
Hash Injection Report

Members:

Phm Minh Lc
o Vn T
Hng Phc
Nguyn Ngc Cng

Summary

Windows Hash

Microsoft Authentication

Cached Credentials

Hash Dumpers

Demo
Windows Hash
When we create a password for an account, the password is not stored on the system in clear text. Storing passwords in clear text is not a good idea, because anyone who manages to read the password file then knows every account stored on the system.

On the other hand, if no form of the password exists on the system at all, a user logon cannot be verified. To get around this, system designers hash the password with a one-way hash and store the hash on the system. When a user logs in, the password typed in is hashed and the result is compared with the stored hash value; if they match, the logon is allowed.

A one-way hash is a function that transforms an input text string into a fixed-length output string. Because the function is one-way, there is no function that takes the output string and recovers the original input string; the only way back is to try every possible input string until one produces the output string being looked for.

For this reason, a hacker who captures the hash database cannot immediately use it to break into the system, because the passwords first have to be cracked. A long and complex password can cost the hacker an enormous amount of cracking time (millions of years for a good password).

That argument only holds where the system demands the clear-text password. As the rest of this report shows, the Windows LM and NT hashes are unsalted and the NTLM protocol authenticates with the hash itself, so a stolen hash is a password equivalent: it can be injected into a logon session and used without ever being cracked.
Microsoft Authentication
Windows systems currently use one or more of the following authentication methods:
LanManager (LM)
NT LAN Manager (NTLM)
NT LAN Manager 2 (NTLMv2)
Kerberos

LanManager (LM)
The LAN Manager hash is one of the formats that Microsoft LAN Manager and the Microsoft Windows versions before Windows Vista use to store user passwords of fewer than 15 characters. It is the only password hash used in Microsoft LAN Manager, hence the name LM, and in the Windows versions up to Windows Me. It is still supported in many more recent Windows versions for backward compatibility, although in Windows Vista and later it has to be explicitly enabled because it is turned off by default.

LanManager (LM)
LM is the oldest and least secure password hashing mechanism in Windows. The password is converted to upper case, padded to 14 characters and split into two 7-character blocks. Each block is hashed independently (it is used as a DES key to encrypt a fixed constant) and the two results are concatenated. As a result an intruder only has to crack two independent 7-character hashes, and only has to consider upper-case letters, digits and symbols in the password. With today's hardware that is very easy to do. The mechanism is used by Windows 3.1/95/98.
A further weakness of LM is on the network side: when logging on to a network system, a response derived from the hash with weak (DES-based) encryption is sent over the network. This makes it possible to capture the hashed material by sniffing the network.

NT LAN Manager (NTLM)
The NT hash is produced by hashing the user's password with MD4. It is much stronger than LM: it accepts the Unicode character set and the password is not split into shorter blocks. The hash is still unsalted, so two accounts with the same password have the same NT hash. In NTLM authentication the hash itself is not sent over the network; it is used as a key to compute the response to the server's challenge, and a system can additionally be configured (the LAN Manager authentication level policy) so that the weaker LM response is never sent.

NT LAN Manager (NTLM)
NTLM is a Microsoft authentication protocol used to authenticate users on a network or on a standalone computer. When authenticating in a domain, NTLM uses the user name, the domain name and a result derived from the password hash to check whether the user is legitimate.
For more depth on NTLM see:
http://en.wikipedia.org/wiki/NTLM
http://msdn.microsoft.com/en-us/library/aa378749.aspx

NT LAN Manager 2 (NTLMv2)
Uses the same NT hash as NTLMv1 but with a much safer mechanism for authenticating a user over the network: the response is an HMAC-MD5 over the server challenge and a client-supplied blob (timestamp, client nonce, target information), keyed with HMAC-MD5(NT hash, upper-case user name + domain name).

The response is considerably longer than in NTLMv1.

Windows NT/2000 LAN and MAN authentication uses MD4 (NTLMv1) and HMAC-MD5 (NTLMv2).

Microsoft adopted Kerberos as the preferred authentication protocol for Windows 2000 and Windows 2003 Active Directory domains. Kerberos is normally used when a client belongs to a Windows Server domain, or when a trust relationship with a Windows Server domain has been established some other way (such as Linux authenticating against Windows AD).

NTLM is still used in the following situations:
- The client authenticates to a server using an IP address.
- The client authenticates to a server that belongs to a different Active Directory forest, or that does not belong to a domain at all.
- No Active Directory domain exists (often called a "workgroup" or "peer-to-peer").
- A firewall would otherwise restrict the ports Kerberos needs (which are quite a few).

Kerberos
Kerberos is a cryptographic protocol for authentication in computer networks that operate over insecure links. The Kerberos protocol resists eavesdropping and replay of captured packets and guarantees data integrity. The protocol was designed for the client-server model and provides mutual authentication of both sides.
The protocol is built on symmetric cryptography and needs a third party that both sides of the transaction trust.

Kerberos authentication uses a central server to verify user authentication and to issue service tickets with which the user can access resources. Kerberos is a very secure authentication method because it uses strong encryption. Kerberos also depends on accurate time between the server and the client computer, so a time server or the authenticating servers must be synchronised with Internet time servers.
Kerberos is the main authentication platform of many operating systems, such as Unix and Windows.
To remain compatible with older Windows systems, most new systems have all of the authentication mechanisms above enabled. LM is enabled to let Windows connect to workgroups, Windows 95 and Windows 98. If you do not have to share a network with such systems you do not need it, and it should be disabled. Windows Local and Group Policy settings are available to control which LanMan versions a system accepts.

Authentication principle
Cached Credentials
When a domain account logs on to a computer in the domain, the password typed in is hashed and cached on that computer.
Cached credentials are stored in the registry under HKEY_LOCAL_MACHINE\SECURITY\Cache, in values named NL$1, NL$2, ... that hold the information of users who logged on previously.
Cached credentials are used when no domain controller is reachable and serve to verify a password: when a user supplies a password to log on to the domain, the password is hashed and compared with the hash value of the password saved earlier in the cache; if they match the user is allowed to log on, otherwise not.
Note that the cached value is not the NT hash itself but a derived value (MS-Cache) that also mixes in the user name, so it has to be cracked before it can be used; the NT hashes that hash injection replays are the ones LSASS keeps in memory for logon sessions that are still active.
Hash Dumpers
These are tools used to extract LM and NTLM hashes from the SAM database (a part of the registry that manages security information).

They can also retrieve the hashes held on the system from earlier logons.
To raise security the SAM file is encrypted, but most hash dumpers know how to decrypt it.

One thing to note is that running a hash dumper requires a user with administrator rights.
Demo 1: Domain model
The model consists of 3 machines:

Machine 1 is promoted to Domain Controller.

Machine 2 runs Windows and is joined to the domain.

Machine 3 plays the role of the hacker's machine, on the same network as machines 1 and 2 but not joined to the domain.
Attack description
Having obtained the user name and password of the local admin account on the Client machine, the hacker can impersonate any domain user who logs on to the Client, reach the domain controller and take data from it without needing that account's user name and password.
Prerequisites
1. The Client machine is joined to the domain.

2. The hacker has obtained the user name and password of the local admin account on the Client.

3. A domain user logs on to the Client machine.
Tools used
Psexec.exe

Gsecdump.exe

Msvctl.exe

Psexec.exe
A telnet-like utility and remote administration program similar to Symantec's pcAnywhere.

Psexec can execute programs on remote systems and interact with a command line on them.
psexec [\\computer[,computer2[,...] | @file][-u user [-p psswd]][-n s][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]

-s: run the remote process in the System account
-u: user name to log in to the remote system with
-p: password of that user
-c: copy the program to the remote system for execution
Gsecdump.exe
Extracts the hashes from the SAM file and the cached domain credentials; it can also extract LSA secrets, wireless keys and the hashes of active logon sessions.

Gsecdump cannot operate on a remote system by itself; to run it on a remote system we run it through psexec.
gsecdump [options]
options:
-h [ --help ]             show help
-a [ --dump_all ]         dump all secrets
-l [ --dump_lsa ]         dump lsa secrets
-w [ --dump_wireless ]    dump microsoft wireless connections
-u [ --dump_usedhashes ]  dump hashes from active logon sessions
-s [ --dump_hashes ]      dump hashes from SAM/AD
Msvctl.exe
Basically a program for logging in to a system using a hash in place of the password.
Example:
C:\>msvctl ibuetler::25b425XXXXXXXXXXXXXXXXec5cabcc:fa1d701b2YYYYYYYYYYYYYYYY715b5::: run cmd.exe
From the hacker's machine, use psexec to run gsecdump.exe remotely on the Client. gsecdump extracts the hashes held on the workstation for the domain users who have logged on there.
The Client's local admin account is administrator, with password 123.
Use msvctl to log in with the rights of userdomain3 via its hash value.
A cmd window now runs with the current rights of userdomain3.
Map a shared folder on the server to any drive letter.
Look at the shared folders on the DC.
Use the net use command to map the shared folder as a local drive.
Depending on the rights of userdomain3 on the shared folder, we get the matching rights on the mapped drive.
Create the folder tailieu on drive Z.
Run msvctl again with the rights of the user admindomain (a member of the domain's Domain Admins group).
With the rights of admindomain we can now map drive C: of the server.
Move to the folder containing the tools.
Run gsecdump -s to extract the hash values of every user stored in AD.

With the current rights of admindomain we are not asked for the user name and password of the Domain Controller.
We can also create users on the server.
Create a backdoor on the domain controller
Step 1: Map a share on the DC as a local drive (drive I:).

Step 2: Copy the netcat program to drive I: (the netcat file then also appears on the DC in the shared folder).

Step 3: Use psexec to run netcat on the DC.
Copy netcat to the domain controller: copy netcat into the fileserver folder on the DC. The file nc.exe (netcat) is now in the fileserver folder on the DC.
Use psexec to run netcat on the DC, opening port 3333 on the DC.
From the hacker's machine, use netcat to connect to port 3333 on the DC. The hacker can now carry out operations on the DC as if sitting at it.
Alternatively, telnet to the DC on port 3333; a telnet window opens from which every operation on the DC can also be carried out.
On the DC, use netstat to look at the machine's connections: port 3333 is currently listening on the DC.
Countermeasures
In this demo we see that the best defence is to turn off cached credentials on the machines users log on to, so the hacker cannot extract the hashes of the domain users who logged on earlier.

There are two ways to disable cached credentials.
To disable caching on specific machines in the domain, do it on that machine:

Open the registry and find the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50
The value 0-50 is the number of user logons the machine caches.

To disable caching, set the value to 0. The side effect is that domain users can no longer log on to that machine while no domain controller is reachable.
To disable caching on every machine in the domain, set the corresponding policy on the domain controller (Interactive logon: Number of previous logons to cache, under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options).

Caveat: CachedLogonsCount only governs the MS-Cache values in HKEY_LOCAL_MACHINE\SECURITY\Cache, which serve logons while no DC is reachable and must be cracked before use. The NT hashes that gsecdump -u and msvctl replay belong to logon sessions that are still active and live in LSASS memory for as long as the session lasts, so this setting does not close that path. The attack depends on the hacker holding local administrator rights on the Client; limiting who has local admin, not logging on to workstations with Domain Admin accounts and disabling LM hash storage narrow what a hacker can collect.



Introduction to some attack tools
used in Hash-Injection
Whosthere
This tool lists the logon sessions of users (user:domain:LM hash and NT hash). To run it you must hold Admin rights on the machine it runs on.
The tool is very popular: you only need to wait for an administrator to log on to the compromised server, or to log on to your machine remotely. At that point running whosthere.exe shows (user:domain:NTLM).
Iam
The command structure of the Iam tool is:
Iam.exe -r cmd.exe -b -h username:Domain-or-server-IP-address(\\192.168.1.1):LMhash:NThash

Example:
iam.exe -r cmd.exe -b -h u1:pla:ADFAF0987:FAFAADSF97
OR
iam.exe -r cmd.exe -b -h u2:\\192.168.1.1:GHDHAFGSGSG:DSFGDGGFS678
This program uses (user:domain:NTLM) to log on to the domain with the rights of the user whose hash you dumped with Whosthere above.
It opens a cmd window in which you can run commands with the rights of the user you logged on as.
Use the net view command to see the shared files and map them; you use the shares with the rights of the user you logged on as.
Options:
-h: username:domainname:LMhash:NThash
-H: this help
-r: create a new logon session and run a command with the supplied credentials (e.g. -r cmd.exe)
-b: use this option if iam.exe crashes or does not work on your system; iam.exe then tries to locate the addresses in memory instead of using hard-coded values
-D: enable debug output
SMBRelay man-in-the-middle
SMBRELAY
An SMB server that can collect user name and password hash material from the SMB traffic that reaches it.
In addition, SMBRELAY can carry out a MITM attack.
SMBRelay options
/D num - Set debug level, current valid levels: 0 (none), 1, 2. Defaults to 0
/E - Enumerates interfaces and their indexes
/IL num - Set the interface index to use when adding local IP addresses
/IR num - Set the interface index to use when adding relay IP addresses. Defaults to 1. Use /E to display the adapter indexes
/L[+] IP - Set the local IP to listen on for incoming NetBIOS connections. Use + to first add the IP address to the NIC. Defaults to primary host IP
/R[-] IP - Set the starting relay IP address to use. Use - to NOT first add each relay IP address to the NIC. Defaults to 192.1.1.1
/S name - Set the source machine name. Defaults to CDC4EVER


SMBRelay man-in-the-middle scenario
Setting up the SMBRelay server
Setting up a fake SMBRelay server is simple. The first step is to run the SMBRelay tool with the enumerate switch to identify a suitable physical interface on which the listener can run:
C:\> smbrelay /E

In the example, the interface with index 2 is the most suitable choice because it is a physical card that can be reached from a remote system.
Starting the server on Windows 2000 systems takes a trick, because the operating system will not let another process bind to the SMB port TCP 139 while it is using that port itself. One workaround is to temporarily disable TCP 139 by selecting Disable NetBIOS over TCP/IP: open the Properties of the appropriate Local Area Connection, then the Properties of Internet Protocol, click the Advanced button, then select the appropriate radio button on the WINS tab and choose Disable NetBIOS over TCP/IP. Once that is done, SMBRelay can bind to TCP 139.

If disabling TCP 139 is not an option, the attacker has to create a virtual IP address on which to run the fake SMB server. Fortunately SMBRelay offers automatic creation and removal of virtual IP addresses with a simple switch, /L+ ip_address.
C:\> smbrelay /IL 2 /IR 2 /L+ 192.168.30.54 /R- 192.168.30.54
SMBRelay then starts accepting SMB session negotiations. When a victim client successfully negotiates an SMB session, SMBRelay carries out the following sequence:

- The fake SMB server captures the victim's user name and password hash material.
- These hashes are in encrypted (challenge-response) form.
- They can be fed to password-cracking software such as L0phtCrack.
That is not the main function of SMBRELAY, however: we can break into the client simply by connecting through the relay address. This is what it looks like:
C:\>net use * \\192.168.30.54\c$
Drive G: is now connected to \\192.168.30.130\c$.
The command completed successfully.
C:\>dir g:
Volume in drive G has no label
Volume Serial Number is 44F0-BFDD
Directory of G:\
12/02/2000 10:51p <DIR> Documents and Settings
12/02/2000 10:08p <DIR> Inetpub
05/25/2001 03:47a <DIR> Program Files
05/25/2001 03:47a <DIR> WINNT
0 File(s) 0 bytes
4 Dir(s) 44,405,624,832 bytes free



A few problems commonly arise when using SMBRelay. Only one connection attempt from a given victim IP address is handled; every further attempt from the same address produces an error (this is by design in the program). You may also run into trouble even when the initial setup succeeded, receiving a message such as "Login failure code: 0xC000006D." (STATUS_LOGON_FAILURE). Restarting SMBRelay eases these problems (press CTRL-C to stop it). You may also see spurious connections from the Loopback adapter.

SMBRelay can be unstable and its results are not always entirely correct, but when it works it is clearly a devastating attack: the man-in-the-middle host gains full access to the target server's resources without lifting a finger.
Of course the main difficulty is first persuading the victim client to authenticate to the MITM server, and we have discussed several ways to do that. One can send the victim an e-mail message with an embedded hyperlink pointing at the address of the MITM SMBRelay server, or carry out an ARP poisoning attack against a whole network segment so that every system on it authenticates through the rogue MITM server.
Countermeasures
The obvious countermeasure to SMBRelay is to configure Windows 2000 to use SMB Signing, now referred to as digitally signing client/server communication. As the name suggests, configuring Windows 2000 to digitally sign client or server communication makes it cryptographically sign each block of SMB communication. The signature can be checked by a client or a server to guarantee the integrity and authenticity of each block, which in theory makes the fake SMB server unusable (in practice this depends on the signing algorithm used). The signing key is derived from a session key that both ends compute from the user's NT hash; the relay never learns that hash, so it can forward the authentication but cannot sign the requests it wants to make itself.
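The relay sequence described in the scenario above and the SMB Signing countermeasure, as an added simulation (not part of the original report and not the SMBRelay tool's code): the target server, the victim client and the relay are plain Python objects exchanging NTLMv2-style messages in memory rather than real SMB packets; the NTLMv2 blob is reduced to the two challenges, and SMB signing is reduced to an HMAC with the session key. The account name, domain and command are constructed; the NT hash constant is the published hash of the password "password".

```python
import hashlib
import hmac
import os

# Constructed example data, not taken from any real system.
VICTIM_USER, VICTIM_DOMAIN = "victim", "CORP"
VICTIM_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over upper-case user + domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(key: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """Simplified NTProofStr; the real blob also carries a timestamp and target info."""
    return hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest()


def session_key(key: bytes, proof: bytes) -> bytes:
    """NTLMv2 session base key, from which the SMB signing key is derived."""
    return hmac.new(key, proof, hashlib.md5).digest()


def smb_sign(key: bytes, message: bytes) -> bytes:
    """Simplified SMB signature: an HMAC over the message with the session key."""
    return hmac.new(key, message, hashlib.md5).digest()


class SmbServer:
    """The target. It knows only the NT hashes in its account database."""

    def __init__(self, accounts: dict, require_signing: bool):
        self.accounts, self.require_signing, self.sessions = accounts, require_signing, {}

    def negotiate(self) -> bytes:
        return os.urandom(8)  # fresh 8-byte server challenge

    def authenticate(self, user, domain, server_challenge, client_challenge, proof):
        key = ntowf_v2(self.accounts[user], user, domain)
        if not hmac.compare_digest(nt_proof(key, server_challenge, client_challenge), proof):
            return None
        sid = os.urandom(4).hex()
        self.sessions[sid] = session_key(key, proof)  # server side of the signing key
        return sid

    def execute(self, sid, command: bytes, signature):
        if self.require_signing:
            expected = smb_sign(self.sessions[sid], command)
            if signature is None or not hmac.compare_digest(expected, signature):
                return "rejected: missing or invalid SMB signature"
        return "executed: " + command.decode()


class SmbClient:
    """The victim workstation. It answers whatever challenge its 'server' sends."""

    def __init__(self, user, domain, nt_hash):
        self.user, self.domain, self.nt_hash, self.key = user, domain, nt_hash, None

    def respond(self, server_challenge):
        client_challenge = os.urandom(8)
        rk = ntowf_v2(self.nt_hash, self.user, self.domain)
        proof = nt_proof(rk, server_challenge, client_challenge)
        self.key = session_key(rk, proof)  # the victim can sign; the relay cannot
        return self.user, self.domain, client_challenge, proof


class SmbRelay:
    """Man-in-the-middle: takes the target's challenge, hands it to the victim,
    and replays the victim's answer to the target. It never sees the NT hash."""

    def __init__(self, target):
        self.target, self.sid = target, None

    def accept(self, victim) -> bool:
        chal = self.target.negotiate()                      # 1. open a session to the target
        user, domain, cchal, proof = victim.respond(chal)   # 2. victim answers the target's challenge
        self.sid = self.target.authenticate(user, domain, chal, cchal, proof)  # 3. replay
        return self.sid is not None

    def run(self, command: bytes) -> str:
        return self.target.execute(self.sid, command, None)  # no session key, so no signature


def relay_demo(require_signing: bool) -> str:
    """The target's verdict on a command the relay sends after relaying the victim's logon."""
    target = SmbServer({VICTIM_USER: VICTIM_NT_HASH}, require_signing)
    victim = SmbClient(VICTIM_USER, VICTIM_DOMAIN, VICTIM_NT_HASH)
    relay = SmbRelay(target)
    if not relay.accept(victim):
        return "authentication failed"
    return relay.run(b"dir \\\\target\\c$")


def direct_demo() -> str:
    """The legitimate client holds the session key, so its signed command is accepted."""
    target = SmbServer({VICTIM_USER: VICTIM_NT_HASH}, require_signing=True)
    client = SmbClient(VICTIM_USER, VICTIM_DOMAIN, VICTIM_NT_HASH)
    chal = target.negotiate()
    user, domain, cchal, proof = client.respond(chal)
    sid = target.authenticate(user, domain, chal, cchal, proof)
    cmd = b"dir \\\\target\\c$"
    return target.execute(sid, cmd, smb_sign(client.key, cmd))


if __name__ == "__main__":
    print(relay_demo(require_signing=False))
    print(relay_demo(require_signing=True))
    print(direct_demo())
```

With signing off the relayed logon succeeds and the relay's command runs; with signing required the logon still succeeds, but every request the relay issues is rejected because the signing key is derived from the NT hash it never obtained.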