Snagging creds from locked machines

[tdhuck]

Is there a final answer on which file needs to be opened up/viewed? I am still not clear on that. 

 

[UnixSecLab]

5 minutes ago, UnixSecLab said:

I updated the QuickCreds module and tried it on the same Windows 10 anniversary update laptop I used last weekend.  I get the same "dnsmasq" is running instead of python for port 53 errors for the DNS portion.  The loot directory still contains the same 4 files only.  I did the "fix" so that python could actually take port 53 by moving /etc/rc.d/S60dnsmasq to /etc/rc.d/s60dnsmasq, and have a script that automatically moves it back on next login in place as before.  I restarted it with this work around in place.

I really think the issue is that it's too slow to issue the DHCP information.  The LLMR logs show the private IP Microsoft uses, then the actual 172.16.84.x address a little while later.

09/24/2016 03:57:01 PM - [*] [LLMNR]  Poisoned answer sent to 169.254.215.253 for name Workstation
09/24/2016 03:57:02 PM - [*] [LLMNR]  Poisoned answer sent to 169.254.215.253 for name Workstation
09/24/2016 03:57:02 PM - [*] [LLMNR]  Poisoned answer sent to 169.254.215.253 for name Workstation
09/24/2016 03:57:19 PM - [*] [LLMNR]  Poisoned answer sent to 172.16.84.172 for name Workstation

I'm thinking of blowing away the current config with a firmware update again, and do a fresh install of everything, then try again.  I'll also try it on some other systems again as needed.  I was hoping to get this to work on my home gear before handing off for my coworker to test, but I may not be able to get it to work out of the box on my stuff.

Oddly enough, the next time I plugged it in right after this update, I saw the light go yellow after a bit.  I logged in and it actually got the hash (finally.) with no more changes from me.  I don't know why this is so sporatic.  It's very hit and miss, and with all of the testing I've been doing, it's heavy on the "miss."  This is encouraging, though.

[tdhuck]

6 minutes ago, UnixSecLab said:

Oddly enough, the next time I plugged it in right after this update, I saw the light go yellow after a bit.  I logged in and it actually got the hash (finally.) with no more changes from me.  I don't know why this is so sporatic.  It's very hit and miss, and with all of the testing I've been doing, it's heavy on the "miss."  This is encouraging, though.

Which file contains the hash?

and

How are you opening/viewing this file?

Thanks.

[UnixSecLab]

I pulled out my other LAN Turtle, because I remembered that it hadn't been configured for this module, yet.  I installed QuickCreds on it, tried a fresh session, and waited about 3 minutes before giving up on it.  Unplugged it and waited again.  For this second session, I locked my workstation while it was plugged in, and then waited some more.  It didn't snag anything on this session until I actually logged back in, but it did snag on the login.

Proxy-Auth-NTLMv2-172.16.84.139.txt

The file has 19 lines in it for one account over and over.

[UnixSecLab]

14 minutes ago, tdhuck said:

Which file contains the hash?

and

How are you opening/viewing this file?

Thanks.

I log in, exit the Turtle shell menu, cd to loot, ls -ltra to see what the latest directory is, cd to that, and ls -l to see what files are there and how big they are (if they're size 0, not worth trying to view.)

I use "cat" or "more" to view the file.

[tdhuck]

18 minutes ago, UnixSecLab said:

I log in, exit the Turtle shell menu, cd to loot, ls -ltra to see what the latest directory is, cd to that, and ls -l to see what files are there and how big they are (if they're size 0, not worth trying to view.)

I use "cat" or "more" to view the file.

Never even thought about viewing the size of the directories/files to confirm they are empty, thanks.

Apparently, something isn't working properly.

responder.log states that creds were saved, but apparently they were not saved/written successfully.

[UnixSecLab]

6 minutes ago, tdhuck said:

Never even thought about viewing the size of the directories/files to confirm they are empty, thanks.

Apparently, something isn't working properly.

responder.log states that creds were saved, but apparently they were not saved/written successfully.

The directories will always show as size "0" so you need to go into them and do the ls -ltra to see if the files inside are growing or not.  But you know that 17 is the newest directory and thus is the one you need to go into to check for this particular session.  At a minimum you should have FOUR files in that directory all ending with "-Session.log"

Hope this helped.

