Linux & Windows Password Mining

Password mining is the process of searching for and enumerating encrypted or clear-text passwords stored in persistent or volatile memory on the target system.

While the method varies from Linux distribution to distribution, it’s crucial to have a fundamental understanding of where and how Linux stores passwords (both encrypted or clear-text). The approach heavily depends on a number of flaws in an organization’s or user’s password security procedures.

Password Security Policies are used to establish a baseline security level for user passwords and enforce the secure storage and usage which usually comprises of words, numbers, symbols and of a minimum length of 8 characters.

Because employees/users would rather rely on one “safe” complex password than to produce a new one for each account, this leads to the use of the same password for many accounts. For convenience of access, people who are obliged by company regulations to use separate passwords for several accounts are more likely to save the numerous passwords on their systems in clear-text in .doc, .txt, and .xlsx files.

Linux encrypts and stores user passwords locally; following a first penetration, user account hashes can be retrieved from memory and cracked, depending on how weak the password is. Furthermore, Linux is frequently used to host a variety of third-party business-critical applications, and these applications frequently require user access management and are vulnerable to password mining attacks because they frequently store clear text passwords in their configuration files on the server.

Prequisites:

You will require initial foothold on the system. Here, I’m authenticating to the target via SSH as a standard user with no privileges.

standard bash shell

We start by investigating a novel technique that depends on the target’s application type and deployment use case. Applications that use username and password authentication are permitted to keep the credentials in user-space memory (either in clear-text or encrypted). Such an application’s memory dump and analysis could turn up credentials that are relevant to it. The credentials can be used to access the service or take control of it. Since many users and administrators are prone to reuse passwords for other accounts and applications, we can also utilize the detected credentials to authenticate in other places.

To obtain clear-text or encrypted passwords, we can use the GNU Debugger (GDB) to dump the memory of a running service or application.

GDB is a portable debugger that runs on various Unix-like systems and can be used to debug various programming languages.

This technique would vary from system to sytem due to the type of application we are interacting with.

This displays a list of all currently active services on the target along with their associated Process Identifiers (PID). We can recognize a number of services operating as “user” in the image below. Let’s examine Bash, which is the currently active terminal…

If you have specific service in mind you would like to look up, you can manually do that by combining the grep command to limit the ‘ps’ command output to a specified term. Use command:

2. After identifying the bash service, let’s use the GDB tool to dump its memory in order to discover any credentials that the user may have previously entered. Use command:

This command is used to specify the PID of the service you want to analyze. Fom our screenshot above, Bash is runnig with a PID of 3839.

It launches you into a gdb interactive shell where subsequent commands would be entered.

3. Now we list all mapped memory regions for the process. Use GDB command:

Take note of the Start Address and End Address of the Heap as selected in the screenshot.

4. We can now dump the memory of the service by specifying the start and end address of the heap allocation. Use GDB command:

This will output the contents of the heap memory of the Bash service into a file for us to analyze. Press q to quite the debugger.

The Heap is a dynamic memory used by applications to store global variables.

5. After dumping the heap into a file, we can use the strings utility to identify potentially useful information such as credentials. Use command:

This command will identify all strings in the output file and find any occurrence of the passw keyword.

We are able to identify an authentication to the MySQL server with the username and password in clear-text.

However, the target isn’t running MySQL per Nmap scan results.

Nmap scan results

6. Alternatively, we can utilize the MySQL credentials to try and gain access via ssh since users are prone to re-suing same credentials everywhere. I’m going to try to SSH into the target with this newly discovered creds.

We’ve now been able to dump and analyze the memory of an active service. This was due to:

When analyzing the heap output file, don’t limit your string search to ‘passw’ only, you can search for FTP, SSH, su, nano, cat, vim etc commands to see any sensitive info in these commands the user might have entered in the command line.

Applications give attackers a wide range of options because their flaws and vulnerabilities, as well as the storage of their credentials, can result in total system compromise or privilege escalation. The method shown here changes depending on the application and on the kind of target you are dealing with. The first phase entails looking locally for passwords. Meaning that we will locate any text files or configuration files that contain user or application passwords.Searching for passwords

--color will color code the results accordingly

-rnw means recursive search, print line number, match only whole words

‘/’ means start search from root directory

-ie means ignore case, and use patterns for matching.

This produces a large output so you can always redirect the search results to an output file to analyze later.

It is recommended to try out other keywords such as passwd, pass, passw, key, secret, etc. This is because configuration files store passwords under different names and may use abbreviated forms of the word.

