Start to finish: Cracking a Windows Server 2012 R2 Administrator account (Part 1 of 2)

I want you to imagine your best friend from college challenges you to a duel.

Here’s the deal: you both graduated with honors from ivy league schools but your careers bifurcated down different paths.  You decided to work in corporate america but he started his own software company in Silicon Valley.

Now you’re friend has a kinetic personality.  He’s incredibly smart, talks faster than you can think and really understand technology.  But he’s also full of hubris and lacks humility.

One day over drinks, in a moment of spontaneity, he looks you straight in the eye and challenges you to a duel.

He leans in and boasts:

I bet you can’t hack into my network.  I’ve hired the best security administrators.  I have invested millions on cutting edge protection systems and I’m confident that my network is indomitable.  In fact, I’m so sure you can’t break in that I’ll cut your company a check for $500,000 if you can breach my security controls.  I’ll give you 1 week.  But if you can’t break in you’ll have to give me bragging rights and every time you see me you’ll have to rhapsodize about my invulnerable network.  I’ll be expecting constant laudation.  Sound like a deal?

With a smug smirk on his face, he stretches out his hand for the shake.

Would you shake on it?

You decided to shake on it.  After all, it’s not going to cost you anything to accept the challenge.

The first thing you need to do is figure out how you’re going to gain access to his corporation.  Are you planning to penetrate his enterprise remotely or physically through social engineering?  MAybe you hang out with a group of people on a smoke break and then tailgate the crowd into the elevator as they pass through the security turnstiles?  Or maybe you can pose as a plumber or FedEx employee and dupe the receptionist into letting you inside?

Hmm…

WE also also have someone click on a link and get access that way.

Let’s say you use chicanery and charm to weasle your way into one of the cubicles on his floor.  What next?

Since you read my 3 part introduction on Kali Linux, you have the Live CD in hand.  So you pop it in the CD tray, boot the PC off the CD, mount the file system, find the hash and dump it to a USB drive.

Is this possible?

Yes.

Is it probable?

You bet.

How Hash Hacking Works

Windows stores plaintext passwords in a obfuscated format known as a hash.

We can use a tool such as SAMdump2 to capture the password hashes and team that with John the Ripper to crack the password.  John The Ripper tries to guess the password by hashing it and comparing hashes.  If the hash matches the one we captured with SAMdump2 then we know John The Ripper correctly guessed the password.

If we have a dictionary list with millions of phrases we can use that.  Or we can combine that with a brute force attack to create a hybrid attack.

Let’s say he has a Dell PowerEdge R920 running Windows Server 2012 R2.  We slipped into the server room, popped open the DVD drive and booted from the Kali Live CD.

How did we get inside?  The door was ajar.

Why?

Because an authorized technician was working on the phone system and propped it open so he could easily enter and exit without bothering management.

Ha.

Image credit Dell PowerEdge R920

After inserting the CD you press F12 to bring up the Dell Boot menu.

You quickly look over your shoulder and select CD/DVD/CD-RW Drive.

Dell Boot Screen

After a few seconds, the Kali Boot screen appears.

Kali Live CD

After another glance over your shoulder you hit enter to boot into the terminal.

Kali Terminal Window

Whoa.

So now what?

Remember what we need to do: with the Live CD booted on the victim’s computer, we can mount the file system and dump the SAM hashes, take it back to our basement and feed it to John the Ripper so we can crack the passwords.  Hash cracking is effective but it’s a slow process.  So you should expect to leave your computer cracking for days, maybe weeks before you strike gold.

That being said, you really want the $500,000 offer your friend promised so you’re up for it.

Looking around

The first thing we need to do is look around the file system.  We’ve booted to the Windows Server 2012 R2 server but we can’t view the file system without mounting it.

fdisk can help us see what’s going on.

fdisk -l (lowercase "L")

fdisk -l

We can see two storage devices here:

  • /dev/sda1
  • /dev/sda2

The password hashes are typically on the larger device so let’s go with sda2.

The Plan

We’re going to make a new folder and then we’ll mount the sda2 filesystem to that folder so we can look around.

Let’s name our folder PC_HDD and then mount it:

mkdir PC_HDD
mount /dev/sda2 /root/PC_HDD

Now can can poke around SDA2 by changing to the PC_HDD directory.

Mount SDA in Kali

cd /root/PC_HDD
ls

Kali Linux File System

And this my friend is the Windows Server 2012 R2 file system.  It’s like we’re sitting at a Windows command prompt browsing through the files.

We need to browse to the directory that holds the password hashes.

cd ./Windows/System32/config
ls | more

Windows Server 2012 SAM

Oooh what’s that?

SAM file contains our hashes but we can’t just grab the file and leave.  There are a few things we need to do to extract the hash:

There are two steps:

  • Use bkhive to extract the hive
  • Use samdump2 to extract the hashes

bkhive is just an intermediate step to give us a file that samdump can use.

bkhive SYSTEM /root/key.txt

And now we invoke samdump2 using the bkhive output file.

samdump2 SAM /root/key.txt > /root/hash.txt

bkhive and samdump2

Whoohoo.

hash.txt is our gold.

Let’s take a look before someone notices you:

more /root/hash.txt

SAM hash

Here’s the list of accounts on the server.  We only have two:

  • Administrator
  • Guest

The 500 after Administrator means it’s an admin.  So if you saw another account named Vonnie:500 you would know Vonnie is also an admin.

The exit!

After verifying the hash, you furtively save the file to your jump drive, eject the Kali Linux CD and dash out the server room.

You now have everything you need to crack the password offline.

The Bottom Line

Don’t be overconfident.

If someone is motivated enough they can break any security system.  I don’t care how much money you’ve spent on locking down your servers, securing the perimeter and educating your staff.  If someone wants in to your company they’re going to get in.  The best you can do is slow them down.

Perfect security doesn’t exist.

Tomorrow I’ll show you how to crack the Windows Server 2012 hashes was filched.

About

Connect with Vonnie on Twitter

Posted in How To, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows XP Tagged with: , , ,