Tools and Techniques for Extracting Password Hashes and Credentials from Windows Systems
Explore various tools and scripts such as ESEDBXTRACT, GPPPFinder, and PowerShell scripts for extracting password hashes and credentials from Windows systems, including NTDS.dit and SYSTEM files, Group Policy Preferences, and more. Learn how to handle different Windows versions and access encrypted passwords in UTF-16 format. Discover new tools and methods to enhance your security auditing and enumeration processes.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
MY CONTINUING MISSION TO REPLACE MYSELF WITH A SMALL SCRIPT PYTHON CONTINUINGMISSION.PY
CONTENTS esedbxtract A script to extract password hashes from NTDS.dit and SYSTEM files. GPPPFinder Group Policy Preference Password Finder Nettynum (v3) A Windows Domain Enumeration Tool
ESEDBXTRACT Extract hashes from NTDS.dit and SYSTEM files from domain controllers. Wrapper script around libesedb s esedbexport, bundles ntdsxtract 1.2 and a modified dshashes.py Handles all the fiddly details like datatable and link_table name changing depending on the version of Windows. Outputs pwdump format
A SHORT ASIDE GET-PASSWORDFILE.PS1 Getting the NTDS.dit and SYSTEM using Powershell. Can t just issue the same commands as you can from cmd.exe the copy fails. I ve found a powershell script online! Not available on the original author s site, so its in the quickscripts repo. Either change the execution policy on the host to allow execution, or just copy the contents of the file into a powershell prompt then call the function: Get-PasswordFile C:\
GPPPFINDER GROUP POLICY PREFERENCE PASSWORD FINDER Introduced by Microsoft in Windows Server 2008 Policy Settings are enforced, Policy preferences are not. Local Groups and User Accounts, Drive Mappings, Schedule Tasks, Services, and Data Sources May have usernames and passwords. Stored within the preference item in SYSVOL in the GPO containing that preference item. MS14-025 (13thMay 2014) Removed the ability to create new preferences with credentials in them. But doesn t remove existing preferences.
GPPPFINDER Password is UTF-16 encoded string padded so that the length is a multiple of 16 (padding is chr of amount of padding required) then encrypted with a publically known key. After encryption the password is base64 encoded and the = padding stripped. Existing Tools: Get-GPPPassword (PowerShell - http://obscuresecurity.blogspot.co.uk/2012/05/gpp- password-retrieval-with-powershell.html) gpp (Metasploit Post Module - http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp) gpprefdecrypt.py (Python - http://esec-pentest.sogeti.com/public/files/gpprefdecrypt.py) gpp-decrypt-string.rb (Ruby - http://carnal0wnage.attackresearch.com/2012/10/group- policy-preferences-and-getting.html)
GPPPFINDER New Tool: Connects to Domain Controller using specified credentials. Searches recursively for XML files Searches XML files for password Parses XML of known files (e.g. groups.xml) Outputs a file containing - username:cpassword:password:file Cross Platform (sudo on linux because of mount command)
NETTYNUM VERSION 3 History v1 (Placement Year), v2 (complete rewrite for final year project, unit testing, design documents, etc), v3 (LDAP) Windows Domain Enumeration with minimum in put from tester finds domain and domain controllers, extracts information, writes output file. Uses Windows API calls and Null session by default (will wrap around rpcclient or net commands on linux eventually ). Iterates through discovered domain controllers until it finds one will null sessions. With credentials it will default to LDAP enumeration Handles Sessions
NETTYNUM By default it will find: domain names domain controllers full group list with comments accounts policy the members of groups that match regular expression or a list of groups the user account information for each of those members.
