Non-Uniqueness of passwords: Cracking administrator passwords stored as an LM Hash using an appropriate set of Rainbow tables in an internal pen test.
The following scenario is based on a recent internal penetration test against a large private sector company, concentrating purely on one of the mechanisms used to obtain full control over the internal Active Directory network.
Details have been anonymised, but the same scenario could apply to several different organisations, and is relatively common.
The exploitation process was as follows, starting with no knowledge of the internal network, access to a sample workstation, and a set of normal user credentials.
At the outset of testing, we were supplied with a single, typical, corporate workstation, and credentials for a low-privileged user account which was a member of the “Domain Users” group.
The workstation was configured to boot from the internal hard disk, and the user account had rights to log onto the workstation and run locally installed applications, but did not have local administrative rights. The workstation was also cleanly imaged for the purposes of testing.
The workstation BIOS was password protected, and the case was locked, preventing easy physical access to the workstation hardware, or ready access to the BIOS configuration. It was possible, however, to boot the workstation from a USB device which had been pre-loaded with the Kali Linux operating system (available from https://www.kali.org/), by pressing the “F12” key during boot-up.
From this point it was possible to mount the local hard disk, dump the locally held password hashes from the SAM database, and replace the “sethc.exe” file with “cmd.exe” in order to get an interactive SYSTEM shell – the well-known “sticky key exploit”.
The local hard disk was mounted as follows:
# mkdir c
# mount /dev/sda1 ./c
The local password hashes were then extracted from the SAM database as follows, and imported into the password-cracking utility Oxid CAIN (https://www.oxid.it/cain.html):
~/c/WINDOWS/system32/config# samdump2 system SAM >> ~/hashes.txt
As a final step, although not strictly required, the “Sticky Key” exploit was performed by running the following commands in Kali Linux, rebooting the workstation, and then pressing the “SHIFT” key five times at the Windows login prompt to obtain a “SYSTEM” level command shell.
~/c/WINDOWS/system32/# cp sethc.exe sethc.old
~/c/WINDOWS/system32/# cp cmd.exe sethc.exe
Once the “SYSTEM” level command shell was presented, the supplied user account was added to the local “Administrators” security group, and then used to log on to the workstation with full local administrator privileges.
C:\> net localgroup "Administrators" dionach /add
The extracted password hashes included an LM hash for the local Administrator account, which was cracked, and attempts were then made to connect to other systems with the recovered Administrator password. Most of the servers rejected the password as invalid; however, the main file server FS01 used the same password for its local Administrator account as the workstation did. It was therefore possible to log on to FS01 interactively, disable the local anti-virus software and run the Windows Credential Editor (WCE) utility to extract any in-memory passwords in clear text (masked below):
C:\> wce.exe -w
[...]
Administrator\FS01:!************$
adm.jsmith\domain:A************#
[...]
Please note that WCE (available from https://www.ampliasecurity.com/research/wcefaq.html) is not the only method for performing this attack, but it is generally reliable, and so is usually the first thing we attempt.
As implied by the “adm” prefix, the user “adm.jsmith” was a member of the Active Directory security group “Domain Admins”, so from this point it was trivial to take full control of the entire network.
Please note that the passwords for both the local “Administrator” account and the “adm.jsmith” domain account were strong and complex. However, because the local “Administrator” password was stored as an LM hash, it was relatively straightforward to crack with an appropriate set of Rainbow Tables: LM hashing upper-cases the password, splits it into two seven-character halves and hashes each half independently without a salt, so even a long, complex password reduces to two small, precomputable lookups. Because the same password was used on a production server as on a corporate workstation, it was possible to take full control of that server. From there, obtaining the clear-text password for “adm.jsmith”, or for any other user authenticated to the server, was only a matter of time.
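The two root causes above, LM hashes still being stored and one local administrator password shared across hosts, are both visible in a hash dump before anyone cracks anything. The following audit script is an added example written for this article; it is not part of the original write-up or of any tool it mentions. It reads dumps in the pwdump-style format that samdump2 writes (user:rid:LM:NT:::), reports every account whose LM hash is actually stored (anything other than the empty-LM sentinel), and reports NT hashes that recur on more than one host, which means the same password is in use on each of them. The hostnames, account names and hash values in it are constructed sample data, not real dumps.

```python
"""Audit local-account hash dumps for two weaknesses: LM hashes still being
stored, and the same password (same NT hash) reused across hosts.

Input is the pwdump-style format that samdump2 emits:
    user:rid:lm_hash:nt_hash:::
Example code added to the article; the sample dumps below are constructed,
and the hash values are placeholders, not real credentials."""
from collections import defaultdict

# LM and NT hashes of the empty password. The LM value is what a dump shows
# when no LM hash is stored at all, so neither value is a finding.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dumps keyed by hostname (hash values are placeholders).
SAMPLE_DUMPS = {
    "WKS01": """\
Administrator:500:11111111111111111111111111111111:22222222222222222222222222222222:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dionach:1001:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
""",
    "FS01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
""",
    "SRV02": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
""",
}


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) tuples from pwdump-format lines.
    Blank or malformed lines are skipped rather than aborting the audit."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        yield user, rid, lm, nt


def find_lm_hashes(dumps):
    """Return [(host, user)] for accounts whose LM hash is actually stored,
    i.e. is not the empty-LM sentinel. These are the rainbow-table targets."""
    findings = []
    for host, text in dumps.items():
        for user, _rid, lm, _nt in parse_pwdump(text):
            if lm != EMPTY_LM:
                findings.append((host, user))
    return findings


def find_shared_passwords(dumps):
    """Return {nt_hash: [(host, user), ...]} for NT hashes seen on more than
    one host. NT hashes are unsalted, so equal hashes mean equal passwords;
    empty-password hashes are excluded from the comparison."""
    by_hash = defaultdict(list)
    for host, text in dumps.items():
        for user, _rid, _lm, nt in parse_pwdump(text):
            if nt != EMPTY_NT:
                by_hash[nt].append((host, user))
    return {nt: hits for nt, hits in by_hash.items()
            if len({host for host, _ in hits}) > 1}


if __name__ == "__main__":
    for host, user in find_lm_hashes(SAMPLE_DUMPS):
        print(f"LM hash still stored: {host}\\{user}")
    for hits in find_shared_passwords(SAMPLE_DUMPS).values():
        where = ", ".join(f"{h}\\{u}" for h, u in hits)
        print(f"Same password on multiple hosts: {where}")
```

On the sample data the script reports that WKS01\Administrator still has an LM hash and that WKS01 and FS01 share the same Administrator password, which is exactly the pairing the engagement above turned into a full compromise. An account reported by find_lm_hashes stays crackable by rainbow table until its password is changed with LM storage disabled: the policy “Network security: Do not store LAN Manager hash value on next password change” (the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) prevents new LM hashes being written, but existing ones persist until the next password change. Hosts reported by find_shared_passwords need per-host unique local administrator passwords, for example via Microsoft LAPS, which removes the workstation-to-server step described above.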
LM hashes and the use of Rainbow Tables are discussed further in the following articles:
https://en.wikipedia.org/wiki/Rainbow_tables
https://en.wikipedia.org/wiki/LM_hash