NTHASH - playing with windows passwords

security passwords hash ntlm

#1 erwan.l

Posted 2 weeks ago

Hello Gents,
 
For once I will step a bit from network and storage discussions/tools and will get into the security world.
 
I consider myself a security hobbyist/amateur and I have been wanting to explore and improve my skills around hashes (md5, sha, etc) and crypto functions (rc4, aes, 3des, etc).
 
I decided then to start playing with windows passwords as obviously MS puts great efforts in protecting these.
How are they stored, how can we decrypt them, etc.
 
I started with one common way, i.e. patching LSASS to dump hashes.
While rather easy, patching lsass is always risky, OS-dependent and not telling much about how passwords are encrypted.
Thus, doing so, I stumbled on a way (google) to change a password if you know the hash only, which in some cases (pentests) may come in handy.
 
While playing with lsass, I took a look at the logon and wdigest data stored in the memory.
Here again, it is an "easy" way to retrieve passwords (some in clear text, some in hashes).
One very cool feature there is the ability to "patch" a logon session with some hashes you found previously and therefore perform what is known as a "pass the hash" attack.
You don't know the password? No problem, launch a process under someone else's account using the hash of his password (which combined with mstsc /restrictedadmin can help you escalate your privileges).
Lots of security guys are warning these days that the complexity of your password no longer matters : true, the security of your password hash is what does matter.
I won't touch here on capturing hashes over the network (using MITM, poisoning, etc) but that could lead to another interesting thread.
 
I then took a look at the registry.
It gets trickier here as you need a samkey, a syskey, while also using hash/encryption algos.
You want to see how it works under the hood : read this great article.
 
Since I was on my way to using Windows built-in crypt functions, I took a look at cryptunprotectdata,
which ultimately should lead me to decrypt Windows credentials.
 
Talking about credentials, you can again patch lsass to force it to dump its passwords in clear text.
 
Last but not least, because you sometimes need to impersonate another account/context to perform some actions,
I took a quick tour around runastoken, runaschild....
 
This is only the beginning of my journey.
And for once, the journey is what matters to me here, not the destination :)
 
The source is available to all.
Binaries (x32/x64) are zipped.
This is early work : I have been testing this on win7, win8.1, win10.
In case Wonko passes by : some functions will work on xp and last time I tested it, it was running fine  B)
 
If you are not into security, don't bother with this tool : it will at best bore you, at worst BSOD your windows.
If you are a pseudo hacker willing to hack his GF's laptop, please, ignore me.
If you are a security hobbyist/amateur and have ideas and want to develop some features, let's be friends !
 
Before I forget : it is all on my github here (with some extra details).
 
Also, I did not invent any of it : I reused lots of tips, tricks, knowledge from fantastic guys out there willing to share and document.
Tool was also greatly inspired by Mimikatz : possibly one of the most powerful and challenging tools these last years ... and developed by another frenchie ;)
 
Cheers,
Erwan


#2 erwan.l

Posted 2 weeks ago

Command line as below:
NTHASH /setntlm [/server:hostname] /user:username /newhash:xxx
NTHASH /setntlm [/server:hostname] /user:username /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newhash:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newhash:xxx
NTHASH /gethash /password:password
NTHASH /getsid /user:username [/server:hostname]
NTHASH /getusers [/server:hostname]
NTHASH /getdomains [/server:hostname]
NTHASH /dumpsam
NTHASH /dumphashes [/offline]
NTHASH /dumphash /rid:123 [/offline]
NTHASH /getsamkey [/offline]
NTHASH /getsyskey [/offline]
NTHASH /getlsakeys
NTHASH /wdigest
NTHASH /logonpasswords
NTHASH /pth /user:username /password:myhash /domain:mydomain
NTHASH /enumcred
NTHASH /enumcred2
NTHASH /enumvault
NTHASH /cryptunprotectdata /binary:filename
NTHASH /cryptunprotectdata /input:string
NTHASH /cryptprotectdata /input:string
NTHASH /runasuser /user:username /password:password [/binary: x:\folder\bin.exe]
NTHASH /runastoken /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runaschild /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /enumpriv
NTHASH /enumproc
NTHASH /killproc /pid:12345
NTHASH /enummod /pid:12345
NTHASH /dumpprocess /pid:12345
NTHASH /a_command /verbose
NTHASH /a_command /system
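
For defenders: reading or patching LSASS memory, as discussed in this thread, requires a process handle with memory read or write rights, and Sysmon records such opens as Event ID 10 (ProcessAccess). The triage sketch below is an added example, not part of the original posts or of NTHASH; the sample events, paths and allowlist entry are constructed, and it assumes Sysmon process-access logging is enabled.

```python
# Added example: triage Sysmon Event ID 10 (ProcessAccess) records that
# target lsass.exe. All sample events below are constructed.

# Windows process access-right bits (winnt.h)
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
RIGHTS = {
    0x0008: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Hypothetical allowlist: replace with the security tooling actually deployed.
ALLOWED_SOURCES = {r"c:\program files\exampleedr\agent.exe"}

def decode_access(mask):
    """Names of the known rights set in a GrantedAccess mask."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def classify(event):
    """Return a finding dict for suspicious LSASS access, else None."""
    if event.get("EventID") != 10:
        return None
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    if event["SourceImage"].lower() in ALLOWED_SOURCES:
        return None
    mask = int(event["GrantedAccess"], 16)
    if mask & PROCESS_VM_WRITE:
        kind = "memory-write"   # required to patch LSASS or a logon session
    elif mask & PROCESS_VM_READ:
        kind = "memory-read"    # sufficient to read hashes or wdigest data
    else:
        return None             # query-only handle, e.g. a process lister
    return {"source": event["SourceImage"], "kind": kind,
            "rights": decode_access(mask)}

def scan(events):
    return [f for f in map(classify, events) if f]

LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed records using Sysmon field names
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\test\Downloads\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1438"},
    {"EventID": 10, "SourceImage": r"C:\Temp\dumper.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```
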





