Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on the pwdump7 application, a password dumping program that queries registry keys. Participants receive step-by-step, screen-by-screen instructions on using this application to discover passwords.

Video Transcription

00:03
Hello, viewers. Welcome to Post Exploitation Hacking: Persistence and Continued Access. As always, it's just me, Joseph Perry. You're watching this on Cybrary.it,
00:12
and in this video we're going to do a very, very quick and brief overview of grabbing passwords out of Windows.
00:18
Ah, part of why we're doing a quick overview of it is because most of the best tools for doing this are proprietary
00:24
and most of the best places to find them,
00:26
you know,
00:27
aren't really going to be something you can gain access to very easily. However, I did want you to get a sense of at least some of the tools that exist, some of the ways that people can
00:36
go about finding passwords.
00:38
Um, the first one we're going to do, and it's really a very simple one,
00:41
is a file, or an application.
00:45
Gotta click in there. Yeah,
00:47
called pwdump7.exe. Um, it is what it sounds like. It's a password dumping program. It queries registry keys in Windows and identifies the location. It knows the location of passwords in the registry
01:00
and, ah, dumps their hashes to the screen.
01:03
It's very straightforward. Windows 7 uses an NTLM hash. It's kind of a tricky hash to break. It's salted. It's pretty strong. Just beating a Windows password is typically
01:15
somewhat rare. The best method for breaking Windows passwords is to get physical access to the box, boot a live CD and manually modify things. But obviously not everyone can do so.
01:26
Um, the alternative for that, as we discussed in the Linux video, is rainbow tables: getting the NTLM hash and then using an NTLM, um, cracker with your
01:38
ah, word file or your dictionary to do the attack.
01:42
Lots of things exist, things like L0phtCrack, John the Ripper. There are plenty of tools out there that can do it. Most of them get pinned by
01:49
Windows and by any antivirus. So if you have an exploit that you can throw against an antivirus, I recommend doing it. Alternatively, if you've got an RDP session up,
02:00
you can pretty easily point, click and turn it off, and clear out the event log, and, you know,
02:06
get through the error messages with no problem.
02:08
Which again is why RDP is basically just cheating in this business. But without any further ado, we're gonna go ahead and run this program. We're gonna hit Enter.
02:17
Ah, we see an error pop up. This is because this computer is used to demonstrate lots of hacking related things, and I've done some really horrible things to this computer in the process. So ignore this. You probably won't see it. If you do, well, then go ahead and run chkdsk /F.
02:34
Anyway, so it says "no password", but it actually finds passwords. Obviously it finds hashes.
02:40
These, as I mentioned, are NTLM hashes. It's going to go in, it's gonna hash all of these things. But
02:46
you will find occasionally
02:50
this right here.
02:52
Now, account three on this machine actually has no password,
02:55
no password enabled. So if that account is one that you identified as actually being active and usable, you now know you can gain access. There's also a useful thing that this does, in that it lets us actually identify which accounts are which.
03:12
This right here is the user ID for the account.
03:15
Um, you saw we had similar, we had an almost identical field in Linux, and it identified users.
03:23
But what's handy is that if you know a little bit about Windows, you know what this means.
03:28
500 is the administrator account, which they cleverly named Administrator.
03:32
501 is the guest account.
03:36
Guest, account three.
03:38
Which explains why there's no password: it's a guest account,
03:40
and then we see everyone else is, to some degree or another, just a user. Not super helpful. But if you crack passwords, if you want to crack passwords, you now know
03:51
what your target password should be. Going after this hash
03:54
or the other, you know, any admin account hashes are the ones you're gonna want to target first.
04:01
You never know. You may be able to actually crack it. Admins are sort of notorious for using terrible, terrible passwords.
04:09
It's sort of a weakness. Part of that comes from sort of the sense of "I'm a sysadmin. I don't do insecure practices. No one's ever going to hack me," which is what every user thinks. But
04:20
admins don't have anyone there to tell them they're stupid for it, so they usually go ahead and do it.
04:26
There's one other thing that I want to show you, and I opened another window, sort of, ah, pre-cooked, so to speak.
04:31
It's kind of tricky to find. We see
04:33
some stuff I did up here. But we see right here
04:38
is what I wanted to show you.
04:40
The directory of C:\Users\<username>\AppData\Roaming\Microsoft\Credentials.
04:46
You see that this is
04:48
an NTLM hash like we saw before, and it's, ah,
04:53
it's a user name, or a user password. Well, it's a file that contains the user password.
04:58
Theoretically, obviously, it's encrypted, and the file name itself is encrypted.
05:02
But if you wanted to exploit this, this would be a good place to start your cracker and see if you could get anything out of it.
05:10
You never know. There are other places you can look, as you see here.
05:15
There's, ah, SAM.
05:16
So we'll go ahead and copy this over. Then in the admin window I have open, I can click Paste.
05:21
Here we go.
05:24
No, that's not what I wanted at all.
05:26
That's what... Nifty!
05:28
All right, we'll do this the hard way, then.
05:32
See, there I've got Stack Overflow open. Great website, by the way, in case you've never used it. It's got a lot of
05:38
things, a lot of questions you can answer. You can get an answer there.
05:42
There is
05:43
always, there's, I should say, never any shame in admitting you don't know something because, frankly,
05:49
someone else has also not known it in the past.
05:54
System32\config\
05:57
SAM.
06:00
Oh,
06:02
see, the System32.
06:04
I see lots of stuff in here. config, eh?
06:09
Okay, so we do see there some interesting things here. There's SAM, there's SAM.LOG, there's SECURITY, the security log, and so on through SYSTEM. These are related to actual registry keys. They contain
06:21
that information. So if you wanted to see something really
06:27
nifty,
06:29
there you go. So it can't actually access the SAM, because it's in use, obviously, by your registry.
06:34
But, um, if you've got something, or you've got some means of gaining access to that and turning the registry off, it's useful. It's also useful to just know where the SAM is. The SAM is one of the files that contains,
06:46
um,
06:46
all sorts of information. It's got the password hashes stored in it, things like that. This is useful because this shows us where all the log files are.
06:57
So if we get access, we can go in here and we can actually eliminate these logs. If we wanted to do a denial of service, we could actually
07:04
get system control and just erase one of these files, and you're pretty much done.
07:11
But as you can see, in our current state we're not able to access SAM. And that's kind of a big deal.
07:16
Um,
07:18
in terms of, you can't just go straight into the SAM and get the password. You can try reg queries. Uh, you can see I
07:26
brought it up here.
07:28
There's also a regedit program if you've got to do it, and you could cheat.
07:31
But in general, finding passwords just by hunting through the registry is, if they've got any sort of security up, they're gonna know you went after that area, and it's just a bad way to go.
07:42
Um, which does bring you back to an important note.
07:46
This,
07:47
you just,
07:50
this, ah, pwdump7 here
07:55
is not at all new. It's not something that is secretive. It's something everyone knows about. I actually had to turn off the antivirus on this machine before I downloaded it because, as I mentioned, it
08:07
kicks up warnings.
08:07
Um, but there are things you can do to avoid those. If you have programming experience, you can actually use the code from here, use similar code, and actually modify it, change its hashes. You can wrap it in another executable that will
08:22
pull it in there, all sorts of high-level things you can do.
08:26
But this, like most of the tools you're going to use, will be busted by an antivirus if you just download it by itself.
08:33
So, uh, I recommend not doing that.
08:37
There's no... see, cls. Uh, so passwords, obviously, in Windows are stored in a much more secure manner. They're a little bit harder to reach, and they're much harder to get back.
08:48
If you've got money to devote to the project, there are plenty of great for-pay password crackers out there. If you're just looking to,
08:56
no,
08:58
try things out, test them, they've got some NTLM crackers on Google. Most of them are proprietary, or most of them are in some way licensed, so I won't say any names here. No, no advertising bucks for me,
09:09
but yeah, it's always worth the lookup, and it's always worth examining. And as every time when I touch the registry or come near the registry, I do recommend you open
09:20
this right here, regedit,
09:24
on your own machine and kind of play with the registry. Look around, see what's in there. It's something worth familiarizing yourself with, and you never know what you might find: hashed passwords, what have you.
09:33
Until next time, your host, me, Joseph Perry, and I hope you've enjoyed this video on Windows passwords.
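The lesson reads the dump output by eye to pick out the well-known RIDs (500 for Administrator, 501 for Guest) and the account that has no password set. The Python below is an added example, not part of the lesson and not pwdump7's own code, that performs the same audit programmatically and goes one step further by flagging accounts whose NT hashes are identical (same password reused). It assumes the `user:RID:LM-hash:NT-hash:::` line layout that pwdump-family tools print and treats a field beginning with `NO PASSWORD` as the tool's placeholder for an empty hash; the sample dump, its hash values and the function names are constructed for this example. The two empty-password hash constants are the standard LM and NT hashes of the empty string.

```python
"""Audit a pwdump-style hash dump for weak-account findings.

Added example for this lesson; not pwdump7's code. Input layout assumed:
user:RID:LM-hash:NT-hash:::  (one account per line, as pwdump-family tools print).
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Well-known relative IDs that the lesson reads by eye.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}

# Constructed sample dump; the hash values are made up, not real credentials.
SAMPLE_DUMP = """\
Administrator:500:NO PASSWORD*********************:0123456789abcdef0123456789abcdef:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


@dataclass
class Entry:
    user: str
    rid: int
    lm: str  # "" when no LM hash is stored
    nt: str  # "" when the password is empty


def _normalize(field: str, empty_value: str) -> str:
    """Map the tool's 'NO PASSWORD' placeholder and the empty-password hash to ""."""
    value = field.strip().lower()
    if value.startswith("no password") or value == empty_value:
        return ""
    return value


def parse_dump(text: str) -> list[Entry]:
    """Parse user:RID:LM:NT::: lines; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError(f"malformed dump line: {raw!r}")
        entries.append(Entry(parts[0], int(parts[1]),
                             _normalize(parts[2], EMPTY_LM),
                             _normalize(parts[3], EMPTY_NT)))
    return entries


def audit(entries: list[Entry]) -> dict[str, list[str]]:
    """Return {user: [finding, ...]} for accounts that deserve a defender's attention."""
    findings: dict[str, list[str]] = defaultdict(list)
    users_by_nt: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        if e.nt == "":
            findings[e.user].append("empty password")
        if e.lm != "":
            findings[e.user].append("LM hash stored (weak legacy hash)")
        if e.rid in WELL_KNOWN_RIDS:
            findings[e.user].append(f"well-known RID {e.rid} ({WELL_KNOWN_RIDS[e.rid]})")
        if e.nt != "":
            users_by_nt[e.nt].append(e.user)
    # NT hashes are unsalted, so identical hashes mean identical passwords: flag reuse.
    for users in users_by_nt.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(sorted(set(users) - {u}))
                findings[u].append(f"password shared with: {others}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{user:14s} " + "; ".join(notes))
```

Run on the constructed sample, the audit reports Guest and svc_backup as having an empty password, Administrator and Guest by their well-known RIDs, bob for still having a legacy LM hash stored, and Administrator and alice for sharing one password. Each of these is a finding a Windows administrator can act on directly (disable or set a password on the account, enforce the NoLMHash policy, rotate the reused credential).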

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor