Hak5 Forums
korang

Snagging creds from locked machines


21 minutes ago, barry99705 said:

I gave it that whole file.  You're not going to get anything from mine, I scrambled the hashes, that's really my desktop and microsoft account....

Gotcha, I was trying to copy/paste what I thought was the hash. For the record, I wasn't planning on using yours, I figured it was garbage/worthless if you posted it.

On 9/17/2016 at 11:50 PM, Skeletnyy Klyuch said:

[attached image: SQLite3-low.jpg]

I went to the path above and I do not have the responder.db. Am I missing something?


I tried this on 2 Windows 10 machines and a Windows 7 machine, and the Responder.db never appears.

I am using the Quick Creds module. Maybe this only appears with the original @mubix tutorial?

5 hours ago, M@$T said:

I tried this on 2 Windows 10 machines and a Windows 7 machine, and the Responder.db never appears.

I am using the Quick Creds module. Maybe this only appears with the original @mubix tutorial?


What lives in /root/loot? It should have a few numbered folders; they'll be in the order of the computers you've plugged into.


I only have four files within every numbered folder:

Analyzer-Session.log

Config-Responder.log

Poisoners-Session.log

Responder-Session.log

Under loot, apart from the folders, there is a file named responder.log.


OK guys, I re-flashed the turtle for the 5th time and now it captured the hash, and I have the Proxy-Auth-NTLM file and also the responder.db.

I can't open the db for some reason.

Can someone help me out here, maybe I'm missing something. Is the hash stored in the Proxy-Auth file or in the responder.db?


I have set up the pi zero with responder and it "functions successfully"; but unless your target has the "RNDIS ethernet gadget" driver installed it isn't going to grab any creds. This effectively makes the device useless since almost no targets you will ever come across on a pentest will have this driver installed given the complexity of the driver install (see steps for installation here: https://github.com/ev3dev/ev3dev/wiki/Setting-Up-Windows-USB-Ethernet-Networking). With much time wasted on this effort (well, not that much; but still quite a let down) I am hesitant to grab a lanturtle. Seeing many users here unable to grab or keep credentials has me a fair bit gun shy. Wasting $5 on a pi zero is one thing; but $50 on a lanturtle that I may have to spend hours or days on getting to work is not something I have the time or patience for. Does this work reliably? Can anyone testify to its usefulness on actual engagements? Thanks to all who reply!

On 11/22/2016 at 8:15 AM, M@$T said:

OK guys, I re-flashed the turtle for the 5th time and now it captured the hash, and I have the Proxy-Auth-NTLM file and also the responder.db.

I can't open the db for some reason.

Can someone help me out here, maybe I'm missing something. Is the hash stored in the Proxy-Auth file or in the responder.db?

If you are grabbing the creds from the responder.db on the pi zero implementation, you do the following:

sqlite3 /home/pi/tools/responder/Responder.db
select * from responder;

Getting the creds from the lanturtle, they should be under the loot directory. Possibly the file is accessed by the same means. Sorry, I don't own a lanturtle yet so I'm not sure. I'm hesitant to purchase one for actual engagements because stability and repeatability are key. Having to re-flash 5 times to get it to work doesn't fill me with confidence. Once I have extra cash lying around I'll definitely get one to play with; but if someone can testify to the stability and reliability of the lanturtle in red team engagements for the quickcreds and any other functionality then I'll grab one right away. Here's to hoping I get a ton of responses about its reliability!! :)
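For triaging what a capture run exposed, here is an added example (not from this thread, nor from the LAN Turtle or Responder code) that reads a Responder.db through the same `responder` table the `select * from responder;` query above returns and summarizes exposed accounts per client host without reproducing any hash material. The nine-column schema is assumed from Responder's own CreateResponderDb, and the rows are constructed sample data.

```python
"""Summarize a Responder.db capture for an engagement write-up.

Added example. Schema assumed from Responder's CreateResponderDb:
(timestamp, module, type, client, hostname, user, cleartext, hash, fullhash).
"""
import sqlite3

SCHEMA = """CREATE TABLE IF NOT EXISTS responder (
    timestamp TEXT, module TEXT, type TEXT, client TEXT, hostname TEXT,
    user TEXT, cleartext TEXT, hash TEXT, fullhash TEXT)"""

# Constructed sample rows; the hash columns hold placeholders, not real captures.
SAMPLE_ROWS = [
    ("2016-12-07 05:03:10", "HTTP", "NTLMv2", "10.0.0.5", "", "CORP\\alice",
     "", "PLACEHOLDER_HASH_1", "alice::CORP:PLACEHOLDER"),
    ("2016-12-07 05:03:11", "HTTP", "NTLMv2", "10.0.0.5", "", "CORP\\alice",
     "", "PLACEHOLDER_HASH_1", "alice::CORP:PLACEHOLDER"),
    ("2016-12-07 05:04:02", "SMB", "NTLMv2-SSP", "10.0.0.9", "", "CORP\\bob",
     "", "PLACEHOLDER_HASH_2", "bob::CORP:PLACEHOLDER"),
]


def build_sample_db(path=":memory:"):
    """Create a Responder-shaped database populated with the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO responder VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def summarize(conn):
    """Return {(user, client): {count, types, first}}; hash columns are never read."""
    summary = {}
    query = "SELECT timestamp, module, type, client, user FROM responder ORDER BY timestamp"
    for ts, module, htype, client, user in conn.execute(query):
        entry = summary.setdefault((user, client), {"count": 0, "types": set(), "first": ts})
        entry["count"] += 1
        entry["types"].add(f"{module}/{htype}")
    return summary


def report_lines(summary):
    """One human-readable line per exposed (account, client host) pair."""
    return [f"{user} from {client}: {e['count']} capture(s), "
            f"{', '.join(sorted(e['types']))}, first seen {e['first']}"
            for (user, client), e in sorted(summary.items())]


if __name__ == "__main__":
    for line in report_lines(summarize(build_sample_db())):
        print(line)
```

Point it at the real file by calling `sqlite3.connect("/home/pi/tools/responder/Responder.db")` in place of `build_sample_db()`; the same `summarize` works on a LAN Turtle loot copy of Responder.db.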


Just sharing my experience on the off chance it helps someone:

  • After initial setup -> enable Quick Creds and Responder modules.
  • Noticed Quick Creds refuses to start unless Responder is running, and neither would auto-start.
  • In /etc/turtle/autoload-modules:
  • 3 links were in the folder: 99-responder, 99-module-manager, 99-quick-creds.
  • Renamed 99-responder to 98-responder.
  • Works fine now! All modules auto-load and I got my creds in as few as 3 seconds after boot.

My only issue with this otherwise fantastic technique is that all win 7 computers I tried failed to auto-install the LAN drivers :-(

Was really hoping to use this in the field. Does anyone know if I can still use eth1 on the turtle if the computer doesn't install the drivers? If I can't run responder on br-lan for local machines, maybe it's still useful as a self-contained LAN responder device? Thoughts?


Hi there,

I'm new with the LAN Turtle. I just want to try it with Quick Creds, but I'm not sure about the procedure. After I enabled it and plugged it into a locked machine, it won't do the work. Do I need to find the snagged creds inside some directory called loot? Confused. Please help.

6 hours ago, SenalWolf said:

Hi there,

I'm new with the LAN Turtle. I just want to try it with Quick Creds, but I'm not sure about the procedure. After I enabled it and plugged it into a locked machine, it won't do the work. Do I need to find the snagged creds inside some directory called loot? Confused. Please help.

Do some troubleshooting first. The target computer needs to have the appropriate drivers installed to recognize the turtle as a USB LAN adapter. Once you plug it in, ssh into it to make sure the modules are running. For this scenario only quickcreds and responder need to be enabled; anything else may block ports which responder may try to use. Activity on the computer is definitely something to think about. Are there any running applications? If you want to force some hashes to get sent, try SMB browsing to a share that doesn't exist or enabling auto proxy detection on IE, then browsing around to some sites. Finally, keep in mind that while capturing hashes in this manner works *most* times, there are some configurations which are resistant to the attack, in which case you may not capture any hashes at all.

On 12/7/2016 at 5:03 AM, jason001 said:

Do some troubleshooting first. The target computer needs to have the appropriate drivers installed to recognize the turtle as a USB LAN adapter. Once you plug it in, ssh into it to make sure the modules are running. For this scenario only quickcreds and responder need to be enabled; anything else may block ports which responder may try to use. Activity on the computer is definitely something to think about. Are there any running applications? If you want to force some hashes to get sent, try SMB browsing to a share that doesn't exist or enabling auto proxy detection on IE, then browsing around to some sites. Finally, keep in mind that while capturing hashes in this manner works *most* times, there are some configurations which are resistant to the attack, in which case you may not capture any hashes at all.

Thanks for the reply, mate.

Hello all,

I am super new to this but I am pretty sure I got it running. Is it true that unless you are able to crack the hash, you are basically just stuck with a hash?

I tried using Hashcat to crack my windows password with no luck using a large word list I found online. When I changed my windows password to 'test' I was able to crack it.

So is it only as good as the list you use?

Thanks and sorry for the noob question.


Well, this seemed dead simple, but apparently not. I've got the QuickCreds and Responder modules started, but I only get a flashing yellow light and nothing in my loot logs, even in the latest. Not even the next layer of log file names.

Has anyone figured this out? Will someone at Hak5 come to our rescue? Is this a lost cause?
