Inspired by the CQURE 5 day challenge I’ve decided to document some of the things that I’ve learned from the daily assessments. 🙂
Table of Contents
- Analyze a Windows Service
- Auditing permissions
- About handles and the SAM file
- Password Hashes
- Memory Dump
If you log in to your Windows machine, the password you’ve typed in is compared with the information that is stored in the SAM database. Here it’s important to know that Windows does not store any password in cleartext. Within that database only the hash value is stored. A hash is the result of a one-way calculation.
That means hashing is a form of cryptographic protection that differs from encryption. Where encryption is a two-step process used to first encrypt and then decrypt a message, hashing condenses a message into an irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1. Just as a side note, the NTLM (NT) hashes Windows stores are computed with MD4.
Let’s use the tool CQHashcalc.exe to generate a sample hash for a user
CQHashcalc.exe "Password" "user"
username: user / Password: P@ssw0rd
Now we change the password to P@sSw0rd and notice that we get a completely different MD4 hash value.
In this article the focus is on how the hashes of a Windows system can be obtained. A closer look at how to crack them is something for another article.
Let’s continue with a tool called CQHashdumpv2.exe. With the help of that tool we’re able to dump the hashes live if it is run as the SYSTEM account. We’ve already discussed in the previous topic how to get a cmd running as LocalSystem.
psexec -s -i -d cmd.exe
Note that the MD4 NTLM hash is censored in the picture above. If we have a copy of the SAM and SYSTEM files, we can also do an offline dump. The SYSTEM file is needed to decrypt the SAM file.
CQHashdumpv2.exe --samdump --sam=SAM --system=SYSTEM
I’m curious and use Crackstation to see if I get a match from the extracted hashes. 🙂
But what about when we have to deal with Active Directory? On a Windows Domain Controller passwords are not stored in the SAM database. Here we have to take a closer look at a file named NTDS.DIT. Like the SAM database it’s also protected by the system, but we can use the same technique that was explained in the previous topic: create a Volume Shadow Copy or use an existing one, then create a symlink to the Volume Shadow Copy and copy the files away 😉
Note: NTDS.DIT is located under C:\Windows\NTDS\NTDS.dit and the SYSTEM file can be found at C:\Windows\System32\config\SYSTEM
Sadly no NTDS.dit file was provided for this lab, but it took me only a short while to find one from someone else. Thank you Didier Stevens for providing this file 🙂
(I think that’s from a Windows 2003 domain controller)
First I run the tool esedbexport.exe against the NTDS.dit file to extract the tables.
Important for us are the datatable and the link_table, which we need for the further extraction.
python dsusers.py ..\ntds.dit.export\datatable.3 ..\ntds.dit.export\linktable.4 --passwordhashes ..\system >..\hashes.txt
For some reason it failed at the second step, „Extracting schema information“ – 100% -> 0 records processed 🙁
After searching for an alternative I came across another toolkit called Impacket.
It’s very easy to install by running the command pip install impacket in the extracted directory.
In the folder examples we find a Python script called secretsdump.py which we can run against the ntds.dit and SYSTEM file to extract the hashes.
python secretsdump.py -ntds ..\ntds.dit -system ..\system -just-dc-ntlm LOCAL
Bingo! We’re done 🙂
Some recurring questions:
Which algorithm is used for calculating hashes of passwords in windows?
How are password hashes protected in the SAM database?
Hashes are encrypted with a key stored in the SYSTEM registry hive
What are the „rainbow tables“?
It’s a set of precalculated hashes for the most popular passwords
Where’s the SAM database stored on the disk?
How is the password hash usually displayed?
32 hex digits (0-F)