Snagging creds from locked machines


korang


Hi guys,

I also tried this, but it is also not working.

I can see the hash credential has already been copied to /root/loot/, but the PC does not seem to be locked automatically.

I attached some config and results for reference.

I followed this link: https://room362.com/post/2016/snagging-creds-from-locked-machines/

Is there any config that I missed?

Thanks.

 

root@turtle:~# cat /overlay/etc/rc.local

#Add your commands above this line
#exit 0

/etc/init.d/dnsmasq stop
/usr/sbin/screen -dmS responder bash -c 'cd /overlay/etc/turtle/Responder; python Responder.py -I br-lan -f -w -r -d -F'
exit 0

root@turtle:~/loot/21# ls -lah
drwxr-xr-x    2 root     root           0 Oct  7 03:33 .
drwxr-xr-x   25 root     root           0 Oct  7 03:30 ..
-rw-r--r--    1 root     root           0 Oct  7 03:15 Analyzer-Session.log
-rw-r--r--    1 root     root       13.5K Oct  7 03:15 Config-Responder.log
-rw-r--r--    1 root     root        1.8K Oct  7 03:23 HTTP-NTLMv2-172.16.84.182.txt
-rw-r--r--    1 root     root        2.9K Oct  7 03:15 Poisoners-Session.log
-rw-r--r--    1 root     root        6.4K Oct  7 03:15 Responder-Session.log
 

 

9 minutes ago, M@$T said:

Has anyone actually managed to make this work properly?

If so, please share with us, as I and the majority here are not managing.

I am confident that mine is working as it should, but I don't know where the hash starts and ends. Someone posted a link to a site explaining it, but I still can't do anything with the hashes/data. As you can see from my previous posts, it did take me a few attempts before I found the correct directory, but everything seems to be there. I have tested on my W7 and W10 machines, but have only verified entries for the W10 machine. I will assume it worked for W7, but I didn't look at all of the logs to find the W7 entries.


12 hours ago, M@$T said:

Has anyone actually managed to make this work properly?

If so, please share with us, as I and the majority here are not managing.

Maybe we need to tag Darren for this. :grin:

12 hours ago, tdhuck said:

I am confident that mine is working as it should, but I don't know where the hash starts and ends. Someone posted a link to a site explaining it, but I still can't do anything with the hashes/data. As you can see from my previous posts, it did take me a few attempts before I found the correct directory, but everything seems to be there. I have tested on my W7 and W10 machines, but have only verified entries for the W10 machine. I will assume it worked for W7, but I didn't look at all of the logs to find the W7 entries.

Maybe you need to check whether your W7 is joined to a domain or not.

When I tried on a different PC that was not domain-joined, I was not able to get the hash data.


19 hours ago, skippy7 said:

Maybe you need to check whether your W7 is joined to a domain or not.

When I tried on a different PC that was not domain-joined, I was not able to get the hash data.

The hash is there, but I don't know where it starts/ends. Computer is not on a domain. Basically, it works, I have the data, but I can't use/read it because of my lack of knowledge.


15 minutes ago, tdhuck said:

The hash is there, but I don't know where it starts/ends. Computer is not on a domain. Basically, it works, I have the data, but I can't use/read it because of my lack of knowledge.

Hashcat has a nice list of hashes and how they should be formatted:

 


56 minutes ago, bored369 said:

Hashcat has a nice list of hashes and how they should be formatted:

 

I checked that out when you first posted it and when I copied the text/hash it told me it wasn't formatted properly or it threw out another error, I will have to check again and see what I missed.


1 hour ago, M@$T said:

Care to document what you did @D4sh ?

I followed the original website: https://room362.com/post/2016/snagging-creds-from-locked-machines/

I just made sure that my LAN Turtle was at factory default and on the latest firmware. I did make sure that I ran opkg update before trying to start Responder and download its dependencies.

I did get a bunch of errors the first time I tried to enable Responder (before running opkg update). I also created the loot directory myself.

But other than that it was just following the above website.

Cheers,

Si


Thanks @D4sh, mine remained flashing amber. I will flash the turtle and try updating opkg before enabling and downloading the Responder dependencies. Also, why did you create the loot directory? Isn't that created automatically? Also, I believe you didn't use the QuickCreds module, right?


28 minutes ago, M@$T said:

Thanks @D4sh, mine remained flashing amber. I will flash the turtle and try updating opkg before enabling and downloading the Responder dependencies. Also, why did you create the loot directory? Isn't that created automatically? Also, I believe you didn't use the QuickCreds module, right?

What I will do in a few minutes, when I can find a machine in the office that will not set off all the bells and whistles, is plug my LAN Turtle in and take some screenshots for you.

From the modules menu it is using the QuickCreds module.


3 hours ago, tdhuck said:

For those stating that this worked, can you share the start/stop of the hash? I have the hash (the device/code does work), but I am lost when I get the hash.

Here you go, straight off my Windows 10 desktop.

2016-09-11 02:50:14|HTTP|NTLMv2|172.16.84.170||MicrosoftAccount\barry99705||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|barry99705::MicrosoftAccount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

Yes, I scrambled the text inside the hash....


11 hours ago, sureal808 said:

I had this snagging creds from a locked Win10 machine. However I could never get the responder portion to work. It will not poison the response. I really hope this was not a gimmick to sell more Lan Turtles. :/

I don't believe it's a scam. However, it would be great if the module could be tweaked to fix all the issues most of us are having. I will try to find some time to play around with it and make a step-by-step guide, unless someone has already taken the time to do so, or maybe a video with a walkthrough?


23 hours ago, barry99705 said:

Here you go, straight off my Windows 10 desktop.

2016-09-11 02:50:14|HTTP|NTLMv2|172.16.84.170||MicrosoftAccount\barry99705||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|barry99705::MicrosoftAccount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

Yes, I scrambled the text inside the hash....

Thanks, that is what I see, but I have no clue how to break it down. Obviously the entire thing isn't the hash. What are the two different MS accounts? One hash is the login, what is the other hash for? I made, what I thought were, the hashes bold/red. Are you guys simply using a hash program to decrypt the hash? Are you able to use the hash to login/get on a network share? 


Yea, I just dumped that whole blob into hashcat to decrypt.  Same for the client classroom machines I used as a test.  Theirs cracked fairly easily, it's a common dictionary word, which is also the login name for the password, but mine will only crack if the password is in the dictionary file.  I was trying to find something on the internets that shows a breakdown of what section is what.  Obviously the MicrosoftAccount\barry99705 is the domain\username.

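Several posts above ask which part of the captured record is the actual hash and what the other sections mean. The following Python script is an added example, not code from this thread or from the Responder or LAN Turtle projects. It parses a record in the pipe-separated layout posted above, assuming the column order of Responder's sqlite table (timestamp, module, type, client, hostname, user, cleartext, hash, fullhash; that mapping is my assumption about the posted line), and then breaks the last field down along the documented NTLMv2 structure: user::domain:server challenge:NTProofStr:blob, where the blob carries the client's timestamp, the client challenge and the AV pairs naming the host and domain the client believed it was authenticating to. Every hex value in the sample record is constructed. For someone reviewing such a capture on the defensive side, the output says which account, from which client machine, authenticated to which name and when, which is what you need to rotate the affected password and trace the connection in your own logs.

```python
"""Break a pipe-separated NTLMv2 capture record (as posted in this thread) into its parts.

Field order is ASSUMED to follow Responder's sqlite table; the sample values are constructed.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

# Assumed column order (Responder.db layout) for the record posted in the thread.
RECORD_FIELDS = ("timestamp", "module", "type", "client", "hostname",
                 "user", "cleartext", "hash", "fullhash")

HEX = re.compile(r"^[0-9a-fA-F]+$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# MS-NLMP AV_PAIR ids whose values name the target the client thought it was talking to.
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName"}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_av_pairs(raw: bytes) -> dict:
    """Decode the AV_PAIR list (id, length, UTF-16LE value) that ends the NTLMv2 blob."""
    pairs, off = {}, 0
    while off + 4 <= len(raw):
        av_id, av_len = struct.unpack_from("<HH", raw, off)
        off += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = raw[off:off + av_len]
        off += av_len
        if av_id in AV_NAMES:
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le", errors="replace")
    return pairs


def parse_ntlmv2_response(fullhash: str) -> dict:
    """Split a hashcat-style NTLMv2 string (user::domain:challenge:ntproofstr:blob) and validate it."""
    user, sep, rest = fullhash.partition("::")
    parts = rest.split(":")
    if not sep or not user or len(parts) != 4:
        raise ValueError("expected user::domain:challenge:ntproofstr:blob")
    domain, challenge, ntproofstr, blob = parts
    if len(challenge) != 16 or not HEX.match(challenge):
        raise ValueError("server challenge must be 8 bytes of hex")
    if len(ntproofstr) != 32 or not HEX.match(ntproofstr):
        raise ValueError("NTProofStr must be 16 bytes of hex (an HMAC-MD5)")
    if len(blob) < 64 or len(blob) % 2 or not HEX.match(blob):
        raise ValueError("blob is too short or not hex")
    raw = bytes.fromhex(blob)
    # NTLMv2_CLIENT_CHALLENGE header: RespType, HiRespType, Reserved1, Reserved2, TimeStamp, ChallengeFromClient
    resp_type, hi_resp_type, _r1, _r2, ts, client_challenge = struct.unpack_from("<BBHIQ8s", raw, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("blob does not start with the NTLMv2 signature 0x0101")
    return {
        "user": user, "domain": domain,
        "server_challenge": challenge.lower(), "ntproofstr": ntproofstr.lower(),
        "client_challenge": client_challenge.hex(),
        "client_time": filetime_to_datetime(ts),
        "av_pairs": parse_av_pairs(raw[28:]),  # 24-byte header plus 4 reserved bytes
    }


def parse_record(line: str) -> dict:
    """Split one pipe-separated record and decode its fullhash column."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != len(RECORD_FIELDS):
        raise ValueError(f"expected {len(RECORD_FIELDS)} pipe-separated fields, got {len(fields)}")
    rec = dict(zip(RECORD_FIELDS, fields))
    rec["response"] = parse_ntlmv2_response(rec["fullhash"])
    return rec


def _av_pair(av_id: int, value: str) -> bytes:
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


def build_sample_record() -> str:
    """Constructed sample in the thread's record layout; every hex value here is made up."""
    when = datetime(2016, 9, 11, 2, 50, 14, tzinfo=timezone.utc)
    blob = (struct.pack("<BBHIQ8s", 1, 1, 0, 0, datetime_to_filetime(when), bytes.fromhex("0011223344556677"))
            + b"\x00" * 4 + _av_pair(1, "DESKTOP01") + _av_pair(2, "WORKGROUP")
            + struct.pack("<HH", 0, 0) + b"\x00" * 4)
    challenge, ntproofstr = "1122334455667788", "0123456789abcdef0123456789abcdef"
    fullhash = f"alice::WORKGROUP:{challenge}:{ntproofstr}:{blob.hex()}"
    return "|".join(["2016-09-11 02:50:14", "HTTP", "NTLMv2", "172.16.84.170", "",
                     r"WORKGROUP\alice", "", f"{ntproofstr}:{blob.hex()}", fullhash])


if __name__ == "__main__":
    rec = parse_record(build_sample_record())
    r = rec["response"]
    print(f"{rec['timestamp']} {rec['module']}/{rec['type']} from {rec['client']}: {r['domain']}\\{r['user']}")
    print("server challenge:", r["server_challenge"], "NTProofStr:", r["ntproofstr"])
    print("client clock:", r["client_time"].isoformat(), "target names:", r["av_pairs"])
```

Reading the output against the posted record: the text between `::` and the next `:` is the domain, the 16 hex characters after it are the server challenge, the following 32 are the NTProofStr, and everything after that is the blob. The two occurrences of the account name in the posted line are the `user` column and the start of the `fullhash` column, not two different hashes.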

I am having problems where QuickCreds won't start. I went back to factory reset on the turtle then loaded up QuickCreds, applied dependencies, enabled on boot. But when I start it manually I get the following error:

(screenshot: pVEHTSD.png)

Note that I do not have the directory structure it seems to want:

(screenshot: mFmJgjm.png)


6 hours ago, barry99705 said:

Yea, I just dumped that whole blob into hashcat to decrypt.  Same for the client classroom machines I used as a test.  Theirs cracked fairly easily, it's a common dictionary word, which is also the login name for the password, but mine will only crack if the password is in the dictionary file.  I was trying to find something on the internets that shows a breakdown of what section is what.  Obviously the MicrosoftAccount\barry99705 is the domain\username.

Ok, can you quote your post and highlight what you dropped into hashcat to decrypt? Did I highlight the correct hashes or am I wrong?

Thanks.


Archived

This topic is now archived and is closed to further replies.
