
Pentest Red Team Techniques - Credential Access

Domain Controller Authentication

Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user's account and/or credentials (e.g. Skeleton Key). Skeleton Key works by patching the authentication process (LSASS) on an enterprise domain controller with credentials that adversaries can use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.

An excellent post from Pentestlab covers this technique in depth; it is a great resource, so do check it out.

Man-in-the-Middle

ARP Cache Poisoning

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.

The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address. Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use that information and store it in its ARP cache.

An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.

The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.

Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.
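The poisoning patterns described above (a faster spoofed reply, a gratuitous reply, and one station claiming the addresses of two hosts to sit between them) all leave the same trace on the wire: the IP-to-MAC binding for a host changes, or one MAC starts answering for several IPs. The following is an added example, not from the original post and not Bettercap's code, of a passive monitor that replays constructed ARP reply records through those checks. It assumes a known-good IP-to-MAC baseline (for example, built from DHCP leases) and uses its own record fields.

```python
"""Added example (not from the original post): a passive ARP monitor that flags
the poisoning patterns described in the text. The reply records are constructed
sample data in the shape a sniffer would hand over; the field names are this
example's own and the baseline is an assumed list of known-good bindings."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # MAC address it wants the victim to cache for that IP
    solicited: bool   # False = gratuitous / unsolicited announcement


def analyze_arp(replies: List[ArpReply], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (ip, reason, mac) alerts for every suspicious reply.

    baseline maps IP -> known-good MAC (assumed to come from DHCP leases or a
    clean capture); IPs outside the baseline are still watched for flapping.
    """
    learned: Dict[str, str] = {}                 # IP -> last MAC seen claiming it
    ips_by_mac: Dict[str, set] = defaultdict(set)  # MAC -> every IP it has claimed
    alerts: List[Tuple[str, str, str]] = []
    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        prev = learned.get(ip)
        # A reply that contradicts the trusted baseline is the clearest signal.
        if ip in baseline and baseline[ip].lower() != mac:
            alerts.append((ip, "baseline_mismatch", mac))
        # Otherwise, any change of the binding we learned earlier is worth a look.
        elif prev is not None and prev != mac:
            alerts.append((ip, "binding_changed", mac))
        # Gratuitous replies that rebind an IP are how a poisoner pushes updates.
        if not r.solicited and prev is not None and prev != mac:
            alerts.append((ip, "unsolicited_rebind", mac))
        learned[ip] = mac
        # One MAC answering for several IPs is what "in the middle" looks like.
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((ip, "mac_claims_multiple_ips", mac))
    return alerts


# Constructed sample data: the gateway is known, then a third station claims
# both the gateway and a workstation, then the real gateway answers again.
BASELINE = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01", True),    # legitimate gateway reply
    ArpReply("10.0.0.25", "bb:bb:bb:bb:bb:25", True),   # legitimate workstation reply
    ArpReply("10.0.0.1", "cc:cc:cc:cc:cc:99", False),   # gratuitous claim of the gateway IP
    ArpReply("10.0.0.25", "cc:cc:cc:cc:cc:99", False),  # same station claims the workstation
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01", True),    # real gateway answers a request
]

if __name__ == "__main__":
    for ip, reason, mac in analyze_arp(SAMPLE_REPLIES, BASELINE):
        print(f"{ip:10} {reason:25} {mac}")
```

On a real segment the same logic can be fed from a capture library; the point is that the defender needs a trusted baseline, because ARP itself offers nothing to verify a reply against. Dynamic ARP Inspection on managed switches enforces the same baseline check in hardware.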

Example:

As I am still new to Bettercap, I have managed to put together a small demo of Bettercap ARP spoofing and capturing traffic.

I highly recommend starting to play with the tool and learning from the documentation to get a better hold of this awesome tool.

LLMNR/NBT-NS Poisoning and SMB Relay

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution of other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.

Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.

Several tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder.
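A poisoner of the kind described above behaves differently from a real host in one obvious way: a real host answers LLMNR/NBT-NS queries only for its own name, while a poisoner answers for every name it sees, and answers even for names that do not exist anywhere. The following is an added example, not from the original post and not part of Responder or NBNSpoof, that turns those two facts into a detector. It runs over constructed name-resolution reply records (its own field names), assumes an inventory of which IP owns which hostname, and assumes one or more "canary" names that no real host carries, so any reply to them identifies a poisoner.

```python
"""Added example, not from the original post and not part of any of the tools
it names: a detector for LLMNR/NBT-NS poisoning run over constructed reply
records. The inventory and canary names are assumptions for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LLMNR_PORT, NBTNS_PORT = 5355, 137   # UDP ports named in the text above


@dataclass(frozen=True)
class NameReply:
    responder_ip: str   # host that sent the reply
    port: int           # UDP source port of the reply
    name: str           # name that was being resolved
    answer_ip: str      # address the reply mapped the name to


def find_poisoners(replies: Iterable[NameReply], hostnames: Dict[str, str],
                   canary_names: Iterable[str], min_distinct: int = 3) -> List[Tuple]:
    """Return (responder_ip, reason, detail) alerts.

    hostnames maps IP -> the one name that host legitimately owns (assumed to
    come from DNS/AD); canary_names are names nobody should ever answer for.
    """
    canaries = {n.lower() for n in canary_names}
    names_by_host: Dict[str, set] = defaultdict(set)
    flagged_unregistered = set()
    alerts: List[Tuple] = []
    for r in replies:
        if r.port not in (LLMNR_PORT, NBTNS_PORT):
            continue                                  # DNS and other traffic is out of scope
        name = r.name.lower()
        own = hostnames.get(r.responder_ip)
        if own is None:
            # A host the inventory does not know is answering name queries at all.
            if r.responder_ip not in flagged_unregistered:
                flagged_unregistered.add(r.responder_ip)
                alerts.append((r.responder_ip, "unregistered_responder", r.name))
        elif name != own.lower():
            # A known host answering for a name that is not its own.
            alerts.append((r.responder_ip, "answered_foreign_name", r.name))
        if name in canaries:
            alerts.append((r.responder_ip, "answered_canary", r.name))
        names_by_host[r.responder_ip].add(name)
    # Responder-style tools answer everything: many distinct names from one host.
    for host, names in names_by_host.items():
        if len(names) >= min_distinct:
            alerts.append((host, "answers_many_names", len(names)))
    return alerts


# Constructed sample data: one legitimate file server, one host answering every
# query (including a typo'd share name, WPAD and the canary) with its own address.
KNOWN_HOSTNAMES = {"10.0.0.7": "filesrv01"}
CANARY_NAMES = ("canary-srv-01",)
SAMPLE_REPLIES = [
    NameReply("10.0.0.7", LLMNR_PORT, "FILESRV01", "10.0.0.7"),          # normal
    NameReply("10.0.0.66", LLMNR_PORT, "fileshre", "10.0.0.66"),         # mistyped share name
    NameReply("10.0.0.66", NBTNS_PORT, "PRINTSRV", "10.0.0.66"),
    NameReply("10.0.0.66", LLMNR_PORT, "wpad", "10.0.0.66"),
    NameReply("10.0.0.66", LLMNR_PORT, "canary-srv-01", "10.0.0.66"),    # nobody owns this name
    NameReply("10.0.0.7", 53, "intranet.example", "10.0.0.9"),           # DNS, ignored
]

if __name__ == "__main__":
    for alert in find_poisoners(SAMPLE_REPLIES, KNOWN_HOSTNAMES, CANARY_NAMES):
        print(alert)
```

The canary check is the cheapest of the three: a scheduled job that sends an LLMNR or NBT-NS query for a name that does not exist and alerts on any reply needs no inventory at all. The mitigation side is just as simple: turning off multicast name resolution in the DNS Client group policy and disabling NetBIOS over TCP/IP removes the protocols the poisoner answers on, and requiring SMB signing breaks the relay step.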

Example:

Here we will use Responder, a very well-known and popular tool with red teamers and penetration testers. As the name implies, Responder responds to LLMNR traffic: Windows first uses DNS to resolve a name, and when the name is not found it falls back to LLMNR and NBT-NS. When that lookup also fails and Responder is running, Responder simply says "Hey yeah, this is me..". Now let's show a sample.

Responder

In this demonstration the user is trying to access a non-existent share. Since the name cannot be found, Responder answers that it is the share the user is looking for and requests a hash to authenticate.

We can check it out ourselves by using the Run dialog and searching for a share.

Input Capture

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.

Web Portal Capture

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the Initial Compromise by exploitation of the externally facing web service.

Example:

Here, by creating a simple login form in HTML and combining it with the SETOOLKIT tool, this custom login form will capture credentials from the user; it just needs some social engineering to have the user enter their credentials.

GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).

Adversaries may mimic functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite. This type of prompt can be used to collect credentials via various languages such as AppleScript and PowerShell.

Example:

I will demonstrate GUI input capture using a tool called Pickle. The tool is great for social engineering on internal networks, making users believe they need to log in again because of an error or anything else that tricks them into entering their credentials. The great thing about this tool is that it will actually try the credentials against SMB and verify whether they are correct.

A sample of the prompt asking for credentials, with incorrect ones typed in.

Once the correct credentials are entered, the prompt closes and the correct credentials are shown.

Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes. Some methods include:

· Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.

· Reading raw keystroke data from the hardware buffer.

· Windows Registry modifications.

· Custom drivers.

· Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.

Example:

In this demo I will use a simple PowerShell keylogger, to show that although this technique is very well known it is still reliable in its own way, and that with a PowerShell implementation it can be run completely in memory. We just need to be aware that while this script logs the keystrokes, it will create a file on disk with all the input; the script needs to be cancelled for the file to be created.

We will import the script into our PowerShell session and start running the module.

Once we cancel, Notepad will open with all the keystrokes recorded while it was running.

Of course this isn't OPSEC safe, but it is a simple demonstration of a keylogger; there are many varieties of this technique out there written in many languages (C, C++, C#, etc.).

Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept it.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443.

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on a navigation path for privileged accounts (e.g. an .SCF file placed on the Desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary-controlled server. With access to the credential hash, an adversary can perform offline Brute Force cracking to gain access to plaintext credentials.

There are several different ways this can occur. Some specific forms of in-the-wild use include:

· A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request.

· A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png that will force the system to load the resource when the icon is rendered, to repeatedly gather credentials.
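Whatever the lure (template, LNK, SCF or a share drop), the hash only reaches the adversary if the workstation is allowed to open an SMB or WebDAV connection to the adversary's server. That makes egress the natural place to catch it. The following is an added example, not from the original post, of a flow audit that flags workstation SMB/WebDAV traffic toward the internet or toward an internal host that is not a known file server (the internal demo in this section, where the attacking machine sits on the LAN, falls into that second class). The record format, the internal address ranges and the file-server list are assumptions for the demo; the Microsoft-WebDAV-MiniRedir User-Agent is the one the Windows WebClient service really sends.

```python
"""Added example, not from the original post: an egress audit for the forced
SMB/WebDAV authentication pattern. Flow records are constructed and the
network ranges and server list are assumptions; adjust them for a real site."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumption: the organisation's internal ranges (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}
WEBDAV_PORTS = {80, 443}
# User-Agent prefix used by the Windows WebClient (WebDAV mini-redirector) service.
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    user_agent: str = ""   # only known for HTTP flows that crossed a proxy


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(f: Flow, known_file_servers: Set[str]) -> Optional[str]:
    """Return a severity/reason string, or None when the flow looks normal."""
    if f.dst_port in SMB_PORTS:
        if not is_internal(f.dst_ip):
            return "high: SMB to an internet host (NTLM hash would leave the network)"
        if f.dst_ip not in known_file_servers:
            return "medium: SMB to an internal host that is not a known file server"
    if (f.dst_port in WEBDAV_PORTS
            and f.user_agent.startswith(WEBDAV_UA_PREFIX)
            and not is_internal(f.dst_ip)):
        return "high: WebDAV mini-redirector to an internet host"
    return None


def audit_flows(flows: List[Flow], known_file_servers: Set[str]) -> List[Tuple[str, str, int, str]]:
    findings = []
    for f in flows:
        verdict = classify_flow(f, known_file_servers)
        if verdict:
            findings.append((f.src_ip, f.dst_ip, f.dst_port, verdict))
    return findings


# Constructed sample data: one normal share access, then the three shapes of
# forced authentication, then ordinary browsing that must not be flagged.
KNOWN_FILE_SERVERS = {"10.0.0.10"}
SAMPLE_FLOWS = [
    Flow("10.0.0.25", "10.0.0.10", 445),                                       # normal
    Flow("10.0.0.25", "203.0.113.5", 445),                                     # external SMB
    Flow("10.0.0.25", "10.0.0.66", 445),                                       # rogue internal host
    Flow("10.0.0.25", "203.0.113.5", 80, "Microsoft-WebDAV-MiniRedir/10.0.19041"),  # WebDAV fallback
    Flow("10.0.0.25", "203.0.113.9", 443, "Mozilla/5.0"),                      # browsing
]

if __name__ == "__main__":
    for src, dst, port, verdict in audit_flows(SAMPLE_FLOWS, KNOWN_FILE_SERVERS):
        print(f"{src} -> {dst}:{port}  {verdict}")
```

The "high" findings are the ones a perimeter rule should simply block (outbound TCP 445 from workstations has no business reaching the internet); the "medium" class is what catches the LNK-on-a-share demo below, where the hash is collected by a machine inside the LAN.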

Example:

A very easy way to apply this technique is just by changing the target of an LNK file (SCF files are also used). We can have Responder running on our attacking machine and wait for our victim to click on our modified LNK file, which will try to connect and let us capture a hash. This method forces authentication, since the user is tricked into clicking on our shortcut link and sends us the hashes.

Responder

That way we see that our target uses the modified LNK, which forces the victim to authenticate to our attacking machine.

Credentials from Password Stores

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain them. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading the database file AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim's cached logon credentials as the decryption key.

Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc.

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can significantly further an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

Example:

Users log in a plethora of times using browsers in their day-to-day lives. There are paths that contain these passwords in encrypted form that we can find, and there are also tools that can help us crack these passwords and recover these logins from many browsers.

Brute Force

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Credential Stuffing

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency of users to use the same passwords across personal and business accounts.

Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:

· SSH (22/TCP)

· Telnet (23/TCP)

· FTP (21/TCP)

· NetBIOS / SMB / Samba (139/TCP & 445/TCP)

· LDAP (389/TCP)

· Kerberos (88/TCP)

· RDP / Terminal Services (3389/TCP)

· HTTP/HTTP Management Services (80/TCP & 443/TCP)

· MSSQL (1433/TCP)

· Oracle (1521/TCP)

· MySQL (3306/TCP)

· VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.

Example:

The procedure for this technique usually starts with obtaining the stolen credentials. Even though they are very simple to buy and find, I will not point to any resources that help with this attack (let's be honest, a simple Google search is enough). But once a DB of credentials is found, you might get lucky and actually log in to the service they are meant for, since large-scale organizations have a tendency to reuse these logins.

Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

· SSH (22/TCP)

· Telnet (23/TCP)

· FTP (21/TCP)

· NetBIOS / SMB / Samba (139/TCP & 445/TCP)

· LDAP (389/TCP)

· Kerberos (88/TCP)

· RDP / Terminal Services (3389/TCP)

· HTTP/HTTP Management Services (80/TCP & 443/TCP)

· MSSQL (1433/TCP)

· Oracle (1521/TCP)

· MySQL (3306/TCP)

· VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols", as well as externally facing email applications, such as Office 365.

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create the Windows "logon failure" event ID 4625.

Example:

In this method we will use password spraying. This technique is great in big environments, as sometimes there is password reuse, and we don't need to brute force an account in a live environment and lock it out.

A great tool for this in an environment is CrackMapExec (there are also alternatives that even work with PowerShell). We just need to grab an account list and typically use a very common password format used in corporations, such as Season+Year.

By creating a user list and using it against a single password, we are reversing the brute force technique: instead of trying multiple passwords for one account and causing a lockout, we try one very common password against multiple users.

Password Cracking

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. OS Credential Dumping can be used to obtain password hashes, but this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. The plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.

Example:

Password cracking has been a great method to retrieve passwords offline, a technique used to avoid locking out accounts and leaving logs of multiple attempts in an environment.

Some tools known for this attack are Aircrack-ng, Hashcat, John, Medusa, Ncrack, etc. In this example I will use John the Ripper for a simple demonstration of how hashes can be cracked.

Simply by grabbing a sample NTLM hash file (you do not explicitly need this type, but I will use it) and running it against John with a wordlist, we can crack the hash and recover a password.

Password Guessing

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

· SSH (22/TCP)

· Telnet (23/TCP)

· FTP (21/TCP)

· NetBIOS / SMB / Samba (139/TCP & 445/TCP)

· LDAP (389/TCP)

· Kerberos (88/TCP)

· RDP / Terminal Services (3389/TCP)

· HTTP/HTTP Management Services (80/TCP & 443/TCP)

· MSSQL (1433/TCP)

· Oracle (1521/TCP)

· MySQL (3306/TCP)

· VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create the Windows "logon failure" event ID 4625.
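The Brute Force, Credential Stuffing, Password Spraying and Password Guessing sections above all end up in the same place on the defender's side: a stream of logon failures whose shape tells the variants apart. Many accounts with one or two failures each from one source is a spray; one account hammered from one source is guessing or stuffing; a run of "user does not exist" failures is username enumeration. The following is an added example, not from the original post, that classifies event ID 4625 records into those shapes. It reads a constructed CSV export (time, event id, target user, source address, status), which is an assumption about the export format since real events arrive as EVTX/XML; the thresholds and window are starting points, not standards; the NTSTATUS values are the real ones that 4625 reports.

```python
"""Added example, not from the original post: classifies Windows 4625 logon
failures into spray / brute-force / lockout / enumeration patterns. The CSV
export format and the thresholds are assumptions for the demo."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# NTSTATUS codes carried in the Status/SubStatus fields of event 4625.
STATUS_BAD_PASSWORD = "0XC000006A"
STATUS_LOCKED_OUT = "0XC0000234"
STATUS_NO_SUCH_USER = "0XC0000064"

# Constructed export: a spray from 10.0.0.66, a brute force from 10.0.0.77 that
# ends in a lockout, a user mistyping twice from 10.0.0.25, and one success (4624).
SAMPLE_EVENTS = """\
2024-03-01T09:00:01,4625,alice,10.0.0.66,0xC000006A
2024-03-01T09:00:03,4625,bob,10.0.0.66,0xC000006A
2024-03-01T09:00:05,4625,carol,10.0.0.66,0xC000006A
2024-03-01T09:00:07,4625,dave,10.0.0.66,0xC000006A
2024-03-01T09:00:09,4625,erin,10.0.0.66,0xC000006A
2024-03-01T09:00:11,4625,frank,10.0.0.66,0xC0000064
2024-03-01T09:00:04,4624,alice,10.0.0.25,0x0
2024-03-01T09:10:00,4625,bob,10.0.0.77,0xC000006A
2024-03-01T09:10:10,4625,bob,10.0.0.77,0xC000006A
2024-03-01T09:10:20,4625,bob,10.0.0.77,0xC000006A
2024-03-01T09:10:30,4625,bob,10.0.0.77,0xC000006A
2024-03-01T09:10:40,4625,bob,10.0.0.77,0xC000006A
2024-03-01T09:10:50,4625,bob,10.0.0.77,0xC000006A
2024-03-01T09:11:00,4625,bob,10.0.0.77,0xC000006A
2024-03-01T09:11:10,4625,bob,10.0.0.77,0xC000006A
2024-03-01T09:11:20,4625,bob,10.0.0.77,0xC0000234
2024-03-01T09:30:00,4625,carol,10.0.0.25,0xC000006A
2024-03-01T09:30:20,4625,carol,10.0.0.25,0xC000006A
"""


def parse_events(text: str) -> List[Dict]:
    """Keep only 4625 rows, normalised and sorted by time."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or row[1] != "4625":
            continue
        time_s, _, user, src, status = row
        events.append({"time": datetime.fromisoformat(time_s), "user": user.lower(),
                       "src": src, "status": status.upper()})
    return sorted(events, key=lambda e: e["time"])


def _judge(src: str, bucket: List[Dict], spray_min_users: int, brute_min_attempts: int) -> List[Dict]:
    """Apply the pattern rules to one source's failures inside one time window."""
    per_user: Dict[str, int] = defaultdict(int)
    for e in bucket:
        per_user[e["user"]] += 1
    findings = []
    # Spray: many distinct accounts, each tried only once or twice.
    if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
        findings.append({"src": src, "type": "password_spray", "users": len(per_user)})
    # Guessing / stuffing: one account hit repeatedly.
    for user, n in per_user.items():
        if n >= brute_min_attempts:
            findings.append({"src": src, "type": "brute_force", "user": user, "attempts": n})
    locked = sorted({e["user"] for e in bucket if e["status"] == STATUS_LOCKED_OUT})
    if locked:
        findings.append({"src": src, "type": "lockout_observed", "users": locked})
    unknown = sum(1 for e in bucket if e["status"] == STATUS_NO_SUCH_USER)
    if unknown >= spray_min_users:
        findings.append({"src": src, "type": "username_enumeration", "attempts": unknown})
    return findings


def detect_failures(events: List[Dict], window: timedelta = timedelta(minutes=10),
                    spray_min_users: int = 5, brute_min_attempts: int = 8) -> List[Dict]:
    """Group failures per source into windows and judge each window."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        bucket = [evs[0]]
        for e in evs[1:]:
            if e["time"] - bucket[0]["time"] <= window:
                bucket.append(e)
            else:
                findings.extend(_judge(src, bucket, spray_min_users, brute_min_attempts))
                bucket = [e]
        findings.extend(_judge(src, bucket, spray_min_users, brute_min_attempts))
    return findings


if __name__ == "__main__":
    for finding in detect_failures(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

As the text notes, 4625 is the SMB/NTLM view; a spray aimed at Kerberos or LDAP shows up on the domain controllers instead, as 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) events, so the same grouping should be run over those sources too.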