Thursday, 15 September 2011

Attacking Windows Hashes

Its easy to get lost in the world of windows hashes, I know I do, that's why I'm writing this. I must say at this point, that I am certainly no expert when it comes to this subject, but i'm sitting in an airport for the next 5hrs with nothing to do, and it keeps my attention away from probing other people on the wifi  ;0)

Anyway, windows hashes come in many forms, and each type needs to be tackled in a different way.
  • Locally stored hashes: these can be stored in LM or NTLM format depending on the length of your password and OS type.
  • Authentication hashes: These hashes are used to authenticate to resources across the network.These can be either LM, NTLMv1 or NTLMv2, again depending on your OS type and the security that is negotiated between the two conversing machines.
  • Cached Credentials: These hashes are to allow previous users of the PC to log in to windows when a network connection is unavailable i.e. a corporate laptop user sitting at home.
  • Token hashes: These hashes are stored in RAM on the machine, and are left there from RDP and SMB sessions that other users have connected to recently. Their purpose is for Single Sign-On. 

Locally stored hashes:

Let's start with locally stored hashes, When you log on to your PC, If your running XP and your password is less than 15 characters, windows pads the password to 14 characters, splits the password into two, capitalizes it, then DES encrypts each half with a static value ("KGS!@#$%") to produce a hash. This hash is then compared to the hashes the PC has stored in it's SAM (hidden part of the registry). If your password is 15 characters or more, or you use Vista / Win7, then windows hashes this with RC4 instead, and they become NT hashes.
There are heaps of different tools out there to grab these hashes, windows reg save, Cain & Able, pwdump7, pwdumpx, gsecdump, and wce.exe are to name just a few.
The best way to tackle these is with rainbow tables. Ophcrack in particular is my favorite. Make sure you have downloaded either the  XP and VISTA tables from the site depending on your target.
You can crack these locally on the target PC by creating a boot disk which can then be booted from, and cracked automatically, or from over the network (depending on AV version) within ophcrack by choosing from the menu: load then remote sam.
Once you have the local administrator password, many options become available; These include token stealing (incognito), Pass-the-hash (psexec), domain hash dumping (wce,gsecdump), cached cred dumping (cachdump, pwdumpx), keylogging and more. Most of these are outlined below.

Authentication hashes:

Whenever you access a resource in a windows domain over the network, your PC will send over a hashed version of your password, this is so that you wont have to keep re-authenticating each time you open a mapped drive or printer for instance; Microsoft call this; Single Sign-On.
As we have seen in the previous section, these hashes can be trivial to crack, so Microsoft realizing this, took the local LM or NTLM hash and salted it with a random challenge that the server would issue. This meant that each hash became unique regardless of the password, so rainbow tables would no longer be effective. Dictionary attacks still are though, and CAIN and JTR are the best to use here.
Another technique can be used called challenge spoofing where-by you can pretend to be the server the client is looking for, and issue a static challenge of 1122334455667788 each time. This means that every password hash is now salted with the same value so we can now use rainbow tables specifically designed for this (see NetBIOS Spoofing post for more info on how to crack these.)

Cached Credentials:

Say for instance you use a laptop at work, and let's say also, you take that laptop home with you to work from.
Well, you will need to be able to logon to your laptop using your usual password without access to the domain controller back at the office. This is where Microsoft uses cached credentials.
By default, your windows machine will save the credentials of the last ten people that have previously logged onto it, allbeit in hashed format. Windows takes the regular stored password hash and hashes it again with MD4, which, is also salted with the username. This means to crack these using rainbow tables, you would need to create a new one for each username. You could use Winrtgen and create one for "Administrator" tho.
These hashes can be captured once you have administrator access to the machine. A few tools exist, such as meterpreter's post/windows/gather/cachedump, PWDumpX and GsecDump. XP/2003 family store these hashes in mscash1 format and can be cracked at a fairly fast rate of thousands of tries per second. Vista/2008 family and beyond store these in the much, much more secure mscash2 format. These are hashed many times through various algorithms and are really slow to crack (100/sec) on my machine.
These hashes are easiest to crack with john: ./john --format=mscash / mscash2 <hashfile>
To use CAIN on these, you will have to format them the correct way within the CACHE.LST file:

Token hashes:

Tokens are very similar to authentication hashes, in that they are designed again for Windows Single Sign-On. Tokens are stored in memory though, and can be extremely useful for the pentester. They are stored for a few reasons:

Maybe a domain admin has connected to a system using RDP, he has finished what he was doing and clicked disconnect (instead of logoff), his token will now stay on this system until that session is properly terminated, or the system has been rebooted.

Or, if for instance, you have an issue with your PC, and along comes the IT guy to fix it. He needs a file from the server let's say, so he browses to the share containing his file and enters his credentials. He gets his file, fixes your machine, and walks away.
Behind the scenes, windows has saved these credentials just in case you need to get another file from that same location.

These tokens are kept in memory, and are stored in the same format as the regular stored hashes i.e. LM and NT type. A huge benefit with this technique is that even though they may have have domain controllers storing the hashes in NThash format, these tokens will keep the LM version also! (providing the password is less than 15 characters).
This is good news for us, as we can now gain access to these hashes and run them through Ophcrack to gain access to his password!
This method can be achieved with  tools such as GsecDump and Windows Credential Editor, the latter being my favorite due to AV issues with GsecDump. You will need to have administrator access to the local PC for these to work, but simply running wce.exe without any options will dump both the local, and the token hashes.
Or, if you prefer, use a tool such as incognito, this will let you impersonate the holder of that token, basically giving you same permissions as the IT guy, without having to crack his password.

This particular technique is golden, and will more often than not, give you a route to domain admin, especially when used with other tools such as softperfect network scanner. Give this scanner the local admin credentials that you gained with ophcrack from the first section, and scan the network to get a list of logged on users, this will give you a quick idea as to which machines you have admin access to, and also, where those domain admin tokens are hiding away on :0)