Hak5 Forums
korang

Snagging creds from locked machines


Hi guys,

I also tried this, but it is also not working.

I can see the hash credential has already been copied into /root/loot/, but the PC does not seem to be locked automatically.

I attached some config and results for reference.

I followed this link: https://room362.com/post/2016/snagging-creds-from-locked-machines/

Is there any config that I missed?

Thanks.

 

root@turtle:~# cat /overlay/etc/rc.local

#Add your commands above this line
#exit 0

/etc/init.d/dnsmasq stop
/usr/sbin/screen -dmS responder bash -c 'cd /overlay/etc/turtle/Responder; python Responder.py -I br-lan -f -w -r -d -F'
exit 0

root@turtle:~/loot/21# ls -lah
drwxr-xr-x    2 root     root           0 Oct  7 03:33 .
drwxr-xr-x   25 root     root           0 Oct  7 03:30 ..
-rw-r--r--    1 root     root           0 Oct  7 03:15 Analyzer-Session.log
-rw-r--r--    1 root     root       13.5K Oct  7 03:15 Config-Responder.log
-rw-r--r--    1 root     root        1.8K Oct  7 03:23 HTTP-NTLMv2-172.16.84.182.txt
-rw-r--r--    1 root     root        2.9K Oct  7 03:15 Poisoners-Session.log
-rw-r--r--    1 root     root        6.4K Oct  7 03:15 Responder-Session.log
 

 


Has anyone actually managed to make this work properly?

 

If so, please share with us, as I / the majority here are not managing..

9 minutes ago, M@$T said:

Has anyone actually managed to make this work properly?

 

If so, please share with us, as I / the majority here are not managing..

I am confident that mine is working as it should, but I don't know where the hash starts and ends. Someone posted a link to a site explaining it, but I still can't do anything with the hashes/data. As you can see from my previous posts, it did take me a few attempts before I found the correct directory, but everything seems to be there. I have tested on my w7 and w10 machines, but have only verified entries for the w10 machine. I will assume it worked for w7, but I didn't look at all of the logs to find the w7 entries.

12 hours ago, M@$T said:

Has anyone actually managed to make this work properly?

 

If so, please share with us, as I / the majority here are not managing..

Maybe we need to tag Darren for this.. :grin:

 

12 hours ago, tdhuck said:

I am confident that mine is working as it should, but I don't know where the hash starts and ends. Someone posted a link to a site explaining it, but I still can't do anything with the hashes/data. As you can see from my previous posts, it did take me a few attempts before I found the correct directory, but everything seems to be there. I have tested on my w7 and w10 machines, but have only verified entries for the w10 machine. I will assume it worked for w7, but I didn't look at all of the logs to find the w7 entries.

Maybe you need to check whether your w7 has joined a domain or not..

As I tried on a different PC without a domain join, I was not able to get the hash data..

19 hours ago, skippy7 said:

Maybe you need to check whether your w7 has joined a domain or not..

As I tried on a different PC without a domain join, I was not able to get the hash data..

The hash is there, but I don't know where it starts/ends. Computer is not on a domain. Basically, it works, I have the data, but I can't use/read it because of my lack of knowledge.

15 minutes ago, tdhuck said:

The hash is there, but I don't know where it starts/ends. Computer is not on a domain. Basically, it works, I have the data, but I can't use/read it because of my lack of knowledge.

Hashcat has a nice list of hashes and how they should be formatted:

 

56 minutes ago, bored369 said:

Hashcat has a nice list of hashes and how they should be formatted:

 

I checked that out when you first posted it and when I copied the text/hash it told me it wasn't formatted properly or it threw out another error, I will have to check again and see what I missed.


I have been playing with this over the last couple of days and have managed to get the Lan Turtle to snag creds from my Domain Joined Windows 10 machine.

10 hours ago, D4sh said:

I have been playing with this over the last couple of days and have managed to get the Lan Turtle to snag creds from my Domain Joined Windows 10 machine.

Care to document what you did @D4sh ?

1 hour ago, M@$T said:

Care to document what you did @D4sh ?

I followed the original web site https://room362.com/post/2016/snagging-creds-from-locked-machines/

Just made sure that my Lan Turtle was at factory default and latest firmware. I did make sure that I ran opkg update prior to trying to start Responder and download its dependencies.

I did get a bunch of errors the first time I tried to enable Responder (prior to running opkg update). I also created the loot directory myself.

But other than that it was just following the above website.

Cheers,

 

Si


Thanks @D4sh, mine remained flashing amber.. Will flash the turtle and try to update opkg before enabling and downloading the Responder dependencies. Also, why did you create the loot directory? Isn't that created automatically? Also, I believe you didn't use the quickcreds module, right?

28 minutes ago, M@$T said:

Thanks @D4sh, mine remained flashing amber.. Will flash the turtle and try to update opkg before enabling and downloading the Responder dependencies. Also, why did you create the loot directory? Isn't that created automatically? Also, I believe you didn't use the quickcreds module, right?

What I will do in a few mins, when I can find a machine in the office that will not set off all the bells and whistles, is plug my LAN Turtle in and take some screen shots for you.

From the modules menu it is using the quickcreds module.


Hiya,

Not sure if this is going to help.

Attached is a screen shot of my modules in the turtle GUI; I have also attached the two scripts from my modules directory on overlay.

Let me know if you need anything else.

Thanks,

Simon

Screen Shot 2016-10-12 at 17.28.14.png

QuickCreds

responder


I had this snagging creds from a locked Win10 machine. However I could never get the responder portion to work. It will not poison the response. I really hope this was not a gimmick to sell more Lan Turtles. :/


For those stating that this worked, can you share the start/stop of the hash? I have the hash (the device/code does work), but I am lost when I get the hash.

3 hours ago, tdhuck said:

For those stating that this worked, can you share the start/stop of the hash? I have the hash (the device/code does work), but I am lost when I get the hash.

Here you go, straight off my windows 10 desktop.

 

2016-09-11 02:50:14|HTTP|NTLMv2|172.16.84.170||MicrosoftAccount\barry99705||[...]|barry99705::MicrosoftAccount:1122334455667788:23592EFB5660300283004D0042002D0054004F004F004C004B004900540004001200730066F006300610062B10073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C000800300030000000000000000100000000200000123B119780853BA2447456B152EB8704DCABCD9E78748D5A5DCBB0D8B0D61BC50A03D316FAFF2BD1B754B01010009D70BD201EC7658261F6FB5C2000000000200060053004D00D0062002E006C004200010016005C0001000000000000000000000000000000000000000FD10A04000000900180048005400540050002F0077007000610064003A00380030000000000000000000

 

 

Yes, I scrambled the text inside the hash....

Edited by barry99705

11 hours ago, sureal808 said:

I had this snagging creds from a locked Win10 machine. However I could never get the responder portion to work. It will not poison the response. I really hope this was not a gimmick to sell more Lan Turtles. :/

I don't believe it's a scam.. however, it would be great if the module could be tweaked to fix all the issues most of us are having.. I will try to find some time to play around with it and make a step by step guide.. unless someone already went through the time to do so, or maybe a video with the walk through?

23 hours ago, barry99705 said:

Here you go, straight off my windows 10 desktop.

 

2016-09-11 02:50:14|HTTP|NTLMv2|172.16.84.170||MicrosoftAccount\barry99705||316FAFF2BD1B754B2B123592EFB5663D:0101000000000000D0062002E006C006F6F000042002D0054004F004F004C004B004900540004001200730069E78748D5A5DCBB0D8B0D60048005400540050002F0077007000610064003A00630061006C000800300030000000000000000100000000200000123B1100630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C1BC50A00100000000000000000000000000000000000090018006F00630061006C000500120073006D0062002E006C009780853BA2447456B152EB8704DCABCDFD10A049D70BD201EC7658261F6FB5C2000000000200060053004D0042000100160053004D380030000000000000000000|barry99705::MicrosoftAccount[...]

 

 

Yes, I scrambled the text inside the hash....

Thanks, that is what I see, but I have no clue how to break it down. Obviously the entire thing isn't the hash. What are the two different MS accounts? One hash is the login, what is the other hash for? I made, what I thought were, the hashes bold/red. Are you guys simply using a hash program to decrypt the hash? Are you able to use the hash to login/get on a network share? 

Edited by tdhuck


Yea, I just dumped that whole blob into hashcat to decrypt.  Same for the client classroom machines I used as a test.  Theirs cracked fairly easily, it's a common dictionary word, which is also the login name for the password, but mine will only crack if the password is in the dictionary file.  I was trying to find something on the internets that shows a breakdown of what section is what.  Obviously the MicrosoftAccount\barry99705 is the domain\username.

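Added example (not from the thread, the module, or Responder itself): a small parser, written from an incident-responder's point of view, for the loot line layout pasted above, assuming nine pipe-separated columns timestamp|module|type|client|hostname|user|cleartext|hash|fullhash (which is how the pasted line lays out) and using a constructed sample line in place of a real capture. It answers the start/end question: the last column is the whole NetNTLMv2 value, user::domain:challenge:NTProofStr:blob, and the column before it is the same value without the user::domain prefix; it also reads the client clock out of the blob so each capture can be cross-checked against the log timestamp when scoping which accounts touched a recovered device.

```python
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed column layout (matches the line pasted in the thread):
#   timestamp|module|type|client|hostname|user|cleartext|hash|fullhash
# fullhash is the complete NetNTLMv2 value: user::domain:challenge:NTProofStr:blob
FULLHASH_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-f]{16}):"
    r"(?P<proof>[0-9a-f]{32}):(?P<blob>(?:[0-9a-f]{2})+)$", re.IGNORECASE)

EPOCH_DIFF = 11644473600  # seconds between 1601-01-01 (FILETIME) and 1970-01-01

@dataclass
class Capture:
    logged_at: str        # timestamp written by the logger
    module: str           # HTTP, SMB, ...
    client: str           # IP of the machine that authenticated
    domain: str
    user: str
    challenge: str        # 8-byte server challenge, hex
    proof: str            # 16-byte NTProofStr, hex
    client_time: datetime # FILETIME the client placed inside the NTLMv2 blob

def blob_time(blob_hex: str) -> datetime:
    # NTLMv2 blob: 01 01 00 00 | 00 00 00 00 | 8-byte FILETIME | client nonce | ...
    raw = bytes.fromhex(blob_hex)
    if raw[:2] != b"\x01\x01" or len(raw) < 16:
        raise ValueError("not an NTLMv2 client challenge blob")
    filetime, = struct.unpack_from("<Q", raw, 8)
    return datetime.fromtimestamp(filetime // 10_000_000 - EPOCH_DIFF, tz=timezone.utc)

def parse_loot_line(line: str) -> Optional[Capture]:
    fields = line.rstrip("\n").split("|")
    if len(fields) != 9 or fields[2] != "NTLMv2":
        return None
    m = FULLHASH_RE.match(fields[8])
    # hash column must equal fullhash minus the user::domain prefix, else the line is mangled
    if not m or fields[7] != f"{m['proof']}:{m['blob']}":
        return None
    return Capture(fields[0], fields[1], fields[3], m["domain"], m["user"],
                   m["challenge"], m["proof"], blob_time(m["blob"]))

def sample_line() -> str:
    # Constructed sample: every hex value here is made up, not a real capture.
    ft = (1473562214 + EPOCH_DIFF) * 10_000_000   # 2016-09-11 02:50:14 UTC as FILETIME
    blob = ("0101000000000000" + struct.pack("<Q", ft).hex()
            + "aabbccddeeff0011" + "00000000" + "00000000")
    proof = "0f" * 16
    return ("2016-09-11 02:50:14|HTTP|NTLMv2|10.0.0.23||CORP\\alice||"
            + f"{proof}:{blob}|alice::CORP:1122334455667788:{proof}:{blob}")
```

A client_time that disagrees with logged_at by more than a few seconds is worth a second look: a well-behaved host stamps the blob with its current clock, so a large gap points at clock skew or a replayed/edited line.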

I am having problems where QuickCreds won't start. I went back to factory reset on the turtle then loaded up QuickCreds, applied dependencies, enabled on boot. But when I start it manually I get the following error:

pVEHTSD.png

Note that I do not have the directory structure it seems to want:

 

mFmJgjm.png

6 hours ago, barry99705 said:

Yea, I just dumped that whole blob into hashcat to decrypt.  Same for the client classroom machines I used as a test.  Theirs cracked fairly easily, it's a common dictionary word, which is also the login name for the password, but mine will only crack if the password is in the dictionary file.  I was trying to find something on the internets that shows a breakdown of what section is what.  Obviously the MicrosoftAccount\barry99705 is the domain\username.

Ok, can you quote your post and highlight what you dropped into hashcat to decrypt? Did I highlight the correct hashes or am I wrong?

 

Thanks.


I gave it that whole file. You're not going to get anything from mine, I scrambled the hashes, that's really my desktop and Microsoft account....

