Thursday, February 16, 2012

BREAKING INTO WINDOWS VIRTUAL MACHINE – A DIFFERENT APPROACH

So my friend posted an open hacking challenge and provided users with a pre-built virtual machine for which they were to install and then black box hack in order to capture the flag stored on the admin user's dekstop. I was trying to install the virtual machine when I couldn’t log in so I wasn’t sure how I was supposed to get the system setup to hack as no credentials were provided at all. I couldn't do any in depth scanning due to initial setup on sensitive network. I then thought, well how would one go about getting the damn system passwords for a Windows machine normally if they had physical access to the box. OK, normally I would boot up to a Linux OS of choice, probably BackTrack, and then mount the system hard drive and make a copy of the SAM file and SYSTEM files to then dump and crack offline at my leasure, but this was on a virtual machine so it would seem I could find no way to do this. A) – I could not find anyway to change the boot order with the free vmware options without first installing a boot loader type mini-linux os and then installing the other systems ontop of it that way, but this was overly complex and too time consuming. B) – even if I could boot swap I don’t know if linux would be able to read the virtual hard drive or not. This part got me thinking, and I figured well why cant I just mount the damn virtual drive and then go through it like that. I had a hard time finding a method to get this to actually work…I admit at this point I was now back on Windows and only testing from Windows point of view. OK so I searched around and I found a crappy shareware program called WinImage which does the trick nicely (it allows 30 day trial and easy enough to reset on your own, can purchase if you like it and find you might use this method a lot). You can download it here: http://www.winimage.com/download.htm. Simple install that works like anything else on Windows…

Install winimage:

Once installed you can simply double click to run and then use the standard Windows icon in upper left to open a file and then point it to the location of the virtual machine hard disk file (.vmdk in this case) you want to mount for reading (free version is only read only L).

Choose mount point:

Go through content of virtual machine file system as you like J

NOTE: this crap shareware only lets you extract with the free version, pro paid version supposedly allows re-writing which would have allowed one to simple copy the cmd.exe over the sethc.exe and use the old SHIFT+Sticky Keys trick to bypass login at startup and create new administrator account or password and then restart and login with new credentials. Perhaps when I re-test with Linux this will be the easier shortcut to take…

But let’s have some fun for now shall we and review the now mounted virtual machines hard drive which will now appear like a normal C:\ drive:
Navigate to the C:\WINDOWS\system32\config folder to get our hands on the juicy stuff – mostly the SAM file so we can dump the systems usernames and passwords that are stored J Highlight the /config folder, right click and choose to extract that puppy to wherever it is you want to review it when you’re done…


OK, at this point we now have the SAM file and SYSTEM file which means we have the entire user and password hash details but we need to find a way to extract them as they are encrypted. The SYSTEM file will be used to determine the SYS-KEY which is then used to decode the SAM file so we can dump it. There are a few options when it comes to getting this part of the job done, here are a few of your options for going about things…

OPTION 1 – Dumping SAM File with: PwDump7
The first method I will show involves the use of the PwDump tool, latest version I found available online was v7 but methodology and command syntax should remain largely the same if your using a older version. The download for the one I used is available here: http://www.tarasco.org/security/pwdump_7/pwdump7.zip.  This is a command line only tool which can be used to dump the local systems SAM & SYSTEM file if run with administrator privileges or can be used to perform offline attacks as well (convenient for our particular scenario).

If you want to dump the local systems credentials, run as admin and simply run the tool without any arguments passed and it will do its thing, here is an example (no arguments but I am redirecting output to a file):

If we want to perform an offline attack we use the ”-s” switch and point it to the SAM & SYSTEM files so we can perform an offline attack, which is what we used in this particular scenario, it works the same and looks like this:

Now you have your dumped Windows usernames and password hashes and can go start trying to crack with your favorite hash cracker tool. In case your tool doesn’t accept the default PwDump file format for input the returned output file of the hash format for Windows NTLM Hashes is:  

Username:RID:LMHash:NTLMHash:::

You can just extract manually as needed and work with it from there.

OPTION 2 – Dumping SAM File with: Cain & Abel
If you don’t feel comfortable at the command line you can also get things done with the forever oldie but goodie Can & Abel. We start by launching Cain and using the Syskey Decoder tool from the tools menu:

Point it at the SECURITY file so it can determine the sys-key which we will use to decrypt the content of the SAM file in next steps, so make sure you take note or write it down…

NOTE: You need to provide the full path to where your SAM & SYSTEM files are stored on winblows.
Now we use the Cracker tab and choose the LM & NTLM Hashes options. Click on the blue “+” sign up top to launch the Add NT Hashes loader tool. We need to use the last option to load from SAM database file.

Point it at our extracted SAM file and use the sys-key we found using the decoder in the previous steps and together they will be used by Cain to extract the user password hash details. Once properly configured and loaded, just hit next and you will see the credentials loaded into Cain’s main hash window of the cracker tool. Voila we have dumped it again!