In a myvpn.ovpn, there’s a line which says the auth-user-pass credential is stored in a file located in /etc/openvpn/auth.txt

The output revealed the credentials of the currently logged on user. If we didn’t know the credentials of the user beforehand, this info would have been useful.

This will output a list of files that contain the ‘pass’ keyword. In this case we couldn’t find any file that contained any credential we can use.

We identify the Internet Relay Chat(IRC) client configuration file that contain the user credentials.

We can automate this process through the use of the Linux Privilege Escalation Awesome Script (LinPEAS). The LinPEAS binary can be downloaded here. After downloading, transfer it to your target.

This can be done by setting up a python web server in the directory where LinPEAS has been downloaded to.

Now that the binary is served, use the wget utility to download it to the target machine.

Now give the script executable permissions before running it. Use command:

You’ll see a change in color of the linpeas binary the next time you ls

We can now run the script with the command ./linpeas.sh

In the results, we can see it detected the openvpn auth.txt file which contains the standard user credentials.

Unless otherwise specified, Linux would by default record every bash command a user entered on a system. The system administrator will benefit from being able to examine all user actions and commands using this history of commands as a foundation. Attackers may use this, if configured incorrectly, to look for sensitive data, such as credentials from earlier Linux commands kept in other history files.

We are able to see a MySQL command used by the user sometime in the past.

NB: The .bash_history file only stores the history of a specific user. It doesn’t store the history of ALL users on the system. The history file can be configured in the .bashrc file also stored in the home folder of the user.

Since no MySQL server seems to be running on the target, let’s utilize the switch user command to switch to the root account with our newly discovered credentials.

Alternatively, we can also use the history command to see all commands entered in the terminal.

We have been able to successfully searched for and identified locally stored credentials which we used to elevate our privileges. Check out my Windows Password Mining article here

I’m gonna be honest, I used to hate Windows boxes. Usually, you’re met with a Windows remote cmd shell and after exhausting all your WinPEAS, WinES, metasploit skills, you get stuck. So I decided to take time and study a bit about Windows Privilege Escalation and this is the notes I made as I studied. Over here, I’m assuming you already have a reverse cmd shell from your Windows target. Read my Pivoting and Port Forwarding post to learn how to use Metasploit to gain foothold on a Windows system.

Target machine I’m using for this demo is Metasploitable3 which is a vulnerable Windows 2k8 R2 Server.

Now that we have established a cmd on our target machine, let’s try and enumerate all text files that contain the string “password” in them.

Use command:

findstr /si password *.txt

/s — searches for matching files in the current directory and sub-directories

/i — specifies that the search is not to be case sensitive.

findstr is a CLI tool for finding patterns of srings in a text. In our case we are saying it should find all “password” strings in all .txt on the local partition.

We jump to the beginning of the local partition and run the command so that the findstr goes through all the text files located under the C: volume.

txt files containing “Password” string

The output is large and can get overwhelming but a careful study through it would show some really sensitive info. Just like above, you can see there’s a WAMP server installed in which the password to the phpmyadmin is stored in the Documentation.txt

Other forms of the findstr command are:

This will go through all .xml, .ini and .txt files for the “password” string.

/m — print only the filename if the file contains the match.

The /m will limit the search results to filenames(without expanding to its contents) that only gave the search query specified.

list of files that contain the “password” string

You can perform a search for a specific string that can be found in all the files and folders

You can search for various strings in files by using the dir tool in cmd

This command will list all occurence of the string specified and their locations

Cont..

This automates the mass installation of Windows. This tool utilizes configuration files that contain specific configurations and user account credentials that can be used by attackers to elevate privileges.

It varies from different versions of WIndows. It’s more effective when employed against organization specific environment.

The first step involves searching for the unattended setup utility config files. The filenames vary from diff versions of windows. Some of the common names are:

As said already, the location to these files too vary with each version of windows. The common locations are:

C:\\Windows\Panther\Unattend\Unattended.xml

C:\\Windows\Panther\Unattdended.xmlAt times, instead of seeing Unattended.xml or attended.xml, you’d rather see Unattend.xml or attend.xml

If the configuration files exist, they might contain the Administrator password either in plaintext or encoded in base64

Similarly, sysprep utilize configs that contain user credentials and customization. Also, the names of these files vary with different versions of windows.

Some known names are:

Usually located in

C:\\Windows\system32\sysprep\sysprep.xml

C:\\Windows\system32\sysprep.inf

If these configuration files exist, they offer a straightforward path to authenticate to the system as the admin user attains elevated privileges.