[tdhuck]

3 minutes ago, UnixSecLab said:

The directories will always show as size "0" so you need to go into them and do the ls -ltra to see if the files inside are growing or not.  But you know that 17 is the newest directory and thus is the one you need to go into to check for this particular session.  At a minimum you should have FOUR files in that directory all ending with "-Session.log"

Hope this helped.

It did help, I had a feeling that what you said is true, but I still decided to post the screen shot showing 0s. I do have the 4 files, but no proxy file, this time. Why am I sometimes seeing a proxy file?

I used cat to open the files, all of them opened with text, except 1 file, Analyzer-Session.log doesn't open, when I use cat to open it, it just bring me back to a new command line.

I do see clean text in the other files, I need to spend some time to look and see if there are any hashes. I do see some output stating that .txt files exists in other directories, I will check those as well. Is that where the actual hashes are? Keep in mind I have not looked at the contents in detail, yet, I wanted to get my reply back to you/this thread, first. 

Thanks.

[UnixSecLab]

Analyzer-Session.log is probably the one that is size 0.

I tried using the Turtle without a network cable plugged into the RJ45 jack and have 0 success with it this way thus far.  I would  hope that this doesn't actually require a network plugged into it since this attack's primary purpose is to present as dhcp from the turtle itself to get the creds.  There's no need for the network outside of man in the middle poisoning of other stuff like DNS, unless I'm wrong.

[tdhuck]

I can't seem to get into this directory/files

 

 Settings.HTTPBasicLog = /etc/turtle/Responder/logs/HTTP-Clear-Text-Password-%s.txt

    Settings.HTTPNTLMv1Log = /etc/turtle/Responder/logs/HTTP-NTLMv1-Client-%s.txt

    Settings.HTTPNTLMv2Log = /etc/turtle/Responder/logs/HTTP-NTLMv2-Client-%s.txt

When I try to cd /etc/turtle/Responder/logs it tells me that I can't or the command prompt changes to the 19 subdirectory you see in my above picture.

 

[UnixSecLab]

I may have to rig up either one of the Raspberry PI or the BeagleBone Black as a surrogate 'internet' connection for the RJ45 end to see if it'll work without a true internet connection, and it just wants a dadgum network plugged in for no real reason.  It wold be kludgey, but at least it would make it portable without jacking into the network first.  It would also mean I could have it send the loot to the other machine as soon as it detects that it has some, if keys are set up between the two.  The other machine could be set up to crack the loot once it's been uploaded, with this scenario, too.  A beefier machine would be better, but if the turtle absolutely must have a network connection on that end, might as well take advantage of it.  If this doesn't work, maybe tying it to a pineapple for a wireless connection and portability would work.

Does anyone know why this seems to need a network on the RJ45 end?

[tdhuck]

26 minutes ago, UnixSecLab said:

I may have to rig up either one of the Raspberry PI or the BeagleBone Black as a surrogate 'internet' connection for the RJ45 end to see if it'll work without a true internet connection, and it just wants a dadgum network plugged in for no real reason.  It wold be kludgey, but at least it would make it portable without jacking into the network first.  It would also mean I could have it send the loot to the other machine as soon as it detects that it has some, if keys are set up between the two.  The other machine could be set up to crack the loot once it's been uploaded, with this scenario, too.  A beefier machine would be better, but if the turtle absolutely must have a network connection on that end, might as well take advantage of it.  If this doesn't work, maybe tying it to a pineapple for a wireless connection and portability would work.

Does anyone know why this seems to need a network on the RJ45 end?

I have not been using a network connection on the turtle when I test.

 

[Mohamed A. Baset]

Guys, Can anyone make a clean and working "QuickCreds module"!!

[M@$T]

On 9/25/2016 at 4:40 AM, Mohamed A. Baset said:

Guys, Can anyone make a clean and working "QuickCreds module"!!

Must agree with Mohamed.. the module isn't consistent and isnt working well for most of us.. My amber led keeps flashing continuously and doesn't seem to be working... maybe a refresh of the module is needed?

