Stamp Out Hash Corruption! Crack All the Things!
Crowe Horwath / Trustwave SpiderLabs

Ryan Reynolds
Manager, Crowe Horwath
Pentester
Twitter: @reynoldsrb

Jonathan Claudius
Security Researcher, Trustwave SpiderLabs Vulnerability Research
Twitter: @claudijd

What's inside?
- Windows Hash Extraction
- Story of What We Found
- Windows Hash Extraction Mechanics
- A Different Approach
- Why Are All the Tools Broken?
- Demo
- Patches

Let's talk about hashes!!!

Goals of Getting Hashes
- Privilege Escalation
- Password Analysis
- Forensics Investigations

Windows Password Hashes
Two types of hashes:
- LM (LAN Manager): old hashing algorithm w/ security flaws; case insensitive, password broken into 2 components
- NTLM (NT LAN Manager): newer hashing algorithm w/ security flaws; not salted, but is case sensitive

Windows Password Hashes
Two methods to get hashes:
- Injection via LSASS: reads hashes from memory
- Registry reading via SAM/SYSTEM: reads hashes from the local registry hives

Story Time

Failed Attempt 1
- Social engineering engagement
- Gained physical access
- Dumped hashes on a bank workstation
- Failed to crack: John the Ripper, rainbow tables

Failed Attempt 2
- Internal penetration assessment
- Popped a shell via a missing patch
- Dumped hashes on the system
- Failed to crack: rainbow tables (via all LM space & French)
- Pass the Hash (PTH)

Example Hashes
Via Registry (Metasploit)
  LM:   4500a2115ce8e23a99303f760ba6cc96
  NTLM: 5c0bd165cea577e98fa92308f996cf45
Via Injection (PwDump6)
  LM:   aad3b435b51404eeaad3b435b51404ee
  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
Metasploit Framework, Bug #4402: "Hashdump script/post module breaks with passwords greater than 14"
  "When using "run hashdump" or the post/windows/gather/hashdump module on a windows 2008 server with a password of larger than 14 characters, the hash that is returned is incorrect."

Where Do Hashes Live?
- HKLM\SAM: stores security information for each user (including hash data)
- HKLM\SYSTEM: stores the SYSKEY ("salts" the SAM information for security purposes)

What the Registry Looks Like
HKLM\SAM\SAM\Domains\Account\Users\
Users: 000001F4, 000001F5, etc.
  Name        Type        Data
  (Default)   REG_SZ      (value not set)
  F           REG_BINARY  02 00 01 00 00 00 00 00 ...
  V           REG_BINARY  00 00 00 00 be 00 00 00 02 ...

What's Inside These Values?
For each user, we have two values:
- "F": binary data; last logon, account expires, password expiry, etc.
- "V": binary data; username, LM hash data, NT hash data, etc.

A Closer Look at Raw Data
Raw data w/ LM & NTLM data (A = LM hash bytes, B = NT hash bytes):
  ...0000AAAAAAAA0000BBBBBBBB00000...
Raw data w/ just NTLM hash data:
  ...00000000BBBBBBBB0000000000000...

Registry Extraction Tools
- Metasploit Hashdump Script
- Creddump
- Samdump2
- Cain and Abel
- Pwdump7
- FGDump 3.0
- Others

Current Parsing Logic
  [OFFSET][HASH DATA]
  If size > 40 bytes: LM & NTLM
  Smaller:            NTLM
  Smaller still:      None

The "Flaw"

Remember these?
Via Registry (Metasploit)
  LM:   4500a2115ce8e23a99303f760ba6cc96
  NTLM: 5c0bd165cea577e98fa92308f996cf45
Via Injection (PwDump6)
  LM:   aad3b435b51404eeaad3b435b51404ee
  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
The "Flaw"
  [OFFSET][HASH DATA][DATA++]
  If size > 40 bytes: LM & NTLM (but the extra bytes are not an LM hash)

The "Flaw": BAD
  ...0000AAAAAAAA0000BBBBBBBB00000...   LM & NTLM present: parsed correctly
  ...00000000BBBBBBBB0000000000000...   NTLM only, plus DATA++: the size now exceeds 40 bytes, so the tool slices an "LM hash" and an "NTLM hash" from the wrong offsets

Root Cause? How do we get "DATA++"?
  [OFFSET][HASH DATA][DATA++]
By following Microsoft best practices:
- Set password history
- No LM hashes

Raw Look at "V" Data Structure
Hex dump of the F and V REG_BINARY values under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\3ed (user test2), annotated LM HASH, NT HASH DATA and DATA++.

How often does this occur?
- Newer OSes do not store LM (Windows Vista and newer)
- LM can be disabled by a proactive sysadmin
- Password histories set through GPO

In an ideal world, we would want...
- LM exists?
- NTLM exists?
- Parse correct hash data 100% of the time

Raw Look at "V" Data Structure
Second annotated hex dump of the same F and V values, with the LM HASH, NT HASH DATA and DATA++ regions marked.

A Different Approach
"V" has 4-byte headers for LM & NTLM:
- 0x4 (4 bytes) = hash not present (false)
- 0x14 (20 bytes) = hash present (true)
No more guessing!

A Different Approach
  [OFFSET][HASH DATA][DATA++]
  LM & NTLM / NTLM / None: decided by the headers, not by the size

A Different Approach
BAD LOGIC
  ...0000AAAAAAAA0000BBBBBBBB00000...
  ...0000[0000BBBBBBBB0000000000000...   (the bracket marks where an "LM hash" gets read from)
GOOD LOGIC
  ...0000AAAAAAAA0000BBBBBBBB00000...
  ...00000000BBBBBBBB0000000000000...

Why are all the tools broken?

Who's Patient Zero?
- pwdump
- samdump2
- Cain & Abel
- Creddump
- Metasploit

Tool Timeline
Pwdump v1, FGDump v3.0, Cain & Abel v2.7.4, Creddump v0.1, Pwdump7 v7.1, Samdump2 v1.1.1, Samdump2 v1.0.1, MSF Hashdump
Dates on the timeline: 3/24/1997, 3/28/04, 7/9/05, 11/21/07, 12/30/09, 11/9/11, 2/20/08, 3/10/10

Take Away
- Reverse engineering is hard
- Exhaustive testing is time consuming
- Leveraging code is helpful
- Fully reusing code is not always good
- Open source lets others learn and help fix!

Demonstration
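As an added example (not code from the slides or from any of the tools named), here is the size heuristic beside the header-based check, run over constructed V records with and without password history. The descriptor offsets 0x9C/0xA8 and the data base 0xCC are assumed from the public V-record layout used by open-source SAM parsers; the slides themselves only give the 0x04/0x14 header values. Hashes are left unencrypted and only the slicing step is modelled (real records still need SYSKEY decryption afterwards).

```python
import struct

# Field locations inside the SAM "V" value. Assumed from the public V-record
# layout used by open-source SAM parsers; the slides only name the 4-byte
# length headers and their 0x04 / 0x14 values.
LM_DESC = 0x9C    # u32 offset, u32 length of the LM hash blob
NT_DESC = 0xA8    # u32 offset, u32 length of the NT hash blob
DATA_BASE = 0xCC  # blob offsets are relative to this point
PRESENT, ABSENT = 0x14, 0x04  # 20-byte blob = hash present, 4-byte = absent

def build_v(lm_hash, nt_hash, tail):
    """Constructed V record: header, then [LM blob][NT blob][tail].
    A present blob is a 4-byte revision + 16-byte hash; an absent blob is
    the 4-byte revision only. The tail stands in for the bytes that follow
    the hashes (password history, the slides' "DATA++")."""
    lm_blob = b"\x01\x00\x00\x00" + (lm_hash or b"")
    nt_blob = b"\x01\x00\x00\x00" + (nt_hash or b"")
    v = bytearray(DATA_BASE)
    struct.pack_into("<II", v, LM_DESC, 0, len(lm_blob))
    struct.pack_into("<II", v, NT_DESC, len(lm_blob), len(nt_blob))
    return bytes(v) + lm_blob + nt_blob + tail

def legacy_parse(v):
    """The size heuristic the slides call the flaw: guess which hashes exist
    from how many bytes follow the LM offset. History bytes inflate the count."""
    off = struct.unpack_from("<I", v, LM_DESC)[0] + DATA_BASE
    size = len(v) - off
    if size > 40:                      # "must be LM & NTLM"
        return v[off + 4:off + 20], v[off + 24:off + 40]
    if size > 20:                      # "must be NTLM only"
        return None, v[off + 8:off + 24]
    return None, None

def header_parse(v):
    """The fixed logic: each hash has its own length header, 0x14 when the
    hash is present and 0x04 when it is not. Nothing is guessed from size."""
    lm_off, lm_len = struct.unpack_from("<II", v, LM_DESC)
    nt_off, nt_len = struct.unpack_from("<II", v, NT_DESC)
    if {lm_len, nt_len} - {PRESENT, ABSENT}:
        raise ValueError("unexpected hash length header")
    lm = v[DATA_BASE + lm_off + 4:][:16] if lm_len == PRESENT else None
    nt = v[DATA_BASE + nt_off + 4:][:16] if nt_len == PRESENT else None
    return lm, nt

if __name__ == "__main__":
    LM, NT = bytes(range(16)), bytes(range(16, 32))   # constructed sample hashes
    rec = build_v(None, NT, bytes(range(64, 92)))     # NT only + 28 bytes of history
    print("legacy:", legacy_parse(rec))               # a bogus LM hash appears
    print("header:", header_parse(rec))               # (None, NT)
```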
Patches!!!!

Patches
  Affected tools                Patched?
  Creddump                      Yes
  Metasploit's Hashdump Script  Yes
  L0phtCrack                    Working with author(s)
  Pwdump7                       Working with author(s)
  FGDump 3.0                    Working with author(s)
  Samdump2                      Fixed in v1.1.1
  Cain & Abel                   Working with author(s)

Questions?