Windows Registry is a database that contains configs and settings for windows and other applications installed on the system. We can search the registry for specific strings to reveal user credentials. Use cmd:

and

To interact with a registry file, use cmd

This will output all registry entries that match the password string

Here I couldn’t find anything but had the user embedded their credentials under the autologon registry config, we could have interacted with that registry file to display the credentials.

This will depend on the application type. The techniques demonstrated in this section will depend on the type of target you are dealing with and its deployment use case. In our case, our target virtual machine has been set up as a server and has various vulnerable applications installed on it.

During an nmap scan against our Windows 2008 R2 server, we found that it was running services:

Let’s see how you can locate the configuration files used by these applications.

Let’s identify the web hosting stack being used by the server. Listing the contents of the root directory shows the server is running WAMP (Windows Apache, Mysql, PHP).

Run cd wamp\www to see the type of applications being hosted.

Now listing all contents

We can see wordpress in there, being hosted as an application.

WordPress is a content management system that requires a database — in thiscase, MySQL — to store data and user credentials. It uses a remote connection to connect to the database and the access credentials are stored in the wp-config.php file. Let’s search for this file in the wordpress directory.

There it is

Now let’s read it’s content

use cmd command type to read files.

As you can see we have the MySQL user credentials and it happens that the database has no password protecting it.

Let’s log into the MySQL server remotely from our attack box. Use command:

Press Enter when prompted for a password. After a successful authentication, we are now connected to the SQLserver as root and we can dump any database hosted on there.Let’s start by enumerating the databases we have at our disposal.

show DBs in the server

Select one of the DBs(wordpress in my case).

selecting wordpress DB

Now let’s see the tables available under this DB

Tables in wordpress

Why don’t we take a look at the wp_users table.

contents of the wp_users Table

Wow! This is getting exciting. The user passwords are encrypted in MD5 which is easy to crack.

Also, due to the fact that we have root access, we can change the admin password to a different one of our own choosing with command:

You can now log into the wordpress admin panel with the credentials.

Now you have total control of MySQL and the Wordpress site.

A simple Nmap service scan showed many HTTP services running on the Target. I tested all the ports in the browser till I got to port 8585.

I was greeted with the WAMP server homepage.

It had links to phpmyAdmin, mysql and Wordpress.

So I went with the sqlbuddy since it had SQL in its name.

I was met with an login panel. Since from the config file, the mySQL server allows no password login with the root user, I authenticated as root without a password and I was successfully logged in.

You can see the DBs lined up on the left. Let’s take a look at the wordpress DB

Taking a look at the wp_user table

On the left, there’s the Query menu which gives you a field to manually enter mySQL queries to alter the DBs. Use that to alter the admin password.

We can gain access to the control panel of phpMyAdmin by locating and reading the contents of the configuration file. The config file is located in:

C:\wamp\apps\phpmyadmin3.4.10.1\config.inc.ini.php

phpmyAdmin config file

Let’s read it.

content of config file

You can see the credentials to the phpmyadmin panel are stored in the file which also allows a passwordless login as well.

Using the link on the WAMP server homepage, we open phpmyAdmin and we are met with a login screen.

With username of root and no password, we are logged in. We should now have root access to the phpMyAdmin control panel and be able to create, modify, and delete the contents of databases.

phpmyAdmin

Before I continue, let’s take a look at how Windows stores it’s Hashes.

Security Accounts Manager(SAM) is a database that manages users and their passwords on windows. Each password stored in the SAM file is hashed. Authentication and Verification of user credentials is done by the Local Security Authority (LSA).

SAM file is stored in the Windows Registry:

HKEY_LOCAL_MACHINE\SAM

Now that we’ve seen where windows hashes are stored, Let’s take a look at some password encryption types Windows employs.

LM is a weak authentication protocol that can easily be cracked, This is how it encrypts its passwords:

This makes it weak because:

Let’s take a look at NTLM

NTLM was supposed to be an improvement of LM. NTLM authentication operates under the client-server model of communication and involves a handshake process, similar to the TCP three-way handshake.

NTLM operates under a challenge response system, and the hashing process can be broken down into the following steps:

PwDump7.exe is a binary that extracts the SAM file and dump the hashes. It needs to be ran locally on the victim’s computer. So you upload it to the victim machine and execute.

