Using the Windows LSA hashes obtained from crackmapexec

1

I have obtained some hashes by using crackmapexec and dumping them from the LSA process. The hashes are in this form (the data below is fake):

adm_name:c6f132a235209036744ba5d303bd5d9b:SOME.ORGANISATION.COM:ORGANISATION:::

The hash identification utilities on Kali do not recognize the hash as is, but give some output if the hash is modified.
For the hash-identifier tool, the input:

c6f132a235209036744ba5d303bd5d9b

Results in:

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

For the hashid tool, the input:

adm_name:c6f132a235209036744ba5d303bd5d9b

Outputs:

[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2

john accepts the hashes as is, but reports:

Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-old"
Use the "--format=NT-old" option to force loading these as that type instead

hashcat will attempt to crack them (using the -m 1000 flag for NTLM hash types) if the format is just the digest (as in the hash-identifier input example above).

I assume these cannot be used in a "pass the hash" attack, as the digest appears to be the cached NT hash credential type (unsalted MD4).

Besides revealing usernames, what use are these hashes in this form to an attacker? Any guidance would be great!

    
asked by user1330734 10.05.2018 - 02:55

1 answer

2

DCC are their own formats. In JtR, they are:

mscash-opencl
mscash2-opencl

... and in hashcat, they are:

1100 | Domain Cached Credentials (DCC), MS Cache        | Operating Systems
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2   | Operating Systems

As you noted, while these can be cracked, they cannot be used in pass the hash. They are also not guaranteed to be current, so even if you crack them, they may represent an expired password that cannot be used for "live" online authentication.

    
answered by Royce Williams 10.05.2018 - 15:52