[POST EXPLOITATION] - Finding the user, their password hash and cracking the password
<aside>
💡 Post Exploitation :
- Occurs after an attacker has gained an initial foothold on a system
- Attacker will try to
    - Escalate their privileges - obtain access to sensitive information or critical functionality that is only available to higher-privileged users
    - Maintain persistence within the target environment - set up additional mechanisms to regain access if their current access is blocked or removed
- The post exploitation stage also allows attackers to enumerate, identify, and exploit other components in the environment/network (lateral movement)
</aside>
<aside>
💡 Authentication and Hashing :
- Windows stores local account credentials in the Security Accounts Manager (SAM) database, as password hashes rather than clear text (domain accounts live in NTDS.dit on the domain controllers)
- Most common types of hashes stored in SAM
    - LAN Manager (LM) - oldest form of password storage used by Windows, kept only for compatibility with legacy systems
        - The password is uppercased, padded/truncated to 14 characters and split into two 7-character halves, each used as a DES key to encrypt a fixed string; the reduced character set and the independent halves make it feasible to try every combination
    - NT LAN Manager (NTLM) - the modern algorithm (the "NT hash"): MD4 over the UTF-16LE encoding of the password, with no salt, so identical passwords produce identical hashes and wordlist attacks run at MD4 speed
- Once a user logs on, the Local Security Authority Subsystem Service (LSASS) process keeps the user's credentials (NT hash, and on older/unhardened systems the clear-text password via WDigest) in memory for single sign-on, so that they don't need to enter credentials constantly
</aside>
<aside>
💡 Dumping Password Hashes :
- Since the LSASS process performs authentication and has to interact with the SAM database, it runs as SYSTEM; reading its memory requires SeDebugPrivilege, which only administrators hold by default
- Standard tool to retrieve password hashes from memory is mimikatz (run from an elevated prompt; LSASS protection such as RunAsPPL or Credential Guard will block this)
- Mimikatz
    privilege::debug
     enables SeDebugPrivilege for the mimikatz process; if this fails you do not have the necessary privileges
    sekurlsa::logonpasswords
     dumps the credentials (NT hashes and any cached clear-text passwords) of every logged-on session from LSASS memory
</aside>
<aside>
💡 Cracking Password Hash :
- John the Ripper to crack password hashes
- Save the dumped hashes to a file, one per line as <user>:<NT hash>, then run
    john --format=NT -w=/usr/share/wordlists/rockyou.txt <hash file> --pot=<output file>
    format - specifying NT (NTLM) hashes
    w - short for --wordlist, the dictionary of candidate passwords
    pot - file the recovered clear-text passwords are stored in; rerun with john --show --pot=<output file> <hash file> to print them as user:password
</aside>
Questions ➖
1 - mimikatz
2 - ntlm hash of another user
3 - crack the hash