In the previous post I shared the inside scoop on hashes and methods of password extraction. But there was one thing missing: I didn’t tell you how to get the hash! Today I’m going to enumerate four common ways to grab the hash. And then I’ll show you how to use PwDump.exe and Cain to crack the hash in seconds.
Walk with me!
Without the hash we can’t do anything. So let’s start here.
Appropriating the hash
1. You can get the hash by logging into the server machine and saving the hash to a DVD, CD or USB drive. Heck, you could even upload it to OneDrive or Google Docs because the file usually isn’t that large.
2. Alternatively, you could boot to the local box using a Live CD such as Kali Linux and then use PwDump, BKHive or SAMDump2 to snag the hashes.
3. You could also execute a remote exploit using Metasploit to copy the PwDump, BKHive or SAMDump2 tools to the victim’s machine and then get the hash and start cracking offline.
4. Kerbcrack is another tool used to facilitate your cracking quest. It sniffs the hash off the network and then uses a cracking tool to break the password. This is how you would compromise Active Directory accounts.
Scary but true.
Let’s take a look at this on a live Windows 2003 Server machine.
Cracking the Windows password
Imagine with me that you are the attacker sitting at an unlocked server box.
So the first way to block this kind of attack is to use physical access controls to ensure people can’t just walk into your server room and log in to your servers. Secondly, you would implement technical access controls by ensuring the box is never left unlocked and is secured with a strong password. Finally, an administrative access control in a company handbook could delineate that unauthorized users would be terminated and punished to the fullest extent of the law.
But hey, let’s say some silly server administrator named Vonnie left the door wide open and the box completely exposed.
You sneak into the server room and are standing before the computer accounts list.
Next, you insert your USB stick that fortuitously has PwDump sitting on it. After extracting the file you run:
pwdump localhost > win2k3hashes.log
This dumps the SAM hashes to a file called win2k3hashes.log.
Let’s open it up to take a peek. The first part is the LAN MAN hash (highlighted in the screenshot) and the second part after the colon is the NTLM hash.
Here’s a quick tip: remember I told you the second half of the LAN MAN hash is AAD3B435B51404EE? We would see that string in the second part of the highlighted hash. It’s actually the LM hash of a blank value, which is why it shows up whenever that half of the password is empty.
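As an added example (not part of the original post), here is a small Python audit script an admin can run over a pwdump-style file to find accounts that still carry an LM hash, using the AAD3B435B51404EE blank-half value above. The sample dump lines and their hash values are constructed, except the two well-known blank constants.

```python
# Each LM half that encodes nothing is the AAD3B435B51404EE value from the post;
# a password longer than 14 chars (or LM storage turned off) leaves both halves blank.
LM_EMPTY_HALF = "aad3b435b51404ee"
LM_EMPTY = LM_EMPTY_HALF * 2
# NT hash of the empty password (well-known constant).
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")


def audit_pwdump(text: str) -> list:
    """Parse pwdump-style lines (user:RID:LM:NT:::) and return (user, issue) pairs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            findings.append((line, "unparseable line"))
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if nt == NT_EMPTY:
            findings.append((user, "blank password"))
        # pwdump prints a "NO PASSWORD***" marker when no LM hash is stored at all.
        if len(lm) != 32 or not set(lm) <= HEX or lm == LM_EMPTY:
            continue  # no LM hash on disk: nothing for an LM dictionary attack to use
        if lm[16:] == LM_EMPTY_HALF:
            findings.append((user, "LM hash stored; password is 7 chars or fewer"))
        else:
            findings.append((user, "LM hash stored; password is 8-14 chars"))
    return findings


# Constructed sample dump (made-up hashes apart from the blank constants).
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
vonnie:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1002:NO PASSWORD*********************:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user, issue in audit_pwdump(SAMPLE_DUMP):
        print(f"{user}: {issue}")
```

Any account it flags is one where the LM hash should stop being stored; the Windows policy "Network security: Do not store LAN Manager hash value on next password change" takes care of that once the password is reset.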
Raising cain with Cain & Abel
Next, you save the dump to your USB drive, pop it into your laptop and import the hash file into the ever popular password cracking application: Cain & Abel.
Press the Insert key to open the Add NT Hashes from dialog and select Import Hashes from a text file. Then browse to the text file and click Next.
Then it’s just a matter of right-clicking the account you want to crack, mousing over Dictionary Attack and choosing LM Hashes.
Now you can insert your dictionary and start cracking.
In a few seconds, Cain already deduced the first half of my password: it’s “PASSWO”.
For some reason it didn’t grab the whole thing, but the point is that you can use this tool to do some serious damage.
The Bottom Line
Today’s example is an excellent reason why admins shouldn’t run archaic software in production environments. Windows Server 2003 has been supplanted by Windows Server 2012 R2, which is more secure. Given how easy it is to extract and crack passwords in Windows Server 2003, no one should ever use it.
The purpose of this series was just to show you how an attacker could pull off this attack. An admin could forestall the attacker with various administrative, technical and physical controls. In addition, running the latest version of Windows Server would also stymie the attacker.
Alright, I’ve got to curtail this post here. My eyes are starting to close and I need a nap haha.
I’m outta here.