[UnixSecLab]

The existing QuickCreds works pretty consistently for me, now.  The only problem is that it requires the RJ45 jack end to also have a connection.  I still haven't gotten one of my project computers set up to act as a surrogate "other end," but I will.  I tried disabling the QuickCreds, configuring the responder module manually per Mubix's guide, and I get nothing (with or without a network cable plugged in.)  I wonder if QuickCreds has to be uninstalled to make the manual procedure work properly.  All I know at this time is that it works on a Windows 10 Pro with anniversary update workstation with QuickCreds, but only when the Turtle has internet access via the RJ45 jack when plugged in.  It seems like this shouldn't be a requirement, to me.  It makes the attack less practical if you have to steal the existing network connection from the target workstation temporarily.

[M@$T]

I dont believe i read anywhere that you need to have the turtle connected to the internet.. I will try it out however.. 

[kdnew]

i got the same problem as many of us. amber light is blinking and dont went solid.

my responder log says "Starting attack" and the created folders are empty.

tried it on many different machines, no luck at all.

[tdhuck]

I don't think an internet connection is needed. When I plug this into my mac, the amber LED never stops blinking, but I SSH directly into it when it comes online. I am not sure if the attack continues to run. Maybe it does but never completes. When I plug into my windows computers, I do get a solid amber light, but I am having an issue getting into the directories where the log files are at (see screen shots/posts above). I appreciate the help, to this point, but I am still looking for some help as to why I can't get into certain directories....why can't I cd into a directory that I know exists? I am sure it is an error on my part...

[ankush]

So i am able to capture the hashes and the hashes are stored in /etc/turtle/Responder/Responder.db. I saw in the lan turtle video that the lan turtle is also able to log into the machine after capturing the hash. Currently, lanturtle doesnt do it. How do i also make it to log into the machine automatically?

 

Thanks,

[tdhuck]

Ok, I made some progress, as stated, I am a newb, I must be getting confused when/where I need to use a /

Responder.db does show hashes and I see a user name (mine) with the hash behind it.

Next step would be how to use the hash, on it's own, to log back into the computer/shares, but I will wait to see how others handle that. Interesting.

Thank you to everyone who helped/posted.

[barry99705]

6 hours ago, ankush said:

So i am able to capture the hashes and the hashes are stored in /etc/turtle/Responder/Responder.db. I saw in the lan turtle video that the lan turtle is also able to log into the machine after capturing the hash. Currently, lanturtle doesnt do it. How do i also make it to log into the machine automatically?

 

Thanks,

No, the turtle doesn't log into the computer.  That was just Mubix unlocking his computer.

[letters]

On 9/17/2016 at 2:50 PM, Skeletnyy Klyuch said:

I'm hoping someone can help me decipher what I'm looking at here. 

This is essentially the same output I'm getting across various workstations but I'm having trouble understanding what I'm looking at. 

Where does the password hash begin, or what is the actual hashed password?

I notice my username is pulled similarly to the Hal9000 above, and I believe my domain is also pulled and placed after a double colon following my username; from there I have a colon followed by a 16 char string of numbers, followed by a colon with a 32 char string of numbers, followed by a colon with a load of numbers and letters, similarly to the last colon above.

But where does the password hash begin/end?

Thanks in advance for any resources or help to decipher this output. 

[tdhuck]

39 minutes ago, letters said:

I'm hoping someone can help me decipher what I'm looking at here. 

This is essentially the same output I'm getting across various workstations but I'm having trouble understanding what I'm looking at. 

Where does the password hash begin, or what is the actual hashed password?

I notice my username is pulled similarly to the Hal9000 above, and I believe my domain is also pulled and placed after a double colon following my username; from there I have a colon followed by a 16 char string of numbers, followed by a colon with a 32 char string of numbers, followed by a colon with a load of numbers and letters, similarly to the last colon above.

But where does the password hash begin/end?

Thanks in advance for any resources or help to decipher this output. 

Yeah, I have a similar question. I can see the computer name, but then just a string of text. Not sure where the hash starts/ends.

 

[bored369]

Check out the example hashes from hashcat here:

https://hashcat.net/wiki/doku.php?id=example_hashes

Specifically in this case the #5600 for NetNTLMv2; that should be how your hash is formatted and the portions that you would need for cracking it.  

That was the type of hashes i was getting from this attack, however you may want to look at other ones on that page in case you are getting other kinds.  They do look different then the ones I was getting looking at the screenshot.

[th3s3cr3tag3nt]

On my test machines I'm getting windows NLA kicking in. If work or home network is selected then I get creds. Is anyone else running into this issue? Has anyone got round it? If the machines on a domain are locked then you can't click on "work network".