{"id":213,"date":"2018-07-04T13:58:03","date_gmt":"2018-07-04T12:58:03","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=213"},"modified":"2018-07-06T22:06:03","modified_gmt":"2018-07-06T21:06:03","slug":"password-hashes","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=213","title":{"rendered":"Password Hashes"},"content":{"rendered":"<p>Inspired by the CQURE <a href=\"https:\/\/cqureacademy.com\/challenge\" target=\"_blank\" rel=\"noopener\">5 day challenge<\/a> I&#8217;ve decided to document some of the things that I&#8217;ve learned from the daily assessments. \ud83d\ude42<\/p>\n<p><strong>Table of Contents<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=164\" target=\"_blank\" rel=\"noopener\">Analyze a Windows Service<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=199\" target=\"_blank\" rel=\"noopener\">Auditing permissions<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=181\" target=\"_blank\" rel=\"noopener\">About handles and the SAM file<\/a><\/li>\n<li><strong>Password Hashes<\/strong><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=253\" target=\"_blank\" rel=\"noopener\">Memory Dump<\/a><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">When you log in to your Windows machine, the password you type is compared with the information stored in the SAM database. It&#8217;s important to know that Windows does not store any password information in cleartext. Within that database only the hash value is stored. 
<strong>Hashes are the result of a one-way calculation<\/strong>.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/OcHpG.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-216 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/OcHpG.png\" alt=\"\" width=\"520\" height=\"136\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/OcHpG.png 520w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/OcHpG-300x78.png 300w\" sizes=\"auto, (max-width: 520px) 100vw, 520px\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">That means hashing is a form of cryptographic security which differs from encryption. Where encryption is a two-step process used to first encrypt and then decrypt a message, hashing condenses a message into an irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1. 
As a side note, Windows uses MD4 NTLM hashes.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/Jlmsx.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-217 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/Jlmsx.png\" alt=\"\" width=\"193\" height=\"127\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">Let&#8217;s use the tool <a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/CQHashCalc.zip\" target=\"_blank\" rel=\"noopener\">CQHashcalc.exe<\/a> to generate a sample hash for a user.<\/p>\n<p style=\"text-align: justify;\"><code>CQHashcalc.exe \"Password\" \"user\"<\/code><\/p>\n<p style=\"text-align: justify;\">Username: user \/ Password: <strong>P@ssw0rd<\/strong><\/p>\n<p style=\"text-align: justify;\"><code>MD4(NTHash): E19CCF75EE54E06B06A5907AF13CEF42<\/code><br \/>\n<code>SHA1: 9131834CF4378828626B1BECCAA5DEA2C46F9B63<\/code><br \/>\n<code>MSDCC2: 8D655A0CD9094CF8CFA3BF191E732199<\/code><\/p>\n<p style=\"text-align: justify;\">Now we change the password to <strong>P@sSw0rd<\/strong> and notice that we get a different MD4 hash value.<\/p>\n<p style=\"text-align: justify;\"><code>MD4(NTHash): 6CEB26D5BF9354C62EACF0784247C926<\/code><br \/>\n<code>SHA1: 8696B6F261A647C1073E8808B9251F795CB2CF4F<\/code><br \/>\n<code>MSDCC2: 6C966092BFC1005E2E474C6A7E2066EE<\/code><\/p>\n<p style=\"text-align: justify;\">Hashes cannot be reversed mathematically, but they can be cracked using <a href=\"http:\/\/project-rainbowcrack.com\/table.htm\" target=\"_blank\" rel=\"noopener\">rainbow tables<\/a> (sets of precalculated hashes), <a href=\"https:\/\/crackstation.net\/\" target=\"_blank\" rel=\"noopener\">online cracking databases<\/a> or tools like <a href=\"https:\/\/hashcat.net\/hashcat\/\" target=\"_blank\" rel=\"noopener\">Hashcat<\/a>.<\/p>\n<p>This article focuses on how to get\/steal 
the hashes of a Windows system. A closer look at how to crack them can be something for another article.<\/p>\n<p>Let&#8217;s continue with a tool called <a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/CQHashDumpv2.zip\" target=\"_blank\" rel=\"noopener\">CQHashdumpv2.exe<\/a>. With the help of that tool we&#8217;re able to dump the hashes live if it&#8217;s run as the SYSTEM account. We&#8217;ve already discussed in the <a href=\"https:\/\/cybercop-training.ch\/?p=181\" target=\"_blank\" rel=\"noopener\">previous topic<\/a> how to get a cmd running as LocalSystem.<\/p>\n<p style=\"text-align: justify;\"><code>psexec -s -i -d cmd.exe<\/code><\/p>\n<p><code>CQHashdumpv2.exe --samdump<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-226 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_2.png\" alt=\"\" width=\"711\" height=\"314\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_2.png 711w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_2-300x132.png 300w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/a><\/p>\n<p>Note that the MD4 NTLM hash is censored in the picture above. If we have a <a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/StolenFiles.zip\" target=\"_blank\" rel=\"noopener\">copy of the SAM and SYSTEM file<\/a>, we can also do an offline dump. 
