Pilfering Local Data: Things an Attacker Would Want to Grab with Short Term Local Access

Here is my talk from the 2011 Nashville Infosec. This is more or less the description I sent them: "This talk will cover core items an attacker would want to locate and copy off of a Windows system, as well as what tools they would use to bypass weak security precautions like file system permissions and OS/BIOS passwords. Core data in this case would be things like stored passwords and wireless keys, but could also include network paths and the like. It will underscore the importance of physical security and hard drive encryption."

Slides PPTX
Slides PDF

Download Video

Text of Slides:

Pilfering Local Data:
Things an Attacker Would want to Grab with Short Term Local Access
Adrian Crenshaw
About Adrian
* I run Irongeek.com
* I have an interest in InfoSec education
* I don’t know everything - I’m just a geek with time on my hands
* (ir)Regular on:
What I plan to cover
* Core items an attacker would want to locate and copy off of a Windows system with short term access
* Data that could be found: Passwords, Usernames, Docs, Emails, Paths
* Tools they would use to bypass weak security precautions like file system permissions and OS/BIOS passwords
Why this talk is sort of a sham
* If you have short term access, your goal as an attacker should be to extend that access
* There are just so many options for useful files to grab, so it’s hard to decide the most important
* Still useful from the context of stolen and decommissioned equipment, but then time is not as critical
How are we getting at the data?
Distros/Boot environments
Just a few:
* BackTrack Linux
* Bart’s PE/UBCD4Win
* Winbuilder/Win7PE SE
http://winbuilder.net/ & http://reboot.pro/12427/ 
* Konboot
BackTrack Linux
* Tons of security tools
* Awesome hardware support for odd wireless needs
* Well maintained
* Can do a hard drive install if you wish
Bart’s PE/UBCD4Win
* Bart’s PE can be built from the files on a Windows XP CD
* UBCD4Win is Bart’s Pe with a bunch of extras + Multi-boot (DBAN)
* Plugins can be made to add functionality
Winbuilder/Win7PE SE
* Make a Windows based boot USB/CD/DVD
* Starting OS needed depends on build
* Plugins can be made to add functionality
* Build even up to Win7 SP1 32/64bit
* Hardcore roll your own
Konboot
* Bypass password on some versions of Windows and Linux
* Changes kernel on boot
* Login to Linux with “kon-usr” as username.
* Use a blank password in Windows
* Meant to run from a CD/Floppy, sometimes works from a UFD using instructions found here: http://www.irongeek.com/i.php?page=security/kon-boot-from-usb 
Remote exploits as well
* Metasploit/Armitage http://www.fastandeasyhacking.com/ 
Some Useful Tools
NirSoft Tools
* http://launcher.nirsoft.net/ 
* http://www.oxid.it/cain.html 
and hashes
Windows System Trifecta
* C:\Windows\System32\config
* Grab These Files!!!
* NTUSER.DAT may also be useful as it maps to HKEY_CURRENT_USER
* Hell, get SOFTWARE too while you are at it!
Why these files?
* Cain
* *Cached passwords: SYSTEM and SECURITY
* *SAM hashes: SAM and SYSTEM
* WirelessKeyView will do via Windows dir on Windows XP
Why exploit local passwords?
There are several reasons why an attacker may want to find local passwords:
* To escalate privileges on the local host (install games, sniffers, key stroke catchers and other software or just to bypass restrictions).
* Local passwords can be used to gain access to other systems on the network. Admins may reuse the same usernames and passwords on other network hosts (more than likely if they use hard drive imaging). Similar themes are also often used for password selection.
* Just for the fun of doing it.
* Imaged Systems
Hash Examples
Type           Hash
plaintext      badpass
MD2            9C5B091C305744F046E551DB45E7C036
MD4            640061BD33AA12D92FC40EA87EA408DE
MD5            F1BFC72887902986B95F3DFDF1B81A5B
SHA-1          AF73C586F66FDC99ABF1EADB2B71C5E46C80C24A
SHA-2 (256)    4F630A1C0C7DD182D2737456E14C89C723C5FCE25CAE39DA4B93F00E90A365CB
SHA-2 (384)    8E3B1BB56624C227996941E304B061FD864868AA3DB92A1C82AE00E336BE90809E60BB2A29FC1692189DE458B6300016
SHA-2 (512)    6109E5BDF21C7CC650DC211CF3A3706FAB8D50B132762F6D597BE1BD499E357FAF435FAB220FA40A1067707D0E0C28F39C1EC41F435C4D820E8AB225E37489E3
RIPEMD-160     595FD77AA71F1CE8D7A571CB6ABDA2A502BA00D4
LM             4CF3B1913C3FF376
