenticate local and remote users. The user passwords are stored in a hashed format in a registry hive either as an LM hash or as an NTLM hash. This is present in %SystemRoot%/system32/config/SAM and LM protocol is disabled in Windows Vista and above because it was proved to be a compromised protocol. Technically, Sam cannot be copied or moved while Windows is running since Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file and will not release the lock till it has been shut down, however, an in-memory copy of the SAM can be dumped using various techniques which are covered in detail in the article

Credential Dumping: SAM

We’ll be using mimikatz to dump SAM file. You can download mimikatz here. Run it as administrator and then the commands are as follows:

We’ll see that various hashes are now dumped among which our user credentials are given too.

In this case, my user is raj and the windows password is 123. We have successfully obtained an NTLM hash and can crack it using various password cracking tools like john or hashcat.

Heading over to crackstation.net’s online NTLM cracker we are successfully able to crack the NTLM hash we just obtained.

It is to be noted that the passwords even after they are hashed, are not stored as it is. They are first double encrypted with the SAM registry hive, with parts of encryption keys in the SYSTEM registry hive.

In Windows 7, RC4 encryption was used which is an obsolete algorithm and hence Mimikatz used to dump hashes in cleartext but ever since Windows 10 Anniversary Update v1607 has been out, Microsoft uses the AES-128 cipher for encryption and hence, this made many password dumping tools obsolete. Many tools were updated to tackle this issue and so did Mimikatz but this had the disadvantage of Mimikatz sometimes not being able to give clear text password dump and rather hashes.

Dumping Windows network, RDP and browser passwords from Windows Credential Manager

Windows credential manager is the place where Edge and Windows passwords are stored.  Any network protocol, OneDrive, RDP, login etc passwords are stored here. What’s more is that the passwords are easy to crack. You can check out the full article with other tools and methods. but we’ll be sticking to mimikatz here. You can access credential manager in Control Panel→User Accounts→ Credential Manager. Below, you can find that Facebook’s credentials are stored in my system which is visible.

Credential Dumping: Windows Credential Manager

Similarly, logon passwords stored would be visible like this:

We can dump these credentials with the help of mimikatz command:

And just like that, we see a user “harshit” has a password “1234

Similarly, we can also use lazagne, another handy tool that you can download from here.

To run lazagne, we type in:

A terminal might also have RDP password stored. To view stored RDP passwords like in the following screenshot:

To dump RDP passwords we’d use NirSoft’s Network Password Recovery which can be downloaded here

And just like that, we have successfully dumped RDP password as well.

Dumping Windows auto-login passwords

Windows has a special feature of automatic login which enables users to login to the windows system faster. While this feature is handy, one setback is that it can be dumped as well. Let’s first set up auto login in windows and then try to dump it. To reach to the menu which sets this up, we’ll type in the following in run prompt;

We’ll see the following window upon successful completion of the command:

To enable an account to auto-login, we’ll simply uncheck the first option which is by default checked.

While we click apply, we’ll see a prompt that will ask us for the password once more. After filling it up we’ll restart it to make sure the auto login is now applied.

Now, to dump auto-login password, we’ll be using a small application developed by NirSoft called Network Password Recovery which can be download from here.

Just run the application and we’re good to go

Note that it has only dumped the credential of the current user because at a time only one user can be auto-logged in.

Dumping Windows passwords from LSASS process

LSASS process: Local Security Authority Subsystem Service is a process in  Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log. When a user attempts to log on locally to the system by entering username and password in the logon dialog box, the logon process invokes the LSA, which passes the user’s credentials to the Security Accounts Manager (SAM), which manages the account information stored in the local SAM database.

The SAM compares the user’s credentials with the account information in the SAM database to determine whether the user is authorized to access the system. If it finds the user account information in the SAM database, the SAM authenticates the user by creating a logon session and returning the security identifier (SID) of the user and the SIDs of global groups of which the user is a member to the LSA.

The LSA then grants the user an access token that contains the user’s individual and group SIDs and their rights; these enable the user to access resources for which he or she has permissions.

What’s interesting is that LSA can be dumped and passwords can be retrieved from a current session. To demonstrate this we first will learn how to create an LSA dump manually.

Go to task manager and find lsass.exe file and right-click to create a dump file.

Credential Dumping: Local Security Authority (LSA|LSASS.EXE)

Store this dump file in any location. Currently, we stored it in Temp directory but while we run the command, we’ll copy it in C:\users\raj\Desktop\lsass.DMP

Now, we’ll fire up Mimikatz and type in the following commands:

And sure enough we see a hashed password being dumped from the LSA dump file

Another method to dump hashes from LSA is the patch method. To perform this, we type in the following commands:

This hash is the same as previously obtained in method 1. Hence, the password is 123.

