skippy7 Posted October 7, 2016

Hi guys, I also tried this, but it is also not working. I can see the hash credential is already copied to /root/loot/, but the PC does not seem to be locked automatically. I attached some config and results for reference. I followed this link: https://room362.com/post/2016/snagging-creds-from-locked-machines/ Is there any config that I missed? Thanks.

root@turtle:~# cat /overlay/etc/rc.local
#Add your commands above this line
#exit 0
/etc/init.d/dnsmasq stop
/usr/sbin/screen -dmS responder bash -c 'cd /overlay/etc/turtle/Responder; python Responder.py -I br-lan -f -w -r -d -F'
exit 0
root@turtle:~/loot/21# ls -lah
drwxr-xr-x 2 root root 0 Oct 7 03:33 .
drwxr-xr-x 25 root root 0 Oct 7 03:30 ..
-rw-r--r-- 1 root root 0 Oct 7 03:15 Analyzer-Session.log
-rw-r--r-- 1 root root 13.5K Oct 7 03:15 Config-Responder.log
-rw-r--r-- 1 root root 1.8K Oct 7 03:23 HTTP-NTLMv2-172.16.84.182.txt
-rw-r--r-- 1 root root 2.9K Oct 7 03:15 Poisoners-Session.log
-rw-r--r-- 1 root root 6.4K Oct 7 03:15 Responder-Session.log

M@$T Posted October 7, 2016

Has anyone actually managed to make this work properly? If so please share with us as I / majority here are not managing..

tdhuck Posted October 7, 2016

9 minutes ago, M@$T said:
> Has anyone actually managed to make this work properly? If so please share with us as I / majority here are not managing..

I am confident that mine is working as it should, but I don't know where the hash starts and ends. Someone posted a link to a site explaining it, but I still can't do anything with the hashes/data. As you can see from my previous posts, it did take me a few attempts before I found the correct directory, but everything seems to be there. I have tested on my w7 and w10 machines, but have only verified entries for the w10 machine. I will assume it worked for w7, but I didn't look at all of the logs to find the w7 entries.

skippy7 Posted October 8, 2016

12 hours ago, M@$T said:
> Has anyone actually managed to make this work properly? If so please share with us as I / majority here are not managing..

Maybe we need to tag Darren for this..

12 hours ago, tdhuck said:
> I am confident that mine is working as it should, but I don't know where the hash starts and ends. Someone posted a link to a site explaining it, but I still can't do anything with the hashes/data. As you can see from my previous posts, it did take me a few attempts before I found the correct directory, but everything seems to be there. I have tested on my w7 and w10 machines, but have only verified entries for the w10 machine. I will assume it worked for w7, but I didn't look at all of the logs to find the w7 entries.

Maybe you need to check whether your w7 is joined to a domain or not.. I tried on a different PC without a domain join and was not able to get the hash data..

tdhuck Posted October 8, 2016

19 hours ago, skippy7 said:
> Maybe you need to check whether your w7 is joined to a domain or not.. I tried on a different PC without a domain join and was not able to get the hash data..

The hash is there, but I don't know where it starts/ends. Computer is not on a domain. Basically, it works, I have the data, but I can't use/read it because of my lack of knowledge.

bored369 Posted October 8, 2016

15 minutes ago, tdhuck said:
> The hash is there, but I don't know where it starts/ends. Computer is not on a domain. Basically, it works, I have the data, but I can't use/read it because of my lack of knowledge.

Hashcat has a nice list of hashes and how they should be formatted:

tdhuck Posted October 8, 2016

56 minutes ago, bored369 said:
> Hashcat has a nice list of hashes and how they should be formatted:

I checked that out when you first posted it and when I copied the text/hash it told me it wasn't formatted properly or it threw out another error, I will have to check again and see what I missed.

M@$T Posted October 10, 2016

On 10/8/2016 at 4:47 AM, skippy7 said:
> Maybe we need to tag Darren for this..

@Darren Kitchen Can you help us out on this please?

D4sh Posted October 11, 2016

I have been playing with this over the last couple of days and have managed to get the Lan Turtle to snag creds from my Domain Joined Windows 10 machine.

M@$T Posted October 12, 2016

10 hours ago, D4sh said:
> I have been playing with this over the last couple of days and have managed to get the Lan Turtle to snag creds from my Domain Joined Windows 10 machine.

Care to document what you did @D4sh ?

D4sh Posted October 12, 2016

1 hour ago, M@$T said:
> Care to document what you did @D4sh ?

I followed the original web site https://room362.com/post/2016/snagging-creds-from-locked-machines/ Just made sure that my Lan Turtle was at factory default and latest firmware. I did make sure that I ran the opkg update prior to trying to Responder starting and downloading its dependencies. I did get a bunch of errors the first time I tried to enable Responder (prior to running opkg update). I also created the loot directory myself. But other than that it was just following the above website.

Cheers, Si

M@$T Posted October 12, 2016

Thanks @D4sh mine remained flashing amber.. Will flash the turtle and try to update opkg before enabling and downloading responder dependencies. Also why did you create the loot directory? Isn't that created automatically? Also I believe you didn't use the quickcreds module right?

D4sh Posted October 12, 2016

28 minutes ago, M@$T said:
> Thanks @D4sh mine remained flashing amber.. Will flash the turtle and try to update opkg before enabling and downloading responder dependencies. Also why did you create the loot directory? Isn't that created automatically? Also I believe you didn't use the quickcreds module right?

What I will do in a few mins, when I can find a machine in the office that will not set off all the bells and whistles, is plug my LAN turtle in and take some screen shots for you. From the modules menu it is using the quickcreds modules.

M@$T Posted October 12, 2016

Thanks D4sh

D4sh Posted October 12, 2016

Hiya, Not sure if this is going to help. Attached is a screen shot of my modules in the turtle GUI, I have also attached the two scripts from my modules directory on overlay. Let me know if you need anything else.

Thanks, Simon

QuickCreds responder

sureal808 Posted October 12, 2016

I had this snagging creds from a locked Win10 machine. However I could never get the responder portion to work. It will not poison the response. I really hope this was not a gimmick to sell more Lan Turtles. :/

tdhuck Posted October 12, 2016

For those stating that this worked, can you share the start/stop of the hash? I have the hash (the device/code does work), but I am lost when I get the hash.

barry99705 Posted October 12, 2016

3 hours ago, tdhuck said:
> For those stating that this worked, can you share the start/stop of the hash? I have the hash (the device/code does work), but I am lost when I get the hash.

Here you go, straight off my windows 10 desktop.

2016-09-11 02:50:14|HTTP|NTLMv2|172.16.84.170||MicrosoftAccount\barry99705||316FAFF2BD1B754B2B123592EFB5663D:0101000000000000D0062002E006C006F6F000042002D0054004F004F004C004B004900540004001200730069E78748D5A5DCBB0D8B0D60048005400540050002F0077007000610064003A00630061006C000800300030000000000000000100000000200000123B1100630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C1BC50A00100000000000000000000000000000000000090018006F00630061006C000500120073006D0062002E006C009780853BA2447456B152EB8704DCABCDFD10A049D70BD201EC7658261F6FB5C2000000000200060053004D0042000100160053004D380030000000000000000000|barry99705::MicrosoftAccount[...]

Yes, I scrambled the text inside the hash....

M@$T Posted October 13, 2016

11 hours ago, sureal808 said:
> I had this snagging creds from a locked Win10 machine. However I could never get the responder portion to work. It will not poison the response. I really hope this was not a gimmick to sell more Lan Turtles. :/

I don't believe it's a scam.. however it would be great if the module can be tweaked to fix all the issues most of us are having.. I will try to find some time to play around with it and make a step by step guide.. unless someone already went through the time to do so or maybe a video with the walk through?

barry99705 Posted October 13, 2016

It won't work on every machine.

tdhuck Posted October 13, 2016

23 hours ago, barry99705 said:
> Here you go, straight off my windows 10 desktop.
> 2016-09-11 02:50:14|HTTP|NTLMv2|172.16.84.170||MicrosoftAccount\barry99705||[...]|barry99705::MicrosoftAccount[...]
> Yes, I scrambled the text inside the hash....

Thanks, that is what I see, but I have no clue how to break it down. Obviously the entire thing isn't the hash. What are the two different MS accounts? One hash is the login, what is the other hash for? I made, what I thought were, the hashes bold/red. Are you guys simply using a hash program to decrypt the hash? Are you able to use the hash to login/get on a network share?

barry99705 Posted October 14, 2016

Yea, I just dumped that whole blob into hashcat to decrypt. Same for the client classroom machines I used as a test. Theirs cracked fairly easily, it's a common dictionary word, which is also the login name for the password, but mine will only crack if the password is in the dictionary file. I was trying to find something on the internets that shows a breakdown of what section is what. Obviously the MicrosoftAccount\barry99705 is the domain\username.

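Added example, not part of any post in this thread and not Responder's own code: for anyone triaging a capture like the one quoted above to see which accounts were exposed and need a password reset, this Python splits a pipe-delimited record and its last field, which has the form `user::domain:challenge:NTProofStr:blob`, into named parts. The column names are assumptions inferred from the layout of the line posted above, and the sample records are constructed.

```python
import re

# Column order is an assumption inferred from the sample line in the thread.
COLUMNS = ("timestamp", "module", "type", "client", "hostname",
           "user", "cleartext", "hash", "fullhash")
HEX = re.compile(r"[0-9A-Fa-f]+")

def split_record(line):
    """Split one pipe-delimited capture record into named columns."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(COLUMNS):
        raise ValueError("expected %d columns, got %d" % (len(COLUMNS), len(parts)))
    return dict(zip(COLUMNS, parts))

def split_netntlmv2(fullhash):
    """Break user::domain:challenge:NTProofStr:blob into its five parts."""
    parts = fullhash.split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not in user::domain:challenge:proof:blob form")
    user, _, domain, challenge, proof, blob = parts
    for name, value, size in (("challenge", challenge, 16), ("proof", proof, 32)):
        if len(value) != size or not HEX.fullmatch(value):
            raise ValueError("%s must be %d hex characters" % (name, size))
    if not HEX.fullmatch(blob) or not blob.startswith("0101"):
        raise ValueError("blob does not look like an NTLMv2 client blob")
    return {"user": user, "domain": domain, "server_challenge": challenge,
            "nt_proof_str": proof, "blob": blob}

def exposed_accounts(lines):
    """Return sorted (domain, user, client) tuples for well-formed NTLMv2 records."""
    seen = set()
    for line in lines:
        try:
            rec = split_record(line)
            parts = split_netntlmv2(rec["fullhash"])
        except ValueError:
            continue  # truncated or scrambled record: skip it rather than guess
        if rec["type"] == "NTLMv2":
            seen.add((parts["domain"], parts["user"], rec["client"]))
    return sorted(seen)

# Constructed sample records, not real captures; the second is cut short on purpose.
SAMPLE = [
    "2016-01-01 00:00:00|HTTP|NTLMv2|192.0.2.10||EXAMPLE\\alice||"
    "00112233445566778899AABBCCDDEEFF:0101000000000000AABBCCDD|alice::EXAMPLE:"
    "1122334455667788:00112233445566778899AABBCCDDEEFF:0101000000000000AABBCCDD",
    "2016-01-01 00:05:00|HTTP|NTLMv2|192.0.2.11||EXAMPLE\\bob||AA:0101|bob::EXAMPLE",
]
print(exposed_accounts(SAMPLE))  # [('EXAMPLE', 'alice', '192.0.2.10')]
```
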
CrypieJay Posted October 14, 2016

I am having problems where QuickCreds won't start. I went back to factory reset on the turtle then loaded up QuickCreds, applied dependencies, enabled on boot. But when I start it manually I get the following error:

Note that I do not have the directory structure it seems to want:

tdhuck Posted October 14, 2016

6 hours ago, barry99705 said:
> Yea, I just dumped that whole blob into hashcat to decrypt. Same for the client classroom machines I used as a test. Theirs cracked fairly easily, it's a common dictionary word, which is also the login name for the password, but mine will only crack if the password is in the dictionary file. I was trying to find something on the internets that shows a breakdown of what section is what. Obviously the MicrosoftAccount\barry99705 is the domain\username.

Ok, can you quote your post and highlight what you dropped into hashcat to decrypt? Did I highlight the correct hashes or am I wrong? Thanks.

barry99705 Posted October 14, 2016

I gave it that whole file. You're not going to get anything from mine, I scrambled the hashes, that's really my desktop and microsoft account....

This topic is now archived and is closed to further replies.