Wednesday, May 29, 2013

Poshing the hashes part 2 - Dump Windows password hashes with PowerShell


UPDATE: As mentioned here, even after KB2871997, you could still 'Posh' the SID-500-Administrator's hashes.

OK, this should have been the first part. Read my previous post, Poshing the hashes: Using PowerShell to play with hashes, about what we can do _after_ dumping password hashes. I got many questions on how to dump hashes using PowerShell before using them, so here is a quick post about dumping password hashes using PowerShell:

There is a PowerShell script in the Metasploit Framework called powerdump, which can be used to dump hashes from a Windows machine using PowerShell. It is written by David Kennedy. Let's see it in action.



What just happened? We need SYSTEM privs to use powerdump on a Windows 7 system; even elevated Administrator privileges are not sufficient.

UPDATE (29/06/2014): Get-PassHashes does not require SYSTEM privs anymore for dumping hashes.
(The code posted by SuperGQ in the comments has been used with modifications to achieve this.)

Now, we can get SYSTEM privileges after getting admin using a number of methods. My favorite is using PowerShell. The Enable-DuplicateToken script in Nishang, written by Niklas Goude, can be used. Using this script we can use the SYSTEM token from the lsass process in the current PowerShell thread. So, if we use Enable-DuplicateToken and then call powerdump from the same thread, we can dump password hashes from a Windows 7 machine without using any "third party" tool.

I have combined the scripts and created a payload for Nishang, Get-PassHashes.


Get-PassHashes elevates itself to SYSTEM (needs Admin privs) and dumps password hashes. It is capable of exfiltrating the hashes to pastebin/gmail/tinypaste. This "exfiltration" thing has been improved in Nishang and will be included with many payloads very soon. For now, let's see Get-PassHashes in action.

Nice! We have the hashes. Now, as per my other post, we can use these hashes with Windows Credential Editor and have much more fun with the target and other Windows systems in the network.


As with almost every other payload/script in PowerShell, no AV etc. is bothered with this whole thing.
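For defenders, the chain described above (Enable-DuplicateToken, then powerdump, packaged as Get-PassHashes with optional exfiltration to pastebin/gmail/tinypaste) can be hunted for in logged PowerShell script text. The following is an added example, not code from Nishang or from this post; it assumes PowerShell script block logging (event ID 4104) is enabled and that events have been exported as (host, script text) pairs. The host names, sample events and severity labels are constructed.

```python
import re
from collections import defaultdict

# Script and function names taken from the post. Matching is case-insensitive
# because PowerShell identifiers are case-insensitive.
DUMP_NAMES = re.compile(r"get-passhashes|powerdump", re.I)
TOKEN_NAMES = re.compile(r"enable-duplicatetoken", re.I)
# Exfiltration services named in the post.
EXFIL_NAMES = re.compile(r"pastebin|tinypaste|gmail", re.I)


def classify_hosts(events):
    """Correlate indicators per host across many logged script blocks.

    events: iterable of (host, script_block_text) pairs from 4104 events.
    Returns {host: severity}. A host that only references an exfiltration
    service is omitted, since that alone is common and benign.
    """
    seen = defaultdict(set)
    for host, text in events:
        if DUMP_NAMES.search(text):
            seen[host].add("dump")
        if TOKEN_NAMES.search(text):
            seen[host].add("token")
        if EXFIL_NAMES.search(text):
            seen[host].add("exfil")
    verdicts = {}
    for host, tags in seen.items():
        if "dump" in tags and "exfil" in tags:
            verdicts[host] = "critical"  # hash dumping plus an outbound channel
        elif "dump" in tags:
            verdicts[host] = "high"      # hash dumping function referenced
        elif "token" in tags:
            verdicts[host] = "medium"    # SYSTEM token duplication only
    return verdicts


# Constructed sample events (hypothetical hosts and script text).
SAMPLE_EVENTS = [
    ("WS01", "function Enable-DuplicateToken { }"),
    ("WS01", "Get-PassHashes"),
    ("WS01", "# constructed: results posted to pastebin"),
    ("WS02", "# constructed: admin script reading a pastebin page"),
    ("SRV3", "function powerdump { }"),
    ("WS04", "enable-duplicatetoken"),
]

if __name__ == "__main__":
    for host, level in sorted(classify_hosts(SAMPLE_EVENTS).items()):
        print(host, level)
```

Name matching only catches unmodified copies of these scripts, so treat a hit as one signal to correlate with others rather than as complete coverage.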

Get-PassHashes can be obtained from the Nishang repository. Please check out the repository. Existing users, please update your repos.

UPDATE:

Did Microsoft break Poshing the hashes with KB2871997 and KB2928120? This blog post disagrees:
http://www.pwnag3.com/2014/05/what-did-microsoft-just-break-with.html

Hope you enjoyed this; share your thoughts using the comments below. As always, please feel free to send bugs, feedback and feature requests.

Wednesday, May 8, 2013

Kautilya 0.4.3 - New exfiltration methods, faster payloads and call for contributors

While using Kautilya in penetration tests, one shortcoming always bugged me: data exfiltration was possible with pastebin only. Especially for the Keylogger module, pastebin-only support reduces it to a PoC-only thing. Not anymore, I give you Kautilya 0.4.3!

From this version onwards, Kautilya supports pastebin, gmail and tinypaste across all payloads which need to communicate with the internet. No more 10-post limit, which pastebin enforces. Gmail is the recommended choice for the keylogger payload because of the number of pastes or posts it does. If you have enabled two-factor authentication for a gmail account, just generate an application-specific password and use it with a payload; it works fine.

Tinypaste is also a good one as there are no limits on pasting.

Also, I have (finally) trimmed the variable names in the PowerShell scripts which are generated by Kautilya. It means faster "typing" of payloads on a target. Enjoy!

If you want to contribute to Kautilya, contact me! You will be credited and there is guaranteed fun.

Here is the CHANGELOG for Kautilya 0.4.3:

- Names of various payloads have been changed, mostly to remove pastebin from the name.
- Shortened variable names and PowerShell cmdlet names in many payloads. Payloads are "typed" much faster by HID now.
- Fixed a bug in the Get Target Credentials payload.
- Fixed a bug in DNS TXT Backdoor.
- Hashdump payload now uses TokenDuplication and does not schedule a task on the target; this means the payload is faster now.
- New communication options added to various payloads which exports data to pastebin/gmail/tinypaste.
- Posts to pastebin now use HTTPS.

You can get Kautilya from the Google Code repository.

As always, I look forward to comments, feedback and feature requests.