Screenshots and Default Passwords with EyeWitness

EyeWitness

“EyeWitness is designed to take screenshots of websites, RDP services, and open VNC servers, provide some server header info, and identify default credentials if possible.”

https://tools.kali.org/information-gathering/eyewitness

Assumptions:

You’re using Kali Linux

Downloads:

https://github.com/FortyNorthSecurity/EyeWitness

Setup

root@kali:/opt# git clone https://github.com/FortyNorthSecurity/EyeWitness.git
root@kali:/opt# cd EyeWitness/setup
root@kali:/opt/EyeWitness/setup# ./setup.sh

Using a file with hosts (-f)

root@kali:/PATH/TO/HOSTSFILE# python /opt/EyeWitness/EyeWitness.py -f hosts.txt --web

Using an nmap XML file (-x)

root@kali:/PATH/TO/NMAP/SCANS# python /opt/EyeWitness/EyeWitness.py -x nmapscan.xml --web

If you want to add more http or https ports, you can use the following:

--add-http-ports 9000,9001 --add-https-ports 9002,9003

Extra!

You can perform an active scan which will search for common locations of login forms and attempt to use common credentials against those web applications.

--active-scan

Example Output

Performing a Quick Password Audit on NTDS.dit

Assumptions

You’re using the latest Kali OS.
You can contact the Domain Controller.
You have an admin account on the Domain Controller.

What is the NTDS.dit?

“The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.”

Getting a copy of the NTDS.dit

There are many different tools for getting the Ntds.dit file and extracting hashes from it, but this post covers only one of them. Other options include VSSAdmin, NinjaCopy, etc.

Impacket

In this blog, I’ll be using Impacket’s secretsdump.py.

If you’re not using Kali, you can install Impacket on Linux with pip:

pip install pyasn1
pip install impacket

Then to dump the password hashes, you can use the following syntax:

secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAINCONTROLLER> >> ntds.txt

It’ll ask you for the password for that user. This will save the output to ntds.txt.
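As an added example (not part of the original post), here is a small Python script that reads the ntds.txt produced above and flags the findings a quick password audit usually reports first: accounts with an empty NT hash, accounts that still have an LM hash stored, and groups of accounts sharing the same NT hash (password reuse). The secretsdump output format is `domain\user:rid:lmhash:nthash:::`; the sample lines and hash values below are constructed for illustration.

```python
import re
from collections import defaultdict

# Hash values that mean "no password": standard NTLM constants, not secrets.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One secretsdump -just-dc-ntlm record: domain\user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

# Constructed sample of ntds.txt (banner lines plus five fake records).
SAMPLE = """\
Impacket vX.Y - constructed sample banner
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
corp.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.local\\alice:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.local\\bob:1105:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
corp.local\\WS01$:1106:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return (user, rid, lmhash, nthash) tuples; banner and status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit(entries):
    """Flag empty passwords, stored LM hashes and NT hashes shared by several users."""
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_password": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in entries:
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)
        if not user.endswith("$"):  # computer accounts have random passwords; ignore
            by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_password"][nt] = sorted(users)
    return findings


if __name__ == "__main__":
    print(audit(parse_secretsdump(SAMPLE)))
```

Run it against the real ntds.txt by replacing SAMPLE with the file contents; the shared-password report is usually the first thing to fix, since one cracked hash then unlocks every account in the group.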

John The Ripper

You can crack the hashes using wordlists:

john --wordlist=/PATH/TO/WORDLIST /PATH/TO/HASHFILE --pot=FILENAME.pot

You may have to specify the hash format explicitly with the --format option.

Wordlists

Here are some good places to get wordlists:

https://hashes.org (LinkedIn Breach, HIBP, etc).

https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm

https://github.com/danielmiessler/SecLists/tree/master/Passwords