How to intercept and crack Windows network passwords

Hashes derived from login passwords are exchanged between Windows computers on a local Wi-Fi network. By intercepting these hashes with Responder and cracking them with John the Ripper, we can recover the user's credentials, which can then be used to gain access to their computer.

How such an attack works

When it needs to resolve the hostname of another device on the local network, Windows uses the Link-Local Multicast Name Resolution (LLMNR) protocol. Any client on the local network can take part in LLMNR and help Windows resolve the hostname of another device on that network.
The vulnerability lies in the willingness of Windows to accept responses from any device on such a network, even when the response is bogus. LLMNR does not authenticate incoming responses, which creates favorable conditions for its abuse by hackers.
The hacker's machine listens on the local network for LLMNR requests coming from the target Windows computer and then answers them itself. Taking the answer at face value, the Windows computer tries to open a session with that host and, to authenticate, sends it an NTLMv2 hash derived from the user's password.
The NTLMv2 hashes captured this way are very valuable to hackers.
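A defender can turn the behaviour described above around to detect a poisoner: send an LLMNR query for a name that no legitimate host owns and see whether anyone answers. The following Python script is an added example, not part of the original article and not Responder's code; the canary name, the transaction ID and the sample answer used in its offline self-check are constructed values, and the live probe in `probe()` only means something on a real network segment.

```python
"""Canary LLMNR probe: query the local segment for a hostname nobody owns.
Added example, not part of the original article and not Responder's code.
No legitimate host should answer; any answer means a host is claiming names
it does not own, which is what an LLMNR poisoner does.  The canary name,
transaction ID and the sample answer below are constructed values."""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group used by LLMNR (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS-style encoding: length-prefixed labels terminated by a zero byte."""
    labels = name.split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS wire format: 12-byte header, then one question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)   # flags=0, QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def decode_name(data: bytes, off: int):
    """Decode a name at `off`, following compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:                  # pointer to an earlier name
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_llmnr_response(data: bytes):
    """Return (txid, [(answered_name, ipv4), ...]) for an LLMNR packet."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not (flags & 0x8000):                         # QR bit clear: a query, not an answer
        return txid, []
    off = 12
    for _ in range(qd):                              # skip the echoed question(s)
        _, off = decode_name(data, off)
        off += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return txid, answers


def poisoner_hits(canary: str, txid: int, packets) -> list:
    """Keep only the IPs that answered *our* canary query: each one is poisoner evidence."""
    hits = []
    for pkt in packets:
        try:
            rid, answers = parse_llmnr_response(pkt)
        except (struct.error, IndexError):
            continue                                 # malformed or truncated: ignore
        if rid == txid:
            hits.extend(ip for name, ip in answers if name.lower() == canary.lower())
    return hits


def sample_response(query: bytes, ip: str) -> bytes:
    """Offline fixture only: the answer shape a spoofing host would return."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(ip)
    return header + query[12:] + rr                  # 0xC00C points at the echoed question name


def probe(canary: str, timeout: float = 2.0) -> list:
    """Live check: multicast the canary query and collect everything that answers."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        packets = []
        try:
            while True:
                packets.append(s.recvfrom(4096)[0])
        except socket.timeout:
            pass
    return poisoner_hits(canary, txid, packets)


if __name__ == "__main__":
    canary = "llmnr-canary-%04x" % random.randrange(0x10000)    # constructed, nonexistent name
    print("hosts answering for", canary + ":", probe(canary) or "none")
```

Run periodically from a machine on each VLAN; a non-empty result is a high-confidence alert, because the answered name was chosen at random and exists nowhere. The transaction ID check keeps unrelated LLMNR traffic from producing false positives.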

What is NTLMv2

NTLM credentials are based on data obtained during the login process and consist of the domain name, the user name, and a one-way hash of the user's password. NTLM authenticates users with a challenge-response exchange built on that hash, so the password itself is never sent over the network in clear text.
NTLM version 2 (NTLMv2), introduced into Windows operating systems in the late 1990s, hardened NTLM against a large number of spoofing and brute-force attacks by strengthening the hashing construction.
Unfortunately, the HMAC-MD5 construction used by NTLMv2 is still very cheap to compute, so a captured hash remains highly vulnerable to brute-force attacks at tens of millions of password guesses per minute; such attacks can be run even on outdated hardware or a Raspberry Pi.

Step 1: Install and use Responder

To start the attack, you need to obtain an NTLMv2 hash from the target computer. This can be done with Responder, a command-line tool written by SpiderLabs and Laurent Gaffie. It can analyze and answer LLMNR and mDNS requests; here it is used to interact with Windows computers on the local network and capture the NTLMv2 hashes transmitted by the target device.
Responder is available in the Kali Linux repositories. Run apt-get update first so that the latest version is installed, then install it with these two commands, one after the other:
apt-get update 
apt-get install responder


When the installation is complete, you can use the --help argument to view all available Responder options.


Run the Responder with this command:
responder -I wlan0


If the built-in wireless card is used to connect to the target wireless network, the interface will most likely be called wlan0. The -I (interface) argument is the only required argument for Responder; the interface name can be found with the ifconfig command.
Responder's terminal then enters a listening state in which it answers LLMNR requests on the local network. When it captures an NTLMv2 hash belonging to the target Windows computer, it prints the hash in the terminal.


The entire hash (highlighted in red in the screenshot) must be saved locally, for example with nano in a file called hash.txt:
nano hash.txt
To save changes and exit, press Ctrl + X, then Y, then Enter.

Step 2. Install John the Ripper

Brute-forcing the captured hash is the final step of this attack, and we will use John the Ripper for it. John performs the brute force on the CPU. It is available in most popular Linux distributions, such as Kali Linux and ParrotSec.
The main goal of John the Ripper is to find weak passwords by running various brute-force attacks against common hashing and encryption schemes, for targets such as password-protected ZIP files, PuTTY SSH private keys, encrypted Firefox password databases, macOS keychains, Windows NTLMv2 hashes, and many others.
John the Ripper (simply john on the command line) can be installed with this command:
apt-get install john


John the Ripper supports a wide range of hashing and encryption algorithms. The --test and --format arguments benchmark John's cracking speed, i.e. how many NTLMv2 candidates per second this computer can generate and try during a brute-force attack.
john --test --format=netntlmv2


To see benchmarks for every hashing algorithm John the Ripper supports, use the --test argument with no further options.
john --test

Step 3. Brute-force NTLMv2 hashes using John the Ripper

There are two ways to perform brute force — fast and slow. Each method has its advantages and disadvantages, but it is useful to know how each of them works.

Option 1. Using wordlists and dictionaries (quick way)

A wordlist attack against NTLMv2 hashes will most likely finish very quickly. We found that John was able to process more than 10,000,000 passwords in less than 20 seconds. This is because NTLMv2 uses a weak, fast hashing construction that is not able to provide a reasonable degree of security against offline guessing. Even on old Intel processors, John can process millions of passwords in a short time.
To specify the wordlist for the attack, use the --wordlist argument.
john --wordlist=passwords.txt hash.txt


When the hash is successfully cracked, it will appear in the terminal next to the user name associated with that hash. On our Windows 10 virtual machine, the password is nullbyte, and IEUser is the username (login).


Alternatively, cracked hashes can be displayed again at any time with the --show argument followed by the path to the file containing the hash.


Option 2. Using mask mode to crack a hash (slow method)

For readers who have dedicated brute-force hardware, or a Raspberry Pi that can run for days (or weeks) without interruption, John's mask mode can offer a complete solution.
Mask mode allows a more complete and thorough brute force over every possible character in the password. For example, "Password23" is likely to be found in most wordlists, but "Pzzw1rD" most likely is not. With mask mode, John can try every letter from A to Z and every digit from 0 to 9 in each position.
By default, John has predefined character sets. These sets are:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
Password analytics based on public breach databases tell us that most passwords are six to eight characters long and consist mainly of lowercase letters. This rule can be expressed with the --mask argument and the ?l placeholder, as in the command below.
john --mask='?l?l?l?l?l?l?l?l' hash.txt
Each "?l" represents one character of the password; "l" literally means "lowercase". A mask of only uppercase letters uses "?u" instead.
john --mask='?u?u?u?u?u?u?u?u?u' hash.txt
Character sets can also be combined.
john --mask='?u?l?l?l?l?l?l?l' hash.txt
As mentioned earlier, most passwords are six to eight characters long. To save time during the brute force, you can enforce a minimum length with the --min-len argument.
john --mask='?u?l?l?l?l?l?l?l' --min-len=6 hash.txt
To add digits at the end of the password, use the ?d placeholder.
john --mask='?u?l?l?l?l?l?d?d' --min-len=6 hash.txt
To view John's progress while the brute force is running, press the down arrow key and the current status is printed in the console.
Those who want to speed up brute-force attacks can look at our material on Hashcat or read about GPU brute force on Stack Overflow.

How to protect yourself from Responder and brute-force attacks

Preventing these attacks is not easy, and there are only a couple of reliable measures you can apply:
  • Use a stronger password. The weak, fast hashing construction used by NTLMv2 means that passwords of up to 16 characters will not be a big problem for hackers, especially if they use specialized hardware. Use long, complex passwords.
  • Disable the LLMNR and NBT-NS protocols. These Windows protocols literally beg to be compromised. If possible, disable LLMNR and NBT-NS.
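As an added check, not from the original article, the following Python script audits the second measure on a Windows host. Enabling the Group Policy setting "Turn off multicast name resolution" (Computer Configuration > Administrative Templates > Network > DNS Client) writes EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, and disabling NetBIOS over TCP/IP on an adapter sets NetbiosOptions = 2 under that adapter's subkey of HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces. Those registry paths are the standard Windows locations; the decision logic is kept separate from the registry reads so it can be exercised with constructed values on any platform.

```python
"""Audit the two mitigations from the article: LLMNR off (policy value
EnableMulticast = 0) and NetBIOS over TCP/IP off on every interface
(NetbiosOptions = 2).  Added example, not part of the article.  assess()
is pure and testable anywhere; read_settings() needs Windows (winreg)."""

LLMNR_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
NETBT_IFACES_KEY = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
NETBIOS_DISABLED = 2      # NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled


def assess(enable_multicast, netbios_options: dict) -> list:
    """Return a list of findings; an empty list means both mitigations are in place.
    enable_multicast is the policy DWORD, or None when the value is absent
    (absent means LLMNR is enabled, which is the Windows default)."""
    findings = []
    if enable_multicast is None:
        findings.append("LLMNR: EnableMulticast policy not set; LLMNR is enabled by default")
    elif enable_multicast != 0:
        findings.append(f"LLMNR: EnableMulticast={enable_multicast}; expected 0")
    for iface, opt in sorted(netbios_options.items()):
        if opt != NETBIOS_DISABLED:
            findings.append(f"NBT-NS: {iface} NetbiosOptions={opt}; expected {NETBIOS_DISABLED}")
    return findings


def read_settings():
    """Read the live values from the registry (Windows only)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(hklm, LLMNR_POLICY_KEY) as key:
            enable_multicast = winreg.QueryValueEx(key, "EnableMulticast")[0]
    except OSError:                       # key or value missing: policy not configured
        enable_multicast = None
    netbios = {}
    with winreg.OpenKey(hklm, NETBT_IFACES_KEY) as ifaces:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(ifaces, index)
            except OSError:               # no more subkeys
                break
            index += 1
            with winreg.OpenKey(ifaces, name) as key:
                try:
                    netbios[name] = winreg.QueryValueEx(key, "NetbiosOptions")[0]
                except OSError:
                    netbios[name] = 0     # value absent: treated as the DHCP-controlled default
    return enable_multicast, netbios


if __name__ == "__main__":
    findings = assess(*read_settings())
    print("\n".join(findings) if findings else "LLMNR and NetBIOS name resolution are disabled")
```

Run it as an administrator after applying the policy, and again after a new adapter (VPN, docking station) appears, since each adapter gets its own NetBT interface key and therefore its own NetbiosOptions value. In a domain the same result is reached centrally with the Group Policy setting above plus a DHCP option or startup script for NetBIOS; the audit then confirms the policy actually landed on each host.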

Comments

You are welcome to share your ideas with us in comments!