Didier Stevens

Tuesday 2 August 2016

rtfdump: Update And Videos

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

I made a small update to rtfdump and added new rules to rtf.yara.

This video is an intro to rtfdump:

This is a video on an RTF maldoc (MD5 07884483f95ae891845caf0d50ce507f) that contains an exploit for MS12-027 CVE-2012-0158:

This is a video on an RTF maldoc (MD5 4483ad299158eb54f6ff58b5346a36ee) that contains an exploit for MS10-087 CVE-2010-3333:

rtfdump_V0_0_3.zip (https)
MD5: 59DC23EE55F76C065A2A718DDFDB0E4E
SHA256: 46F9D768C6976AD5D4018EFDFD35DAE4212FEAE57871434A33CAEF028CB4CBA2

Monday 1 August 2016

Overview of Content Published In July

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in July:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Sunday 31 July 2016

Update: re-search Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update for re-search.py to properly handle binary files.

re-search_V0_0_2.zip (https)
MD5: FC921EAF48774B6E113FAE76867B69E1
SHA256: B07BF53FE476E6FC4D5B568BA2B0B70DD3BC037478A2CBF3A08A1AA6CCDD402C

Saturday 30 July 2016

Video: ntds.dit: Extract Hashes With secretsdump.py

Filed under: Encryption — Didier Stevens @ 17:40

In this video I show an alternative to my blogpost on extracting hashes from the Active Directory database file ntds.dit.

I use secretsdump.py from Core Security’s impacket Python modules. The advantage is that this is a pure Python solution, and that it was able to automatically select the correct object ID. Dependencies are pycrypto and pyasn1.

Bugfix: pdf-parser Version 0.6.5

Filed under: My Software,PDF,Update — Didier Stevens @ 16:19

This is a bugfix for pdf-parser. Streams were not properly extracted when they started with whitespace after the normal whitespace following the stream keyword.

pdf-parser_V0_6_5.zip (https)
MD5: 7F0880EB8A954979CA0ADAB2087E1C55
SHA256: E7D2CCA12CC43D626C53873CFF0BC0CE2875330FD5DBC8FB23B07396382DCC85

Friday 29 July 2016

Releasing rtfdump.py

Filed under: maldoc,My Software — Didier Stevens @ 8:59

Today I’m releasing my rtfdump.py tool to analyze RTF documents. I started working on it about a year ago, but I didn’t like the direction it took me in, and stopped working on it. About a week ago I started again with new samples, and I’m more satisfied now with the result.

I will post more information later. But if you want to get an idea how to use my tool, take a look at this analysis in SANS ISC Diary.

rtfdump_V0_0_2.zip (https)
MD5: 368CCACC556E283D5E1759ED5E164BFF
SHA256: DA9B0AB231B1ADBC1083FC0F915A789EF19A5F7540C317CFA80BF3DE038C7952

Monday 25 July 2016

Practice ntds.dit File Overview

Filed under: Encryption — Didier Stevens @ 9:15

I published a sample Active Directory database file (ntds.dit) to practise hash extraction and password cracking. And I published several how-to blog posts.

Here is an overview:

Practice ntds.dit File Part 1

Practice ntds.dit File Part 2: Extracting Hashes

Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist

Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force

Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM

Video: ntds.dit: Extract Hashes With secretsdump.py

Practice ntds.dit File Part 9: Extracting Password History Hashes

 

Thursday 21 July 2016

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM

Filed under: Encryption — Didier Stevens @ 0:00

Using passwords recovered from LM hashes to crack NTLM hashes is easier with John the Ripper, because it comes with a rule (NT) that tries every upper/lower case combination of the letters:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=lm-passwords.txt --rules=NT --pot=john-lm-ntlm.pot nt.john.out

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
FEPARAGON        (user20)
V                (user21)
Y6G              (user23)
aS               (user22)
*qFT             (user24)
lm1181992        (user16)
976b0            (user26)
*Vqc(            (user25)
Root1$           (Administrator)
Lzac08@          (user19)
kurt!!!          (user05)
XjW*wL           (user27)
yeliz6           (user14)
tadob            (user15)
zordic7          (user04)
maisie2007       (user12)
8N)IMRgQ57_      (user31)
girlish2020      (user06)
thurlow1         (user09)
cuningo          (user17)
A9LT5J$r         (user28)
Crx3#W+f         (user29)
beaufort1        (user10)
43PDlBR8tS#V     (user32)
453758487l       (user08)
F-62RqTo@m       (user30)
WBJ_Pvtz6i42AV   (user34)
rachelleanne     (user03)
amorosaoveja     (user07)
b#f1HvU@Qz7nk    (user33)
31g 0:00:00:00 DONE (2016-07-18 22:19) 382.7g/s 426851p/s 426851c/s 6317KC/s wbj_pvtz6I42av..wbj_pvtz6i42av
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using --show:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-lm-ntlm.pot ad-database\kali\dump\nt.john.out

Administrator:Root1$:S-1-5-21-3188177830-2933342842-421106997-500::
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:aS:S-1-5-21-3188177830-2933342842-421106997-1127::
user23:Y6G:S-1-5-21-3188177830-2933342842-421106997-1128::
user24:*qFT:S-1-5-21-3188177830-2933342842-421106997-1129::
user25:*Vqc(:S-1-5-21-3188177830-2933342842-421106997-1130::
user26:976b0:S-1-5-21-3188177830-2933342842-421106997-1131::
user27:XjW*wL:S-1-5-21-3188177830-2933342842-421106997-1132::
user28:A9LT5J$r:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:Crx3#W+f:S-1-5-21-3188177830-2933342842-421106997-1134::
user30:F-62RqTo@m:S-1-5-21-3188177830-2933342842-421106997-1135::
user31:8N)IMRgQ57_:S-1-5-21-3188177830-2933342842-421106997-1136::
user32:43PDlBR8tS#V:S-1-5-21-3188177830-2933342842-421106997-1137::
user33:b#f1HvU@Qz7nk:S-1-5-21-3188177830-2933342842-421106997-1138::
user34:WBJ_Pvtz6i42AV:S-1-5-21-3188177830-2933342842-421106997-1139::

31 password hashes cracked, 12 left

 

Wednesday 20 July 2016

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Filed under: Encryption — Didier Stevens @ 0:00

Brute-force cracking with John the Ripper is done with incremental mode. Incremental mode does not simply enumerate the full key space in order: it tries candidates in an order derived from trigraph frequencies, so that the most likely passwords are recovered as soon as possible.

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-lm.pot lm.john.out

Working through the complete LM hash key space will take many days:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead

Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1                (user09:2)
2020             (user06:2)
AS               (user22)
F                (user29:2)
R                (user28:2)
LM11819          (user16:1)
V                (user21)
EANNE            (user03:2)
T1               (user10:2)
CUNINGO          (user17)
AMOROSA          (user07:1)
12g 0:00:00:14 0.00% (ETA: 2016-08-17 08:26) 0.8329g/s 2887Kp/s 2887Kc/s 104518KC/s HSV29S..HS3A18
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

Use option --show to display the recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-bruteforce-lm.pot lm.john.out
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user06:???????2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user09:???????1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:???????T1:S-1-5-21-3188177830-2933342842-421106997-1115::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

The command for NT hashes is almost the same:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-nt.pot nt.john.out

This will never end (unless all passwords are recovered), because NT hashes, unlike LM hashes, do not limit the password length:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1g 0:00:00:11  0.08373g/s 13795p/s 13795c/s 579415C/s melace1..meremia
V                (user21)
cuningo          (user17)
aS               (user22)
4g 0:00:01:17  0.05132g/s 3317Kp/s 3317Kc/s 132700KC/s ihxhl..ihxfg
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

 

Tuesday 19 July 2016

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Filed under: Encryption — Didier Stevens @ 0:00

After password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes for John the Ripper: lm.john.out and nt.john.out).

First we use the rockyou wordlist to crack the LM hashes:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-lm.pot lm.john.out

Option --wordlist specifies the wordlist to use, and option --pot specifies the pot file I want to create/use.

Output:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
RACHELL          (user03:1)
AMOROSA          (user07:1)
BEAUFOR          (user10:1)
GIRLISH          (user06:1)
2020             (user06:2)
1                (user09:2)
007              (user12:2)
THURLOW          (user09:1)
OVEJA            (user07:2)
EANNE            (user03:2)
AS               (user22)
MAISIE2          (user12:1)
F                (user29:2)
ZORDIC7          (user04)
YELIZ6           (user14)
TADOB            (user15)
R                (user28:2)
LM11819          (user16:1)
KURT!!!          (user05)
CUNINGO          (user17)
LZAC08@          (user19)
FEPARAG          (user20:1)
4537584          (user08:1)
24g 0:00:00:00 DONE (2016-07-15 23:57) 27.39g/s 16374Kp/s 16374Kc/s 461233KC/s "WHENIC..♦*♥7▒VA
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option --show to display the (partially) recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-lm.pot lm.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:RACHELLEANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:ZORDIC7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:KURT!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:GIRLISH2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSAOVEJA:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:4537584???????:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:THURLOW1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:BEAUFOR???????:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:MAISIE2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:YELIZ6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:TADOB:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:LZAC08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAG???????:S-1-5-21-3188177830-2933342842-421106997-1125::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

24 password hashes cracked, 23 left
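John reports LM passwords per 7-character half, "(user03:1)" for the first and "(user03:2)" for the second, and --show fills a half that is not cracked yet with seven question marks; this is also why the wordlist run here and the incremental run in Part 7 show the same partial values. This added example (not the blog's code and not John the Ripper's) parses those status lines and assembles the --show form; the sample status lines and the user-to-SID map are constructed from values shown in this post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the status lines in this post: ":1" / ":2"
# name the 7-character LM half, no suffix means the password fit in one half.
SAMPLE_STATUS = """\
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
RACHELL          (user03:1)
BEAUFOR          (user10:1)
EANNE            (user03:2)
F                (user29:2)
5g 0:00:00:00 DONE (2016-07-15 23:57) 27.39g/s 16374Kp/s 16374Kc/s 461233KC/s
Warning: passwords printed above might be partial
"""

# Constructed user -> SID map, using the SIDs --show printed in this post.
SAMPLE_SIDS = {
    "user01": "S-1-5-21-3188177830-2933342842-421106997-1106",
    "user03": "S-1-5-21-3188177830-2933342842-421106997-1108",
    "user10": "S-1-5-21-3188177830-2933342842-421106997-1115",
    "user29": "S-1-5-21-3188177830-2933342842-421106997-1134",
}

# "<half> (<user>[:<1|2>])"; warning and progress lines do not match.
STATUS_RE = re.compile(r"^(?P<half>\S+)\s+\((?P<user>[^:)]+)(?::(?P<idx>[12]))?\)$")
UNKNOWN_HALF = "?" * 7


def parse_status(text: str) -> dict:
    """Map user -> {1: half, 2: half} from john's cracked-password lines."""
    halves = defaultdict(dict)
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        user, half, idx = m.group("user"), m.group("half"), m.group("idx")
        if idx is None:
            halves[user] = {1: half, 2: ""}  # whole LM password is 7 chars or less
        else:
            halves[user][int(idx)] = half
    return dict(halves)


def assemble_lm(halves: dict) -> dict:
    """Join the halves the way --show does, '???????' for an uncracked half."""
    return {u: h.get(1, UNKNOWN_HALF) + h.get(2, UNKNOWN_HALF) for u, h in halves.items()}


def show_lines(halves: dict, sids: dict) -> list:
    """Render user:password:SID:: lines, sorted by user name (this example's choice)."""
    passwords = assemble_lm(halves)
    return [f"{u}:{passwords[u]}:{sids.get(u, '')}::" for u in sorted(passwords)]


def cracked_count(halves: dict) -> int:
    """Cracked LM hashes as john counts them: one per half it reported."""
    return sum(1 for h in halves.values() for v in h.values() if v != "")


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    for line in show_lines(parsed, SAMPLE_SIDS):
        print(line)
    print(f"{cracked_count(parsed)} password hashes cracked")
```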

Cracking NTLM hashes is done with a similar command; only the file names change:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-nt.pot nt.john.out

Output:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
mychemicalromance (user02)
beautifulprincess (user11)
beaufort1        (user10)
thurlow1         (user09)
rachelleanne     (user03)
maisie2007       (user12)
maiseythorne2007 (user13)
zordic7          (user04)
yeliz6           (user14)
tadob            (user15)
lm1181992        (user16)
kurt!!!          (user05)
girlish2020      (user06)
cuningo          (user17)
amorosaoveja     (user07)
Lzac08@          (user19)
Horselover1493@hotmail.com (user18)
FEPARAGON        (user20)
453758487l       (user08)
20g 0:00:00:01 DONE (2016-07-16 00:06) 19.15g/s 13739Kp/s 13739Kc/s 411618KC/s    000..♦*♥7▒Vamos!♥
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option --show to display the recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-nt.pot nt.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user02:mychemicalromance:S-1-5-21-3188177830-2933342842-421106997-1107::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user11:beautifulprincess:S-1-5-21-3188177830-2933342842-421106997-1116::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user13:maiseythorne2007:S-1-5-21-3188177830-2933342842-421106997-1118::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user18:Horselover1493@hotmail.com:S-1-5-21-3188177830-2933342842-421106997-1123::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::

20 password hashes cracked, 23 left

 
