SMBExec 2.0 and Cracking Domain Cached Credentials on oclHashcat
2/10/2015 Article
Recently, on one of my experimentation days, I decided to play with the “Cached Hashes” that are provided when using SMBExec 2.0. SMBExec is a good tool, so if you haven’t already used it it is highly recommended. For those of you who do though you may have seen output a little like this:
[+] 192.168.111.24 – Found 3 Local, 5 Cached, 0 in Memory
[+] 192.168.111.25 – Found 4 Local, 2 Cached, 1 in Memory
[+] 192.168.111.28 – Found 4 Local, 6 Cached, 0 in Memory
“Local” means the local SAM database.
“Memory” means the plain text passwords extracted from the lsass process.
“Cached” means Domain Cached Credentials. These cached hashes are the ones I am interested in for this post and are a special type of hash. Unlike NetNTLM etc or plain NTLM hashes. The cached hashes file saved from SMBExec looks a little like this:
victim.user:3f793bb271a43c95a8***1a22f811241:targetdomain.localp:targetdomain
Just to add to any confusion – “Cached” in SMBExec 2.0 is the same thing as Domain Cached Credentials which is the same thing as MSCash hashes.
It would be easy to look at the hash and decide that it is just an MD5 or NTLM. In fact, if you were to tell oclHashcat that that is what it is, it would keep trying but would almost certainly never find the plain text. That is because MSCash passwords are in a different format and have had more work performed on them than a single pass algorithm such as MD5. MSCash hashes come in two varieties – Windows Vista and above have MSCashv2, whereas earlier had MSCashv1.
To convert the above SMBExec hash to MSCashv1 you will probably want a command like the following:
cat cached_hashes_unique.txt | awk -F “:” {‘print $2″:”$1’} > mscashv1.txt
This will produce an output file that looks a little like this:
3f793bb271a43c95a8***1a22f811241:victim.user
To convert the above SMBExec hash to MSCashv2 you will probably want a command like the following:
cat cached_hashes_unique.txt | awk -F “:” {‘print “$DCC2$10240#”$1″#”$2’} > mscashv2.txt
This will produce an output file that looks a little like this:
$DCC2$10240#victim.user#3f793bb271a43c95a8***1a22f811241
In MSCashv1 the username is the salt for the final hash.
This slows down crypt-analysis a little but is not too bad. In oclHashcat you want hashtype 1100 to crack these.
In MSCashv2 the beginning part of the string (“DCC2”) is to denote it as MSCashv2. The second part (“10240”) is to indicate the number of cryptographic rounds it is configured for – strictly speaking, this can be configured to any number, however, the default is 10240. The username is still used as a salt in MSCashv2. In oclHashcat you want hashtype 2100 to crack these.
YGHT can help you secure your technologies
Learn how by contacting us