Hashcat for Forensics – How Did They Get In?

December 14, 2020

When conducting forensic investigations of compromised hosts, have you ever wanted to determine what passwords were associated with compromised accounts on those hosts? Were those passwords weak, commonly used, or used elsewhere in the environment? Did a lazy admin set a password of “password” for a privileged account? In this episode, we’ll look at a fictitious (but often seen) scenario in which RDP was exposed to the Internet. Did the attackers really guess the correct password?

*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***

📖 Chapters

00:00 – Intro
02:16 – Using KAPE to Acquire Registry
05:38 – Using Impacket to Decrypt the Hashes
10:33 – Cracking Hashes with Hashcat
14:05 – Recap

🛠 Resources

Introduction to Hashcat:

Introduction to Hashcat – Part II:

KAPE:
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape

Impacket:
https://github.com/SecureAuthCorp/impacket

Hashcat:
https://hashcat.net/hashcat

RockYou and Other Wordlists:
https://wiki.skullsecurity.org/Passwords

Retrieving NTLM Hashes and What Changed in Windows 10:

Introduction to Hashing and How to Retrieve Windows 10 Password Hashes:
https://medium.com/@anunayb007/introduction-to-hashing-and-how-to-retrieve-windows-10-password-hashes-9c8637decaef

NullSec:
https://www.nullsec.us

🔒 Hashes

If you’d like to follow along, these are all of the NT Hashes for the accounts seen in this episode:

#Hashcat #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