Dumping Windows passwords using WDigest protocol

WDigest: It is a digest authentication challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilized HTTP and SASL exchange to authenticate. It worked as follows:

Client→(requests access)→Authentication Server

Authentication Server→(challenges)→ Client

Client→(encrypts its reponse with key derived from password)→ Authenticating Server

Authenticating Server→ (compares response to a stored response)→ Determines if client has correct password or not

To dump passwords using this method fire up Mimikatz as administrator and type in following commands:

It is to be noted that WDigest used to be enabled in Windows 7 and is by default disabled in Windows 10 but is not removed. So, to perform this practical on Windows 10 machine we’ll first have to enable WDigest. We can do so by following two methods:

Command-line method:

Manual Method:

To do this, we’ll have to traverse to the following path in our registry hive:

Then, right-click→new→>add D-word→ name it: UseLogonCredential

Then modify the key and set its value as 1

After this, it is absolutely essential to update group policy:

Restart your PC now.

After the successful restart, upon running Mimikatz and the following commands we’d see a different result:

Dumping Windows Wi-Fi passwords using netsh

All the wireless passwords with their respective SSID are stored in an XML file in the location:

netsh: It is a command-line scripting utility that allows you to display or modify the network configuration of a computer that is currently running. Netsh commands can be run by typing commands at the netsh prompt and they can be used in batch files or scripts. Wireless Password can be dumped using various techniques which are covered in detail in the article

Credential Dumping: Wireless

To get the list of the SSIDs that the device has been connected to use the following command:

And as a result of the above command, you can see the names of the Wi-Fi networks that the system was connected to in the past or present such as Meterpreter, Linuxlab, etc. The same has been demonstrated in the image above.

Further, to know the passwords of any one of the mentioned SSIDs use the following command :

And just like it is shown in the image above, the result of the above command will give you the password

Conclusion

In this article, we demonstrated credential dumping methods of various default files/ directories present in Windows that contains passwords stored of many services in Windows when the system is part of a local workgroup. Next article would demonstrate to further dump passwords from a domain. Thanks for reading.

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here

Linux For Beginners: A Small Guide

More often than not, certain operating systems tend to get tied to certain tasks. When it comes to penetration testing, Linux based operating systems are always mapped to it. This article will help you get comfortable with the fundamentals of Linux. So let’s start.

Table of Content:

  • Why use Linux for pentesting?
  • The Basic Linux Commands
  • Text Manipulation
  • Installing and Removing Softwares
  • Playing with permissions
  • Conclusion

Why use Linux for pentesting?

Linux offers a far higher level of control of the operating system, not to mention that it is open source. This also makes Linux transparent and easier to understand. Before we try to “hack” anything, it is a must to know how it works, this is why transparency in Linux is a huge plus.

Because Linux is very popular amongst the pen-testing community, most of the used penetration testing tools and frameworks are also then built for Linux.

Maintenance is also comparatively easy as the software can be easily installed up from its repository. It is also very stable when compared to traditional operating systems like Windows.

Basic Linux Commands              

Just like how we use Windows on a daily basis, creating folders, moving files, copying things, we’re going to learn these everyday operations for Linux.

We’ll be spending most of our time in the terminal, which is the command-line interface of our operating system. This is where we type out commands to perform the operations we want.

The “pwd” Command

Before we begin, we should know which directory we are working in, and where are the files we create going to be stored. The pwd command is one way to identify the directory we’re in.

So as we did it in our case, we found that we’re in the /root directory.

The “whoami” Command

Using the whoami command we see which user we’re logged in as. Here, we’re logged in as root (which translates to an administrator in the windows terms)

cd: Changing directories

To change directories via the terminal, we use the cd command. Let’s change our current directory to Desktop.

ls: Listing the Contents

To see the contents of a directory we use the  “ls” command, (very similar to the dir command in windows)

The “Help” Command

Nearly every command, application and or utility in Linux has a dedicated help file which guides its usage. If you want to learn more regarding a specific command or if you’re stuck, help (-h, –help) will be your best friend.

Let’s find out more about volatility framework.

man: The Manual Pages

In addition to the help file, most commands and applications also have a manual page, which can be accessed via typing man before the command.

As seen below, it provides a description and all the tags that can be used with the ls command.

locate: Searching keywords

When searching for a specific keyword, one of the easiest ways to do so is using locate. Type locate and then the keyword on the terminal and it will search the entire file system for the occurrence of it.

