# Password Attacks

## Credential Storage

### Linux

* `/etc/shadow` contains the password hashes, one line per account, with nine colon-separated fields:

`<username>:<password hash>:<last change>:<min age>:<max age>:<warning period>:<inactivity period>:<expiration date>:<reserved>`

The password hash field uses the modular crypt format `$id$salt$hash`; schemes that take parameters insert them after the id, for example yescrypt's `$y$<params>$salt$hash`.

Hash algorithm ID:

| ID       | Algorithm                                                             |
| -------- | --------------------------------------------------------------------- |
| `$1$`    | [MD5](https://en.wikipedia.org/wiki/MD5) (md5crypt)                   |
| `$2a$`   | bcrypt ([Blowfish](https://en.wikipedia.org/wiki/Blowfish_\(cipher\))-based; `$2b$` and `$2y$` are later variants) |
| `$5$`    | [SHA-256](https://en.wikipedia.org/wiki/SHA-2) (sha256crypt)          |
| `$6$`    | [SHA-512](https://en.wikipedia.org/wiki/SHA-2) (sha512crypt)          |
| `$sha1$` | [SHA1crypt](https://en.wikipedia.org/wiki/SHA-1)                      |
| `$y$`    | [Yescrypt](https://github.com/openwall/yescrypt)                      |
| `$gy$`   | [Gost-yescrypt](https://www.openwall.com/lists/yescrypt/2019/06/30/1) |
| `$7$`    | [Scrypt](https://en.wikipedia.org/wiki/Scrypt)                        |

In the past, the password hash was stored together with the username in `/etc/passwd`, but this was increasingly recognized as a security problem: `/etc/passwd` must stay world-readable because many programs use it to map UIDs to usernames, so any local user could copy every hash and crack it offline. The hashes were therefore moved to `/etc/shadow`, which is readable only by `root` (and, on many distributions, by members of the `shadow` group).

#### passwd file

| `htb-student:` | `x:`          | `1000:`  | `1000:`  | `,,,:`       | `/home/htb-student:` | `/bin/bash`                       |
| -------------- | ------------- | -------- | -------- | ------------ | -------------------- | --------------------------------- |
| `<username>:`  | `<password>:` | `<uid>:` | `<gid>:` | `<comment>:` | `<home directory>:`  | `<cmd executed after logging in>` |

An `x` in the password field means the hash lives in `/etc/shadow`; anything else in that field is either a lock marker (`*`, `!`) or an actual hash that every local user can read. The comment field holds GECOS information (full name, room, phone numbers), which is why it often reads `,,,`.
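As an added example (not part of the original page), the following Python script parses constructed `/etc/passwd` and `/etc/shadow` contents using the field layout and hash IDs described above, and flags the cases an auditor or an attacker looks for first: a hash left in world-readable `/etc/passwd`, an empty password field, and a cheap legacy scheme such as md5crypt. The sample entries, usernames and hash strings are constructed for the example and are not real hashes; `classify` and `audit` are names chosen here.

```python
import re

# Modular crypt format IDs that can appear in /etc/shadow: the table above,
# plus the $2b$/$2y$ bcrypt variants. Mapping constructed for this example.
HASH_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "sha1": "sha1crypt",
    "y": "yescrypt", "gy": "gost-yescrypt", "7": "scrypt",
}
# Schemes cheap enough that an offline attack is practical on modest hardware.
WEAK_SCHEMES = {"md5crypt", "sha1crypt", "descrypt"}

PASSWD_FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("user", "hash", "last_change", "min_age", "max_age",
                 "warn", "inactive", "expire", "reserved")

# Constructed sample files; the hash strings are random-looking filler, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash
legacy:$1$Xy8dEsLp$zH1mQ0K9cNz4pQ8rS2tU3/:1001:1001::/home/legacy:/bin/sh
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
backup:x:1003:1003::/var/backups:/bin/sh
olduser:x:1004:1004::/home/olduser:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$8aT2r3Xk$Kf9QZ7v0LmN1oP2qR3sT4uV5wX6yZ7aB8cD9eF0gH1iJ2kL3mN4oP5qR6sT7uV8wX9yZ0aB1cD2e:19500:0:99999:7:::
htb-student:$y$j9T$d0ZxL1pQ2rS3tU4vW5xY6z$A1bC2dE3fG4hI5jK6lM7nO8pQ9rS0tU1vW2xY3zA4bC5dE6fG7hI8jK9l:19500:0:99999:7:::
svc:!:19500:0:99999:7:::
backup::19500:0:99999:7:::
olduser:$1$Q3cLm9nA$A1b2C3d4E5f6G7h8I9j0K/:18000:0:99999:7:::
"""


def parse_colon_db(text, fields):
    """Parse passwd/shadow-style text into {username: {field: value}}."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (len(fields) - len(parts))   # tolerate short lines
        rec = dict(zip(fields, parts))
        db[rec["user"]] = rec
    return db


def classify(field):
    """Classify a password field as (status, scheme)."""
    if field == "":
        return "empty", None              # no password needed to log in
    if field[0] in "!*":
        return "locked", None             # '!' / '*' prefix disables password login
    m = re.match(r"^\$([A-Za-z0-9]+)\$", field)
    if m:
        return "hashed", HASH_IDS.get(m.group(1), "unknown:" + m.group(1))
    return "hashed", "descrypt"           # 13-char traditional DES crypt carries no '$id$'


def audit(passwd_text, shadow_text):
    """Return sorted (user, issue) findings for a passwd/shadow pair."""
    passwd = parse_colon_db(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_db(shadow_text, SHADOW_FIELDS)
    findings = []
    for user, rec in passwd.items():
        if rec["password"] != "x":
            status, _ = classify(rec["password"])
            if status == "hashed":
                findings.append((user, "hash stored in world-readable /etc/passwd"))
            elif status == "empty":
                findings.append((user, "empty password field in /etc/passwd"))
            continue
        if user not in shadow:
            findings.append((user, "no /etc/shadow entry"))
            continue
        status, scheme = classify(shadow[user]["hash"])
        if status == "empty":
            findings.append((user, "empty password field in /etc/shadow"))
        elif status == "hashed" and scheme in WEAK_SCHEMES:
            findings.append((user, "weak hash scheme " + scheme))
        elif status == "hashed" and scheme.startswith("unknown:"):
            findings.append((user, "unrecognised hash id " + scheme[8:]))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```

Against real files run `audit(open('/etc/passwd').read(), open('/etc/shadow').read())` as root. A `locked` result only says password login is disabled; an account with `!` in `/etc/shadow` can still be reached with an SSH key, so it is deliberately not reported as safe or unsafe here.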

### Windows

<figure><img src="https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2FzsJJwvLpTpDPvT6GLQYh%2FAuth_process1.webp?alt=media&#x26;token=d08e4780-aa4d-4f56-be6f-3371f4cedfc1" alt=""><figcaption></figcaption></figure>

#### Winlogon

`Winlogon` is a trusted process responsible for managing security-related user interactions. These include:

* Launching LogonUI to enter passwords at login
* Changing passwords
* Locking and unlocking the workstation

#### lsass

The [Local Security Authority Subsystem Service](https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service) (`LSASS`) is a collection of many modules and has access to all authentication processes; its executable is `%SystemRoot%\System32\Lsass.exe`. The service is responsible for the local system security policy, user authentication, and sending security audit logs to the `Event log`. In other words, it is the vault of Windows-based operating systems, which is why dumping its process memory is a standard way to recover the credentials of currently logged-on users. A more detailed illustration of the LSASS architecture is available [here](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961760\(v=technet.10\)?redirectedfrom=MSDN).

| Module         | Role                                                                                                                                                                                                                                      |
| -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Lsasrv.dll`   | The LSA Server service both enforces security policies and acts as the security package manager for the LSA. It contains the Negotiate function, which selects either the NTLM or Kerberos protocol after determining which one can succeed. |
| `Msv1_0.dll`   | Authentication package for local machine logons that don't require custom authentication; this is the package that implements NTLM.                                                                                                      |
| `Samsrv.dll`   | The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs.                                                                                                                  |
| `Kerberos.dll` | Security package loaded by the LSA for Kerberos-based authentication on a machine.                                                                                                                                                        |
| `Netlogon.dll` | Network-based logon service.                                                                                                                                                                                                              |
| `Ntdsa.dll`    | The Active Directory Directory System Agent (DSA). On domain controllers it provides the directory service and mediates access to the `NTDS.dit` database.                                                                                 |

Source: [Microsoft Docs](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication).

#### **SAM Database**

The [Security Account Manager](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756748\(v=ws.10\)?redirectedfrom=MSDN) (`SAM`) is a database file in Windows operating systems that stores the password hashes of local user accounts.

User passwords are stored as hashes in a registry hive, either as an `LM` hash or an `NT` hash (commonly called the NTLM hash). The hive file is located at `%SystemRoot%\System32\config\SAM` and is mounted at `HKLM\SAM`. `SYSTEM`-level permissions are required to read it, and the file itself is held open by the kernel while Windows is running, so copying it offline requires a shadow copy or `reg save`.

Microsoft introduced a security feature in Windows NT 4.0 to help improve the security of the SAM database against offline cracking. This is the `SYSKEY` (`syskey.exe`) feature, which, when enabled, partially encrypts the on-disk copy of the SAM file so that the password hash values for all local accounts stored in the SAM are encrypted with a key. That key (the boot key) is derived from values in the `SYSTEM` hive, which is why an offline extraction of SAM hashes needs a copy of the `SYSTEM` hive as well as the `SAM` hive.
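To make concrete what "stored as an NT hash" means, here is an added example (not from the page or from Microsoft) that computes the NT hash in pure Python: MD4 over the UTF-16LE encoding of the password, with no salt and no work factor. MD4 is implemented inline from RFC 1320 because `hashlib.new('md4')` is unavailable on OpenSSL 3 builds; `md4` and `nt_hash` are names chosen here. The LM hash is left out because it needs DES, which the standard library does not provide.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    """32-bit left rotate; the input may exceed 32 bits after additions."""
    x &= MASK
    return ((x << s) | (x >> (32 - s))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# Per-round (function, additive constant, message-word order, shift table) from RFC 1320.
_ROUNDS = (
    (_f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320), implemented here because hashlib may lack it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)        # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k_add, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = _rotl(a + fn(b, c, d) + X[k] + k_add, s)
                elif i % 4 == 1:
                    d = _rotl(d + fn(a, b, c) + X[k] + k_add, s)
                elif i % 4 == 2:
                    c = _rotl(c + fn(d, a, b) + X[k] + k_add, s)
                else:
                    b = _rotl(b + fn(c, d, a) + X[k] + k_add, s)
        state = [(s0 + v) & MASK for s0, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4(UTF-16LE(password)), no salt, no iterations."""
    return md4(password.encode("utf-16le")).hex()


if __name__ == "__main__":
    # Constructed demo: identical passwords give identical hashes because there is no salt.
    for user, pw in (("alice", "password"), ("bob", "password"), ("svc", "")):
        print(f"{user}: {nt_hash(pw)}")
```

Because there is no salt, two accounts with the same password have byte-identical hashes, and one precomputed table covers every SAM or NTDS dump; it is also why an NT hash can be used directly for pass-the-hash instead of being cracked first.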

#### **Credential Manager**

<figure><img src="https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2Folk48CTdbJnUzfyyDmsM%2Fauthn_credman_credprov.webp?alt=media&#x26;token=36f6c758-cdb6-4f2f-903b-7ce935e23dcc" alt=""><figcaption></figcaption></figure>

Credential Manager is a feature built into all Windows operating systems that allows users to save the credentials they use to access various network resources and websites.

Credentials are encrypted with DPAPI and stored at the following location: `C:\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\`. Because the DPAPI master keys are protected with the user's logon password, the stored blobs can only be decrypted with that user's password or recovered master key material.

#### NTDS

When a system is joined to an Active Directory domain, it sends domain logon requests to Domain Controllers that belong to the same forest. Each Domain Controller hosts a file called `NTDS.dit` that is kept synchronized across all Domain Controllers, with the exception of [Read-Only Domain Controllers](https://docs.microsoft.com/en-us/windows/win32/ad/rodc-and-active-directory-schema), which hold a read-only replica that by default stores no password hashes other than those of accounts explicitly allowed to be cached on them.

NTDS.dit is a database file that stores the data in Active Directory, including but not limited to:

* User accounts (username & password hash)
* Group accounts
* Computer accounts
* Group policy objects