The SAM and SYSTEM file can be easily located in

C:\Users\Windows\system32\config\

SAM & SYSTEM files

Setting up a temporary Python server on my attack box, to serve the binary to the windows machine

serving the files

NB: Make sure to transfer the libeay32.dll library file along with the binary to the windows machine

Now downloading it to the windows machine

downloading served binary

Now the library file

downloading served library file

Now we have our two files(binary + dll file) on the target windows machine

Let’s save the SAM file to the C:\ drive

saving SAM file

Save the SYSTEM file also

saving SYSTEM file

Now run PwDump7.exe with the saved SAM file and the SYSTEM file to extract the hashes.

dumping hashes stored in SAM file

NB:You can run the PwDump7.exe alone to still dump the hashes without having to save the SAM file registry entries.

Samdump2 is a linux tool used to extract the hashes from a hash file.

We can save the registry value of our SAM file to our target locally with command:

save SAM file

Now we download the saved files unto the attack box and use

download the SAM & SYSTEM files to the attacker machine

Now on your attack box, run samdump2 with the SAM and SYSTEM file

extract hashes from the SAM & SYSTEM file

This is a metasploit command that dumps all users and their hashes if executed with the right permissions.

hashdump

wce.exe (comes prepackaged with Kali) is a windows binary that list the logon sessions and their corresponding NTLM hashes.

From our attack box, let’s serve the binary for download.

serve the binary

Now let’s download it to the windows target

download it to the target

Now you run it

wce64.exe

With this, you’re only able to dump the hashes of currently logged on users.

You can also dump the plain-text of the hashes with wce with the command:

plain-text dump

set session to your current active session and run

dumping hashes

We can talk about dumping credentials without talking Mimikatz. It’s a credential dumping tool when executed with the right privileges. It’s not limited to credential dumping only as it has other useful purposes such as token impersonation.

Even though we can load it from its metasploit module, I’m choosing to go the long way of manually uploading it and executing it.

It also comes prepackaged with Kali (located in /usr/share/windows-resources/mimikatz directory) so I’m going to host the entire x64 binary folder together with its dependencies for download.

Downloading on the windows machine

Now run mimikatz.exe on the target machine

launch mimikatz

Run token::elevate to elevate your permissions since you need high permissions to access the SAM file.

elevate permissions

Now dump the SAM file hashes with command lsadump::sam

dump hashes

We have been able to dump the user account hashes, aside wce64.exe which was able to dump the plaintext format of the logged on users passwords, the other tools could only dump the hashes. In this section, I’m going to demonstrate how you can utilize some Open source tools to crack these hashes.

Structure of a typical windows Hash

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::

<username>:<RID>:<LM>:<NTLM>

It’s an open source password security, auditing, and recovery utility that supports a large number of hashes and ciphers. We will start by saving all our password hashes into a txt file I’ll call hashes.txt

The content of hashes.txt should be similar to this

hashes.txt

Now we run John the ripper with the command:

This will run with John’s default password wordlist. You can specify your own wordlist with the — wordlist tag)

cracking the hashes

It starts to crack the password hashes one after the other. Depending on the list of hashes and the complexity of the hashes, John can take longer hours(or days even) to crack the hashes. So it’s better to always limit it to the hashes of interest only.

Another password cracking tool which is my favorite actually. With the same hashes.txt, run it with hashcat together with the rockyou wordlist.

hashcat

Now what can you do with these set of credentials after cracking them?

Here, I’m going to show you how you can use the newly found credentials to authenticate against the target to obtain privileged access. There are various techniques but I’m going to highlight a few ways.

Let’s say you’re finding it difficult to crack the hash, you can authenticate with the target using the dumped hashes without knowing the plain-text form. I’ll be utilizing one of impackets tools called Psexec

Psexec is a tool used to authenticate to windows machines, can be used to pass the hash too.

It has a module embedded in metasploit.

Set the required options (SMBUser, SMBPass(hash), RHOSTS most importantly)

Now you get a meterpreter session as the Adminstrator.

John cracked the hash of Administrator as ‘vagrant’. Let’s try to see if RDP is enabled on the windows target and if so, can we authenticate.

RDP runs on port 3389. An nmap scan revealed port 3389 to be open

RDP open

We successfully RDP’d into the target with the admin credentials. We have control of the Domain.

If the target has any form of ssh server installed on it, you can SSH into it with any valid pair of credentials. From hashcat, we saw that the password of c_three_pio was pr0t0c0l. Let’s see if we can SSH into the system.

After typing the password, we get a cmd shell