The SYSTEM File is needed to decrypt the SAM File.<\/p>\n<p><code>CQHashdumpv2.exe --samdump --sam=SAM --system=SYSTEM<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-227 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_3.png\" alt=\"\" width=\"701\" height=\"317\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_3.png 701w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_3-300x136.png 300w\" sizes=\"auto, (max-width: 701px) 100vw, 701px\" \/><\/a><\/p>\n<p>I&#8217;m curious and use <a href=\"https:\/\/crackstation.net\/\" target=\"_blank\" rel=\"noopener\">Crackstation<\/a> to see if I get a match from the extracted hashes. \ud83d\ude42<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-229 size-large\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_4-1024x330.png\" alt=\"\" width=\"1024\" height=\"330\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_4.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_4-300x97.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_4-768x248.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-230 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_5.png\" alt=\"\" width=\"1011\" height=\"401\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_5.png 1011w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_5-300x119.png 300w, 
https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_5-768x305.png 768w\" sizes=\"auto, (max-width: 1011px) 100vw, 1011px\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">But what about when we have to deal with Active Directory? On a Windows domain controller, passwords are not stored in a SAM database. Here we have to take a closer look at a file named NTDS.DIT. Like the SAM database it&#8217;s also protected by the system, but we can use the same technique that was explained in the <a href=\"https:\/\/cybercop-training.ch\/?p=181\" target=\"_blank\" rel=\"noopener\">previous topic<\/a>: create a Volume Shadow Copy or use an existing one, then create a symlink to the Volume Shadow Copy and copy the files away \ud83d\ude09<\/p>\n<p>Note that NTDS.DIT is located at <strong>C:\\Windows\\NTDS\\NTDS.dit<\/strong> and the SYSTEM file can be found at <strong>C:\\Windows\\System32\\config\\SYSTEM<\/strong>.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/NTDS_DIT.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-232 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/NTDS_DIT.png\" alt=\"\" width=\"624\" height=\"470\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/NTDS_DIT.png 624w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/NTDS_DIT-300x226.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/NTDS_DIT-326x245.png 326w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/NTDS_DIT-80x60.png 80w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/p>\n<p>Sadly no NTDS.dit file was provided for this lab, but it took me only a short while to find one from <a 
href=\"https:\/\/blog.didierstevens.com\/2016\/07\/12\/practice-ntds-dit-file-part-1\/\" target=\"_blank\" rel=\"noopener\">someone else<\/a>. Thank you Didier Stevens for providing this file \ud83d\ude42<\/p>\n<p>(I think that&#8217;s from a Windows 2003 domain controller)<\/p>\n<p>Download <a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/ntds.zip\" target=\"_blank\" rel=\"noopener\">NTDS.zip<\/a> and the <a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/NTDSX.zip\" target=\"_blank\" rel=\"noopener\">Extraction\/Dumping Tools<\/a> for the rest of the exercise.<\/p>\n<p>First I run the tool esedbexport.exe against the NTDS.dit file to extract the tables.<\/p>\n<p><code>esedbexport.exe ntds.dit<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-243 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_6.png\" alt=\"\" width=\"875\" height=\"243\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_6.png 875w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_6-300x83.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_6-768x213.png 768w\" sizes=\"auto, (max-width: 875px) 100vw, 875px\" \/><\/a><\/p>\n<p>Important for us are the <strong>datatable<\/strong> and the <strong>link_table<\/strong> which we need for further extractions.<\/p>\n<p><code>python dsusers.py ..\\ntds.dit.export\\datatable.3 ..\\ntds.dit.export\\linktable.4 --passwordhashes ..\\system &gt;..\\hashes.txt<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-244 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_7.png\" alt=\"\" width=\"938\" height=\"199\" 
srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_7.png 938w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_7-300x64.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_7-768x163.png 768w\" sizes=\"auto, (max-width: 938px) 100vw, 938px\" \/><\/a><\/p>\n<p>For some reason it failed at the second step &#171;Extracting schema information&#187; &#8211; 100% -&gt; 0 records processed \ud83d\ude41<\/p>\n<p>After searching for an alternative I came across another toolkit called <a href=\"https:\/\/github.com\/CoreSecurity\/impacket\" target=\"_blank\" rel=\"noopener\">Impacket<\/a>.<\/p>\n<p>It&#8217;s very easy to install by running the command <code>pip install impacket<\/code> in the extracted directory.<\/p>\n<p>In the folder examples we find a Python script called <strong>secretsdump.py<\/strong> which we can run against the ntds.dit and SYSTEM file to extract the hashes.<\/p>\n<p><code>python secretsdump.py -ntds ..\\ntds.dit -system ..\\system local -just-dc-ntlm<\/code><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-245 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_8.png\" alt=\"\" width=\"931\" height=\"754\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_8.png 931w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_8-300x243.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/07\/4_8-768x622.png 768w\" sizes=\"auto, (max-width: 931px) 100vw, 931px\" \/><\/a><\/p>\n<p>Bingo! 
We&#8217;re done \ud83d\ude42<\/p>\n<p>Some recurring questions:<\/p>\n<p><strong>Which algorithm is used for calculating hashes of passwords in Windows?<\/strong><br \/>\nMD4<\/p>\n<p><strong>How are password hashes protected in the SAM database?<\/strong><br \/>\nHashes are encrypted with the key stored in SYSTEM Registry Hive<\/p>\n<p><strong>What are the &#171;rainbow tables&#187;?<\/strong><br \/>\nIt&#8217;s a set of precalculated hashes for most popular passwords<\/p>\n<p><strong>Where&#8217;s the SAM database stored on the disk?<\/strong><br \/>\nC:\\Windows\\system32\\config\\sam<\/p>\n<p><strong>How is the password hash usually displayed?<\/strong><br \/>\n32 hex digits (0-F)<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Inspired by the CQURE 5 day challenge I&#8217;ve decided to document some of the things that I&#8217;ve learned from the daily assessments. \ud83d\ude42 Table of <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=213\" title=\"Password 
Hashes\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":214,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10],"tags":[],"class_list":["post-213","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-windows-security"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=213"}],"version-history":[{"count":15,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/213\/revisions"}],"predecessor-version":[{"id":271,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/213\/revisions\/271"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/214"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}