Managing Login Credentials with Yaptest

During larger pentests, it’s quite possible you’ll acquire logon credentials for tens, hundreds or even thousands of systems.  After a while it becomes hard to track which systems you know usernames for, which ones you’ve got passwords for, etc.  Yaptest can help you keep track of all your logon credentials.  Here are some of its features:

  • Ability to parse credentials from passwd, shadow and pwdump-style files
  • Ability to parse group membership information from /etc/group and enum4linux output
  • Enter arbitrary logon information into the database from the command line
  • Command-line querying of the credentials database
  • Uses John the Ripper to crack hashes that haven’t been cracked yet
  • Can use Rainbow Tables (via rcrack) to crack LANMAN and NTLM hashes

Examples of the type of query you can make include:

  • Show me all the usernames we’ve found for host 10.0.0.1
  • Show me all the systems which have the username “bob”
  • Show me all the members of the adminstrators group on 10.0.0.1
  • Show me all the passwords we know for the user “bob”
  • Show me all the LANMAN hashes we’ve collected

Query results are all tab-delimitted so are easily cuttable and greppable.

Parsing password files

Yaptest currently knows how to parse usernames and the following types of password hashes from passwd and shadow files:

  • DES-based hashes
  • MD5-based hashes
  • Blowfish-based hashes

It will also parse the output of tools like pwdump2 and fgdump and store the LANMAN and NT hashes in the database.

Yaptest should be able to automatically determine the type of hash in the file, so you just need to tell it which host the passwords were found on and the name of the file, e.g:

$ yaptest-credentials.pl add -i 10.10.0.1 -f passwd-file
$ yaptest-credentials.pl add -i 10.10.0.1 -f shadow-dot-1
$ yaptest-credentials.pl add -i 10.10.0.2 -f pwdump2-output.txt

Entering Arbitrary Login Credentials

If you find a new username for a host but don’t yet know the password (e.g. via finger or SMTP user enumeration), you can enter just the username in the database.  Note that you’ll need to specify what type of username you’ve found as many different types are supported:

$ yaptest-credentials.pl add -i 10.10.0.1 --credtype os_unix --username bob

Later you might find the password.  The following will modify the original entry:

$ yaptest-credentials.pl add -i 10.10.0.1 --credtype os_unix --username bob --password magic

In the section above, credentials were associated with only a host.  Yaptest is also able to assiciate credentials with individual ports where appropriate.  Here’s an example of how you could add an SNMP community string:

$ yaptest-credentials.pl add -i 10.10.0.243 --port 161 --trans udp --credtype snmp_community --password private123

Parsing Group Membership Information

For Unix-based systems user and group information resides in the file /etc/passwd and /etc/group files respectively.  First make sure that the usernames are imported:

$ yaptest-credentials.pl add --ip 127.0.0.1 -f etc-passwd-127.0.0.1

Then import group membership information as follows:

$ yaptest-groups.pl add --group_ip 10.0.0.1 -f etc-groups-10.0.0.1

For Windows-based systems user and group information is imported from the output of enum4linux.pl .  First make sure that the usernames and hostnames are imported:

$ yaptest-parse-nbtscan.pl nbtscan*
$ yaptest-parse-enum4linux.pl enum4linux-10.0.0.1.out

Then import group membership information as follows:

$ yaptest-groups.pl add --group_ip 10.0.0.1 -f enum4linux-10.0.0.1.out

Note that if you run yaptest-db-ips.sh, all your username and hostname informaiton is imported automatically.  You only need to import the group information manually.

To query who is in the Administrators group on 10.0.0.1:

$ yaptest-groups.pl query --group_ip 10.0.0.1 --group_name Administrators
10.0.0.1  Administrators  null    10.0.0.1  Administrator
Total records: 1

The IP address appears twice.  This look sa bit strange, but is needed to represent Windows domains.  The IP on the left is the IP that the group resides on (could be domain admins group on the domain controller).   The IP address on the right is the IP the member resides on (e.g. Administrators group on a domain member).

To query which groups / hosts have a user called ‘bob’:

$ yaptest-groups.pl query --member_name bob

Launching John the Ripper

When you’ve collected a large number of hashes from a large number of hosts, it can be tricky to keep track of which hashed have been cracked and which which ones belong to which host.  Yaptest can act as a wrapper around john the ripper to help you keep track..

Launch john the ripper on any outstanding LANMAN hashes by running:

$ yaptest-credentials.pl crack lanman

When you’re fed up of waiting, kill john from another windows (don’t CTRL-C yaptest-credentials.pl):

$ killall john

yaptest-credendials.pl will then parse the john.pot file and update the crednetials database with all the newly found passwords.  If both LANMAN hashes have been cracked for any passwords, yaptest will also recover the case of the password using the NT hash.  List all the newly cracked passwords by running:

$ yaptest-credentials.pl query

Next time your run john the ripper, only the uncracked hashes will be used:

$ yaptest-credentials.pl crack lanman

I’ve also used yaptest-credentials.pl to crack des and NTLM hashes.  Other types of hashes may or may not work as of v0.0.5.

If you want to run a copy of John that’s not in your path or run the MPI version under mpiexec specify a different command line for john like this:

$ yaptest-config.pl query yaptest_john_command
$ yaptest-config.pl set yaptest_john_command 'mpiexec -n 4 /path/to/john'

You might also need to change the location of John’s pot file like this:

$ yaptest-config.pl query yaptest_john_pot
$ yaptest-config.pl set yaptest_john_pot /path/to/john.pot

Password Cracking with Rainbow Tables

As of v0.0.6 yaptest-credentials.pl can make use of rainbow tables to crack LANMAN and NTLM passwords.  It calls out to rcrack to acheive this.

