Obtaining credentials
Gaining access to a system through credential acquisition involves obtaining valid usernames and passwords or other authentication tokens.
Password Attacks
Non-Electronic attacks
Non-electronic attacks are methods of compromising passwords or security measures without the use of digital technology.
Shoulder Surfing - Watch over the shoulder of a user to observe them entering their password or personal identification number (PIN)
Social Engineering - Convince people to reveal their credentials.
Dumpster Diving - Searching through discarded materials, such as paper documents, to find information that may include passwords or other confidential data.
Active Online Attacks - Directly Communicating with the target.
Active online attacks involve direct interaction with the target system or user to compromise passwords.
Dictionary, Brute Force and Rule-based attacks - Try different combinations of words, phrases, or characters to guess a password. "Dictionary" attacks use common words or phrases, "brute force" attacks try all possible combinations, and "rule-based" attacks apply patterns or rules to password guessing.
Trojan, Spyware, Keylogger - Malware that can be deployed to capture passwords and other sensitive information. Trojans, spyware, and keyloggers discreetly monitor and record user activities, including keystrokes and login credentials.
Password spraying - Target multiple users simultaneously with a small set of common passwords. This helps avoid account lockouts.
Pass-the-Hash - Instead of attempting to crack a user's password, use stolen password hashes to gain access.
Kerberoasting / AS-REP Roasting - Request a TGS (Ticket Granting Service) ticket for the SPN (Service Principal Name) of the target service account, or a TGT (Ticket Granting Ticket) from the KDC (Key Distribution Center), and crack the ticket to obtain the user's password.
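From the defender's side, password spraying stands out in authentication logs as one source failing against many distinct accounts, whereas brute force hammers one account. The detector below is an added example (not from the original page); it runs over constructed sample log lines in an assumed "timestamp src= user= result=" format, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): timestamp, source, user, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=10.0.0.7 user=alice result=fail
2024-05-01T09:00:02 src=10.0.0.7 user=bob result=fail
2024-05-01T09:00:03 src=10.0.0.7 user=carol result=fail
2024-05-01T09:00:04 src=10.0.0.7 user=dave result=fail
2024-05-01T09:00:05 src=10.0.0.7 user=erin result=success
2024-05-01T09:05:00 src=10.0.0.9 user=frank result=fail
2024-05-01T09:05:10 src=10.0.0.9 user=frank result=fail
2024-05-01T09:05:20 src=10.0.0.9 user=frank result=success
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse_log(text):
    """Parse the assumed log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spraying(events, min_users=4, window=timedelta(minutes=10)):
    """Return {src: sorted distinct users} for every source whose failed logins
    touch at least `min_users` different accounts inside `window`.
    One account failing repeatedly (10.0.0.9 above) is brute force, not a spray."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "fail":
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```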
Passive Online Attacks
Passive online attacks involve monitoring or eavesdropping on network traffic without actively interacting with the target.
Sniffing - Intercept and capture network traffic to obtain sensitive data, such as passwords, as it traverses the network. Think unencrypted protocols like HTTP, FTP, Telnet or rlogin.
Man-in-the-Middle - Intercept communication between two parties and may capture passwords or sensitive information exchanged between them.
Replay Attack - Capture and reuse previously intercepted data, such as authentication credentials; this only works if no challenge-response mechanism is in place.
Offline attacks
Offline attacks involve attempting to crack passwords without direct access to the target system or network. Attackers work on stolen password databases or hashed files. Usually preferable!
Dictionary, Brute Force and Rule-based attacks - Try different combinations of words, phrases, or characters to guess a password. "Dictionary" attacks use common words or phrases, "brute force" attacks try all possible combinations, and "rule-based" attacks apply patterns or rules to password guessing.
Rainbow Table Attack - Offline attack in which precomputed tables are used to quickly crack hashed passwords by matching them to their plaintext equivalents.
Distributed Attack - Involves multiple attackers or systems working together to launch coordinated password attacks.
Look up breached passwords
As a first step, try looking up breached passwords at BreachDirectory and combine this with a hash lookup tool or brute force.
Hashes
Once a system has been successfully breached, an important objective is to obtain the password hashes of user accounts. Password hashes are cryptographic one-way representations of passwords: a hash function takes an input (or "message") and returns a fixed-size string of characters, the hash of that message.
Location of password hashes
Windows
In Windows systems, the password hashes are typically stored in the Security Account Manager (SAM) database. The SAM database is a part of the Windows operating system that stores user account information, including username and password hash.
Linux
In Linux systems, the password hashes are usually stored in the /etc/shadow file. The /etc/shadow file is a configuration file that holds user account information, including password hashes, in a more secure manner than the older /etc/passwd file.
Salting
Salts are random data values that are combined with a user's password before it is hashed. When a password is hashed with a salt, it creates a unique and unpredictable output. This added complexity makes it significantly more challenging for attackers to use precomputed tables and techniques like rainbow table attacks to crack password hashes.
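An added example (not from the original page) showing why salting defeats precomputed tables: two users with the same password get the same unsalted hash, which a table built once from a wordlist recovers instantly, while per-user salts make the hashes distinct and the table useless. SHA-256 and the constructed wordlist are assumptions for illustration; real password storage should use a slow, salted KDF such as bcrypt, scrypt or Argon2.

```python
import hashlib
import os

# Constructed wordlist standing in for the dictionary a table would be built from.
WORDLIST = ["password", "letmein", "summer2024", "qwerty"]

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt):
    # The salt is stored next to the hash; it need not be secret, only unique per user.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_lookup_table(wordlist):
    """One-time precomputation hash -> plaintext, the principle behind rainbow tables."""
    return {unsalted_hash(w): w for w in wordlist}

def crack_with_table(table, digest):
    """Instant lookup: succeeds only if the exact digest was precomputed."""
    return table.get(digest)

def demo():
    table = build_lookup_table(WORDLIST)
    # Two users chose the same password.
    u1 = unsalted_hash("summer2024")
    u2 = unsalted_hash("summer2024")
    same_unsalted = u1 == u2                 # identical: one crack recovers both accounts
    cracked = crack_with_table(table, u1)    # the table finds it immediately
    s1 = salted_hash("summer2024", os.urandom(16))
    s2 = salted_hash("summer2024", os.urandom(16))
    same_salted = s1 == s2                   # distinct hashes for the same password
    cracked_salted = crack_with_table(table, s1)  # precomputed table no longer applies
    return same_unsalted, cracked, same_salted, cracked_salted
```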
Hash types
Hashcat maintains a list of example hashes which can be used to manually identify the type of a hash.
hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions.
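The identification principle hashID and the Hashcat example list rely on, reduced to an added example of my own (not hashID's code): classify a value by prefix and length, returning several candidates where a raw hex digest is ambiguous (a 32-hex-character string may be MD5, NTLM or LM). It also splits the /etc/shadow records from the Linux section above, whose second field carries the crypt(3) hash with its $id$ prefix. The sample values in the test are constructed, not real hashes.

```python
import re

# Ordered (pattern, candidate types); first match wins. Raw hex digests carry no
# prefix, so several candidates are returned and the context must disambiguate.
PATTERNS = [
    (r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$", ["bcrypt"]),
    (r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$", ["sha512crypt"]),
    (r"^\$5\$[^$]{1,16}\$[./A-Za-z0-9]{43}$", ["sha256crypt"]),
    (r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$", ["md5crypt"]),
    (r"^[0-9a-fA-F]{32}:[0-9a-fA-F]{32}$", ["LM:NT (pwdump format)"]),
    (r"^[0-9a-fA-F]{32}$", ["MD5", "NTLM", "LM"]),
    (r"^[0-9a-fA-F]{40}$", ["SHA-1"]),
    (r"^[0-9a-fA-F]{64}$", ["SHA-256"]),
    (r"^[0-9a-fA-F]{128}$", ["SHA-512"]),
]

def identify_hash(value):
    """Return the list of candidate hash types for `value` (empty if unknown)."""
    for pattern, names in PATTERNS:
        if re.match(pattern, value):
            return names
    return []

def parse_shadow_line(line):
    """Split one /etc/shadow record: user:hash:lastchg:min:max:warn:inactive:expire:.
    A '!' prefix means the account is locked; '*' or empty means no password login."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow record: %r" % line)
    user, hash_field = fields[0], fields[1]
    unusable = hash_field in ("", "*", "!!") or hash_field.startswith("!")
    return {"user": user, "hash": hash_field, "unusable": unusable,
            "types": identify_hash(hash_field)}
```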
Tools
LLMNR and NBT-NS poisoning
LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are integral components of Windows operating systems responsible for resolving host names within the same network segment. These services are typically enabled by default in Windows operating systems and, if exploited, can potentially lead to the extraction of user password hashes.
Given the limited awareness of this attack, there is a significant potential for obtaining user credentials during internal network penetration tests.
Responder is a tool designed to exploit the LLMNR, NBT-NS and mDNS (Multicast DNS) protocols. It responds to specific NBT-NS queries based on their name suffix, but it typically responds primarily to File Server Service requests, often associated with the SMB (Server Message Block) protocol.
Clone repository
sudo ./responder.py -I <interface>
Responder starts capturing the access logs.
By default, Responder stores the logs in Home/Responder/logs
Tools to extract password hashes
Mimikatz is a powerful and well-known post-exploitation tool used to extract sensitive information from Windows systems. It specializes in retrieving credentials, including plaintext passwords, password hashes, and Kerberos tickets.
Pwdump7 is a password hash extraction tool that extracts password hashes from the SAM database on Windows systems.
DSInternals is a collection of PowerShell modules designed for Active Directory (AD) administration, auditing, and penetration testing. It can also be used as a password hash extraction tool. Since PowerShell 5, you can install the DSInternals module directly from the official PowerShell Gallery by running the following command:
Install-Module DSInternals -Force
Impacket-secretsdump is used for extracting and dumping credential information from Windows systems, specifically from the Security Account Manager (SAM) database and the Active Directory (AD) NTDS.dit database. Default in Kali.
Tools for password cracking
John the Ripper is a widely used open-source password cracking tool designed for offline password attacks.
Hashcat is a powerful, open-source password cracking tool that is optimized for offline attacks. It excels at accelerating the cracking of hashed passwords through the use of GPUs and CPUs.
THC-Hydra is a versatile online password-cracking tool that is used to perform attacks on network services.
All are default in Kali