In the 2 previous videos we have shown how by compromising just one user on an RDP server we can steal the hashed passwords of all logged in users. In part 3 we show how to crack those hashes to reveal the plain text passwords.
If you haven’t watched the previous videos and you are not sure how we got to this point, I’d recommend watching them so you are up to speed.
As a recap we have compromised the guest user on an RDP server, then dumped all available credentials from memory ready for us to crack the hashes and see what other credentials we get.
We copy these hashes over as shown in the video and save them in a file named “StolenCredsJohn” using the shown format of username:hash
We also have a file named “small-wordlist1.txt” which is a file of usernames we want to test against the hashes we have. There are of course massive wordslists which contain BILLIONS of passwords, however here we have carried out some intel of the victim organisation and found some details of previous breaches so have created a custom wordlist.
The program we are using to crack the hashes is John The Ripper. There are plenty of other programs out there but I prefer John which allows you to create custom rule sets and combine those with custom wordlists.
To use John we simply provide switches which state; NOTE you need double dashes to enable the switches below. They may display as single dashes below in some browsers, or may show as having a space between the dashes in others. It is shown clearly in the video below)
- Hash type (NTLM, MD5, for example). – -format=
- The file name of the stolen hashes
- The file name of the wordlist we will use. – -wordlist=
The John The Ripper commands we use in this video are:
- John – -format=NT – -wordlist=small-wordlist.txt StolenCredsJohn; use john to crack the hash file “StolenCredsJohn” using the wordlist “small-wordlist1.txt”
- John – -show – -format=NT StolenCredsJohn show the cracked hashes from the file “StolenCredsJohn”
Once we have the cracked hashes we then use them to login to the RDP server undetected. Using legitimate credentials means there is nothing malicious for the Anti-Virus to detect.