Jump to content
korang

Snagging creds from locked machines

Recommended Posts

Pretty sure he was only referring to the USB Armory when he was talking about inotify-tools. There aren't any LEDS on the Turtle for inotify-tools to interface with.

  • Upvote 1

Share this post


Link to post
Share on other sites

Hopefully , Darren will create a module which do also handle the LED's , he's hinted at it here , https://room362.com/post/2016/snagging-creds-from-locked-machines/#comment-2880269923

However Lanturtle set up seems quite straight forward. 

**Edit**

Can't get it to log anything on my locked Win10 devices , obviously grabs the NTLM hashes from unlocked devices. 

Edited by zoro25

Share this post


Link to post
Share on other sites

I did this with a raspberry pi zero and im not getting results either

Share this post


Link to post
Share on other sites

Darren mentioned in the comments you can control the LEDs on the turtle with this method:

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
To make the LED go solid on the LAN Turtle after the creds are looted put the following in the /etc/rc.local file:

echo "Staring cred watch" >> /root/rc.log
/usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /root/responder/Responder.db; do echo 255 > /sys/devices/platform/leds-gpio/leds/turtle:yellow:system/brightness; done'

If you want to get creative with blinky blink patterns you can echo 0 for off and 255 for on into the file /sys/devices/platform/leds-gpio/leds/turtle:yellow:system/brightness
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I haven't tested it yet myself though.  I was able to setup the turtle and it grabbed creds seconds after it was setup on my win10 system.  I was logged in at the time and i do have onedrive syncing, so I assumed that's what was pulled.  Unsure though...

Share this post


Link to post
Share on other sites

I followed the instructions explicitly.  Didn't work for me on an attempt at my lab Win10 test unit.  The blog article doesn't go into any depth on the Turtle configurations employed.

Share this post


Link to post
Share on other sites
17 hours ago, Forgiven said:

I followed the instructions explicitly.  Didn't work for me on an attempt at my lab Win10 test unit.  The blog article doesn't go into any depth on the Turtle configurations employed.

I do agree, moreover i don't understand if i have to change the DHCP options or not to include the proxy WPAD on the Lan Turtle..

Share this post


Link to post
Share on other sites

It's mostly working for me, the only problem is the responder.db is not in the root folder, it's in /etc/turtle/Responder/ folder.

Share this post


Link to post
Share on other sites
13 minutes ago, barry99705 said:

It's mostly working for me, the only problem is the responder.db is not in the root folder, it's in /etc/turtle/Responder/ folder.

this is a problem because if you reboot you will lost it right?

This is what i have done so far:

 

  1. Installed responder module, enabled and started
  2. modified rc.local with this lines:
    1. /etc/init.d/dnsmasq stop
      /usr/sbin/screen -dmS responder bash -c 'cd /overlay/etc/turtle/Responder; python Responder.py -I br-lan -f -w -r -d -F'
      #Add your commands above this line
      exit 0

Am i missing something? I receive hashes only if i connect to HTTP websites or non existent shares.. But i am not receiving hashes while i have screen locked (i have multiple accounts in the machine but i don't think that`s the problem) Thank you very much for any help

 

Share this post


Link to post
Share on other sites

I'm not entirely sure as I've only just started looking at this - but for those of you who it's not working for, do the test machines belong to a domain, or only use local accounts?

I don't think local accounts will be grabbed - only challenge-response type authentication, NTLM etc

I'm just guessing, but i'm sure someone skilled on this can clarify?

Share this post


Link to post
Share on other sites
12 minutes ago, 8bit said:

I'm not entirely sure as I've only just started looking at this - but for those of you who it's not working for, do the test machines belong to a domain, or only use local accounts?

I don't think local accounts will be grabbed - only challenge-response type authentication, NTLM etc

I'm just guessing, but i'm sure someone skilled on this can clarify?

It works with local accounts as well.  I've been testing it with both local account and microsoft accounts on windows 10.  Haven't had it fail yet, haven't tested if no one is logged in, but both logged in and in a locked session it always seems to grab a hash with the creds in it.

Share this post


Link to post
Share on other sites

I'm logged into a domain and nothing for me, 

I have a both Darren's light script and also the needed  /etc/init.d/dnsmasq stop
/usr/sbin/screen -dmS responder bash -c 'cd /overlay/etc/turtle/Responder; python Responder.py -I br-lan -f -w -r -d -F'  

in my rc.local file and nothing is logged from locked devices (also domain joined). 

For people who can get it to work can you please give more info on your set up or even a walk through if possible. 

Share this post


Link to post
Share on other sites

Thanks bored369 - appreciate the confirmation.

I tried at hom on my 10.11 OSX machine with no luck, also didn't work on my Windows 7 VM

I just tried on my Win 7 work machine which in bound to a domain and that did work - however I had to install the drivers so that would be a show stopper in a real world attack. I guess running on a Pi and connected via Ethernet as opposed to USB would be better to avoid driver issues?

One question - I tried on another OSX machine at work and the turtle seems to boot, then after a short time the LED's confirm credentials have been obtained.. however when I get my loot folder all I see is the files below - which of course don't contain any captured hashes. Does this sound right?


root@turtle:~/loot/0008# ls -l
-rw-r--r--    1 root     root             0 Sep 12 20:36 Analyzer-Session.log
-rw-r--r--    1 root     root          6794 Sep 12 20:36 Config-Responder.log
-rw-r--r--    1 root     root             0 Sep 12 20:36 Poisoners-Session.log
-rw-r--r--    1 root     root           107 Sep 12 20:36 Responder-Session.log
 

Thanks again!