Now you can crack them with Cain or extract them now that they are in cleaner format and crack in your tool of choice, but Cain is perfectly capable if you have no other options (or just have time to wait). Now in order to crack the hashed passwords we need to go about things in a strategic order to ensure we have the best and fastest results possible. We first want to start by cracking the LM Hash by itself. In most cases you can simply right click and choose to Bruteforce the LM Hash. You might notice the max length allowed is 7, this is due to how Windows hashing algorithms break the password down for LM hashes (see Google for details on this particular subject – it is worth looking into as it will help in understanding why this approach works).

Once the LM hash is cracked you can put this in your dictionary file as it will be some portion of the NTLM password and will greatly increase your chances of cracking the NTLM hashed password which is a MD4 algorithm of sorts. Continue attacking NTLM with dictionary, bruteforce, or rainbow tables if you have them and eventually you will find the decrypted password you seek. I have a bonus at the end which will show you how you can build your own rainbow tables to perform super quick hash lookups enabling super-fast hash cracking.  The particular hash in this scenario was set to take ages running bruteforce attacks when I turned to rainbow tables for help and the password hashes were decrypted in mere seconds! A HUGE thanks to my friends over at http://www.md5decrypter.co.uk/ for some assistance they give me with rainbow tables, thanks again guys!

And voila, we have again managed to dump the SAM file so we can now perform offline dictionary and/or bruteforce attacks against the found hashed system user passwords. Once hashes are cracked you can simply pair up your username and password and login into the system as if it was meant to be J

I hope you have enjoyed this fun tutorial on how you can steal password hashes from Windows systems, and in this case even on a Virtual Machine hosted Windows platform. Physical or Admin access is the key in the end, but persistent is also the key and dominating every box in the network is the end goal so keep no rock unturned during your adventures out there in the wild. Hope you have enjoyed this one as much as I have, and as always and until next time – Enjoy!


BONUS – RAINBOW TABLES:
Building Rainbow Tables with RCRACK:
We can download the rcrack tool set from the Rainbow Tables Project homepage. We can use the tools included to build our rainbow tables, sort them (convert formats if needed) and then finally to search to see if we can quickly find our hashed passwords from our found SAM file. We first create our tables using the basic documentation provided by Rainbow Crack Team:

Note: This part may take some time so take it in strides, as you need to process the full charset into all possibilities. If you need system resources just hit CNTRL+C to stop and then re-issue the same commands to build again and the RCRACK tool will pick back up where it previously left off J

The syntax starts easy by you passing arguments for the hash type to use, followed by the charset to use (see charset.txt file if you need reference for what’s available), then you provide the minimum and maximum length you require. In this case I was building LM tables so the max allowed is 7 which kept this project relatively short in nature as opposed to generating a longer password length (longer pass, more possibilities, requires more tables, equals more time). Then the syntax gets weird, you need to pass the index (for keeping track if you break it into multiple files), the chain_len, then chain_num, and last the part_index which is just an identifier you can give that gets postfixed to the file names when generated. As I could not find any clear definition of the chain_leng or chain_num I can’t provide full clarification on how you can write you own custom runs from scratch as I don’t understand fully why or how you determine the number of times to loop the commands for a full set…perhaps it will come to me in the future, in which case I will update this article…but in the meantime I found this site: http://wired.s6n.com/files/jathias/ which provides a great tool for calculating this and in process creates a batch file with the proper commands needed to create the desired tables you need. You can run the batch file or open it up and run the commands one by one and simply use the batch file as a reference. It is up to you, but I highly recommend this tool as without it I would have been lost, and you might be too (you’re probably smarter than me so you probably figure it out :p ). If you just want the direct download, its available here: http://wired.s6n.com/files/jathias/RainCalc.zip. Once you download that you simple run it like any other program, this one has a GUI, and then you identify the charset, hash type, min and max length you want and then hit the generate batch file button.

It will generate a batch file with the needed commands to create your desired rainbow tables based on the input you provided it. If you open the batch file up, it will look something similar to this:

Now we know the proper commands to run, how many times to loop, etc. We run this which takes some serious time depending on your setup and what not.

You can find downloads available on the internet in various formats but I decided to make my own to become familiar with the whole process. Once you have rainbow tables built you can use rcrack.exe or the rcrack-GUI application to search the rainbow tables for you hash and find passwords in mere seconds in most cases. You can also look into the Free Rainbow Tables project and there new alternative tools for creating and reading of rainbow tables. It is compatible with rcrack so you an re-use your tables or convert to their format, but they have Terabytes worth of rainbow tables available for free to download here: http://www.freerainbowtables.com/

This may take a long amount of time to package in some people’s eyes but once it is done you have them to use for all cracking attempts going forward which makes the time trade off start to come out and is why rainbow tables have been popular for so long, very much a real Return on Investment (ROI) over time. Today newer methods leveraging GPU power is really starting to bring other avenues of attack to the table which are equally as impressive as I have outlined in some of my earlier articles. The folks at http://www.md5decrypter.co.uk/ also play a huge role in bringing the ability for the average user to use their online database for easy and quick hash lookups.

#EOF
NOTE: You could just take the SAM and SYSTEM files but I took the whole thing just to be safe and get it all intact…