Capture Windows Passwords on Network Pentester Guide

Capture Windows Passwords Guide

We are going to discuss how to capture windows passwords. In the Kali Linux world, there is more than one way to set up an SMB listener (to capture windows passwords), but now's a good time to bring out the framework that needs no introduction: Metasploit. The Metasploit Framework will play a major role in attacks throughout the book, but here we'll simply set up a quick and easy way for any Windows box on the network to attempt a file- sharing connection.

We start up the Metasploit console with:

# msfconsole

The Metasploit Framework comes with auxiliary modules – they aren't exploiters with payloads designed to get you shell, but they are wonderful sidekicks on a pen test as they can perform things such as fuzzing or, in our case here, server authentication captures. You can take the output from here and pass it right along to a cracker or to an exploit module to progress in your attack. To get a feel for the auxiliary modules available to you, you can type this command in the MSF prompt:

show auxiliary

We'll be using the SMB capture auxiliary module. Before we configure the listener, let's consider a real world pen test scenario where this attack can be particularly useful.

A real-world pentest scenario to capture windows passwords

You have physical access to a facility by looking the part: suit, tie, and a fake ID badge.  Walking around the office, you notice a multifunction printer and scanner. During the course of the day, you see employees walk up to the device with papers in hand, punch something into the user interface, scan the documents, and then walk back to their desks.  What is likely happening here is that the scanner is taking the images and storing them in a file share so that the user can access them from his or her computer.

In order to do this, the printer must authenticate to the file share. Printers are often left with default administrator credentials, allowing us to change the configuration. The accounts used are often domain administrators, or at the very least, have permissions to access highly sensitive data. How you modify the printer's settings will depend on the specific model. Searching online for the user guide to the specific model is a no-brainer.

The idea is to temporarily change the destination share to the UNC path of your Kali box. When I did this, I kept a close eye on the screen; once I captured authentication attempts, I changed the settings back as quickly as I could to minimize any suspicion. The user's documents never make it to the file share; if it only happens once, they'll likely assume a temporary glitch and think nothing of it. But if multiple users are finding they consistently can't get documents onto the share, IT will be called.

Configuring our SMB listener

We have the MSF console up and running, so let's set up our SMB listener. We run this command at the MSF prompt:

use server/capture/smb

As with any Metasploit module, we can review the options available in this SMB capture module by commanding:

show options

The following screenshot illustrates the output of the preceding command:

Capture Windows Passwords

Let's take a look at these settings in more detail to capture windows passwords:

  • CAINPWFILE defines where captured hashes will be stored, but in the cain format. Cain (the powerful sniffing and cracking suite mentioned earlier, written for Windows) will capture hashes as it does its job, and then you have the option to save the data for later (capture windows passwords). The file that's created puts the hashes in a format cain recognizes. You can point cain to the file that's created here, using this flag. We aren't using cain, so we leave this blank.

  • CHALLENGE defines the server challenge that is sent at the start of the authentication process. You'll recall that hashes captured off the network are not naked hashes like you'd find in the SAM, as they're password equivalents. They are encrypted as part of a challenge-response mechanism. What this means for us is we need to crack the captured hash with the same challenge, a number that's normally randomly generated – so we define it, making it a known value. Why 1122334455667788? This is simply a common default in password crackers.  The only key factor here is that we can predict the challenge, so, in theory, you can make this number whatever you want. I'm leaving it as the default so I don't have to toy around with cracker configuration later, but something to consider is whether a sneaky admin would notice predictable challenges being used. Seeing a server challenge of 1122334455667788 during SMB authentication is a dead giveaway that you're playing shenanigans on the network.

  • JOHNPWFILE is the same setting as CAINPWFILE, but for John the Ripper. I know what the 19th-century British historian in you is saying: His name

  • was Jack the Ripper. I'm referring to the password cracker, usually called John for short. We will be exploring John later, as it is probably the most popular cracker out there.  For now, I'll define something here, as the John format is fairly universal and it will make my cracking job easier.

  • SRVHOST defines the IP address of the listening host. It has to point at your attacking box. The default of should be fine for most cases, but this can be helpful to define when we are attached via multiple interfaces with different assignments.

  • SRVPORT defines the local listening port, and as you can imagine, we'd only change this in special situations. This should usually stay at the default of 445 (SMB over IP).

The challenge/response process described here is NTLMv1. NTLMv2 has the added element of a client-side challenge. Crackers are aware of this and our SMB capture module will show you the client challenge when it captures an authentication attempt.

Final Steps to Capture Windows Passwords

Let's define SRVHOST to the IP address assigned to our interface.

  1. I'll run ifconfig and grep out inet to see my IP address

  2. Using the set command, we define SRVHOST with our IP

  3. Even though this isn't technically an exploit, we use the same command to fire off our module

Capture Windows Passwords

And that is it to capture windows passwords. It runs in the background so you can keep working. The listener is running and all you need is to point a target at your IP address.

Check out the HTTP method for capturing NTLM authentication. Follow the same steps, except issue the following command at the MSF console prompt instead:  use auxiliary/server/capture/http_ntlm. This will create an HTTP link so the user will authenticate within their browser, which is potentially useful in certain social engineering scenarios. You can even SSL encrypt the session.

We have a hit! The screen lights up with the captured authentication attempts (capture windows passwords):

Capture Windows Passwords

We can open up our John capture file in nano to see the output formatted for cracking. This attack worked, but there's one nagging problem with it: we had to trick the device into trying to authenticate with our Kali machine. With the printer, we had to modify its configuration, and a successful attack means lost data for the unsuspecting user, requiring our timing to be impeccable if we want the anomaly to be ignored.

Learn How to bypass Mac Filtering. Thanks for reading now let me recommend you some other practical guides about penetration testing of Remote Access Protocols, Remote Desktop ProtocolSSH Network Protocol, Network RoutersWordpress website using WPSeku from My Hack Stuff.



AC Milan,4,Arsenal,9,Atalanta,5,Atletico Madrid,6,Barcelona,15,Bayern München,6,Bundesliga,18,Business,1,Chelsea,13,Coronavirus,2,Cristiano Ronaldo,13,Dortmund,2,Ethical Hacking,46,Exploitation,35,FA Cup,2,Featured,215,Football,228,Footprinting,29,Google Adsense,2,Inter Milan,5,Juventus,15,Kali Linux,39,Kali NetHunter,3,LaLiga,39,Lazio,4,Leicester City,7,Ligue 1,26,Liverpool,12,Lyon,5,Make Money,3,Manchester City,15,Manchester United,14,Messi,2,Metasploit,1,Napoli,4,Offensive Security,17,Penetration Testing,15,Politics,2,Post Exploitation,19,Premier League,68,PSG,6,Real Madrid,13,Roma,3,Search Engine Optimization,4,Serie A,32,Sevilla,1,Sports,199,Technology,36,Tips,16,Tottenham Hotspur,10,Trending,443,UEFA Champions League,10,UEFA Europa League,11,United States,1,Windows,7,World News,7,
My Hack Stuff: Capture Windows Passwords on Network Pentester Guide
Capture Windows Passwords on Network Pentester Guide
My Hack Stuff
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share to a social network STEP 2: Click the link on your social network Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy Table of Content