
Password cracking

SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Apr 07, 2011 11:42 am

Password cracking

I am currently in the password cracking section of my studies, and much to my dismay, the written part of the guide seems to have glossed over acquiring passwords for Windows and Nix systems. I'm sure the videos will provide examples, but the forums are here for a reason, so I might as well use them.

So I know that during system hacking, password files are often transferred from the remote machine to the hacker's computer. Starting with Windows, how is this done? Obviously the hacker gets remote access and a command prompt, probably of a limited user. Can the SAM be accessed with a LU account, or does it require elevated privileges?

So I just learned about the SYSKEY function. This seems to be a moot point because I know I have cracked passwords offline using LC5 and Ophcrack. So I need to ask, is SYSKEY something I need to be aware of when conducting password attacks?

Most importantly, how do I dump the SAM remotely? I'm on YouTube now, but I'm guessing most videos will be showing local dumps.

Of course the same question needs to be asked of Linux: how do I retrieve the shadow file and dump it to a remote PC (my attacking PC)?
sectestanalysis.blogspot.com/
Darktaurus

Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Thu Apr 07, 2011 12:43 pm

Re: Password cracking

Just wanted to add my two cents. Well, for password cracking on Windows, you could transfer the SAM/SYSTEM files in c:\windows\repair. You could also use Metasploit (Meterpreter) to get a copy of the hash. For Linux, you would need root privileges to basically read the /etc/shadow file. There are many ways to find passwords from the hashes. You named a few already. Also, check out these videos. They were a great help to me. Purehate and his group are incredible with password cracking. Not sure if this helps but still wanted to give it a try.


http://www.irongeek.com/i.php?page=vide ... licy_sucks

http://www.irongeek.com/i.php?page=vide ... tion-class
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Apr 07, 2011 3:12 pm

Re: Password cracking

Thanks for posting these links, KillJ0y. I've yet to watch the vids on the 2nd link, but the first video is great. This is the first I've heard of masking for password cracking. Is that something new or am I just behind the times?

As for Windows, just as KillJ0y said, you can use Metasploit to grab the hashes.  Reversespace has been doing Metasploit classes following Offensive Security's "Metasploit Unleashed."  During their week 1 class (can be found here: http://www.grmn00bs.com/), Georgia shows an example of exploiting MS08_067 using a payload that drops into meterpreter.  Once in meterpreter, you can issue a command that prints all the usernames and their respective hashes on the screen.  Then use whichever method you prefer to crack them.

I'm new to Metasploit, so if I've misworded something or understood something incorrectly, anybody please correct me :)
GSEC, eCPPT, Sec+
Darktaurus

Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Thu Apr 07, 2011 6:36 pm

Re: Password cracking

No problem. It is funny you mention Reverse Space. I just found their website like a week or two ago. I follow Georgia on Twitter and watched her webinar on SMS botnets on smartphones (http://www.brighttalk.com/webcasts?q=EC-Council). Very cool. They have videos for almost everything for Metasploit.

Oh, on password cracking, check out PaulDotCom to see the system they built for some cracking (http://pauldotcom.com/2010/10/your-pass ... ystem.html). That is nice! Besides SWTOR, their system is the reason I wanted to use three-way SLI with Nvidia. oclHashcat, oclHashcat+ and cudaHashcat+ have to be very nice with that. Hashcat (http://hashcat.net/), JTR (http://www.openwall.com/john/), PasswordsPro (http://www.insidepro.com/eng/passwordspro.shtml) and Cain and Abel (www.oxid.it/cain.html) are worth a look too. Hope I helped instead of rambling.
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Apr 07, 2011 8:52 pm

Re: Password cracking

Thanks to all for some stuff that is over my head lol. I'm still trying to understand that "meterpreter" stuff.

In any case, what about Netcat? I see that it is a popular tool, and I hear it has the ability to transfer files. I assume I would need to get a copy on the remote computer and one on my local computer. Which would be the listener, and which would connect? How do I get nc on the remote machine?

It also appears it is for nix only, so I suppose I need to look at that MSU article referenced above.
sectestanalysis.blogspot.com/
lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Fri Apr 08, 2011 12:55 am

Re: Password cracking

I found the grmn00bs/Reversespace stuff after listening to her talk about her SMS botnet project also lol.  Heard her chat about it on PaulDotCom and Hak5 @ Shmoocon.  I've bookmarked that BrightTalk website, looks like some good videos there.

As for netcat, I don't have experience using it myself (yet), but IIRC from reading, netcat on the remote machine is the listener while you connect to the machine on the port netcat is listening on.

I did some reading on SysKey and it seems that being aware of it would be beneficial since it's an extra level of encryption on the SAM file.  From what I can gather from Irongeek's article on it though (http://www.irongeek.com/i.php?page=secu ... lsamcrack2), if you grab the SAM file while logged in as admin, then the SAM is unencrypted.  So then you only have to worry about cracking the hashes.  Otherwise, you're going to need the system key to bypass SysKey.  The article was last updated in 2007 though, so I'm not sure if there are other ways to bypass SysKey now.  I'll edit/post again if I find something else.
Last edited by lorddicranius on Fri Apr 08, 2011 2:16 am, edited 1 time in total.
GSEC, eCPPT, Sec+
SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Fri Apr 08, 2011 7:23 am

Re: Password cracking

Yeah, that article focuses on getting the SAM locally, which isn't the goal in this exercise, though it may be useful to someone reading this.

I assume that either during my CPT examination, or at some other time, I will need to get a SAM from over the internet. Also, looking at my W7 box, there doesn't appear to be a C:\Windows\Repair directory; perhaps it is not included in W7 or has been renamed.

I found a link to a post here on the forums, from the Remote Exploit forums, that explains one way to do it on Windows:

http://www.ethicalhacker.net/component/ ... pic,533.0/

I also found a video that shows how to do the meterpreter exploit.

http://www.youtube.com/watch?v=XbG8qW_COaQ

Of course the video shows how to perform this when you are "in control" of both machines. I would need to find a way to get the executable on the "remote" PC and execute the binary without user interaction.

*sighs*

This course has taught me a few things, but I'm still coming up with the same questions. I think the problem is they are not presenting the material the same way a test would go...

For instance (I know this is off topic),

The syllabus goes from network recon to service identification to breaking passwords... the first two are good, but I can't crack the passwords until I have access to the machine, which hasn't been taught yet...
Last edited by SephStorm on Fri Apr 08, 2011 9:01 am, edited 1 time in total.
sectestanalysis.blogspot.com/
lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Fri Apr 08, 2011 9:00 am

Re: Password cracking

Ah, good point regarding local vs remote. I would think you'd need escalated privileges to access the SAM. Checking my Win2k3 box, it only has permissions for administrators and system. And I think if you have either admin or system privileges on a box, you wouldn't need to worry about the SysKey. I think watching those week 1 Metasploit Unleashed vids from grmn00bs might be of benefit to you.
GSEC, eCPPT, Sec+
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Apr 09, 2011 3:19 pm

Re: Password cracking

I just skimmed this thread and may have missed this, but what course are you doing?

As others noted, if you can use Metasploit to exploit a vulnerability on the target system, you can use hashdump via the meterpreter payload's priv module to obtain the hashes.

If you have credentials and the requisite network connectivity, you can use pwdump/fgdump to obtain the hashes remotely.

Physical access allows you to boot to an alternate OS and retrieve the actual/backup SAM files (or LiveCD for cracking that specific system).

You can also use pwdump/fgdump locally. Just run one of those on your own system with no options and load the hashes into Ophcrack with the free tables to get a feel of that process.

As I'm sure you know, Linux uses /etc/passwd and /etc/shadow, but the idea is the same. Use credentials or exploits (or leverage a horrible misconfiguration) to gain access. You can combine the files with JTR (unshadow) and crack away. The salt used for the passwords will require you to use a brute-force/dictionary/hybrid method instead of rainbow tables.
The day you stop learning is the day you start becoming obsolete.
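The last point in dynamik's post, that the per-user salt in /etc/shadow rules out rainbow tables and forces the work to be redone for every hash, is easy to see in code. The block below is an added example written for this thread, not code from any poster or from the tools mentioned; it models salted and unsalted hashing with plain SHA-256 rather than the real crypt(3) algorithms, and the wordlist, the salts and the `$demo$` record layout are all constructed for the demonstration.

```python
"""Why a salt forces per-hash work: a simplified model of the difference
between unsalted hashes (rainbow-table friendly) and the salted hashes
stored in /etc/shadow.  Added illustration for the thread above; plain
SHA-256 with a prepended salt stands in for the real crypt(3) schemes."""
import hashlib

# Constructed toy wordlist standing in for a dictionary file.
WORDLIST = ["password", "letmein", "summer2011", "Pa55w0rd", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Model of an unsalted hash (the rainbow-table-friendly case)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """Model of a salted hash; the salt is stored beside the digest, as in
    the $id$salt$hash layout of a shadow record (simplified here)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(words) -> dict:
    """Precompute hash -> word once; this is the work a rainbow table
    amortises across every unsalted hash it is ever used against."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, digest: str):
    """O(1) reversal of an unsalted hash via the precomputed table."""
    return table.get(digest)


def parse_shadow_like(record: str):
    """Split a constructed 'user:$demo$salt$hash:...' record into its parts.
    The '$demo$' id is invented for this example; real records use $1$, $5$,
    $6$, $y$ etc. with different hash functions."""
    user, field = record.split(":")[:2]
    _, scheme, salt, digest = field.split("$")
    return user, scheme, salt, digest


def dictionary_attack_salted(salt: str, digest: str, words) -> tuple:
    """With a salt, no precomputed table applies: every candidate must be
    re-hashed under this record's salt.  Returns (match, hashes_computed)."""
    computed = 0
    for w in words:
        computed += 1
        if salted_hash(w, salt) == digest:
            return w, computed
    return None, computed


def demo() -> dict:
    """Run both cases and return the facts a reader should take away."""
    table = build_table(WORDLIST)
    # Unsalted: one table lookup recovers the password, no hashing at all.
    unsalted_hit = lookup(table, unsalted_hash("summer2011"))

    # Salted: two users with the same password get different digests.
    salt_a, salt_b = "k9Qx", "Zm3p"  # constructed; real salts are random per user
    record_a = f"alice:$demo${salt_a}${salted_hash('summer2011', salt_a)}:18000:0:99999:7:::"
    record_b = f"bob:$demo${salt_b}${salted_hash('summer2011', salt_b)}:18000:0:99999:7:::"
    _, _, sa, da = parse_shadow_like(record_a)
    _, _, sb, db = parse_shadow_like(record_b)
    table_hit_salted = lookup(table, da)  # None: the table never saw salt+password
    # Each record costs a full pass over the wordlist, even for the same password.
    hit_a, work_a = dictionary_attack_salted(sa, da, WORDLIST)
    hit_b, work_b = dictionary_attack_salted(sb, db, WORDLIST)
    return {
        "unsalted_table_hit": unsalted_hit,      # "summer2011"
        "salted_digests_differ": da != db,       # True
        "salted_table_hit": table_hit_salted,    # None
        "salted_hits": (hit_a, hit_b),           # both recovered, separately
        "salted_work": work_a + work_b,          # 6 hashes for two records
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for the defender is the ratio: with unsalted hashes the table is built once and every dump is a lookup; with salts the cost is paid again per record, which is why a slow, salted scheme (and longer passwords) is what actually limits an offline attack.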
SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Sun Apr 10, 2011 11:05 pm

Re: Password cracking

It's okay, I didn't mention it in this thread. I am taking the InfoSec Institute Online PenTesting course (CEH/CPT). I think I'm actually about ready to write a review; I'm about 2/3rds complete.


IAC, I am watching the exploitation module, and he is now walking through exactly the method I was looking for: exploiting the machine, then creating accounts from the command line, adding to admin groups, and now using tftp to grab the pwdump files from a remote location and dumping the hashes to an accessible locale.

My only concern at this point is that they were exploiting a W2k3 server that apparently had tftp installed. I need to look into how to install tftp from the Windows cmd line.
sectestanalysis.blogspot.com/
WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Mon Apr 11, 2011 2:14 pm

Re: Password cracking

If you really need to crack a hash, you'll save a bunch of time by paying the guys at question-defense. They're setup to do it. It costs $5 & up.
Last edited by WCNA on Mon Apr 11, 2011 2:23 pm, edited 1 time in total.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri May 06, 2011 7:39 pm

Re: Password cracking

SephStorm wrote: My only concern at this point is that they were exploiting a W2k3 server that apparently had tftp installed. I need to look into how to install tftp from the Windows cmd line.


Sorry for the delayed response...

That's a fun exercise if you want to explore it, but you can grab the hashes remotely if you have credentials. You can also use SMB, FTP, HTTP, and other built-in services to transfer files. If you use meterpreter as your payload, you can upload and download files with that (but hashdump would just be the easiest at that point).

WCNA wrote:If you really need to crack a hash, you'll save a bunch of time by paying the guys at question-defense. They're setup to do it. It costs $5 & up.


I would be VERY careful with this as it's a HUGE liability. How would you feel if you were the customer and you found out that someone sent your password hashes to an unknown third party?
The day you stop learning is the day you start becoming obsolete.