NT             986CA892BEAB33D1FC2E60C22EC133B7
MySQL323       0AFDA7C85EE805C2
MySQLSHA1      229749C080B28D3AEFAB78279C4668E6E12F20FA
Cisco PIX      RtJk8qcKDPR.2D/E
VNC Hash       DAD3B1EB680AD902
Great Resources
* Password Storage Locations For Popular Windows Applications http://www.nirsoft.net/articles/saved_password_location.html
Also, using tools to reverse engineer what his apps were doing helped a bunch
* Bunch of my stuff on hacking SAM/SYSTEM hashes
* Question Defense
* Ron’s Password Lists
Assumptions and Workarounds
* In most cases, these tools/attacks will require physical access to a box
* In some cases you will…
* …need to be logged into the target account on the box.
* …just need access to the file system.
* …need to be logged in as the target account without having changed its password using a boot CD.
Windows Profile Info
* I used C:\ in this presentation as the root drive, but it could be something else
* Some differences in subdirectories when it comes to profiles
* Win 7/Vista
* Windows XP
C:\Documents and Settings\
* Let’s use <profile> as shorthand
* Enable the viewing of system and hidden files and folders
* Windows 7/Vista
* Windows XP (sort of)
<profile>\Application Data, maps to Roaming
<profile>\Local Settings\Application Data, maps to Local
* Go read
More Details
* <profile>\AppData\Roaming
Synchronized with the server if roaming profiles are used.
* <profile>\AppData\Local
Specific to that computer, even with roaming profiles enabled. Also meant for larger files.
* <profile>\AppData\LocalLow
Same use as Local, but with a lower integrity level, and can be written to in protected mode.
Windows local accounts: LM
LAN Manager (used in older Windows operating systems)
* *Convert the password to upper case.
* *Pad the plaintext with null characters to make it 14 bytes long.
* *Split it into two 7-character (byte) chunks.
* *Use each 7-byte chunk separately as a DES key to encrypt the magic value ("KGS!@#$%", or in hex 0x4b47532140232425).
* *Concatenate the two cipher texts from step four to produce the hash.
* *Store the hash in the SAM file.
Windows local accounts: NTLM
NT Manager
* Take the Unicode mixed-case password and use the Message Digest 4 (MD4) algorithm to obtain the hash.
* Store the hash in the SAM file.
Open Source/Free tools for cracking the SAM
* FGDump (Pwdump)
* Cain
* Backtrack 5R1 DVD (SAMDump2 and other tools)
A few notes on using SAMDump from Backtrack
Cached Domain Credentials
* Cracking Cached Domain/ADS Passwords
By default, Windows systems in a domain or Active Directory tree cache the credentials of the last ten previously logged-in users. This is done so that the users can still log in again if the Domain Controller or ADS tree cannot be reached, either because of controller failure or network problems. These cached passwords are stored as encrypted (using NL$KM LSA) hashes in the local system's registry at the values:
* I’ve read the algorithm for MSCacheV1 is:
according to the folks at http://www.insidepro.com 
* MSCacheV2 adds even more issues
Win 7 + Cain does not seem to work
* Cain
* Hashcat http://hashcat.net
Cracking Creds Countered
* Credential Cache Cracking Countermeasures
* Choose stronger domain passwords. Use more than just alpha-numeric characters and perhaps throw in some extended ASCII characters by way of the Alt+num-pad method.
* For those who are still paranoid and have a VERY reliable connection to their domain controller, they can follow these steps to disable the caching of passwords and credentials: Set the registry value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
to 0 then reboot. This can also be done with the Local Security Policy or with a GPO.
* Use same “Fascist Methods” as before for restricting physical access to the computer.
Unknown Apps:
System Process Monitoring Apps and Demo
* ProcessActivityView
* RegFromApp
* Procmon
Unknown Apps:
Don’t know how it’s hashed?
* Compare the hash to known examples of other hashes
* Get a copy of the app, use the password “password” and search for the resulting hash on Google
* Get the source code
* How good are you at reverse engineering with a debugger?
Browser Passwords: Firefox
Stored in an SQLite database, but decrypting it also needs some key files from the profile:
<profile>\AppData\Roaming\Mozilla\Firefox\Profiles\<Firefox Profile>\secmod.db
<profile>\AppData\Roaming\Mozilla\Firefox\Profiles\<Firefox Profile>\cert8.db
