Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool. One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm] much …
A common and critical vulnerability exploited during penetration tests is that of reused Local Administrator passwords. This issue is a common one it allows an attacker to find a vulnerable machine on a network, pull the administrative hash out of that machine and then log-in to a more interesting machine or ultimately privilege escalate.
A tool exists for dumping plaintext passwords out of memory on Windows, it requires Local Administrator level privileges but it’s a great tool for privilege escalation from Local Admin to Domain Admin. There are Windows EXEs available but it’s also been rolled into Meterpreter! It can also inject a hash into memory to effectively perform a local pass-the-hash attack! If you want to run it on a remote machine remember to check out this post on running remote commands on Windows machines.
During Penetration Testing engagements one of my favourite issues to exploit is a Domain User with Local Administrator permissions. It’s a pretty common issue to see and when speaking to IT Departments about the issue it seems that the risk is often under-estimated. So a user has been given administrative permission over one workstation – what’s the worst that can happen?
What are LLMNR and NetBIOS-NS? They’re both methods of resolving hostnames to IP addresses. On your network if you try to contact a system by name first of all DNS will be used, but if that fails LLMNR will be attempted followed by NetBIOS. LLMNR is the successor to NetBIOS and it supports IPv6 and multicast addresses.
Most Penetration Testers will know and love Metasploit’s PsExec module for running commands on remote Windows machines, if you’re not familiar with it – it allows you to take a compromised Local Administrator account and use it to execute commands on the remote machine (or to upload Meterpreter of course! These methods all require the ability to write to Admin$ on the remote machine, which basically means a Local Administrator account.
On a Penetration Test, once you’ve scored Domain Admin (DA) Access, it’s generally a good idea to take a look at the hashes stored in Active Directory (AD). Not least because it’ll point out all of the weak accounts that you missed on your journey to DA but also because password reuse across accounts may get you into other systems, such as Linux servers or the network infrastructure. There are a few methods of dumping hashes and every PenTester I expect knows one of these, but I’ve included a few as it’s always good to have a backup plan.
CVE-2014-0160 A vulnerability exists in outdated version of OpenSSL which allows an attacker to cause the server to disclose up to 64kb of server memory contents. This can cause secret keys, authentication tokens, usernames and passwords to be compromised. This can lead to an attacker being able to impersonate users and decrypt data transferred between a user and the server.
All the fun of the post on XML External Entities (XXE) but less wordy! A internal entity: <!–?xml version=”1.0″ ?–> <!DOCTYPE replace [<!ENTITY example “Doe”> ]> <userInfo> <firstName>John</firstName> <lastName>&example;</lastName> </userInfo>
Pre-Execution Boot, or PXE, is a method of booting a workstation machine by loading an operating system across the network. If PXE boot can be enabled (often it is enabled by default, even when machines are restricted from booting CDs or USB Devices) then an stripped down Linux operating system can be loaded over the network and used to compromise the target.