
Sunday, October 15, 2017

Decrypting Windows and Linux password hashing with John the Ripper

- Layout for this exercise:

1 - John The Ripper

- John The Ripper is a free password cracking software tool:

http://www.openwall.com/john/
https://en.wikipedia.org/wiki/John_the_Ripper


- Initially developed for the Unix operating system, it now runs on fifteen different platforms, eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS. 

- John The Ripper combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker.

- It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. 

- One of the modes John can use is the dictionary attack.

- It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary or real passwords cracked before), hashes each one in the same format as the password being examined (including both the encryption algorithm and key), and compares the output to the encrypted string.

- It can also perform a variety of alterations to the dictionary words and try these.

- Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the hashes.

- John also offers a brute force attack mode, in which the program goes through all the possible plaintexts, hashing each one and then comparing it to the input hash.

- John uses character frequency tables to try plaintexts containing more frequently used characters first.

- This method is useful for cracking passwords which do not appear in dictionary wordlists, but it takes a long time to run.


2 - Decrypting Windows password hashing with John The Ripper brute force attack

- For this part of the exercise, let's take the hashes obtained with pwdump/fgdump and WCE in this previous exercise:

LINK TO PREVIOUS EXERCISE

- Creating two hash text files (fgdump_hash.txt and wce_hash.txt) and placing both of them in the TFTP folder so that they can be transferred from Windows 7 to the Kali Linux machine:

- There is a difference between the two files: the first one only contains the LM hashes, while the second one contains both the LM and NTLM hashes:

- Let's transfer both files from Windows 7 to Kali Linux using TFTP service:

- The transfer is successful:



- Now, let's decrypt with John The Ripper by running the command john on the Kali machine; given only the names of the text files as parameters, it works in brute force mode:




- The decryption is successful for fgdump_hash.txt:




- For wce_hash.txt the result is also successful, though the cleartext passwords are presented in uppercase (the LM algorithm uppercases the password before hashing it, so the original case cannot be recovered from an LM hash):

- Note that this type of brute force attack can take a long time to run.

- However, because wce_hash.txt holds both LM and NTLM hashes, the process is a lot faster than when only LM hashes are present, as is the case with fgdump_hash.txt.


3 - Decrypting Windows password hashing with John The Ripper dictionary attack

- In order to avoid the long time taken by the previous mode, let's perform a dictionary attack using a wordlist. 

- The difference is that now a wordlist is provided to John The Ripper. 

- For instance, let's create a text file list1 containing different strings as potential cleartext passwords:




- Passing list1 as wordlist for cracking fgdump_hash.txt:




- The result is successful:




- Passing list1 as wordlist for cracking wce_hash.txt:



- The result is also successful:




- Of course, for the dictionary attack to be successful the wordlist provided must contain the correct cleartext passwords, as was the case with list1.
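The two John modes used so far (the default brute force run of section 2 and the wordlist run of section 3) come down to the same loop: hash each candidate the way the stored hash was produced and compare. The following Python script is an added example, not code from the original post or from John the Ripper; it uses unsalted MD5 hex digests as stand-ins for the LM/NTLM hashes of the exercise (an assumption made because the Python standard library has no DES or MD4), with a constructed wordlist and constructed target hashes.

```python
"""Wordlist and brute-force password checks in the style of John's modes.

Added example, not part of the original post. Unsalted MD5 digests stand
in for the LM/NTLM hashes of the exercise (assumption: the hashes under
audit are unsalted digests of the raw password). All inputs are constructed.
"""
import hashlib
import itertools
import string

# Constructed sample: a small "wordlist" like list1 in the post.
WORDLIST = ["password", "letmein", "kali", "Whitelist1", "summer2017"]


def digest(candidate: str, algo: str) -> str:
    """Hash one candidate exactly the way the stored hash was produced."""
    return hashlib.new(algo, candidate.encode("utf-8")).hexdigest()


# Constructed target hashes: two are covered by the wordlist, one is not.
TARGETS = {
    "user1": digest("letmein", "md5"),
    "user2": digest("summer2017", "md5"),
    "user3": digest("zzzz", "md5"),  # not in the wordlist
}


def crack_with_wordlist(targets, wordlist, algo="md5"):
    """Wordlist mode: hash every word once, then look up each target.

    Returns {username: cleartext} for the hashes that were recovered.
    Building the lookup table first makes the cost O(words + hashes)
    instead of O(words * hashes).
    """
    table = {digest(w, algo): w for w in wordlist}
    return {user: table[h] for user, h in targets.items() if h in table}


def crack_brute_force(target, algo="md5", charset=string.ascii_lowercase, max_len=4):
    """Incremental (brute force) mode: enumerate every string over `charset`
    up to `max_len` characters, shortest first, until one hashes to `target`.

    Returns (cleartext_or_None, candidates_tried). The number of candidates
    grows as len(charset) ** length, which is why this mode is slow for real
    passwords and why John orders candidates by character frequency.
    """
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(combo)
            if digest(candidate, algo) == target:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    print("wordlist mode:", crack_with_wordlist(TARGETS, WORDLIST))
    print("brute force:  ", crack_brute_force(TARGETS["user3"]))
```

Running it shows the trade-off the post describes: the wordlist run recovers user1 and user2 after five hash computations, while the brute force run has to try every lowercase string up to four characters (475,254 candidates) before reaching "zzzz", and still finds nothing for anything longer than max_len.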


4 - Decrypting Linux password hashing with John The Ripper

- Similar modes are used for Linux passwords, but before using John The Ripper it is necessary to "unshadow" the hashes obtained from a compromised system.

- First, there is a file passwords containing a dump from /etc/passwd:

- We also have a file named shadow_hash containing some hashes derived from an /etc/shadow dump:




- Let's use the unshadow command:





- "Unshadow"-ing:




- Finally, applying John The Ripper with the wordlist list2 to unshadow_hashes, the cleartext passwords are obtained:
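What unshadow does is a plain merge: it takes the hash from the second field of each /etc/shadow entry and puts it in place of the "x" in the second field of the matching /etc/passwd entry, so that John gets passwd-format lines that also carry the hashes. The script below is an added Python example, not the original post's code nor John's unshadow; it works on two constructed dumps (the hash strings are placeholders, not real hashes) and additionally reports which accounts actually hold a hash worth auditing, since locked ("!") and no-login ("*") entries carry nothing to crack.

```python
"""Merge passwd and shadow dumps the way John's `unshadow` does.

Added example, not the original post's or John the Ripper's code.
Assumption: standard colon-separated 7-field passwd lines and shadow
lines whose second field is the password hash. Inputs are constructed.
"""

# Constructed sample dumps; the hashes are placeholders, not real hashes.
PASSWD_DUMP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marie:x:1000:1000:Marie:/home/marie:/bin/bash
john:x:1001:1001::/home/john:/bin/bash
"""

SHADOW_DUMP = """\
root:$6$SALTSALT$PLACEHOLDERHASHroot:17400:0:99999:7:::
daemon:*:17400:0:99999:7:::
marie:$6$saltsalt$PLACEHOLDERHASHmarie:17400:0:99999:7:::
john:!$1$saltsalt$PLACEHOLDERHASHjohn:17400:0:99999:7:::
"""


def parse_shadow(text):
    """Return {username: password_field} from a shadow dump, skipping
    blank and malformed lines."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text, shadow_text):
    """Replace the 'x' in passwd field 2 with the hash from shadow, producing
    passwd-format lines that John reads directly. Users missing from the
    shadow dump keep their original field."""
    shadow = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        fields[1] = shadow.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def has_crackable_hash(password_field):
    """True only for a real modular-crypt hash ($id$salt$hash). Locked
    ('!' prefix), no-login ('*') and empty fields carry nothing to crack."""
    return password_field.startswith("$") and password_field.count("$") >= 3


def audit_targets(merged_lines):
    """Usernames from unshadow() output whose entry holds a crackable hash."""
    result = []
    for line in merged_lines:
        user, pw = line.split(":")[:2]
        if has_crackable_hash(pw):
            result.append(user)
    return result


if __name__ == "__main__":
    lines = unshadow(PASSWD_DUMP, SHADOW_DUMP)
    print("\n".join(lines))
    print("accounts with a hash to audit:", audit_targets(lines))
```

On the sample dumps only root and marie come out as auditable: daemon has no password and john's entry is locked with a leading "!", which is exactly the kind of line a cracking run wastes time on if the merged file is not filtered first.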

5 - Hashing identifier

- Let's hash the string "today", applying different cryptographic hash algorithms:

http://www.fileformat.info/tool/hash.htm

- Now, hash-identifier can help to discover what type of hash function has been applied, for instance MD5 (Message Digest 5):

- Also, the SHA-256 (Secure Hash Algorithm):
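Tools like hash-identifier (and John's own format autodetection) work from the shape of the string: the length and alphabet of a hex digest, or the $id$ prefix of a modular-crypt hash from /etc/shadow. The script below is an added Python example, not the post's or hash-identifier's code; it hashes "today" with hashlib as in section 5 and classifies the results, and it also goes beyond the post by handling the crypt prefixes seen in the Linux section. The guess is only a heuristic: a 32-hex-digit string can be MD5, MD4, NTLM or LM, and only the context in which it was found decides.

```python
"""Guess a hash type from its shape, as hash-identifier does.

Added example, not the original post's or hash-identifier's code.
Identification by length and alphabet is a heuristic; the lists below
are ordered most likely first. Inputs are constructed.
"""
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Candidate types for unsalted hex digests, keyed by length in hex characters.
HEX_LENGTHS = {
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA-1"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}

# Modular-crypt prefixes used in /etc/shadow entries of the form $id$salt$hash.
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}


def identify(hash_string):
    """Return a list of possible hash types, most likely first, or [] when
    the string matches no known shape."""
    h = hash_string.strip()
    if h.startswith("$"):
        parts = h.split("$")  # parts[0] is empty, parts[1] is the id
        if len(parts) >= 3 and parts[1] in CRYPT_IDS:
            return [CRYPT_IDS[parts[1]]]
        return []
    if HEX_RE.match(h):
        return HEX_LENGTHS.get(len(h), [])
    return []


def hash_string(text, algo):
    """Hex digest of `text` under a hashlib algorithm (builds the samples)."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256", "sha512"):
        d = hash_string("today", algo)
        print(f"{algo:7} {d} -> {identify(d)}")
    print(identify("$6$saltsalt$PLACEHOLDER"), identify("not a hash"))
```

Because of the 32-character ambiguity, a practitioner confirms the guess with the source of the hash (a pwdump line is LM/NTLM, an /etc/shadow line carries its own prefix) and, when John's autodetection picks the wrong one, forces it with its --format option.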


Pass The Hash (PTH) attack with pth-winexe

- Layout for this exercise:




1 - Introduction

- In cryptanalysis and computer security, Pass The Hash (PTH) is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash of a user's password, instead of requiring the associated plaintext password as is normally the case.

- After an attacker obtains valid user name and user password hash values they are then able to use that information to authenticate to a remote server or service using LM or NTLM authentication without the need to brute-force the hashes to obtain the cleartext password. 

- The attack exploits an implementation weakness in the authentication protocol, where the password hash remains static from session to session until the password is next changed.

- This technique can be performed against any server or service accepting LM or NTLM authentication, whether it runs on a machine with Windows, Unix, or any other operating system.

https://en.wikipedia.org/wiki/Pass_the_hash


2 - UAC (User Account Control) remote restrictions and PTH attack

- However, the UAC (User Account Control) implemented since Windows Vista imposes severe restrictions on remote users, as explained in this Microsoft document:

https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows

" When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop ... When a user with a domain user account logs on to a Windows Vista computer remotely, and the user is a member of the Administrators group, the domain user will run with a full administrator access token on the remote computer and UAC is disabled for the user on the remote computer for that session. "

- For further details and information:

https://en.wikipedia.org/wiki/User_Account_Control
https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167


- So, if the targeted machine is XP there is no need to disable UAC in order to launch a successful PTH attack, while it is necessary for Windows Vista, W7, W8 and W10 desktops and W2008 and W2012 servers.

- In this exercise a Windows 7 is used, so for disabling UAC just follow these steps:

Start -> Control Panel -> User Accounts and Family Safety -> User Accounts -> User Account Control Settings -> Never notify -> OK




- Also, in case of exploiting with Metasploit, UAC can be disabled as explained in this exercise:


http://www.whitelist1.com/2016/06/metasploit-windows-7-bypassing-user.html



3 - Passing the hash in Windows

- The command winexe needs the username and the cleartext password, which can be tedious or difficult to obtain in some cases, depending on the complexity of the password:

https://en.wikipedia.org/wiki/WinExe

- Running winexe for the user marie, the command prompts for her password in cleartext:




- In contrast, pth-winexe, a patched version of winexe, can be used to get a remote shell by providing just the username and the hash of the password (no cleartext password is needed):

https://www.kali.org/tutorials/pass-the-hash-toolkit-winexe-updates/


- The first step for using pth-winexe is to take a user's password hash and export it as the environment variable SMBHASH:

- Running pth-winexe launches a remote command line from the targeted Windows 7 machine:

Password profiling with CEWL / Wordlist mangling with JOHN THE RIPPER

- Layout for this exercise:




1 - Password profiling with CEWL

- CEWL (Custom Word List generator) scans for a list of words and phrases taken from the web server of a targeted organization and returns a textfile with the corresponding wordlist.

- The option -m specifies the minimum length of the returned words:




- The option -w outputs the result to a textfile:




- Let's apply cewl to www.whitelist1.com, setting the minimum number of letters to 6, and outputting the result to the file whitelist_wordlist.txt:

- The number of lines is 7011:



- Let's see some of the strings found:




- Another interesting option is to create an email list with all the emails found by cewl, using these options:

- Applying cewl again to the web server domain:

- The new text file contains just 3 lines:

- Finally, the option -c counts how many times each word appears in the wordlist:
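The four cewl options used in this section (minimum word length, output to a file, email extraction and word counts) amount to extracting the visible text of a page, splitting it into words and counting them. The script below is an added Python example, not CEWL's code nor the post's; it runs against a constructed HTML page embedded in the script (the addresses in it are placeholders) instead of a live site, and it skips script blocks and comments, which is also why a wordlist built this way only reflects what a visitor actually reads.

```python
"""Build a wordlist from a page the way cewl's -m, -w, -e and -c options do.

Added example, not CEWL's code. Assumptions: the page is the constructed
HTML below, words are runs of ASCII letters, and the minimum length is
counted in characters as with cewl -m. Case is preserved, as cewl does
by default.
"""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page; the e-mail addresses are placeholders.
HTML = """
<html><head><title>Whitelist Security Blog</title>
<script>var tracking = "ignoreme";</script></head>
<body><h1>Welcome to Whitelist</h1>
<p>Contact <a href="mailto:admin@example.invalid">admin@example.invalid</a>
or support@example.invalid. Whitelist publishes security exercises about
Metasploit, Kali and password auditing. Security matters.</p>
<!-- internal note: staging -->
</body></html>
"""


class TextExtractor(HTMLParser):
    """Collect visible text, skipping <script>/<style> bodies. Comments are
    routed by HTMLParser to handle_comment, so they never reach handle_data."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def visible_text(html):
    parser = TextExtractor()
    parser.feed(html)
    return " ".join(parser.chunks)


def word_counts(html, min_len=6):
    """Like `cewl -m N -c`: Counter of words of at least N letters."""
    words = re.findall(r"[A-Za-z]+", visible_text(html))
    return Counter(w for w in words if len(w) >= min_len)


def wordlist(html, min_len=6):
    """Like `cewl -m N -w file`: unique words, most frequent first."""
    return [w for w, _ in word_counts(html, min_len).most_common()]


def emails(html):
    """Like `cewl -e`: unique e-mail addresses in the raw page, which also
    picks up mailto: links that are not part of the visible text."""
    found = re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", html)
    return sorted(set(found))


if __name__ == "__main__":
    print(wordlist(HTML))
    print(word_counts(HTML))
    print(emails(HTML))
```

On the sample page the most frequent six-letter-or-longer word is "Whitelist" (three occurrences), five-letter words such as "admin" are dropped by the minimum length, and the two addresses are found even though one of them only appears inside a mailto: link.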

2 - Wordlist mangling with John The Ripper

- There are certain practices that users tend to apply to passwords in order to mutate them. 


- For instance, adding numbers at the beginning and/or the end, swapping out to lower/uppercase letters, etc ...

- John The Ripper can modify a wordlist of passwords according to different criteria.

- For instance, let's add two numbers to the end of each password, just modifying the john.conf file:

- Now, the original whitelist1_wordlist.txt is modified to mutated_whitelist1_wordlist.txt.




- The new file contains 1046909 strings, in comparison with the original one, containing 7011:

- Let's check how the last passwords of the wordlist have been modified:
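A John rule is a small program applied to every word of the list, and the rule that appends two digits is written `$[0-9]$[0-9]` in john.conf (`$X` appends a character, `[0-9]` expands to each digit). The script below is an added Python example, not John's code nor the post's; it reproduces the effect of that rule together with John's `l` (lowercase) and `c` (capitalize) rules on a constructed three-word list, so the growth in size can be checked against the number of rules.

```python
"""Mangle a wordlist with a few John the Ripper-style rules.

Added example, not John's code. The rules mimic John's `:` (no-op),
`l` (lowercase), `c` (capitalize) and `$[0-9]$[0-9]` (append two digits).
The base list is constructed.
"""
import itertools

BASE_WORDS = ["whitelist", "Security", "metasploit"]


def no_op(word):
    """John rule `:`: the word itself."""
    return [word]


def lowercase(word):
    """John rule `l`: whole word in lowercase."""
    return [word.lower()]


def capitalize(word):
    """John rule `c`: first character uppercase, the rest lowercase."""
    return [word[:1].upper() + word[1:].lower()]


def append_two_digits(word):
    """John rule `$[0-9]$[0-9]`: the word followed by 00 .. 99."""
    return [f"{word}{a}{b}" for a, b in itertools.product("0123456789", repeat=2)]


RULES = [no_op, lowercase, capitalize, append_two_digits]


def mangle(words, rules=RULES):
    """Apply every rule to every word, keeping the first occurrence of each
    candidate so that rules producing the same string (e.g. `l` on a word
    that is already lowercase) do not inflate the output."""
    seen = set()
    out = []
    for word in words:
        for rule in rules:
            for candidate in rule(word):
                if candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out


if __name__ == "__main__":
    mutated = mangle(BASE_WORDS)
    print(len(mutated), "candidates from", len(BASE_WORDS), "words")
    print(mutated[:5], "...", mutated[-3:])
```

For each word the four rules yield 1 + 1 + 1 + 100 candidates before deduplication, and on the sample list one candidate per word is a duplicate (either `l` or `c` reproduces the original), so three words become 306 entries; the same arithmetic explains why a mutated list is two orders of magnitude larger than its source.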