1. Credential Storage
1) Linux
(1) /etc/shadow
- Passwords are commonly stored in the form of hashes.
- This file can only be read by the user root.
root@htb:~# cat /etc/shadow
...SNIP...
htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::- $ {id} $ {salt} $ {hashes}
- {id} is the cryptographic hash method used to encrypt the password.
a. $1$: MD5
b. $2a$: Blowfish
c. $5$: SHA-256
d. $6$: SHA-512
e. $sha1$: SHA1crypt
f. $y$: Yescrypt
g. $gy$: Gost-yescrypt
h. $7$: Scrypt
(2) /etc/passwd
- In the past, the encrypted password was stored together with the username in the /etc/passwd file, but this was increasingly recognized as a security problem because the file can be viewed by all users on the system and must be readable.
yeon0815@htb[/htb]$ cat /etc/passwd
...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash- The x in the password field indicates that the encrypted password is in the /etc/shadow file.
2) Windows Authentication Process
(1) LSA (Local Security Authority)
- It is a protected subsystem that authenticates users and logs them into the local computer.
- It maintains information about all aspects of local security on a computer.
- It also provides various services for translating btw names and security IDs. (SIDs)
(2) WinLogon
- It launches LogonUI to enter passwords at login
- It relies on credential providers installed on the system to obtain a user's account name or password.
- After WinLogon obtains a user name and password from the credential providers, it calls LSASS to authenticate the user attempting to log in.
(3) LSASS (Local Security Authority Subsystem Service)
- It is a collection of many modules and has access to all authentication processes that can be found in %SystemRoot%\System32\Lsass.exe.
- It is responsible for the local system security policy, user authentication, and sending security audit logs to the Event log.
(4) SAM (Security Account Manager) Database
- It is a database file in Windows operating systems that stores users' passwords.
- $SystemRoot%/system32/config/SAM
- SYSTEM level permissions are required to view it.
(5) Credential Manager
- It is a feature built-in to all Windows operating systems that allows users to save the credentials they use to access various network resources and websites.
- Saved credentials are stored based on user profiles in each user's Credential Locker.
PS C:\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\
(6) NTDS
- It is very common to come across network environments where Windows systems are joined to a Windows domain.
- In these cases, the Windows systems will send all logon requests to Domain Controllers that belong to the same Active Directory forest.
- Each domain controller hosts a file called NTDS.dit that is kept synchronized across all Domain controllers with the exception of Read-Only Domain Controllers.
2. John The Ripper (JTR)
- The "Jumbo" variant is recommended for those in the security field, as it has performance optimizations and additional features such as multilingual word lists and support for 64-bit architectures. This version is more effective in cracking passwords with greater accuracy and speed.
1) Encryption Technologies
(1) UNIX crypt(3)
- a traditional UNIX encryption system with a 56-bit key.
(2) Traditional DES-based
- uses the Data Encryption Standard algorithm
(3) bigcrypt
- an extension of traditional DES-based encryption.
- uses a 128-bit key.
(4) BSDI extended DES-based
- an extension of traditional DES-based encryption
- uses a 168-bit key.
(5) FreeBSD MD5-based
- uses the MD5 algorithm with a 128-bit key.
(6) OpenBSD Blowfish-based
- uses the Blowfish algorithm with a 448-bit key.
(7) Kerberos/AFS
- These are authentication systems that use encryption to ensure secure entity communication.
(8) Windows LM
- uses the Data Encryption Standard algorithm with a 56-bit key.
(9) DES-based tripcodes
- are used to authenticate users based on the Data Encryption Standard algorithm.
(10) SHA-crypt hashes
- are used to encrypt data with a 256-bit key and are available in newer versions of Fedora and Ubuntu.
(11) SHA-crypt and SUNMD5 hashes (Solaris)
- use the SHA-crypt and MD5 algorithms with a 256-bit key and are available in Solaris.
2) Attack Methods
(1) Dictionary Attacks
- Dictionary attacks involve using a pre-generated list of words and phrases (known as a dictionary) to attempt to crack a password.
(2) Brute Force Attacks
- Brute Force Attacks involve attempting every conceivable combination of characters that could form a password.
- This is an extremely slow process, and using this method is typically only advisable if there are no other alternatives.
(3) Rainbow Table Attacks
- Rainbow table attacks involve using a pre-computed table of hashes and their corresponding plaintext passwords, which is a much faster method than a brute-force attack.
- These are only effective against hashes already present in the table, making the larger the table, the more successful the attack.
3) Cracking Modes
(1) Single Crack Mode
- brute-force attack
- It takes known information, such as usernames or other data from the password file, and tries combinations based on those inputs. (e.g., If the username is john_doe, this mode might try passwords like john, doe123, johndoe!, password_john, etc.)
yeon0815@htb[/htb]$ john --format=<hash_type> <hash or hash_file>yeon0815@htb[/htb]$ john --format=sha256 hashes_to_crack.txt
(2) Wordlist Mode
- dictionary attack
yeon0815@htb[/htb]$ john --wordlist=<wordlist_file> --rules <hash_file>
(3) Incremental Mode
- It is an advanced John mode used to crack passwords using a character set.
- It is a hybrid attack, which means it will attempt to match the password by trying all possible combinations of characters from the character set. (e.g., a, b, ab, abc, 123abc!)
- This mode is the most effective yet most time-consuming of all the John modes. It is highly resource intensive
- The default character set is limited to a-zA-Z0-9. Therefore, if we attempt to crack complex passwords with special characters, we need to use a custom character set.
yeon0815@htb[/htb]$ john --incremental <hash_file>
4) Cracking Files
- It is also possible to crack even password-protected or encrypted files with John.
cry0l1t3@htb:~$ <tool> <file_to_crack> > file.hash
cry0l1t3@htb:~$ pdf2john server_doc.pdf > server_doc.hash
cry0l1t3@htb:~$ john server_doc.hash
# OR
cry0l1t3@htb:~$ john --wordlist=<wordlist.txt> server_doc.hash