Sunday, October 15, 2017

Online Password Attacks: Medusa / Ncrack / Hydra


- Layout for this exercise:

1 - Introduction

- Online password attacks involve password-guessing attempts for networked services that use a username and password authentication scheme. 

- This includes services such as HTTP, SSH, VNC, FTP, SNMP, POP3, etc. 

- In order to be able to automate a password attack against a given networked service, we must be able to generate authentication requests for the specific protocol in use by that service. 

- Tools such as Medusa, Ncrack, Hydra and even Metasploit can be used for that purpose.

- The same wordlist will be used throughout this exercise:

2 - Medusa for HTTP brute force attack

- Medusa is a speedy, massively parallel, modular, command-line login brute-forcer that supports services which allow remote authentication.

- Medusa supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet. 

- Host, username and password are all flexible inputs while performing the attack.

- Efficiency of the tool depends on network connectivity; for instance on a local system, it can test 2000 passwords per minute.

- With Medusa it is possible to perform a parallel attack, for instance cracking passwords of a few email accounts simultaneously, specifying the username list along with the password list.

- Installation and further information here:

- In the next example Medusa is used to perform a brute force attack against an .htaccess-protected web directory.

- First of all, let's check that the target has port 80 open:

- Launching medusa against the target (option -T 10 means 10 threads), the attack is successful:

3 - Ncrack for RDP brute force attack

- Ncrack is a high-speed network authentication cracking tool built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. 

- Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

- Protocols supported by Ncrack include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, SIP, Redis, PostgreSQL, MySQL, and Telnet.

- Ncrack is available for many different platforms, including Linux, *BSD, Windows and Mac OS X. There are already installers for Windows and Mac OS X and a universal source code tarball that can be compiled on every system. 

- For download and further information:

- In the next example ncrack is used against the Remote Desktop Protocol service listening on port 3389:

- The attack is successful:

4 - Hydra for SSH brute force attack

- Hydra is a fast network logon password cracking tool. 

- It is available for Windows, Linux, FreeBSD, Solaris and OS X, and supports many network protocols, such as Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

- Download Hydra here:

- In the next example SSH credentials are attacked with Hydra.

- Checking that the SSH service is running on port 22 of the target:

- The attack is successful:

5 - Hydra for FTP brute force attack

- This attack is similar to the previous one, the only difference being that the attacked service is FTP, listening on port 21:

- The attack is successful:
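From the defender's side, the SSH and FTP guessing runs above leave a dense trail of failed logons from one source. As an added example (not part of the original post), this Python script parses constructed sshd lines in the /var/log/auth.log syslog format, flags any source IP that reaches a threshold of failures inside a sliding time window, lists the usernames it tried, and notes whether a successful logon followed the burst. The year, hostnames, users and IP addresses in the sample are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log;
# that format carries no year, so parse() assumes 2017 (the year of the post).
SAMPLE_LOG = """\
Oct 15 10:01:02 kali sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Oct 15 10:01:03 kali sshd[2202]: Failed password for root from 192.0.2.10 port 51001 ssh2
Oct 15 10:01:03 kali sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 51002 ssh2
Oct 15 10:01:04 kali sshd[2204]: Failed password for marie from 192.0.2.10 port 51003 ssh2
Oct 15 10:01:05 kali sshd[2205]: Failed password for marie from 192.0.2.10 port 51004 ssh2
Oct 15 10:01:06 kali sshd[2206]: Accepted password for marie from 192.0.2.10 port 51005 ssh2
Oct 15 10:20:00 kali sshd[2300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(line, year=2017):
    """Return (timestamp, result, user, ip) for an sshd password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag every source IP that reaches `threshold` failed logons inside a sliding
    window of `window_s` seconds. Returns {ip: (failures, users_tried, success_after)}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> distinct usernames attempted (password spraying)
    flagged = {}
    for ts, result, user, ip in filter(None, map(parse, log_text.splitlines())):
        users[ip].add(user)
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = [len(q), sorted(users[ip]), False]
        elif ip in flagged:
            flagged[ip][2] = True  # success after a burst: the guess likely worked
    return {ip: tuple(v) for ip, v in flagged.items()}
```

The same counter works for FTP or web-server logs once the regex is swapped for that service's line format.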

Extracting Windows password hashes with pwdump/fgdump and WCE (Windows Credentials Editor)


- Layout for this exercise:

1 - Windows SAM, LM, NTLM and SYSKEY

- The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, and Windows 7 that stores users' passwords and it can be used to authenticate local and remote users. 

- SAM uses cryptographic hashing to prevent unauthenticated users from accessing the system.

- The user passwords are stored in hashed form in a registry hive, either as an LM or an NTLM hash.

- This file can be found at %SystemRoot%\System32\config\SAM and is mounted on HKLM\SAM.

- The LAN Manager (LM) hash is a compromised password hashing function that was the primary hash used by Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT to store user passwords.

- Support for the legacy LM protocol continued in later versions of Windows for backward compatibility, though Microsoft recommended that administrators turn it off. As of Windows Vista, the protocol is disabled by default.

- LM authentication uses a particularly weak method of hashing a user's password, which makes such hashes crackable in a matter of seconds using rainbow tables, or in a few hours using brute force.

- A further weakness of LM hashes lies in how they are used: since they change only when a user changes their password, they can be used to carry out a Pass The Hash (PTH) attack.

- The NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.

- NTLM is the successor to the LM authentication protocol.

- NTLM remains vulnerable to the Pass The Hash (PTH) attack, which is a variant on the reflection attack. For example, Metasploit can be used in many cases to obtain credentials from one machine which can be used to gain control of another machine.

- The Squirtle toolkit can be used to leverage web site cross-site scripting attacks into attacks on nearby assets via NTLM.

- Amplia Security discovered several flaws in the Windows implementation of the NTLM authentication mechanism which broke the security of the protocol, allowing attackers to gain read/write access to files and remote code execution.

- In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the Syskey function in Windows NT 4.0. 

- Syskey is a utility that encrypts the hashed password information in a SAM database in a Windows system using a 128-bit RC4 encryption key that, by default, is stored in the Windows registry. 

- Syskey can optionally be configured to require the user to enter the key at boot time as a startup password or load it on removable storage media (e.g., USB flash drive).

- It was meant to protect against offline password cracking attacks by preventing the possessor of an unauthorised copy of the SAM from extracting useful information from it.

- However, it has commonly been misused by scammers to lock victims out of their own computers in order to coerce them into paying a ransom.

2 - pwdump/fgdump

- pwdump/fgdump are password hash dumpers for Windows 2000 and later systems. 

- pwdump/fgdump are capable of dumping LM/NTLM hashes as well as password hash histories.

- pwdump/fgdump perform in-memory attacks by injecting a DLL containing the hash-dumping code into the Local Security Authority Subsystem (LSASS) process memory.

- The LSASS process has the necessary privileges to extract password hashes, as well as many useful APIs that can be used by the hash dumping tools. 

- fgdump is a more powerful version of pwdump: pwdump tends to hang when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. 

- fgdump was born out of frustration with antivirus (AV) vendors of the time, which only partially handled the execution of programs like pwdump: some of them would sometimes allow pwdump to run, sometimes not, and sometimes lock up the box. 

- For further information and downloading pwdump/fgdump:

- fgdump.exe is run from the Windows command line with administrator privileges:

- Running fgdump.exe:

- Reading the output file, the NTLM hashes for all users are displayed:

3 - Windows Credentials Editor (WCE)

- Windows Credentials Editor (WCE) is a post-exploitation security tool that allows listing logon sessions and adding, changing, listing and deleting the associated credentials (e.g. LM/NT hashes, plaintext passwords and Kerberos tickets). 

- WCE can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them in other Windows or Unix systems and dump cleartext passwords entered by users at logon. 

- WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.

- WCE works either by using DLL injection or by directly reading the Local Security Authority Subsystem (LSASS) process memory. The second method is safer in terms of operating system stability, because no code is injected into a highly privileged process.

- For further information and downloading WCE:

- WCE is run from the Windows command line with administrator privileges:

- The output of running wce.exe displays both the LM and NTLM hashes of the passwords from all users currently logged on:
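A defender reviewing a dump like the ones above mostly wants to know which accounts still store a crackable LM hash and which have a blank password. As an added example (not part of the original post or of these tools), this Python script parses constructed lines in the pwdump record format `user:RID:LMHASH:NTHASH:::` that fgdump writes; the hash values in the sample are made-up hex, while the two sentinel constants are the well-known hashes of an empty/disabled LM password and of an empty NT password.

```python
import re

# Well-known sentinel values (public constants, not values from the post): the LM
# field Windows stores when LM hashing is disabled, and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed dump in the pwdump line format user:RID:LMHASH:NTHASH:::
# The non-sentinel hash values below are made-up hex, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
marie:1001:0f1e2d3c4b5a69788796a5b4c3d2e1f0:fedcba9876543210fedcba9876543210:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
this line is not a dump record
"""

RECORD_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

def parse_dump(text):
    """Yield (user, rid, lm, nt) for each well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()

def audit_dump(text):
    """Classify each account:
    'blank_password' - NT hash is the empty-string hash (anyone can log on);
    'lm_stored'      - a real LM hash is present (crackable in seconds with rainbow tables);
    'nt_only'        - only the NT hash is stored, the expected state on modern hosts."""
    findings = {}
    for user, rid, lm, nt in parse_dump(text):
        if nt == EMPTY_NT:
            findings[user] = "blank_password"
        elif lm != EMPTY_LM:
            findings[user] = "lm_stored"
        else:
            findings[user] = "nt_only"
    return findings
```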

Decrypting Windows and Linux password hashing with John the Ripper


- Layout for this exercise:

1 - John The Ripper

- John The Ripper is a free password cracking software tool:

- Initially developed for the Unix operating system, it now runs on fifteen different platforms, eleven of which are architecture-specific versions of Unix, plus DOS, Win32, BeOS, and OpenVMS. 

- John The Ripper combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker.

- It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. 

- One of the modes John can use is the dictionary attack.

- It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary or real passwords cracked before), encrypts each one in the same format as the password being examined (including both the encryption algorithm and key), and compares the output to the encrypted string.

- It can also perform a variety of alterations to the dictionary words and try these.

- Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the hashes.

- John also offers a brute force attack mode, in which the program goes through all the possible plaintexts, hashing each one and then comparing it to the input hash. 

- John uses character frequency tables to try plaintexts containing more frequently used characters first.

- This method is useful for cracking passwords which do not appear in dictionary wordlists, but it takes a long time to run.

2 - Decrypting Windows password hashing with John The Ripper brute force attack

- For this part of the exercise, let's take the hashes obtained with pwdump/fgdump and WCE in this previous exercise:


- Creating two hash text files (fgdump_hash.txt and wce_hash.txt) and placing both of them in the TFTP folder, so that they can be transferred from Windows 7 to the Kali Linux machine:

- There is a difference between the two files: the first one only contains the LM hashes, while the second one contains both the LM and NTLM hashes:

- Let's transfer both files from Windows 7 to Kali Linux using the TFTP service:

- The transfer is successful:

- Now, let's crack the hashes with John The Ripper by running the command john on the Kali machine, which will work in brute force mode just by adding the names of the text files as parameters:

- The decryption is successful for fgdump_hash.txt:

- For wce_hash.txt the result is also successful, though the cleartext passwords are presented in uppercase (LM hashing converts the password to uppercase before hashing it, so the original case is lost):

- Note that this type of brute force attack can take a long time to run.

- However, due to the presence of both LM and NTLM hashes in the file wce_hash.txt, the process is a lot faster compared with the case where only LM is present, as happens with fgdump_hash.txt.

3 - Decrypting Windows password hashing with John The Ripper dictionary attack

- In order to avoid the long time taken by the previous mode, let's perform a dictionary attack using a wordlist. 

- The difference is that now a wordlist is provided to John The Ripper. 

- For instance, let's create a text file list1 containing different strings as potential cleartext passwords:

- Passing list1 as wordlist for cracking fgdump_hash.txt:

- The result is successful:

- Passing list1 as wordlist for cracking wce_hash.txt:

- The result is also successful:

- Of course, for the dictionary attack to succeed the wordlist provided must contain the correct cleartext passwords, as was the case with list1.

4 - Decrypting Linux password hashing with John The Ripper

- Similar modes are used for Linux passwords, but before using John The Ripper it is necessary to "unshadow" the hashes obtained from a compromised system.

- First, there is a file passwords containing a dump from /etc/passwd:

- We also have a file named shadow_hash containing some hashes taken from a dump of /etc/shadow:

- Let's use the unshadow command:

- "Unshadow"-ing:

- Finally, applying John The Ripper with the wordlist list2 to unshadow_hashes, the cleartext passwords are obtained:
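Whether a Linux hash dump like the one above cracks quickly depends mainly on the crypt(3) algorithm each account uses, which is encoded in the `$id$` prefix of the shadow field. As an added example (not part of the original post), this Python audit parses constructed /etc/shadow lines, names the algorithm per account, and flags active accounts that use the fast legacy DES or MD5 schemes or have no password at all; the hash bodies in the sample are made-up strings of the right shape.

```python
# Mapping of crypt(3) identifier prefixes to algorithm names (the 13-character
# form with no prefix is traditional DES crypt).
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
LEGACY = {"descrypt", "md5crypt"}   # fast to brute-force; should be migrated

# Constructed /etc/shadow excerpt; hash bodies are made-up, not real hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu:17454:0:99999:7:::
alice:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:17454:0:99999:7:::
bob:abJnggxhB/yWI:17454:0:99999:7:::
daemon:*:17454:0:99999:7:::
svc:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu:17454:0:99999:7:::
nopass::17454:0:99999:7:::
"""

def classify_hash(field):
    """Return (algorithm, state) for one shadow password field."""
    if field == "":
        return ("none", "empty")             # login possible with no password at all
    if field[0] in "!*":                     # '!' or '*' prefix: account locked
        body = field.lstrip("!*")
        algo = classify_hash(body)[0] if body else "none"
        return (algo, "locked")
    if field.startswith("$"):
        ident = field.split("$")[1]
        return (CRYPT_IDS.get(ident, "unknown($%s$)" % ident), "active")
    if len(field) == 13:
        return ("descrypt", "active")
    return ("unknown", "active")

def audit_shadow(text):
    """Return {user: (algorithm, state, weak)}; weak is True for an active account
    hashed with a legacy fast algorithm or for an account with an empty password."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        algo, state = classify_hash(pw)
        weak = state == "empty" or (state == "active" and algo in LEGACY)
        report[user] = (algo, state, weak)
    return report
```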

5 - Hashing identifier

- Let's hash the string "today" with different cryptographic hash algorithms:

- Now, hash-identifier can help to discover what type of hash function has been applied, for instance MD5 (Message Digest 5):

- Also, the SHA-256 (Secure Hash Algorithm):
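The identification above rests on the digest's length and alphabet, which is also why a tool like hash-identifier can only propose candidates: an unsalted 32-character hex digest may equally be MD5, NTLM (MD4) or LM. As an added example (not part of the original post or of hash-identifier), this Python snippet hashes the string "today" as in the exercise and performs that length-based identification, with the candidate table as an assumption of the example.

```python
import hashlib

# Candidate algorithms for an unsalted hex digest, keyed by its length in hex characters.
# Several formats collide on length, so a hash identifier returns candidates, not a verdict.
BY_LENGTH = {
    32: ["MD5", "NTLM", "LM", "MD4"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}

def hash_string(text, algo):
    """Hex digest of `text` (UTF-8) under a hashlib algorithm name such as 'md5'."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()

def identify(digest):
    """Return the candidate algorithms for a plain hex digest, or [] if the input is
    not hex (e.g. a salted crypt string such as $6$... needs a different parser)."""
    d = digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return []
    return BY_LENGTH.get(len(d), [])

def demo():
    """Hash 'today' with the algorithms used in the exercise and identify each digest."""
    out = {}
    for algo in ("md5", "sha1", "sha256", "sha512"):
        d = hash_string("today", algo)
        out[algo] = (d, identify(d))
    return out
```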

Pass The Hash (PTH) attack with pth-winexe


- Layout for this exercise:

1 - Introduction

- In cryptanalysis and computer security, Pass The Hash (PTH) is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash of a user's password, instead of requiring the associated plaintext password as is normally the case.

- After an attacker obtains a valid user name and the hash of that user's password, they can use those values to authenticate to a remote server or service using LM or NTLM authentication, without the need to brute-force the hash to obtain the cleartext password. 

- The attack exploits an implementation weakness in the authentication protocol, where password hashes remain static from session to session until the password is next changed.

- This technique can be performed against any server or service accepting LM or NTLM authentication, whether it runs on a machine with Windows, Unix, or any other operating system.

2 - UAC (User Account Control) remote restrictions and PTH attack

- However, the UAC (User Account Control) implemented since Windows Vista imposes severe restrictions on remote users, as explained in this Microsoft document:

"When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop ... When a user with a domain user account logs on to a Windows Vista computer remotely, and the user is a member of the Administrators group, the domain user will run with a full administrator access token on the remote computer and UAC is disabled for the user on the remote computer for that session."

- For further details and information:

- So, if the targeted machine is XP there is no need to disable UAC in order to launch a successful PTH attack, while it is necessary for Windows Vista, W7, W8 and W10 desktops and for W2008 and W2012 servers.

- In this exercise a Windows 7 machine is used, so to disable UAC just follow these steps:

Start -> Control Panel -> User Accounts and Family Safety -> User Accounts -> User Account Control Settings -> Never notify -> OK

- Also, in case of exploiting with Metasploit, UAC can be disabled as explained in this exercise:

3 - Passing the hash in Windows

- The command winexe needs the username and the cleartext password, which can be tedious or difficult to obtain in some cases, depending on the complexity of the password:

- Running winexe for the user marie, the command prompts for her password in cleartext:

- In contrast, pth-winexe, a patched version of winexe, can be used to get a remote shell by providing only the username and the hash of the password (no cleartext password is needed):

- The first step for using pth-winexe is to take a user's password hash and export it as the environment variable SMBHASH:

- Running pth-winexe launches a remote command line from the targeted Windows 7 machine: