# Post-Exploitation ## Pilfering * retrieve useful information from machine * passwords (`/etc/shadow`, `hashdump` SAM database) * cryptographic keys (SSH, PGP, GPG) * `/etc/passwd` format: fields separated by colons * `jef:$y$salty$youwish:20022:0:99999:7:::` 1. `jef`: username 2. `$1$salty$youwish`: hash id, salt and password hash 3. `20022`: day password was last changed (unix timestamp but in days) 4. `0`: minimum age of password before it can be changed again 5. `99999`: max age of password, after how many days password must be changed 6. `7`: how many days before expiring the user should be warned 7. number of days after password expired that user should be locked out (usually empty) 8. expiration date of account * moving files * push file directly if firewall allows it * otherwise send command to target to pull target from client * use whatever protocol works best (FTP, SMB...) * meterpreter supports sending files * Windows * user credentials cached in Microsoft Credential Manager * extract using credential cache dumping tools * requires admin * service account passwords stored encrypted in LSA secrets section of registry * Mimikatz `lsadump` can dump these * wireless client profiles can be extracted if admin * other * source code of services for vulnerability analysis * scripts for hardcoded passwords * files left behind by users that shouldn't be * browser passwords * machines with which machine has recently communicated (find pivot targets) * DNS servers * web servers * mail * ... ## Password attacks * guessing * generates lots of traffic * can lock out accounts * slower than cracking * **spray attack**: try single password on list of users * cracking * steal hashed password and compare hashes * runs on attacker's machine -> stealthier * important for assessing security posture of network 1. access control evaluation * assess password strength * password policies 2. credential-based attacks * **brute force**: try many combination to expose weak or default passwords * **dictionary**: use list of common password * **credential stuffing**: use credentials from previous breaches 3. privilege escalation 4. social engineering: trick users into revealing passwords * MFA * prevent leak of password from becoming a breach * bypassing * phishing or man-in-the-middle * expose implementation flaws * insecure methods, e.g. SMS or email * session hijacking, e.g. intercepting cookies * social engineering, e.g. pose as tech support * SIM swapping: get victim's phone number reassigned to new SIM card * use backup codes or account recovery * push notification bombing * using dictionaries * large word list for password cracking * small tailored list for password guessing * cracking not always needed * sniff cleartext protocols * keystroke logging * pass-the-hash techniques use hash directly * clean up after pentest (don't leave cracked passwords lying around) * lockouts * password guessing can lock accounts * Windows: original admin account can't be locked out * admin has SID suffix of 500 * if multiple admin accounts, only 1 is safe * Linux: lockouts not always configured * if so, done using PAM * root account not locked out by default * prevention * just don't guess passwords * ask target personnel for info on policy * create test account for pentest * attempt 1 password per observation window ## Password representation * Windows * Security Accounts Manager (SAM) for modern desktop versions * stores all local account info * login info from domain users that connected to the machine * encrypted SAM database * password hashes stored in registry * LANMAN (LM) or NT hashes * Active Directory newer alternative ### Lanman hash * operation 1. truncate password to 14 characters (pad with NUL bytes if less) 2. convert to uppercase 3. split into two 7-char pieces 4. use each piece as 7-byte DES key to encrypt 64-bit known constant `KGS!@#$%` 5. hash is concatenation of two 8-byte outputs * this hash is criminally bad ### NT hash * operation 1. convert password (max 256 chars) into UTF-16 little endian format 2. hash using MD4 (no salt) * better but still pretty bad ## Windows challenge-reponse authentication * mutiple forms of network cryptographic authentication * **LANMAN challenge/response**: legacy-only, uses LM hash * **NTLMv1**: also legacy, uses NT hash * **NTLMv2**: stronger security, uses NT hash * **Microsoft Kerberos** ### LANMAN and NTLMv1 * operation 1. client initiates authentication 2. server sends 8-byte challenge 3. client formulates response 1. pad LM/NT hash to 21 bytes 2. split hash in three 7-byte pieces 3. use each piece as DES key to encrypt challenge 4. response is 3 8-byte outputs 4. server calculates same response and compares * problems * attacker can sniff both challenge and response and try to crack * rogue server could issue static challenge for which it has rainbow tables * works because neither hash uses salting * without rogue server, method is slower than cracking hashes in SAM db * no access to actual hash * attacker needs to perform DES encryption ### NTLMv2 * operation 1. client sends authentication request 2. server sends 8-byte server challenge 3. client formulates response 1. creates NTLMv2 hash using HMAC-MD5 * data: username and domain name * key: NT hash 2. creates NTLMv2 response using HMAC-MD5 * data: server challenge + data blob (client challenge, timestamp, fields for integrity / security) * key: NTLMv2 hash 4. client sends response to server 5. server computes validity of response using stored NT hash and received fields * cracking still possible but much slower * stronger hash is used * timestamp protects against replay attacks * rainbow tables not useful due to variability of client challenge ### NTLM relay attacks * both versions vulnerable * possible if attacker can access server client usually uses * ARP or DNS spoofing * phishing * cross-site scripting attacks * operation 1. attacker poses as authentication server 2. attacker relays authentication request messages to real server -> acts as authenticating client 3. attacker receives authentication and returns error message to client