Security Blogs

Uncategorized

Credential Dumping

Credential dumping means dumping user credentials like username or password from victim machine to attacker machine, so it can be used later whenever the attacker want to again enter in to the victim machine. By Credential dumping the attacker can get the password of the victim machine, also he can get the passwords of other computers which he or she can use to access other computers available on network as well. 

Credential dumping is largely possible because operating system provides easiness to user which save them from inconvenience of repeatedly entering the password.Once the user has entered it’s password, the password is stored on memory so operating system can call this password from memory whenever it is required it means if the hacker has gained the ability to execute malicious code on victim machine, he or she can pull the passwords from computer’s memory.

Amit Serper, a researcher for security firm Cybereason and a former Israeli intelligence hacker, in his discussion about Hash Dumping Says In some cases, he’s seen hackers who frustrate the user by messing up with their computer’s setting until he or she calls technical support, once the administrator logging into their machine. The hacker can get the credentials of administrator from memory which is definitely more valuable for attacker. He also says that other basic moves hackers make after gaining access to a single computer, They install persistent malware that survives even if the user reboots the machine. 

Credential dumping can also be used for espionage activities, in june-2019 the chinese hackers revealed that they targeted at least 10 global phone carriers in an espionage campaign.

Credential dumping has become a key tool for those hackers whose aim is to hold the ransom as many computer as possible by spreading the infection to an entire network. “Any time we hear in the news that ransomware has taken out an entire organization, this is what happened,” says Rob Graham, the founder of Errata Security. “This is how it spread through the entire domain: It gets credentials and uses this mechanism to spread from one computer to the next.”

Rob Graham, also says that system administrators can decrease chances of gaining the credentials by hackers via limiting the number of users with administrative privileges And Cybereason’s Amit Serper said that two-factor authentication can help, limiting the use of stolen passwords so if even a hackers get the password, he would need a second authentication factor to logon to computer.

The most common tool for credential dumping is Mimikatz, it was created by a French security researcher named “Benjamin Delpy”, it has become the first choice for any hacker to perform credential dumping. Dmitri Alperovitch, the chief technology officer of security firm Crowdstrike, calls it the “AK-47 of cybersecurity.”

Mimikatz originally demonstrated that how the attacker can bypass Windows authentication system by exploiting a single vulnerability . Now the tool demonstrates several different kinds of vulnerabilities. Mimikatz can perform credential-gathering techniques such as :

Pass-the-Hash: Windows store password data in an NTLM hash. Attacker can use this tool to pass that exact hash string to the target computer to login.

Pass-the-Ticket: In latest versions of windows password are stored in a construct a called ticket. By using this tool a user can pass a Kerberos ticket to another computer and can login with that user’s ticket

Over-Pass the Hash (Pass the Key): This technique passes a unique key to impersonate a user you can obtain from a domain controller.

Kerberos Golden Ticket: This is called a pass-the-ticket attack, it’s a specific kind of ticket for a hidden account which is called KRBTGT, This account encrypts all of other tickets. A golden ticket gives you domain admin credentials to any computer on the network that doesn’t expire.

Kerberos Silver Ticket: The silver ticket takes the advantage of feature in a windows which allows us to use services on the network in much easier way. Kerberos grant the TGS ticket to user and he or she can use that ticket to log into any services on the network

Pass-the-Cache: it is an attack which doesn’t take advantage of Windows. A pass-the-cache attack is almost like the pass-the-ticket attack, but pass-the-cache attack uses the saved and encrypted login data on a Mac/UNIX/Linux system.

Below is the details of some of the techniques which can be used to perform credentials dumping.

SAM

SAM is database file which is available in windows XP,windows Vista,7, 8 or other which contain a list of networks hashes password

The Tools which can be used to retrieve the SAM file are:

  • pwdumpx.exe
  • gsedump
  • Mimikatz
  • Secretdumps.py

LSA

LSA Secret is an area in registry which contain account password for various services that run by operating system and also contain password that are used to logon to windows, if auto logon in enabled

reg.exe can be used to extract from the Registry

NTDS

Ntds file is a database that store active directory data which include the information about user, object group, group membership. It includes password for all user in the domain, by default it is located in“%systemRoot%NTDS%ntds.dit” of domain controller

The tools and techniques which can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes are:

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy

GPP

Group Policy Preferences is a tool which allows administrator to create a domain policies with embedded credential and by these policies administrator set local account

The domain user can decrypt the password of these local account because the

Policies are stored in SYSVQL on domain controller and any domain user can view the SYSVQL share

The tools which can be used to gather and decrypt the password file from Group Policy Preference XML files:

  • Metasploit’s post exploitation module: “post/windows/gather/credentials/gpp”
  • Get-GPPPassword [5]
  • gpprefdecrypt.py

Cached Credential

It’s a piece of information which is compared with the user logon credentials to authenticate user in case when network is not available and then we logon to operating system.

Creddump7 is used to gather the credentials.

Leave a Reply

Your email address will not be published. Required fields are marked *