You will of course need to be in possession of appropriate rainbow tables.  www.freerainbowtables.com is a good place to start.  Alternatively you could generate your own, but that’ll take a while.

The following command tells yaptest to run rcrack on uncracked lanman hashes using the tables in /myrainbowtables/lm/alpha-numeric-14symbols/.

$ yaptest-credentials.pl rcrack /myrainbowtables/lm/alpha-numeric-14symbols/ lanman

A note on performance: rcrack can be quite slow if used on a large number of hashes.  I wouldn’t recommend running it on more than 50 hashes.  If you have more than 50 uncracked hashes, let John the Ripper run a bit longer.

Getting Password Cracking Stats

The following command will display the number of password hashes in the database alongside the number that have been cracked so far:

$ yaptest-credentials.pl stats
**************************************************************************
*                    Starting yaptest-credentials.pl                     *
*  [ Using yaptest v0.0.6 - http://pentestmonkey.net/projects/yaptest ]  *
**************************************************************************
Stats for cracking of password hashes:
Hash Type     Count    Cracked     Uncracked
lanman        655      636 (97.1%)    19 (2.9%)
nt            655      636 (97.1%)    19 (2.9%)

Integration with Username Guessing Tools

The following scripts run tools to gather Windows usernames on hosts with RestritctAnonmous = 0 or 1 (or the XP/2003 equivalent) or host with a guessable SNMP community string:

  • yaptest-enum4linux.pl
  • yaptest-snmpwalk.pl

These scripts parse the output and enter the username into the credentials database, so you can quickly find valid logon names later using yaptest-credentials.pl:

  • yaptest-parse-enum4linux.pl
  • yaptest-parse-snmpwalk.pl

Integration with Password Guessing Tools

The following scripts launch hydra and onesixtyone against appropriate targets:

  • yaptest-password-guess-ftp.pl
  • yaptest-password-guess-mssql.pl
  • yaptest-password-guess-rlogin.pl
  • yaptest-password-guess-smb.pl
  • yaptest-password-guess-ssh.pl
  • yaptest-onesixtyone.pl

The following scripts parse the output files generate by those above and enter any credetails gathered directly into the credentials database:

  • yaptest-parse-hydra.pl
  • yaptest-parse-onesixtyone.pl

Querying the Credential Database

Now you’ve entered all your hard-earned information into the credential database how do you query it?  The yaptest-credentials.pl script is your interface for queries too:

$ yaptest-credentials.pl

Usage:
      yaptest-credentials.pl add --ip ip -f passwd.txt
      yaptest-credentials.pl add --ip ip --credtype type [ options ]
      yaptest-credentials.pl query [ options ]
      yaptest-credentials.pl crack { lanman | des }
      yaptest-credentials.pl rcrack table-dir { lanman | ntlm }
      yaptest-credentials.pl stats

Adds or queries usernames, passwords and password hashes.

options for "add" and "query" commands are:
        --port      n         Port to which credential correspond
        --trans     prot      Transport protocol (tcp or udp)
        --uid       n         UID for account
        --username  user      Username
        --password  pass      Password
        --hash      hash      Password hash
        --file      file      passwd, shadow or pwdump file
        --credtype  credtype  Credential type (os_unix, os_windows, etc.)
        --hashtype  hashtype  Type of hash (lanman, blowfish, etc.)
        --test_area area      Test area (vlan1, vlan2, etc.)
If you want to run a copy of John that's not in your path or run the MPI
version under mpiexec specify a different command line for john like this:
$ yaptest-config.pl query yaptest_john_command
$ yaptest-config.pl set yaptest_john_command 'mpiexec -n 4 /path/to/john'

You might also need to change the location of John's pot file like this:
$ yaptest-config.pl query yaptest_john_pot
$ yaptest-config.pl set yaptest_john_pot /path/to/john.pot

Here are a few examples:

List all usernames, password and password hashes along with the IPs and ports they correspond to:

$ yaptest-credentials.pl query

List all the credentials for host 10.0.01:

$ yaptest-credentials.pl query -i 10.0.0.1

List all credentials for port 161 (TCP or UDP):

$ yaptest-credentials.pl query --port 161

UDP only:

$ yaptest-credentials.pl query --port 161 --trans UDP

All windows credentials:

$ yaptest-credentials.pl query --credtype os_windows

All details about users called “Administrator”:

$ yaptest-credentials.pl query --username Administrator

To query group memberships, use the “query” command to yaptest-groups.pl. The following will list the members of the Administrators group on 10.0.0.1:

$ yaptest-groups.pl query --group Administrators --ip 10.0.0.1

Future features

Ability to be able to CTRL-C john the ripper and still have its output parse into the database.

Make sure that john the ripper also works against MD5 and Blowfish style Unix passwords.

Support for other username enumeration tools such as smtp-user-enum, ftp-user-enum, finger-user-enum and exploitation of the Apache mod_user username enumeration vulnerability.

Support for scripts that grab pwdump, passwd, group and shadow files.

More intellegent password guessing based on usernames already enumerated.

Seed john the ripper with a wordlist of passwords already cracked.

 

 

 

 

 

 

 

 

 

 

Tags:

Posted in Using