Though a few drawbacks of using locate as it provides too much information and the database it uses is updated once a day, so you can’t find files created minutes or hours ago.

Let’s search for the keyword: CTF with

whereis: Finding binaries

Let’s begin this section with what are binaries?

Files that can be executed, similar to .exe’s in Windows are referred to as binaries. These files generally reside in the /usr/bin or /user/sbin directories.

Utilities like ls, cd, cat, ps (we’ll cover some of these later in the article) are stored in these directories too.

When looking for a binary file, we can use the whereis command. It returns the path of the binary as well it’s man page. Finding the binary file: git.

which: Finding binaries

The which command is more specific and only return the location of the binary in the PATH variable in Linux. Finding the binary file: git.

Filtering with grep

Very often when using the command line, you’ll want to search for a particular keyword, this is where grep comes in.

Let’s search for the word: echo, in the simple_bash.sh file by typing

Thought the most common use case of grep it to pipe the output into it with the keywords to filter the output.

Here we use grep just to get the IP address of our machine, instead of all the other information that comes when running the ifconfig command. (We’ll touch on the ifconfig common in the later section)

Searching with the “find” command

The find command is the most powerful and flexible of the searching utilities. It is capable of different parameters, including, the filename (obviously), date of creation and or modification, the owner, the group, permission and the size.

Here we use -type and -name tag which tells find the type of file we are looking for as well as its name. The backslash (/) indicates the root directory, which is where we want to search the file in.

If your result looks like this:

It is because the find command is also searching through directories your account doesn’t have the permission to access to. Hence, for a cleaner result, we use 2>&1 which sends all the permission denied errors to /dev/null (into nothing) and then using grep filters them out of the output)

 

 The “cat” command

We use the cat command to output the contents of a file on the terminal. Let’s use the cat command on “hacking-articles.txt”.

Creating files with “touch”

The touch command allows you to create a new file. Simply specifying the filename after the touch command will result in the creation of that file.

Let’s create a text file and name it “hacking-articles-2.txt”

mkdir: Creating a directory

In order to make a directory or mkdir for short, we just need to specify the directory name after the mkdir command.

Let’s create a directory: ignite

cp: Copying files

To copy files we use cp, which creates a duplicate of the file in the specified location. Let’s copy the text file we created earlier into the directory we just created above. We then list the contents of the directory to ensure that the file has been copied.

To copy a file we type, cp <the file we want to copy> <the destination of the “copied” file>

mv: Moving/Renaming files

We can use the move command: mv not only to move files in the specified location but to also rename them. Now let’s try to move the file we copied into the ignite folder, outside of it.

rm: Removing files

To remove a file, you can simply use the rm command. Let’s remove the “hacking-articles-2.txt” file.

As you can see from ls, the file no longer exists.

rmdir: Removing a directory

In order to remove a directory, we use the rmdir command which stands for “remove directory”. Let’s remove the “ignite_screenshots” directory.

(Use rm -r for directories with content inside them, r stands for recursive)

Text manipulation

In Linux, almost everything you are going to deal with is going to be a file, more often a text file; for instances, configuration files. Hence, learning how to manipulate text becomes crucial while managing Linux and its applications.

Grabbing the head of a file

When dealing with large files, we can use the head command, which by default displays the first 10 lines of a file. Let’s view the first 10 lines of the etter.dns file.

(etter.dns is a file configuration of file of a tool called Ettercap which is used to in DNS spoofing and ARP attacks)

Grabbing the tail of a file

Similar to the head command, the tail command is used to view the last lines of file. Let’s view the bottom lines of the etter.dns file.

nl: Numbering the lines

We can use the nl command to number the lines while it outputs them on the terminal window. Again using the etter.dns let’s number all of the lines this time.

sed: To find & Replace the Text

The sed command lets you search for the occurrence of a word or a text pattern and then perform some action on it. Here we are going to use the /s tag to search for the occurrence of WWW and /g for global replacement with www.

more: Controlling the display of a file

The more command displays a page of a file at a time and lets you scroll down using the ENTER key. Opening the etter.dns file using more.

Less: Displaying and filtering a file

The less command is very similar to more, but it comes with the added functionality of being able to filter keywords. Let’s open the etter.dns file using less. We can further press the backward slash (/) on the keyboard and then enter the keyword we want to search for, here I’ve searched my own IP Address.

Installing and Removing Softwares

We often need to install software that didn’t come with your distribution of Linux or later down the lane even remove the unwanted software.