<profile>\AppData\Roaming\Mozilla\Firefox\Profiles\<Firefox Profile>\key3.db
<profile>\AppData\Roaming\Mozilla\Firefox\Profiles\<Firefox Profile>\signons.sqlite
Browser Passwords: Internet Explorer
* IE 4-6: Stored in a registry area called Protected Storage:
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
* IE 7+: All auto complete passwords in reg at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Have to know the URL to decrypt, but can guess common URLs.
* HTTP passwords for IE 7 in “Credential” directory under profile
<Windows Profile>\AppData\Roaming\Microsoft\Credentials
Great Apps
* PasswordFox
* IE Passview
* ChromePass
VNC
* Depends on version
I know old ones could be found here:
* The password is DES encrypted, but since the fixed key (23 82 107 6 35 78 88 7) is known, it was trivial to decrypt.
* UltraVNC
Same basic algorithm, two bytes added on the end (not sure why) and stored in:
C:\Program Files\UltraVNC\ultravnc.ini
* Try Cain or Nir’s VNCPassView to decode
Remote Desktop Protocol (RDP)
* Apparently used to be saved in the .RDP file
* Now seems to be in the same place as Network Credentials
* Try RDPV from Nir, or Cain
Instant Messaging Varies
* So many, it would suck to list them, so let’s ask Nir:
* I use PidginPortable from my Desktop, so for it:
<Windows Profile>\Desktop\PidginPortable\Data\settings\.purple
* Doing it by hand sucks
* MessenPass http://www.nirsoft.net/utils/mspass.html 
MSN Messenger, Windows Messenger (in Windows XP), Windows Live Messenger, Yahoo Messenger (versions 5.x and 6.x), Google Talk, ICQ Lite 4.x/5.x/2003, AOL Instant Messenger v4.6 or below, AIM 6.x and AIM Pro, Trillian, Miranda, GAIM/Pidgin, MySpace IM, PaltalkScene, Digsby
Network Shares
* Windows XP/2003: <Profile>\Application Data\Microsoft\Credentials\<User SID>\Credentials and <Profile>\Local Settings\Application Data\Microsoft\Credentials\<User SID>\Credentials
* Windows Vista: <Profile>\AppData\Roaming\Microsoft\Credentials\<Random ID> and <Profile>\AppData\Local\Microsoft\Credentials\<Random ID>
Wireless Keys
Forget cracking it, just look it up!
* Based on interface number
* Vista/Windows 7 store in:
* XP in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\<Interface Guid>
* They appear to be encrypted, but apparently the key is available to programs with the right privileges
Other Data
Outlook Cache
(if in Cached Exchange Mode)
* Find any .OST file in
* Open with Kernel OST Viewer
Outlook 2010 Attachments Temp
* Outlook Attachments Temp
<Profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook
* If the item was open when Outlook was closed, it may be here
* May have to forcefully browse to this by typing in the path
Skype
* Database file in:
<Profile>\AppData\Roaming\Skype\<Skype ID>
Look in the logs
* Windows XP
C:\Windows\System32\config in *.evt files
* Vista and newer C:\Windows\System32\winevt\Logs in *.evtx files
* Did the user type the name in the wrong place?
Printer Spool
* Sometimes a print job will get stuck here, and we all know what useful information people sometimes print.
* Location:
* Try some of the tools listed at the bottom of this page: http://www.undocprint.org/formats/winspool/spl
* O&K Printer Viewer and LBV SPLViewer recommended
So many others…
* Internet Explorer History
* IE Cookies
* Firefox Cached Pages
<profile>\AppData\Local\Mozilla\Firefox\Profiles\<some profile number>.default\Cache
* Firefox Form History File
<profile>\AppData\Roaming\Mozilla\Firefox\Profiles\<some profile number>.default\formhistory.sqlite
* Firefox Cookies
<profile>\AppData\Roaming\Mozilla\Firefox\Profiles\<some profile number>.default\cookies.sqlite
A word on automation
* Look at using an autorun payload off of a U3
* Video on Russell Butturini’s payload:
* See this wiki:
Other Resources: Videos
* Making Windows 7 SP1 32/64bit Boot CD/DVD/USBs with Winbuilder Video
* Password Exploitation Class Video
* Portable Boot Devices (USB/CD/DVD): Or in Canadian, what is this all aboot?
Other Resources
* Forensically interesting spots in the Windows 7, Vista and XP file system and registry
* Building a boot USB, DVD or CD based on Windows 7 with WinBuilder and Win7PE SE Tutorial
* Mubix's Windows Post Exploitation List
* Mubix's Linux Post Exploitation
* Louisville Infosec
* DerbyCon 2011, Louisville Ky
* So many others

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast