Kali Penetration Testing: Hashed Password Cracking

Some websites have weak security configurations that lead to the compromise of their own critical databases. Because many users reuse the same username and password across different websites, an attacker who obtains the usernames and passwords of website A's users can try them to log in to website B. This is a "credential stuffing attack". For example, the 12306 website user data that has circulated widely on the Internet since December 25, 2014 was obtained by attackers through credential stuffing.

Much of the data in leaked databases is in plaintext, but most databases today store passwords as hashes. The Windows operating system, for example, saves login passwords in hashed form. A password hash is a seemingly random string produced by running the password once through a one-way hash function. The process is considered irreversible: the original password cannot be recovered from the hash value. For example, the password "999999" becomes "52C69E3A57331081823331C4E69D3F2E" after MD5 hashing, and it is this hash value that is stored in the database. To verify a login, the system only needs to hash the entered value and compare it with the stored value. Even if an attacker obtains "52C69E3A57331081823331C4E69D3F2E", the original password "999999" cannot be derived from it directly. This means that even if the database holding the passwords is compromised, the passwords themselves are not exposed in the clear.

As attack techniques have evolved, hashed storage alone is no longer safe. The following sections describe several methods for cracking hashed passwords.

1.1 Crack the basic LM hash encryption password

Windows XP is arguably one of Microsoft's most influential products. Although most people now regard this operating system as hopelessly outdated, and Microsoft itself ended support for it in 2014, many organizations still run Windows XP because of software compatibility constraints. Its security issues therefore remain worth studying.

The first topic is Windows XP password security. We are all familiar with the login screen shown when Windows XP starts or is accessed remotely: we enter a username and password, the operating system compares them with the stored information, and if they match we are logged in. So could we find out and "steal" the stored password while the computer's owner is away? The idea is not far-fetched, because Windows XP does store the password, and it can indeed be found. It is kept in C:\Windows\System32\config\SAM. On Windows XP and Windows 2003, the full LM hash of the password can be extracted with tools. One such tool is SAMInside; its interface is shown in the figure below.

SAMInside is a Windows password recovery tool that supports Windows NT/2000/XP/Vista and is mainly used to recover Windows user login passwords. Note that SAMInside recovers user passwords by reading two files from the target operating system, SAM and SYSTEM, both located in the C:\Windows\System32\config directory. These two files are locked while Windows is running and cannot be read, so the tool must be used to read the SAM file from a DOS or Windows PE environment instead.

After the tool runs, the Windows XP passwords are displayed in SAMInside. So how does Windows XP protect its passwords? It uses a scheme called LM hashing, whose steps are as follows.

◆ The entered password can be up to 14 characters long

◆ The password is converted to uppercase

◆ The uppercased password is converted to a hexadecimal (byte) string

◆ A password shorter than 14 bytes is padded with zeros (null bytes) to 14 bytes

◆ The fixed-length password is split into two 7-byte halves

◆ Each 7-byte half is converted to binary, a 0 bit is inserted after every 7 bits, and the result is converted back to hexadecimal, giving two 8-byte values

◆ Each 8-byte value is used as a DES key to encrypt the fixed string "KGS!@#$%"

◆ The two DES ciphertexts are concatenated to form the final LM hash value

This scheme has since been improved, and current operating systems offer several protection methods, one of the most effective being "salting" the password. The "salt" is a kind of seasoning added to the password: when the user first provides the password (usually at registration), the system automatically appends a salt value, randomly generated by the system and known only to it, and then hashes the result. When the user logs in, the system appends the stored salt to the supplied password, hashes it, and compares the result with the stored hash. If two users use the same password, the system generates different salts for them, so their hash values are also different. An attacker who hashes his own passwords and looks for matching users can only succeed against a user whose password and salt both coincide with his, which is extremely unlikely. The LM hash algorithm, however, does not use a salt. Although we cannot derive the password from the hash value directly, two identical passwords always produce the same LM hash, and this gives us a way to crack LM-hashed passwords.
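The following Go program, added here as an illustration and not part of the original article, implements the LM steps listed above and, for contrast, the salted scheme described in this paragraph. It assumes an ASCII password (Windows folds non-ASCII characters through the OEM code page, which is not modelled) and uses a salted SHA-256 purely to show the effect of the salt; LMHash, SaltedHash, VerifySalted and the sample passwords are names and values chosen for this example.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that LM encrypts under each half of the password.
const lmMagic = "KGS!@#$%"

// EmptyHalf is the DES output for an all-zero 7-byte half; it is the second
// half of every LM hash whose password is 7 characters or shorter.
const EmptyHalf = "AAD3B435B51404EE"

// lmKey turns a 7-byte half into an 8-byte DES key: the 56 bits are read as
// eight groups of 7 bits and a 0 (parity) bit is appended to each group.
func lmKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7f) << 1
		bits >>= 7
	}
	return key
}

// LMHash follows the steps listed above: uppercase, truncate to 14 bytes,
// zero-pad, split into two 7-byte halves, DES-encrypt lmMagic under each half,
// concatenate the two ciphertexts. No salt is involved anywhere.
func LMHash(password string) string {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = pw[:14]
	}
	padded := make([]byte, 14) // zero padding for short passwords
	copy(padded, pw)
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(lmKey(padded[i*7 : i*7+7]))
		if err != nil {
			panic(err) // cannot happen: the key is always 8 bytes
		}
		block.Encrypt(out[i*8:i*8+8], []byte(lmMagic))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// SaltedHash stores a password the salted way: a fresh random 16-byte salt is
// hashed together with the password, and salt and digest are both kept.
func SaltedHash(password string) (salt, digest string) {
	s := make([]byte, 16)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return hex.EncodeToString(s), saltedDigest(s, password)
}

// VerifySalted recomputes the digest from the stored salt and compares it in
// constant time, so a mismatch does not leak how many bytes matched.
func VerifySalted(password, salt, digest string) bool {
	s, err := hex.DecodeString(salt)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(saltedDigest(s, password)), []byte(digest)) == 1
}

func saltedDigest(salt []byte, password string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	fmt.Println("LM(\"\")         =", LMHash(""))
	fmt.Println("LM(\"password\") =", LMHash("password"))
	fmt.Println("LM(\"PASSWORD\") =", LMHash("PASSWORD")) // same as above: case folded, no salt
	s1, d1 := SaltedHash("password")
	s2, d2 := SaltedHash("password")
	fmt.Println("salted #1:", s1, d1)
	fmt.Println("salted #2:", s2, d2) // same password, different salt, different digest
}
```

Run it with go run. The LM hashes of "password" and "PASSWORD" are identical, and any password of 7 characters or fewer ends in AAD3B435B51404EE, so the second half of an LM hash alone reveals the password length. The two salted digests for the same password differ on every run. A production system would combine the salt with a deliberately slow function such as bcrypt or Argon2 rather than a single SHA-256, which is far too fast to resist brute force.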

1.2 Online cracking of LM hash encryption password

Many websites now offer services for cracking LM-hashed passwords: you submit the hash value, the site looks it up in its own database, and if the hash is found you get the corresponding password. Most of these sites use a technique called "rainbow tables". You can use the online website cmd5 to crack LM and NTLM hashes online. The figure below shows the cmd5 interface, which can both hash passwords and look up hash values.

This website can also compute the hash of a password. You can start with some common hash values and then gradually increase the difficulty of the password. Next we crack the NTLM hash "32ed87bdb5fdc5e9cba88547376818d4"; the result of reversing this hash value is shown in the following figure:

1.3 Cracking the hash value in Kali

Cracking a hash online is very simple, but there are in fact many hashing algorithms; the three most common are MD5, LM, and NTLM. So how do we know which algorithm produced a given hash value? This is critical because different algorithms require different cracking methods. Kali provides two tools for distinguishing them: hash-identifier and hashID.

The usage of hash-identifier is very simple. In Kali, start a terminal and enter the hash-identifier command to start the tool. The command is as follows:

┌──(kali㉿kali)-[~]
└─$ hash-identifier

As shown below:

Enter the hash value, and hash-identifier lists the algorithms that could have produced it, as shown in the following figure. Press Ctrl-C to exit when finished.

hashID is another very effective tool. Open a terminal, enter the hashid command followed by the hash value to be identified, and press Enter:

┌──(kali㉿kali)-[~]
└─$ hashid 32ed87bdb5fdc5e9cba88547376818d4
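hash-identifier and hashid work by matching a hash's prefix, length and character set against known formats. The following Go program, added here as an example and not taken from either tool, does the same for the common cases; it also parses the user:RID:LM-hash:NT-hash::: lines that the hashdump command in section 1.4 prints, so that accounts still storing an LM hash can be flagged. The two dump lines are constructed for this example, and IdentifyHash, ParseHashdumpLine and LMStored are names chosen here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var hexRe = regexp.MustCompile(`^[0-9a-fA-F]+$`)

// emptyLM is the LM hash of an empty password; it is also what Windows stores
// in the LM field when LM hash storage is disabled.
const emptyLM = "aad3b435b51404eeaad3b435b51404ee"

// IdentifyHash lists the algorithms that could have produced a hash string,
// judged by prefix, length and character set, most likely first. Like
// hash-identifier and hashid it can only narrow the candidates: a 32-character
// hex string may be MD5, NTLM or LM, which look identical.
func IdentifyHash(h string) []string {
	h = strings.TrimSpace(h)
	prefixes := []struct{ p, name string }{
		{"$1$", "MD5 crypt"}, {"$2a$", "bcrypt"}, {"$2b$", "bcrypt"}, {"$2y$", "bcrypt"},
		{"$5$", "SHA-256 crypt"}, {"$6$", "SHA-512 crypt"},
	}
	for _, c := range prefixes {
		if strings.HasPrefix(h, c.p) {
			return []string{c.name}
		}
	}
	if !hexRe.MatchString(h) {
		return nil
	}
	switch len(h) {
	case 32:
		lower := strings.ToLower(h)
		if lower == emptyLM {
			return []string{"LM (empty password or LM storage disabled)"}
		}
		if strings.HasSuffix(lower, emptyLM[16:]) {
			return []string{"LM (password of 7 characters or fewer)", "NTLM", "MD5"}
		}
		return []string{"MD5", "NTLM", "LM", "MD4"}
	case 40:
		return []string{"SHA-1", "RIPEMD-160"}
	case 56:
		return []string{"SHA-224"}
	case 64:
		return []string{"SHA-256"}
	case 96:
		return []string{"SHA-384"}
	case 128:
		return []string{"SHA-512"}
	}
	return nil
}

// HashdumpEntry is one line of the pwdump format that hashdump prints:
// user:RID:LM-hash:NT-hash:::
type HashdumpEntry struct {
	User, RID, LM, NT string
}

// ParseHashdumpLine splits one pwdump-format line into its fields.
func ParseHashdumpLine(line string) (HashdumpEntry, error) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) < 4 {
		return HashdumpEntry{}, fmt.Errorf("expected user:rid:lm:nt:::, got %q", line)
	}
	return HashdumpEntry{User: f[0], RID: f[1], LM: strings.ToLower(f[2]), NT: strings.ToLower(f[3])}, nil
}

// LMStored reports whether the account still has a real LM hash on disk, i.e.
// whether the weak, unsalted algorithm from section 1.1 is still in use for it.
func (e HashdumpEntry) LMStored() bool {
	return e.LM != "" && e.LM != emptyLM
}

func main() {
	fmt.Println(IdentifyHash("32ed87bdb5fdc5e9cba88547376818d4")) // the hash from section 1.2
	// Constructed sample lines in hashdump's format (not real dump output).
	for _, line := range []string{
		"Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
		"legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
	} {
		e, err := ParseHashdumpLine(line)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s LM stored: %-5v NT candidates: %s\n", e.User, e.LMStored(), IdentifyHash(e.NT))
	}
}
```

Any account for which LMStored returns true has its password protected only by the case-folded, unsalted, 7-byte-split algorithm of section 1.1, which is the first thing to fix when reviewing a dump of your own systems.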

1.4 Pass-the-Hash Attack

The previous sections described how to crack Windows passwords protected with LM hashing. Besides LM, Windows also uses NTLM hashing, which is a much more secure scheme. In fact, we do not always need to crack the password at all: once the hashed password value has been obtained from a computer, whether it is an LM or an NTLM hash, the value itself can be used to gain access to the system directly. This technique is called a "pass-the-hash attack". It is a classic attack method; although every network attack technique gradually becomes outdated, this one still works today, and it also gives us a useful way of thinking about such attacks.

Some operating systems have mechanisms that can block this pass-the-hash attack. Windows 7 uses User Account Control (UAC), which first appeared in Windows Vista and is present in later versions. UAC prevents malicious programs (malware) from damaging the system and also helps organizations deploy a more manageable platform.

With UAC, applications and tasks always run with the privileges of a non-administrator user unless an administrator explicitly authorizes administrator-level access. UAC blocks the unattended installation of unauthorized applications and prevents inadvertent changes to system settings, which resolved a number of the security problems of Windows XP. However, this mechanism can be turned off, so pass-the-hash attacks are still worth studying.

Our target is a Windows 7 system. First, enable file sharing on it; the easiest way is to share a directory. This step is important: without it the remote attack cannot succeed.

UAC can be turned off on the target in advance (or left on and disabled remotely from the Meterpreter session later). The steps to turn it off are as follows:

◆ 1. Enter "UAC" in the search box of the "Start" menu, as shown in the following figure:

◆ 2. This opens "User Account Control Settings"; change "Choose when to notify you about computer changes" to "Never notify" (that is, drag the slider on the left to the bottom), as shown below:

◆ 3. Click the "OK" button and restart the computer.

Now we can start the attack. First we need a way to obtain the target host's password hash values. Two methods were introduced above; one of them is simply to start the Windows XP system and copy the SAM file.

In addition, once we control the target host with Metasploit, we can obtain its password hashes from there. The demonstration is as follows:

We want to dump the password hashes from a target host that has already been compromised. This requires system-level (administrator) privileges, and UAC on the target must be turned off. In this experiment we turned UAC off beforehand, so this step is unnecessary; if it has not been turned off, it can be disabled remotely with the bypassuac_eventvwr module.

First, send the current session to the background with the background command; then run use exploit/windows/local/bypassuac_eventvwr, as shown in the figure below. Note that this module only works if the UAC settings have not been modified.

In this experiment we only need system-level administrator privileges, which we can obtain with the getsystem command, as shown in the following figure:

Having obtained system privileges, we use the getuid command to check the current username, as shown in the following image:

Next we dump the target system's password hashes with the hashdump command, as shown in the following figure:

If this command fails, try migrating the Meterpreter process into another process, for example one running with SYSTEM privileges; if it still fails, use the post/windows/gather/smart_hashdump module, as shown below:

Use the online cmd5 service to look up the hash values, as shown in the following figure:

We can also use Meterpreter's kiwi module, which can recover plaintext passwords: first load it with the load kiwi command, then run creds_all to display the plaintext passwords, as shown in the following figure:

1.5 Dictionaries

A dictionary is essential when cracking passwords. A dictionary is simply a file containing a large number of candidate words.

There are three sources of dictionaries in Kali:

◊ Generate the required dictionary with a dictionary generation tool. When we need a dictionary and have no suitable one at hand, we can use a tool to generate it.

◊ Use the dictionaries that ship with Kali, which are all stored in the /usr/share/wordlists/ directory, as shown in the following figure:

◊ Download popular dictionaries from the Internet, as shown below:

The dirb directory contains 3 subdirectories and 9 files. Among the files, big.txt is a fairly complete dictionary of 179KB, while small.txt is a compact dictionary of only 6.4KB; catala.txt is the project configuration dictionary and spanish.txt is the method name or library directory dictionary. Of the three subdirectories, others mainly contains vulnerability-related dictionaries; for example, tomcat.txt is a dictionary related to Tomcat configuration.

The fern-wifi directory contains only common.txt, a list of likely passwords for public Wi-Fi networks; the metasploit directory contains many files covering almost every common type of dictionary; and the wfuzz directory is used mainly for fuzzing. For generating dictionaries, Kali ships with Crunch. Crunch's home page provides how-tos and usage examples. Using the tool is very simple: you only need to give Crunch the following 3 values.

◊ The minimum length of words in the dictionary

◊ The maximum length of words in the dictionary

◊ The character set used to build the words (lowercase letters, uppercase letters, digits, symbols). This value is optional; if it is omitted, the default character set (lowercase letters) is used.

Crunch does the rest. Below is a simple example of its use. Start a terminal in Kali and enter the following command:

┌──(kali㉿kali)-[~]
└─$ crunch 2 3 -o /home/kali/Downloads/passwords.txt

The result is shown below:

This command generates all passwords of 2 or 3 characters and writes them to passwords.txt. With the default character set, passwords such as "aa" and "ab" are generated, as shown in the following figure:

If we know the target well, we can also restrict the characters to those the target commonly uses. For example, if the Q, W, E, R, T and 1, 2, 3, 4 keys on someone's keyboard are heavily worn, we can generate passwords from just those characters. The command is:

┌──(kali㉿kali)-[~]
└─$ crunch 4 4 qwert1234 -o /home/kali/Downloads/password2.txt

The generated password is shown below:

The generated passwords now contain only the characters q, w, e, r, t, 1, 2, 3, and 4.
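As an added illustration (not from the article and not Crunch's own code), the following Go program reproduces what the two crunch commands above do: it enumerates every string of the requested lengths over a character set, in the same order crunch uses (the rightmost position changes fastest). WordlistSize shows why length and character set matter so much: 2 to 3 lowercase letters give 18,252 candidates, while 4 characters from qwert1234 give 6,561. The function names and the output path are chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

const lowercase = "abcdefghijklmnopqrstuvwxyz" // crunch's default character set

// WordlistSize returns how many candidates lengths minLen..maxLen over a
// charset of n characters produce: the sum of n^k for each length k.
func WordlistSize(minLen, maxLen, n int) int {
	total := 0
	for k := minLen; k <= maxLen; k++ {
		p := 1
		for i := 0; i < k; i++ {
			p *= n
		}
		total += p
	}
	return total
}

// Generate enumerates every string of length minLen..maxLen over charset, in
// charset order with the leftmost position most significant, and passes each
// one to emit. It stops early if emit returns false.
func Generate(minLen, maxLen int, charset string, emit func(string) bool) {
	chars := []rune(charset)
	n := len(chars)
	if n == 0 {
		return // nothing to build words from
	}
	for k := minLen; k <= maxLen; k++ {
		idx := make([]int, k) // odometer: one charset index per position
		word := make([]rune, k)
		for {
			for i, c := range idx {
				word[i] = chars[c]
			}
			if !emit(string(word)) {
				return
			}
			pos := k - 1 // advance the odometer from the right, carrying left
			for pos >= 0 {
				idx[pos]++
				if idx[pos] < n {
					break
				}
				idx[pos] = 0
				pos--
			}
			if pos < 0 {
				break // every position wrapped: this length is exhausted
			}
		}
	}
}

// Collect gathers the candidates into a slice (fine for small lists).
func Collect(minLen, maxLen int, charset string) []string {
	var out []string
	Generate(minLen, maxLen, charset, func(s string) bool {
		out = append(out, s)
		return true
	})
	return out
}

// WriteWordlist writes the candidates to path, one per line, like crunch -o,
// and returns how many were written.
func WriteWordlist(path string, minLen, maxLen int, charset string) (int, error) {
	f, err := os.Create(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	w := bufio.NewWriter(f)
	count := 0
	Generate(minLen, maxLen, charset, func(s string) bool {
		count++
		_, err = w.WriteString(s + "\n")
		return err == nil
	})
	if err != nil {
		return count, err
	}
	return count, w.Flush()
}

func main() {
	// Mirrors the two commands in the text: crunch 2 3 and crunch 4 4 qwert1234.
	fmt.Println("crunch 2 3 produces", WordlistSize(2, 3, len(lowercase)), "candidates")
	fmt.Println("first entries:", strings.Join(Collect(2, 2, lowercase)[:3], ", "))
	fmt.Println("crunch 4 4 qwert1234 produces", WordlistSize(4, 4, len("qwert1234")), "candidates")
	n, err := WriteWordlist("password2.txt", 4, 4, "qwert1234") // example output path
	fmt.Println("written:", n, "error:", err)
}
```

The odometer loop is the whole of the algorithm: a wordlist is just the counting sequence in base n, which is why adding one character to the length multiplies the file size by the size of the character set.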

Origin blog.csdn.net/weixin_41905135/article/details/124977983