Windows Local Password Attacks
Last updated
Last updated
With access to a non-domain joined Windows system, we may benefit from attempting to quickly dump the files associated with the SAM database to transfer them to our attack host and start cracking hashes offline. Doing this offline will ensure we can continue to attempt our attacks without maintaining an active session with a target. Let's walk through this process together using a target host.
There are three registry hives that we can copy if we have local admin access on the target; each will have a specific purpose when we get to dumping and cracking the hashes. Here is a brief description of each in the table below:
Registry Hive | Description |
---|---|
We can create backups of these hives using the reg.exe
utility.
Launching cmd.exe
as admin:
Technically we will only need hklm\sam
& hklm\system
, but hklm\security
can also be helpful to save as it can contain hashes associated with cached domain user account credentials present on domain-joined hosts.
Lets transfer them (this is only one possible method):
On Kali linux, there's a symlink to a script that simplifies using impacket:
otherwise it can be manually found here:
CompData
Share name
/home/ltnbob/Documents
Target folder
-smb2support
ensures newer SMB support
Again, on Kali Linux we have a shortcut:
Notice the first step secretsdump executes is targeting the system bootkey
before proceeding to dump the LOCAL SAM hashes
. It cannot dump those hashes without the boot key because that boot key is used to encrypt & decrypt the SAM database, which is why it is important for us to have copies of the registry hives we discussed earlier in this section.
Notice at the top of the secretsdump.py output:
This tells us how to read the output and what hashes we can crack. Most modern Windows operating systems store the password as an NT hash. Operating systems older than Windows Vista & Windows Server 2008 store passwords as an LM hash, so we may only benefit from cracking those if our target is an older Windows OS.
Knowing this, we can copy the NT hashes associated with each user account into a text file and start cracking passwords. It may be beneficial to make a note of each user, so we know which password is associated with which user account.
awk command to save the nt hashes
(rockyou.txt is usually compressed in Kali Linux, you need to extract it)
Having the passwords could be useful to us in many ways. We could attempt to use the passwords we cracked to access other systems on the network. It is very common for people to re-use passwords across different work & personal accounts. Knowing this technique, we covered can be useful on engagements. We will benefit from using this any time we come across a vulnerable Windows system and gain admin rights to dump the SAM database.
Keep in mind that this is a well-known technique, so admins may have safeguards to prevent and detect it. We can see some of these ways documented within the MITRE attack framework.
With access to credentials with local admin privileges
, it is also possible for us to target LSA Secrets over the network. This could allow us to extract credentials from a running service, scheduled task, or application that uses LSA secrets to store passwords. or NetExec
We can also dump hashes from the SAM database remotely.
Launch mimikatz then
In addition to getting copies of the SAM database to dump and crack hashes, we will also benefit from targeting LSASS. LSASS is a critical service that plays a central role in credential management and the authentication processes in all Windows operating systems.
Upon initial logon, LSASS will:
Cache credentials locally in memory
Create access tokens
Enforce security policies
Write to Windows security log
Let's cover some of the techniques and tools we can use to dump LSASS memory and extract credentials from a target running Windows.
Task Manager Method
A file called lsass.DMP
is created and saved in:
Rundll32.exe & Comsvcs.dll Method
Before issuing the command to create the dump file, we must determine what process ID (PID
) is assigned to lsass.exe
. This can be done from cmd or PowerShell (in order):
Then to dump:
Recall that most modern AV tools recognize this as malicious and prevent the command from executing. In these cases, we will need to consider ways to bypass or disable the AV tool we are facing. AV bypassing techniques are outside of the scope of this module.
Once we have the dump file on our attack host, we can use a powerful tool called pypykatz to attempt to extract credentials from the .dmp file.
lsa
in the command because LSASS is a subsystem of local security authority
specify the data source as a minidump
Useful information in the output:
MSV is an authentication package in Windows that LSA calls on to validate logon attempts against the SAM database.
WDIGEST
is an older authentication protocol enabled by default in Windows XP
- Windows 8
and Windows Server 2003
- Windows Server 2012
. LSASS caches credentials used by WDIGEST in clear-text.
Kerberos is a network authentication protocol used by Active Directory in Windows Domain environments. Domain user accounts are granted tickets upon authentication with Active Directory. This ticket is used to allow the user to access shared resources on the network that they have been granted access to without needing to type their credentials each time. LSASS caches passwords
, ekeys
, tickets
, and pins
associated with Kerberos. It is possible to extract these from LSASS process memory and use them to access other systems joined to the same domain.
The Data Protection Application Programming Interface or DPAPI is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. Mimikatz and Pypykatz can extract the DPAPI masterkey
for the logged-on user whose data is present in LSASS process memory. This masterkey can then be used to decrypt the secrets associated with each of the applications using DPAPI and result in the capturing of credentials for various accounts.\
Cracking the NT Hash with Hashcat
Same as above:
How we can extract credentials through the use of a dictionary attack against AD accounts
and dumping hashes
from the NTDS.dit
file.
Once a Windows system is joined to a domain, it will no longer default to referencing the SAM database to validate logon requests
.
Keep in mind that a dictionary attack is essentially using the power of a computer to guess a username &/or password using a customized list of potential usernames and passwords. It can be rather noisy
(easy to detect) to conduct these attacks over a network because they can generate a lot of network traffic and alerts on the target system as well as eventually get denied due to login attempt restrictions that may be applied through the use of Group Policy.
When we find ourselves in a scenario where a dictionary attack is a viable next step, we can benefit from trying to custom tailor
our attack as much as possible.
Example of possible usernames, could help from OSINT.
Often, an email address's structure will give us the employee's username (structure: username@domain). For example, from the email address jdoe
@inlanefreight.com
, we see that jdoe
is the username.
A tip from MrB3n: We can often find the email structure by Googling the domain name, i.e., “@inlanefreight.com” and get some valid emails. From there, we can use a script to scrape various social media sites and mashup potential valid usernames. Some organizations try to obfuscate their usernames to prevent spraying, so they may alias their username like a907 (or something similar) back to joe.smith. That way, email messages can get through, but the actual internal username isn’t disclosed, making password spraying harder. Sometimes you can use google dorks to search for “inlanefreight.com filetype:pdf” and find some valid usernames in the PDF properties if they were generated using a graphics editor. From there, you may be able to discern the username structure and potentially write a small script to create many possible combinations and then spray to see if any come back valid.
We can manually create our list(s) or use an automated list generator
such as the Ruby-based tool Username Anarchy to convert a list of real names into common username formats.
Launching the Attack with CrackMapExec
It can be useful to know what might have been left behind by an attack. Knowing this can make our remediation recommendations more impactful and valuable for the client we are working with.
On any Windows operating system, an admin can navigate to Event Viewer
and view the Security events to see the exact actions that were logged.
Once we have discovered some credentials, we could proceed to try to gain remote access to the target domain controller and capture the NTDS.dit file.
NT Directory Services
(NTDS
) is the directory service used with AD to find & organize network resources.
Recall that NTDS.dit
file is stored at %systemroot%/ntds
on the domain controllers in a forest.
This is the primary database file associated with AD and stores all domain usernames, password hashes, and other critical schema information. If this file can be captured, we could potentially compromise every account on the domain similar to the technique we covered in this module's Attacking SAM
section.
Checking Local Group Membership
Once connected, we can check to see what privileges bwilliamson
has. We can start with looking at the local group membership using the command:
We are looking to see if the account has local admin rights. To make a copy of the NTDS.dit file, we need local admin (Administrators group
) or Domain Admin (Domain Admins group
) (or equivalent) rights. We also will want to check what domain privileges we have.
Creating Shadow Copy of C:
We can use vssadmin
to create a Volume Shadow Copy (VSS
) of the C: drive or whatever volume the admin chose when initially installing AD. It is very likely that NTDS will be stored on C: as that is the default location selected at install, but it is possible to change the location. We use VSS for this because it is designed to make copies of volumes that may be read & written to actively without needing to bring a particular application or system down.
Copying NTDS.dit from the VSS
You can move this file in many ways, one of which was presented in Attacking SAM
A Faster Method: Using cme to Capture NTDS.dit
usual NT hashes procedure, either a file or single one:
Useful if cannot crack the hash
A PtH attack takes advantage of the NTLM authentication protocol to authenticate a user using a password hash. Instead of username
:clear-text password
as the format for login, we can instead use username
:password hash
. Here is an example of how this would work:
Here are some helpful key terms we can use that can help us discover some credentials:
We can start by using Windows search
We can also take advantage of third-party tools like Lazagne to quickly discover credentials that web browsers or other installed applications may insecurely store. It would be beneficial to keep a standalone copy of Lazagne on our attack host so we can quickly transfer it over to the target
This will execute Lazagne and run all
included modules. We can include the option -vv
to study what it is doing in the background. Once we hit enter, it will open another prompt and display the results.
Using findstr
We can also use findstr to search from patterns across many types of files. Keeping in mind common key terms, we can use variations of this command to discover credentials on a Windows target:
Here are some other places we should keep in mind when credential hunting:
Passwords in Group Policy in the SYSVOL share
Passwords in scripts in the SYSVOL share
Password in scripts on IT shares
Passwords in web.config files on dev machines and IT shares
unattend.xml
Passwords in the AD user or computer description fields
KeePass databases --> pull hash, crack and get loads of access.
Found on user systems and shares
Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, Sharepoint
Username Convention | Practical Example for Jane Jill Doe |
---|---|
hklm\sam
Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext.
hklm\system
Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database.
hklm\security
Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.
firstinitiallastname
jdoe
firstinitialmiddleinitiallastname
jjdoe
firstnamelastname
janedoe
firstname.lastname
jane.doe
lastname.firstname
doe.jane
nickname
doedoehacksstuff
Passwords
Passphrases
Keys
Username
User account
Creds
Users
Passkeys
Passphrases
configuration
dbcredential
dbpassword
pwd
Login
Credentials