Share this post


Link to post
Share on other sites

I was able to capture but, I needed to disconnect the machine from the network (ethernet and wireless).    The problem I'm having is when I disconnect the Turtle and move it to my machine to view the logs and the DB, they get overwritten.   How can I resolve this, any help would be appreciated.

Share this post


Link to post
Share on other sites

I can only get this to save the file in the /tmp/ folder. But then it will be deletet the next reboot.

 

Any clue ?

Else it works fine.

Share this post


Link to post
Share on other sites
4 hours ago, azzarin said:

I can only get this to save the file in the /tmp/ folder. But then it will be deletet the next reboot.

 

Any clue ?

Else it works fine.

Try to do something like this:

mkdir -p -m 700 /root/logs

rm  /overlay/etc/turtle/Responder/logs
ln -s /root/logs /overlay/etc/turtle/Responder/logs

I am still unable to receive any hash with a locked Win 10..I run "python Responder.py -I br-lan -f -d", is that correct?

Share this post


Link to post
Share on other sites

Hi all,

Been trying to get this working with my LAN Turtle, using various guides im finding online. Suspect I may be making it more difficult than it is!

But then I noticed a module (QuickCreds) was released for this. I tried updating my LAN Turtle, but it says No Updates Available, and its not appearing in my list of modules.

Can anyone shed any light on this?

 

Share this post


Link to post
Share on other sites

Hey ROTHWELLO

The turtle will need an internet connection.. this happened on mine - just connect a network cable from the ethernet port of the turtle to your router/hub/whatever an it should get a DHCP IP and connect.

That's what I needed to do at least.

Then once added, go to 'configure' inside that module and it'll download and install the required dependencies

 

 

Share this post


Link to post
Share on other sites
29 minutes ago, ROTHWELL said:

Hi all,

Been trying to get this working with my LAN Turtle, using various guides im finding online. Suspect I may be making it more difficult than it is!

But then I noticed a module (QuickCreds) was released for this. I tried updating my LAN Turtle, but it says No Updates Available, and its not appearing in my list of modules.

Can anyone shed any light on this?

 

EDIT: To anyone that read the above and thought "What a tool!" - you were right, I am!

After alittle more googling, I realised I needed to go into Module Manager, and update my list of modules from there. Completely my own fault for not properly learning how to use the tool. (My only excuse is i've been hectically busy doing my OSCP).  #RubbishExcuse  #GoogleAllTheThings 

Share this post


Link to post
Share on other sites

Regarding the new QuickCreds module, I installed this using "configure" from the module list, then enabled it.  None of the Windows machines I used for testing responded with "creds" as far as I could tell.  Three of the log files in the loot/000# directory showed growth, and looking at them I can see where it says it is responding with poison responses, but it never snags any results.  I tried disabling all other networking on one of the targets and it still did not work.  I'll be taking this to work with me tomorrow to let one of the corporate security team members try it on a workstation that is associated with an active domain controller (since my personal ones are not, in case this is the issue.)

I did notice while reviewing the Config log that it keeps complaining that some other service has port 53 tied up.  I looked at the /etc/turtle/autostart_modules/99-QuickCreds script, and the 'start' function looks like it is calling /etc/init.d/dnsmasq stop, but it's not working correctly.  If I run netstat -plant before starting QuickCreds, it shows dnsmasq owns that port.  If I run 99-QuickCreds start manually and check again, a bunch of services are listening that belong to python, but 53 still blongs to dnsmasq.  If I manually stop dnsmasq before running the QC start script, then start QuickCreds as above, python owns port 53 as expected.  Running the QuickCreds stop actually works properly and re-starts dnsmasq as expected.  I'll dig through this script with a more careful eye and see if I can figure out why it's hosed on start, but I don't know if this is why I never get creds or not.

The three targets I tried were two Windows 10 laptops and a Windows 7 laptop.  I tried in both "logged in" and "workstation locked with windows-L key" modes.  I got nothing for my troubles.

  • Upvote 1

Share this post


Link to post
Share on other sites

After my rocky start, I managed to get this to work on one domain machine (my own!).

Tried it on two others though, and its mithering for the Ralink driver :-/

Share this post


Link to post
Share on other sites

Hi there!

 

My Turtle is on its way and I can't wait to try it out! I have been looking at guides and tutorials on how to use the snatch credentials functionality.. Looks straight forward, but most of you seem to be finding it a bit difficult.. Is there someone here who managed to successfully make this work create a guide with step by step commands. This would help out everyone here on the forum

Just a suggestion to help everyone out :happy:

Share this post


Link to post
Share on other sites
8 hours ago, barry99705 said:

Leave the responder module running as well.

I'm not sure whom you are replying to specifically, but if it was me, I never set up the responder module through the turtle config separately from the QuickCreds module.  Are both modules supposed to be configured?  It looks like a conflict to do it that way, since QuickCreds sets it up a specific way and runs it, and "responder" has settings that change the behavior.  And both of them are at the same 99-<script name> level in the autostart_modules directory.  If we're supposed to set up both, what are the configuration options that the responder module needs that don't conflict with the QuickCreds module?

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...