BaseAuthenticator -log -_allow_deauth : <unspecified> = True -_host : <unspecified> = "127.0.0.1" +get_host() : <unspecified> +authenticate() : <unspecified> +deauthenticate() +_set_allow_deauth() : <unspecified> +_get_allow_deauth() SMBAuthenticator SNMPAuthenticator AuthenticationController -_username : <unspecified> = "" -_passwd : <unspecified> = "" -_domain : <unspecified> = "" -_share : <unspecified> = "IPC$" -_target -_community_string : <unspecified> = None -_host -_authenticators -_authenticated -_username -_domain -_passwd -_community_string +authenticate() : <unspecified> +get_useraname() : <unspecified> +get_passwd() : <unspecified> +get_domain() : <unspecified> +get_target() : <unspecified> +get_share() : <unspecified> +_already_authenticated() : <unspecified> +deauthenticate() : <unspecified> +authenticate() : <unspecified> +get_community_string() +create_sessions() +destroy_sessions() +authenticate() +deauthenticate()
BaseEnumerator BaseEnumerator -log -_auth : AuthenticationController = None -_auth : AuthenticationController = None -log +enumerate() +enumerate() DomainNameEnumerator GroupMembershipEnumerator -_domain_names : <unspecified> = [] -_groups : <unspecified> = [] -_host : <unspecified> = "" +get_domain_names() : <unspecified> +_set_domain_name() +get_host() : <unspecified> +set_host() +get_user() : <unspecified> +set_user() +_set_group() +get_groups() : <unspecified> NetUserGetGroups NetUserGetLocalGroups GroupMembershipEnumerationController LocalGroupMembershipEnumerationController FromFQDN FromObject FromDNSServFQDN DomainNameEnumerationController -_kwargs -_kwargs +enumerate() +enumerate() +enumerate() +enumerate() +enumerate() +enumerate() +enumerate() +enumerate() DomainControllerEnumerator PolicyEnumerator -_doman_controllers : <unspecified> = [] -_domain_name -_host : <unspecified> = "" -_policy : <unspecified> = {} +get_domain_name() : <unspecified> +set_domain_name() +get_domain_controllers() : <unspecified> +_set_domain_controller() +get_host() : <unspecified> +set_host() +get_policy() : <unspecified> +_set_policy() DNSLookup NetGetDC DsGetDCName DomainControllerEnumerationController LockoutPolicy PasswordPolicy -_kwargs PolicyEnumerationController +_lookup_a() +_lookup_srv() +enumerate() +enumerate() +enumerate() +enumerate() -_kwargs +enumerate() +_enumerate_complexity() +_enumerate_password() +enumerate() +enumerate() GroupEnumerator -_groups : <unspecified> = [] -_host : <unspecified> = "" InterestingHostEnumerator +get_host() : <unspecified> +set_host() +get_groups() : <unspecified> +_set_group() -_hosts : <unspecified> = [] +get_hosts() : <unspecified> +_set_host() NetGroupEnum NetLocalGroupEnum GroupEnumerationController LocalGroupEnumerationController FromNetServerEnum FromDNSRecords InterestingHostEnumerationController -_kwargs -_kwargs -_valid_types -_domain_name -_services -_domain_name : <unspecified> = "" -_kwargs +enumerate() +enumerate() +enumerate() +enumerate() +enumerate() +get_domain() : <unspecified> +set_domain() +get_valid_types() : AuthenticationController +_convert_type() +find_hosts() +enumerate() +get_services() : <unspecified> +set_services() +get_domain_name() : <unspecified> +set_domain_name() +lookup() +zone_transfer() +enumerate() GroupMemberEnumerator -_members : <unspecified> = [] -_host : <unspecified> = "" -_group : <unspecified> = "" +get_host() : <unspecified> +set_host() +get_group() : <unspecified> +set_group() +get_members() : <unspecified> +_set_member() BaseUserEnumerator -_host : <unspecified> = "" +get_host() : <unspecified> +set_host() +get_info() : <unspecified> +_assign_info() +_set_info() NetGroupGetUsers GroupMemberEnumerationController NetLocalGroupGetMembers LocalGroupMemberEnumerationController -_kwargs -_kwargs +enumerate() +enumerate() +enumerate() +enumerate() ShareEnumerator UserEnumerator UserInfoEnumerator -_host -_shares -_auth -_info : <unspecified> = [] -_host : <unspecified> = "" -_info : <unspecified> = {} -_host : <unspecified> = "" -_user : <unspecified> = "" +_assign_info() +get_host() +set_host() +get_shares() +set_share() +get_host() : <unspecified> +set_host() +get_user() : <unspecified> +set_user() ShareEnumerationController NetShareEnum NetUserEnum SNMPUserEnum UserEnumerationController NetUserGetInfo UserInfoEnumerationController -_kwargs -_kwargs -_kwargs +enumerate() +enumerate() +enumerate() +enumerate() +enumerate() +enumerate() +enumerate()
DomainControllerEnumerationCon troller Top Package::User DomainNameEnumerationControlle r GroupMemberEnumerationControll er GroupMembershipEnumerationCont roller DomainAutomation Reporter Domain AuthenticationController PolicyEnumerationController GroupEnumerationController UserInfoEnumerationController enumerate() enumerate() get_domain_names() domain names set_domain_name() enumerate() get_domain_controllers() domain controllers set_domain_controller() create_sessions() enumerate() get_policy() policy set_policy() enumerate() get_groups() groups set_group() enumerate() get_members() members set_member() enumerate() get_info() info enumerate() get_groups() groups set_user() destroy_sessions() generate_report() generate()
AuthenticationController Authenticator Top Package::Actor create_sessions() authenticate(type) True authenticated.append() {OR} False authenticate() True {OR} False deauthenticate() destroy_sessions() deauthenticate()
WHERE TO GET THEM: esedbxtract - https://bitbucket.org/grimhacker/esedbxtract GPPPFinder - https://bitbucket.org/grimhacker/gpppfinder Nettynum - https://bitbucket.org/grimhacker/nettynum QUESTIONS?
