2. WARNING! Sample chapter -Materials in this sample chapter is selected advanced penetration from https://training.zdresearch.com https://training.zdresearch.com -We hope you enjoy it !

3. Obtaining Windows Passwords -Now you know about pass the hash and how windows hashing works lets look at some attack scenario -Let’s assume that we are within a network that using domain controller for managing resources and users.

4. Obtaining Windows Passwords - For your remember let’s take a quick look at how Active directory works again

5. Obtaining Windows Passwords -Ok now let’s go for scenarios that we can use to obtain NT and LM hashes for doing pass the hash attacks. 1- Physical attack and password bypass 2- Dumping NT and LM hashes using SAM database 3- Dumping Windows passwords from password history 4- Dumping passwords and hashes from logon sessions 5- Dumping hashed password from Domain Controller

6. Physical attack and password bypass In first scenario we have physical access to the system so how we can login into password protected system ? the answer is very easy windows do not offer any protection for physical access attacks You can use any live disk to modify SAM database in /system32/config You can boot using both USB and CD But there is problem in this method the user will informed it when you modified her/his password or added totally new user So what is solution now ?

7. Physical attack and password bypass Using Kon-Boot to win You can buy it for 15$ http://www.piotrbania.com/all/kon-boot/ Kon-Boot will doing temporary patch on kernel So you can login with any user without the pass Do your jobs and restart the system The original password will still work So you did full stealth attack !

8. Dumping NT and LM hashes using SAM database Second scenario is using You need copy of protected SAM file and by default not possible Using hobocopy or Fast RAW file copier make it possible C:\hobo copy\x64>HoboCopy.exe c:\Windows\System32\config c:\config-bkp 44 files (136.92 MB, 1 directories) copied, 0 files skipped

9. Dumping NT and LM hashes using SAM database Now you can use creddump in your BT/Kali to extract hashes You need copy of protected SAM file and by default not possible Using hobocopy or Fast RAW file copier make it possible you can see the SYSTEM file here this file is called system hive and syskey too and used for offering more securing password mechanism root@bt:/pentest/passwords/creddump#./pwdump.py /root/SYSTEM /root/SAM Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::

10. Dumping Windows passwords from password history In the networks with more than 10 user maybe you are out of luck if you look at SAM file But refer to how DC is configured we may can use some situation to find attacks on host machine One of main situations here is using Password history feature

11. Dumping Windows passwords from password history This policy will not let user use same password they used in X period For example if your password was 12345 your next password after expire can’t be same as 12345 A very cool tool called QuarckspwDump can help you to dump hashes in these situations C:\>QuarksPwDump.exe -dhl –hist Administrator:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4::: Administrator_hist0:500:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4::: Administrator_hist1:500:AEBD4DE384C7EC43AAD3B435B51404EE:7A21990FCD3D759941E45C490F143D5F::: Administrator_hist2:500:B757BF5C0D87772FAAD3B435B51404EE:7CE21F17C0AEE7FB9CEBA532D0546AD6:::

12. Dumping passwords and hashes from logon sessions We are still not down ! We have a more very cool methods to obtaining windows passwords Windows will keep every single success login in memory and call this logon session The info in memory includes username, workgroup and NT:LM hashed password And this memory storage is not only about GUI login it can be happen from : RDP login Using RunAS feature Using every API call that needs login like CreateProcessWithLogon Etc.

13. Dumping passwords and hashes from logon sessions For extracting logon session as you know you need privileged user For this task we will use french tool called mimikatz http://blog.gentilkiwi.com This tool will extract passwords by injection a DLL called securlsa.dll into lsass.exe process You can follow next slide method to dump windows passwords in clear text ! Please note you should write every command after # sign.

14. Dumping passwords and hashes from logon sessions mimikatz # privilege::debug Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK mimikatz # inject::process lsass.exe sekurlsa.dll PROCESSENTRY32(lsass.exe).th32ProcessID = 432 … mimikatz # @getLogonPasswords full Authentification Id : 0;470133 Package d'authentification : NTLM Utilisateur principal : Administrator Domaine d'authentification : Sensetive-man msv1_0 : * Utilisateur : Administrator * Domaine : Sensetive-man * Hash LM : 44efce164ab921caaad3b435b51404ee * Hash NTLM : 32ed87bdb5fdc5e9cba88547376818d4 wdigest : * Utilisateur : Administrator * Domaine : Sensetive-man * Mot de passe : 123456 tspkg : * Utilisateur : Administrator * Domaine : Sensetive-man * Mot de passe : 123456 kerberos : * Utilisateur : Administrator * Domaine : Sensetive-man * Mot de passe : 123456 mimikatz #

15. Dumping passwords and hashes from logon sessions Ok so we can clear-text password why ? In Windows after Vista there is new (SSP) Security Support Provider for RDP shortly called Tspkg. This feature will add single sing-on (remember me !) to this protocol. And in almost all Windows we have another feature called WDigest and this is another SSP implementation for authentication and due to logical flow in it, for responding to challenges it will keep clear-text version of password in memory.

16. Dumping passwords and hashes from logon sessions Using Kerberos protocol or msv1_0 authentication that used by lsass for connecting to domains, will force the windows to keep passwords in clear-text. In following figure you can see SSP settings for windows 7 machine.

17. Dumping hashed password from Domain Controller Ok we are at last method in our dumping windows password journey To now you should can understand it easily you can find your DC manager password from your host memory. So you will connect to your DC using RDP and will look at the SAM file and all you will get is the users for DC machine not all users domain users. For getting all users password you should head on to \windows\NTDS

18. Dumping hashed password from Domain Controller For accomplishing this task we need two tool one is called libesedb and our previously used creddump http://sourceforge.net/projects/libesedb/ http://code.google.com/p/creddump/ So you can have to compile libesedb and put your hash table you got from NTDS in NTDS.export directory #cd libesedb #chmod +x configure #./configure && make -- Now extract the hash table from ntds.dit and put it in NTDS.export directory in same program directory #cd esedbtools #./esedbdumphash../../ntds.dit Now you can use creddump to dump passwrds remember you need SYSTEM file root@bt:~/creddump# python dsdump.py../SYSTEM../NTDS.export/datatable Administrator:500:NO PASSWORD*********************:031F8E5A76932FC5CC7431680ADAE4EC:::

19. End of sample Using these simple tools and tricks you can successfully completely compromise a lot of windows network during your penetration tests. I hope you enjoyed the sample and see you in full course !!!