In Debian based Linux distributions, like Kali Linux (the one I am using), the default software manager is the Advance Packaging Tool or apt for short. Just how we would go to the Appstore to download an app, we have repositories in Linux. We’ll learn how to access this repository, search in it and download from it. 

Searching for a package to install

Before we download any software package, let’s check whether it is available in the repository, which is where our Linux operating stores information. We’ll be using the apt tool.

Type apt-cache search and then the package that you want to search for, let’s search for Hydra which is login cracking tool.

Highlighted is the tool we are talking about.

Installing packages

Now let’s install the packages we want. This time we’ll be using the apt-get command followed by install and the package name.

Let’s install git, which will later allow us to pull repositories from Github to install furthermore tools.

Removing packages

To remove any package from your machine, simply type remove after apt-get with the package name.

Let’s remove the git package. (I recommend to Press n to abort this step)

Purging packages

Sometimes the package we just removed leaves residual files behind (an example would configuration files) In order to completely wipe out everything clean, we use the purge option with apt-get.

Let’s try to purge git (again you can press n to abort)

Updating the repository

It is good practice to update the repository as they are usually updated with new software or newer versions of existing software. These updates have to be requested and can be done by typing update after apt-get.

Let’s update our repository. (Note: update doesn’t apply these changes only downloads them)

Upgrading the repository

In order to apply the changes from the command we run above: update, we have to run the apt-get with the upgrade tag. This then installs or rather upgrades all the new updates that were downloaded to the system.

(Note: Upgrading can be time-consuming, so you might not be able to use your system for a while)

Adding repositories to the sources.list file

The server that holds the information of the software for particular distributions of Linux are known as repositories. We can nano into the file at /etc/apt/sources.list and add repositories here.

(I recommend not to add any experimental repositories in your sources.list because they can download problematic software and cause things to break. )

Highlighted is the repository my Kali Linux is using.

Playing with Permissions

Before we start learning the Linux commands to play with permissions, let’s learn about file/directory permission in Linux first.

As you know by now, in Linux the root user is all-powerful, the root user can do anything on the system. The other users have limited capabilities, and are usually collected into groups that generally share a similar function.

For example, a different group for the developer team, deployment team and administrators to initiate different levels of access and permission.

All the files and directories in Linux are allocated with three of levels of permission:

                r permission:     This allows the user access to open and view a file

                w permission:   This allows the user to view and edit the file

                x permission:    This allows the user to execute the file (not necessarily view or edit it tho)

Granting ownership to an individual user

We change the ownership of the file so that the new user who owns can have the ability to control its permissions. Here we’ll use the chown command to change the owner.

Let’s change the owner of hacking-artciles.txt from root to Raj

Granting ownership to a group

To transfer ownership of a file to a group we use the chgrp command. To ensure only the ignite team member can have the ownership, let’s change the group to ignite.

Checking ownership

As you can see in the screenshots above, we are using the ls command with the l tag to view the permissions granted to the files and directories.

This out represent,

  • The type of file (- representing a file, while d representing a directory)
  • The permissions of the file for the owner, group and users, respectively
  • The number of links
  • The owner of the file, user and then group
  • The size of the file in bytes
  • When the file was last created or last modified
  • The name of the file

Highlighted are the ownership section of the file.

Changing permissions

We use the chmod command to change the permissions of a file. This table will help you in deciding the permissions you want to give the file:

0
1 –x
2 -w-
3 -wx
4 r–
5 r-x
6 rw-
7 rwx

We could run, chmod 777 $filename to give the file ALL the permissions,

or simply chmod 111 $filename to give it executable permission.

Another way of doing so, is chmod +x $filename, as seen below.

We can see the colour of the file change, indicating that it is executable.

Granting permissions with SUID

SUID bit says that any user can execute the file with the permissions of the owner but those permissions don’t extend beyond the use of that particular file.

To set the SUID bit, we need to enter 4 before the regular permissions, so the new resulting permission of 644 will become: 4644.

Let’s set the SUID bit for “hacking-articles.txt”.

Granting the root User’s Group Permission SGID

Similar, SGID also grants temporary elevated permission but for the file owner’s group.

To set SGID permission, we need to enter 2 before the regular permission.

Let’s set the SGID bit for “hacking-artivcles.txt”.

Conclusion

Hope this article has helped you understand the Linux operating system and kickstart your journey as a penetration tester. Practise these commands, try them out on your own, get comfortable with the command-line interface. Also be sure to check out the part 2 of this article, where we dig deeper into more advanced Linux concepts like managing networks, process management, scripting & automation and much more!

Author: Karan Bhandari is a Certified Ethical Hacker, he is passionate about security and forensics innovation and industry. Contact LinkedIn.

Router Penetration Testing

Introduction

Embedded devices are an essential part of a network. In corporate environment as well as small home networks there is at least one router/switch and gaining access to it means gaining access to the whole network and needless to say, people don’t like investing much money in these kinds of network devices and most home broadband routers are running old firmware whose exploits are already available publicly. Today, we’ll look at two tools: Routersploit for the exploitation of routers and switches and the other tool, nipper-ng, for auditing of routers’ and switches’ configuration files. Let’s begin

Table of Content

  1. Routersploit
    1. Installation
    2. Running routersploit
    3. Searching modules
    4. Exploitation
  2. Nipper-ng
    1. Installation
    2. Auditing a sample switch configuration file

Routersploit

The Routersploit Framework is an open-source exploitation framework dedicated to embedded devices.

It consists of various modules that aids penetration testing operations:

  • exploits – modules that take advantage of identified vulnerabilities
  • creds – modules designed to test credentials against network services
  • scanners – modules that check if a target is vulnerable to any exploit
  • payloads – modules that are responsible for generating payloads for various architectures and injection points
  • generic – modules that perform generic attacks

To install routersploit, we’d need to first install pip and then clone repository of routersploit.

Further, we’d need to install two more packages that will help with the overall operation of the framework:

After the successful installation of the requirements and the packages, to launch routersploit framework type in the following command:

Very well. In the main menu, we see the version number. Make sure the version is always up to date using the following commands:

To open a list of what all can be done type in help.

There would be a list of all the modules that we can use as explained above in the introduction. Let’s say we want to search the types of scanners and out of the list available we want to use the autopwn scanner so we type in the following commands:

We picked autopwn scanner to look for suitable exploits of my current router/switch and give out a list of it for further exploitation purposes.

There are other scanners available too for specific purposes like CCTV cameras.

To further run this exploit, we’ll first look at the options available in the exploit interface with the following command:

Now, we’ll just have to set some options in the exploit to run it.

Note: If you don’t want to conduct the experiment on your current hardware, you can install VyOS as well.

After running successfully, we see that the router is indeed vulnerable to remote code execution as marked below.

Now all that’s left to do is to select the exploit and run it. Follow the commands to do so:

And we have successfully exploited the router and see a command window opened! We execute a test command and see it worked. We can further perform many other actions by looking for additional payloads using the command:

Nipper-ng

Nipper-ng software is used to make observations about/ audit the security configurations of many different device types such as routers, firewalls, and switches of a network infrastructure. It was previously known as CiscoParse. To install and see what all commands can be run:

To view a detailed help window about a specific topic as shown in the image above we need to give the following command:

Now, as we know that SNMP is commonly used in many routers and switches so we’ll explore the SNMP options in nipper.

With this command, we see what all options for SNMP module can be delivered in the command. For example, it can:

  1. Retrieve current configuration from a router
  2. Audit/ review the device’s configuration from a *.conf file or a *.txt file that is stored locally

You can manually check the other commands as well.

We’d form a command to review the configuration of a Cisco IOS-based router but other devices can be selected from the command line parameters given below:

–ios-switch    Cisco IOS-based Switch

–ios-router    Cisco IOS-based Router (default)

–ios-catalyst  Cisco IOS-based Catalyst

–pix           Cisco PIX-based Firewall

–asa           Cisco ASA-based Firewall

–fwsm          Cisco FWSM-based Router

–catos         Cisco CatOS-based Catalyst

–nmp           Cisco NMP-based Catalyst

–css           Cisco Content Services Switch

–screenos      Juniper NetScreen Firewall

–passport      Nortel Passport Device

–sonicos       SonicWall SonicOS Firewall

–fw1           CheckPoint Firewall-1 Firewall

Now, we craft a command from a router configuration file. Follow the link here to see how to back up and restore a router configuration file in case of a cisco router. We’ll have to define three parameters in the following command:

ios-router: type of device

input: the router configuration file

output: destination of the audit report

The command is as follows:

And just like that, it is done after a few moments! To review the report as HTML we open it in firefox and we can see a detailed security report of the network device we just audited!

Conclusion

We covered two tools in this article: Routersploit, which is a framework for the exploitation of various network devices and the other, Nipper-ng, which is the open-source variant of nipper studio but generates comprehensive reports on security misconfigurations of the network devices. The network devices should be kept updated with the latest firmware to prevent various attacks and these two tools will prove to be useful for the case. These are two handy tools for auditors and security analysts who had to check configurations manually and would reduce the workload by many notches. Hope this article proves to be beneficial.

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here