https://ics.upjs.sk/~rkb/bpd1/kali-bpd2023.ova
The Security Account Manager (SAM) is a database file present on every Windows NT-family system (NT, 2000, XP, Vista, 7, 8, 10, 11 and the Server editions, not only Windows Server 2003) that stores the local user accounts together with their LM and NT password hashes. It lives in %SystemRoot%\System32\config\SAM, is held open by the kernel while Windows runs, and the hashes inside it are encrypted with a key derived from the SYSTEM hive (the boot key, historically "syskey"), which is why both hives have to be exported below.
https://en.wikipedia.org/wiki/Security_Account_Manager
https://docs.microsoft.com/en-us/windows-server/security/kerberos/passwords-technical-overview
https://techgenix.com/how-cracked-windows-password-part1/
https://github.com/gentilkiwi/mimikatz
Mimikatz is a post-exploitation tool, used by attackers and by red teams alike, that extracts credential material (plaintext passwords, NT hashes, Kerberos tickets) from a running Windows system, mostly from the memory of the LSASS process, and can replay it (pass-the-hash, pass-the-ticket) for privilege escalation and lateral movement. It needs administrative or SYSTEM rights on the host, so it is typically run after an initial foothold, not to obtain one.
reg save HKLM\SAM sam.reg
reg save HKLM\SYSTEM system.reg
Both commands must be run from an elevated (Administrator) command prompt. The SYSTEM hive is needed because it holds the boot key that encrypts the hashes in SAM. Despite the .reg extension the files are binary hive exports, not .reg text.
!samdump2
samdump2 3.0.0 by Objectif Securite
(http://www.objectif-securite.ch)
original author: ncuomo@studenti.unina.it

Usage:
samdump2 [OPTION]... SYSTEM_FILE SAM_FILE
Retrieves syskey and extract hashes from Windows 2k/NT/XP/Vista SAM

  -d       enable debugging
  -h       display this information
  -o file  write output to file
!samdump2 system.reg sam.reg
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
student:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
power:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Ansible:1008:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
The format is user:RID:LM-hash:NT-hash:::. Every entry shows the LM field aad3b435b51404eeaad3b435b51404ee (no LM hash stored, the default since Vista) and the NT field 31d6cfe0d16ae931b73c59d7e0c089c0, which is the NT hash of the empty password. Either every local account really has a blank password, or samdump2 3.0.0 failed to decrypt the hive: it only understands the RC4/DES SAM layout used up to early Windows 10, and on the AES-encrypted SAM introduced with Windows 10 version 1607 it prints the empty-password hash for every user instead of an error. Cross-check with impacket, which handles both layouts: impacket-secretsdump -sam sam.reg -system system.reg LOCAL
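To see why the dump above should raise suspicion, the following added example (my code, not part of the lab page or of samdump2) computes NT hashes exactly as Windows does, MD4 over the UTF-16LE password, and then parses pwdump-style lines to flag accounts whose NT field is the hash of the empty string. MD4 is implemented in pure Python because hashlib's MD4 is often disabled by OpenSSL's legacy-provider policy. SAMPLE_DUMP is a constructed copy of the seven lines samdump2 printed above.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


# MD4 (RFC 1320): three rounds of 16 steps; (function, constant, X index order, shifts)
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 so the example runs where hashlib.new('md4') is unavailable."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"                       # padding: 0x80, zeros, 64-bit bit length (LE)
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, konst, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                j = (-i) % 4                               # register updated in turn: a, d, c, b
                x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _rotl(v[j] + func(x, y, z) + X[k] + konst, shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the password encoded as UTF-16LE (no salt)."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = nt_hash("")                           # 31d6cfe0d16ae931b73c59d7e0c089c0

# Constructed copy of the samdump2 output shown on the page.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
student:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
power:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Ansible:1008:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text: str):
    """Parse 'user:rid:lm:nt:::' lines; samdump2 prefixes disabled accounts with '*disabled*'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(),
                     "nt": nt.lower(), "disabled": disabled})
    return rows


def all_empty_nt(rows) -> bool:
    """True when every account carries the NT hash of the empty password: either
    all passwords are blank, or the tool could not decrypt the SAM at all."""
    return all(r["nt"] == EMPTY_NT for r in rows)


if __name__ == "__main__":
    rows = parse_pwdump(SAMPLE_DUMP)
    for r in rows:
        flags = []
        if r["lm"] == EMPTY_LM:
            flags.append("no LM hash")
        if r["nt"] == EMPTY_NT:
            flags.append("NT hash of empty password")
        print(f"{r['user'] or '(no name)':>14} RID {r['rid']:<5} {', '.join(flags)}")
    print("all NT hashes empty:", all_empty_nt(rows))
```

If all_empty_nt() is true for an Administrator account that you know has a password, treat the dump as a decoding failure rather than a finding.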
https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4
/etc/passwd
/etc/shadow
!cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
tss:x:101:109:TPM software stack,,,:/var/lib/tpm:/bin/false
strongswan:x:102:65534::/var/lib/strongswan:/usr/sbin/nologin
tcpdump:x:103:110::/nonexistent:/usr/sbin/nologin
usbmux:x:104:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi:x:107:112:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
speech-dispatcher:x:108:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
pulse:x:109:114:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
lightdm:x:110:116:Light Display Manager:/var/lib/lightdm:/bin/false
saned:x:111:118::/var/lib/saned:/usr/sbin/nologin
polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin
rtkit:x:112:119:RealtimeKit,,,:/proc:/usr/sbin/nologin
colord:x:113:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
nm-openvpn:x:114:121:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
nm-openconnect:x:115:122:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/usr/sbin/nologin
mysql:x:116:124:MySQL Server,,,:/nonexistent:/bin/false
stunnel4:x:995:995:stunnel service system account:/var/run/stunnel4:/usr/sbin/nologin
_rpc:x:117:65534::/run/rpcbind:/usr/sbin/nologin
geoclue:x:118:126::/var/lib/geoclue:/usr/sbin/nologin
Debian-snmp:x:119:127::/var/lib/snmp:/bin/false
sslh:x:120:128::/nonexistent:/usr/sbin/nologin
ntpsec:x:121:131::/nonexistent:/usr/sbin/nologin
redsocks:x:122:132::/var/run/redsocks:/usr/sbin/nologin
rwhod:x:123:65534::/var/spool/rwho:/usr/sbin/nologin
_gophish:x:124:134::/var/lib/gophish:/usr/sbin/nologin
iodine:x:125:65534::/run/iodine:/usr/sbin/nologin
miredo:x:126:65534::/var/run/miredo:/usr/sbin/nologin
statd:x:127:65534::/var/lib/nfs:/usr/sbin/nologin
redis:x:128:135::/var/lib/redis:/usr/sbin/nologin
postgres:x:129:136:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mosquitto:x:130:138::/var/lib/mosquitto:/usr/sbin/nologin
inetsim:x:131:139::/var/lib/inetsim:/usr/sbin/nologin
_gvm:x:132:141::/var/lib/openvas:/usr/sbin/nologin
kali:x:1000:1000:,,,:/home/kali:/usr/bin/zsh
bpd01:x:1001:1001::/home/bpd01:/bin/sh
bpd02:x:1002:1002:,,,:/home/bpd02:/bin/bash
bpd03:x:1003:1003:,,,:/home/bpd03:/bin/bash
bpd04:x:1004:1004:,,,:/home/bpd04:/bin/bash
_galera:x:133:65534::/nonexistent:/usr/sbin/nologin
bpd:x:1005:1005:BPD,,,,UPJS:/home/bpd:/bin/bash
!cat /etc/shadow
cat: /etc/shadow: Permission denied
!sudo cat /etc/shadow
root:$y$j9T$Cy7cqtAtmP6sZOBQGUCzs/$AAR8uFpsTbKO1WUpd4tI.l8Wap1RQvlTZlGgIjcHTm8:19627:0:99999:7:::
daemon:*:19590:0:99999:7:::
bin:*:19590:0:99999:7:::
sys:*:19590:0:99999:7:::
sync:*:19590:0:99999:7:::
games:*:19590:0:99999:7:::
man:*:19590:0:99999:7:::
lp:*:19590:0:99999:7:::
mail:*:19590:0:99999:7:::
news:*:19590:0:99999:7:::
uucp:*:19590:0:99999:7:::
proxy:*:19590:0:99999:7:::
www-data:*:19590:0:99999:7:::
backup:*:19590:0:99999:7:::
list:*:19590:0:99999:7:::
irc:*:19590:0:99999:7:::
_apt:*:19590:0:99999:7:::
nobody:*:19590:0:99999:7:::
systemd-network:!*:19590::::::
systemd-timesync:!*:19590::::::
messagebus:!:19590::::::
tss:!:19590::::::
strongswan:!:19590::::::
tcpdump:!:19590::::::
usbmux:!:19590::::::
sshd:!:19590::::::
dnsmasq:!:19590::::::
avahi:!:19590::::::
speech-dispatcher:!:19590::::::
pulse:!:19590::::::
lightdm:!:19590::::::
saned:!:19590::::::
polkitd:!*:19590::::::
rtkit:!:19590::::::
colord:!:19590::::::
nm-openvpn:!:19590::::::
nm-openconnect:!:19590::::::
mysql:!:19590::::::
stunnel4:!*:19590::::::
_rpc:!:19590::::::
geoclue:!:19590::::::
Debian-snmp:!:19590::::::
sslh:!:19590::::::
ntpsec:!:19590::::::
redsocks:!:19590::::::
rwhod:!:19590::::::
_gophish:!:19590::::::
iodine:!:19590::::::
miredo:!:19590::::::
statd:!:19590::::::
redis:!:19590::::::
postgres:!:19590::::::
mosquitto:!:19590::::::
inetsim:!:19590::::::
_gvm:!:19590::::::
kali:$y$j9T$thVUCcCzQozwQh.2JyVRs.$T0FS1BRAcGSTCGldig/Ji2CbWc3bLVV8Ym1wEPDcIw1:19590:0:99999:7:::
bpd01:tZYKmfsWoO6pM:19627:0:99999:7:::
bpd02:WlS9uXIapp.0Y:19627:0:99999:7:::
bpd03:$1$Oiu7TFtk$ZTNbn5xTZHjlsZ7h4qmvB.:19627:0:99999:7:::
bpd04:$1$qr12nWtW$YnX2Nq8a54oRPdlwvmq2s.:19627:0:99999:7:::
_galera:!:19627::::::
bpd:$y$j9T$nEk.sb0dQCStri1kucPOv.$wnO6RDvyaW8ogbkXs7346C6fVsc0mr3RMIsEigNeKL9:19627:0:99999:7:::
The fields are name:hash:last-change (days since 1970-01-01):min:max:warn:inactive:expire:. A hash field of "*" or "!" means no password login is possible, so only seven accounts here carry a real hash, in three different schemes: $y$ is yescrypt (root, kali, bpd), $1$ is md5crypt (bpd03, bpd04) and the 13-character values without a $ prefix are traditional DES crypt (bpd01, bpd02). The last two schemes are deliberately weak for this exercise.
!unshadow
Usage: unshadow PASSWORD-FILE SHADOW-FILE
!sudo unshadow /etc/passwd /etc/shadow | tee unshadowed.txt
root:$y$j9T$Cy7cqtAtmP6sZOBQGUCzs/$AAR8uFpsTbKO1WUpd4tI.l8Wap1RQvlTZlGgIjcHTm8:0:0:root:/root:/usr/bin/zsh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:*:42:65534::/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:!*:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:!*:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:!:100:107::/nonexistent:/usr/sbin/nologin
tss:!:101:109:TPM software stack,,,:/var/lib/tpm:/bin/false
strongswan:!:102:65534::/var/lib/strongswan:/usr/sbin/nologin
tcpdump:!:103:110::/nonexistent:/usr/sbin/nologin
usbmux:!:104:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:!:105:65534::/run/sshd:/usr/sbin/nologin
dnsmasq:!:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi:!:107:112:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
speech-dispatcher:!:108:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
pulse:!:109:114:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
lightdm:!:110:116:Light Display Manager:/var/lib/lightdm:/bin/false
saned:!:111:118::/var/lib/saned:/usr/sbin/nologin
polkitd:!*:996:996:polkit:/nonexistent:/usr/sbin/nologin
rtkit:!:112:119:RealtimeKit,,,:/proc:/usr/sbin/nologin
colord:!:113:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
nm-openvpn:!:114:121:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
nm-openconnect:!:115:122:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/usr/sbin/nologin
mysql:!:116:124:MySQL Server,,,:/nonexistent:/bin/false
stunnel4:!*:995:995:stunnel service system account:/var/run/stunnel4:/usr/sbin/nologin
_rpc:!:117:65534::/run/rpcbind:/usr/sbin/nologin
geoclue:!:118:126::/var/lib/geoclue:/usr/sbin/nologin
Debian-snmp:!:119:127::/var/lib/snmp:/bin/false
sslh:!:120:128::/nonexistent:/usr/sbin/nologin
ntpsec:!:121:131::/nonexistent:/usr/sbin/nologin
redsocks:!:122:132::/var/run/redsocks:/usr/sbin/nologin
rwhod:!:123:65534::/var/spool/rwho:/usr/sbin/nologin
_gophish:!:124:134::/var/lib/gophish:/usr/sbin/nologin
iodine:!:125:65534::/run/iodine:/usr/sbin/nologin
miredo:!:126:65534::/var/run/miredo:/usr/sbin/nologin
statd:!:127:65534::/var/lib/nfs:/usr/sbin/nologin
redis:!:128:135::/var/lib/redis:/usr/sbin/nologin
postgres:!:129:136:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mosquitto:!:130:138::/var/lib/mosquitto:/usr/sbin/nologin
inetsim:!:131:139::/var/lib/inetsim:/usr/sbin/nologin
_gvm:!:132:141::/var/lib/openvas:/usr/sbin/nologin
kali:$y$j9T$thVUCcCzQozwQh.2JyVRs.$T0FS1BRAcGSTCGldig/Ji2CbWc3bLVV8Ym1wEPDcIw1:1000:1000:,,,:/home/kali:/usr/bin/zsh
bpd01:tZYKmfsWoO6pM:1001:1001::/home/bpd01:/bin/sh
bpd02:WlS9uXIapp.0Y:1002:1002:,,,:/home/bpd02:/bin/bash
bpd03:$1$Oiu7TFtk$ZTNbn5xTZHjlsZ7h4qmvB.:1003:1003:,,,:/home/bpd03:/bin/bash
bpd04:$1$qr12nWtW$YnX2Nq8a54oRPdlwvmq2s.:1004:1004:,,,:/home/bpd04:/bin/bash
_galera:!:133:65534::/nonexistent:/usr/sbin/nologin
bpd:$y$j9T$nEk.sb0dQCStri1kucPOv.$wnO6RDvyaW8ogbkXs7346C6fVsc0mr3RMIsEigNeKL9:1005:1005:BPD,,,,UPJS:/home/bpd:/bin/bash
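The added example below (my code, not part of the lab page or of John the Ripper) reproduces what unshadow does, replacing the "x" in the passwd line with the hash from shadow so that John's single mode later has the login name and GECOS field next to the hash, and then classifies each hash by its crypt(3) prefix and turns the days-since-epoch field into a date. PASSWD and SHADOW are constructed excerpts of the two listings above (hashes copied verbatim, service accounts trimmed to three representatives). The mapping of schemes to John --format names is my own table; yescrypt is listed under the generic crypt format because John has no native yescrypt implementation.

```python
from datetime import date, timedelta

PASSWD = """\
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
kali:x:1000:1000:,,,:/home/kali:/usr/bin/zsh
bpd01:x:1001:1001::/home/bpd01:/bin/sh
bpd02:x:1002:1002:,,,:/home/bpd02:/bin/bash
bpd03:x:1003:1003:,,,:/home/bpd03:/bin/bash
bpd04:x:1004:1004:,,,:/home/bpd04:/bin/bash
bpd:x:1005:1005:BPD,,,,UPJS:/home/bpd:/bin/bash
"""

SHADOW = """\
root:$y$j9T$Cy7cqtAtmP6sZOBQGUCzs/$AAR8uFpsTbKO1WUpd4tI.l8Wap1RQvlTZlGgIjcHTm8:19627:0:99999:7:::
daemon:*:19590:0:99999:7:::
sshd:!:19590::::::
kali:$y$j9T$thVUCcCzQozwQh.2JyVRs.$T0FS1BRAcGSTCGldig/Ji2CbWc3bLVV8Ym1wEPDcIw1:19590:0:99999:7:::
bpd01:tZYKmfsWoO6pM:19627:0:99999:7:::
bpd02:WlS9uXIapp.0Y:19627:0:99999:7:::
bpd03:$1$Oiu7TFtk$ZTNbn5xTZHjlsZ7h4qmvB.:19627:0:99999:7:::
bpd04:$1$qr12nWtW$YnX2Nq8a54oRPdlwvmq2s.:19627:0:99999:7:::
bpd:$y$j9T$nEk.sb0dQCStri1kucPOv.$wnO6RDvyaW8ogbkXs7346C6fVsc0mr3RMIsEigNeKL9:19627:0:99999:7:::
"""

# The 64-character alphabet used by traditional DES crypt output.
_DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

# crypt(3) prefix -> (scheme name, John --format to use). Own table, not John's.
_PREFIXES = (
    ("$y$", "yescrypt", "crypt"),        # no native JtR format: generic crypt(3) only
    ("$7$", "scrypt", "scrypt"),
    ("$6$", "sha512crypt", "sha512crypt"),
    ("$5$", "sha256crypt", "sha256crypt"),
    ("$2b$", "bcrypt", "bcrypt"),
    ("$2y$", "bcrypt", "bcrypt"),
    ("$2a$", "bcrypt", "bcrypt"),
    ("$1$", "md5crypt", "md5crypt"),
)


def hash_scheme(field: str):
    """Classify a shadow password field. Returns (scheme, john_format or None)."""
    if field in ("", "*") or field.startswith("!"):
        return "locked", None             # '*' / '!' / '!$6$...': no password login possible
    for prefix, scheme, fmt in _PREFIXES:
        if field.startswith(prefix):
            return scheme, fmt
    if len(field) == 13 and set(field) <= _DES_ALPHABET:
        return "descrypt", "descrypt"     # traditional DES crypt: 2-char salt + 11 chars
    return "unknown", None


def unshadow(passwd_text: str, shadow_text: str):
    """Same join as unshadow(1): each passwd line with field 2 replaced by the shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":", 2)[:2]
            hashes[name] = field
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        f = line.split(":")
        f[1] = hashes.get(f[0], f[1])     # keep 'x' if the user has no shadow entry
        merged.append(":".join(f))
    return merged


def days_to_date(days: str):
    """shadow stores dates as days since 1970-01-01; empty field means unset."""
    return (date(1970, 1, 1) + timedelta(days=int(days))).isoformat() if days else None


def triage(shadow_text: str):
    """Per-user summary: scheme, John format, last password change, crackable flag."""
    report = {}
    for line in shadow_text.splitlines():
        if not line:
            continue
        f = line.split(":")
        scheme, fmt = hash_scheme(f[1])
        report[f[0]] = {"scheme": scheme, "john_format": fmt,
                        "last_change": days_to_date(f[2]), "crackable": fmt is not None}
    return report


def crackable_by_format(shadow_text: str):
    """Group users by the --format John needs, so each hash type gets its fast native code."""
    groups = {}
    for user, info in triage(shadow_text).items():
        if info["crackable"]:
            groups.setdefault(info["john_format"], []).append(user)
    return groups


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    for fmt, users in crackable_by_format(SHADOW).items():
        print(f"john --format={fmt} unshadowed.txt   # {', '.join(users)}")
```

Running it prints the three John invocations that cover the seven real hashes; the locked service accounts are skipped, which matches the "Loaded 7 password hashes" message John prints further down.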
!echo -n "Ahoj"| md5sum
457cec4d12a2efe9c8eb46b0baf67a29 -
!john -list=formats
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS, tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256, aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5, AxCrypt, AzureAD, BestCrypt, BestCryptVE4, bfegg, Bitcoin, BitLocker, bitshares, Bitwarden, BKS, Blackberry-ES10, WoWSRP, Blockchain, chap, Clipperz, cloudkeychain, dynamic_n, cq, CRC32, cryptoSafe, sha1crypt, sha256crypt, sha512crypt, Citrix_NS10, dahua, dashlane, diskcryptor, Django, django-scrypt, dmd5, dmg, dominosec, dominosec8, DPAPImk, dragonfly3-32, dragonfly3-64, dragonfly4-32, dragonfly4-64, Drupal7, eCryptfs, eigrp, electrum, EncFS, enpass, EPI, EPiServer, ethereum, fde, Fortigate256, Fortigate, FormSpring, FVDE, geli, gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa, hMailServer, hsrp, IKE, ipb2, itunes-backup, iwork, KeePass, keychain, keyring, keystore, known_hosts, krb4, krb5, krb5asrep, krb5pa-sha1, krb5tgs, krb5-17, krb5-18, krb5-3, kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS, MD2, mdc2, MediaWiki, monero, money, MongoDB, scram, Mozilla, mscash, mscash2, MSCHAPv2, mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12, multibit, mysqlna, mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2, net-md5, netntlmv2, netntlm, netntlm-naive, net-sha1, nk, notes, md5ns, nsec3, NT, o10glogon, o3logon, o5logon, ODF, Office, oldoffice, OpenBSD-SoftRAID, openssl-enc, oracle, oracle11, Oracle12C, osc, ospf, Padlock, Palshop, Panama, PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda, pgpwde, phpass, PHPS, PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY, pwsafe, qnx, RACF, RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512, Raw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1, Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3, Raw-SHA384, restic, ripemd-128, ripemd-160, rsvp, RVARY, Siemens-S7, Salted-SHA1, SSHA512, sapb, sapg, saph, 
sappse, securezip, 7z, Signal, SIP, skein-256, skein-512, skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP, solarwinds, SSH, sspr, STRIP, SunMD5, SybaseASE, Sybase-PROP, tacacs-plus, tcp-md5, telegram, tezos, Tiger, tc_aes_xts, tc_ripemd160, tc_ripemd160boot, tc_sha512, tc_whirlpool, vdi, OpenVMS, vmx, VNC, vtp, wbb3, whirlpool, whirlpool0, whirlpool1, wpapsk, wpapsk-pmk, xmpp-scram, xsha, xsha512, zed, ZIP, ZipMonster, plaintext, has-160, HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, dummy, crypt 414 formats (149 dynamic formats shown as just "dynamic_n" here)
!john -list=formats | grep -i "md5"
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS, aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5, django-scrypt, dmd5, dmg, dominosec, dominosec8, DPAPImk, dragonfly3-32, 414 formats (149 dynamic formats shown as just "dynamic_n" here) mscash2, MSCHAPv2, mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12, net-md5, netntlmv2, netntlm, netntlm-naive, net-sha1, nk, notes, md5ns, Padlock, Palshop, Panama, PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1, pgpwde, phpass, PHPS, PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY, Raw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1, solarwinds, SSH, sspr, STRIP, SunMD5, SybaseASE, Sybase-PROP, tacacs-plus, tcp-md5, telegram, tezos, Tiger, tc_aes_xts, tc_ripemd160, tc_ripemd160boot, ZIP, ZipMonster, plaintext, has-160, HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
The result is misleading: john wraps the list over several terminal lines and grep returns every wrapped line that contains "md5", so unrelated names such as bcrypt or ZIP appear. Split the list one name per line before filtering: john --list=formats | tr ',' '\n' | tr -d ' ' | grep -i md5
!echo 457cec4d12a2efe9c8eb46b0baf67a29 >skuska
!john -format="Raw-MD5" skuska
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
Ahoj             (?)
1g 0:00:01:22 DONE 3/3 (2023-10-04 07:18) 0.01216g/s 21696Kp/s 21696Kc/s 21696KC/s AfNe..Ahuw
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
Each cracked line is printed as password (username); "(?)" means the input had no username field. "DONE 3/3" says the hit came in the third of John's default modes, incremental (exhaustive) search, after single mode and the wordlist stage found nothing, because "Ahoj" is not in password.lst. That is also why an unsalted four-character MD5 still took 1:22 here: incremental mode is walking the whole printable ASCII space at about 21 million candidates per second.
!wget https://ics.upjs.sk/~rkb/bpd1/hash1.txt
--2023-10-04 07:24:51--  https://ics.upjs.sk/~rkb/bpd1/hash1.txt
Resolving ics.upjs.sk (ics.upjs.sk)... 158.197.62.49
Connecting to ics.upjs.sk (ics.upjs.sk)|158.197.62.49|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34 [text/plain]
Saving to: 'hash1.txt'

hash1.txt           100%[===================>]      34  --.-KB/s    in 0s

2023-10-04 07:24:52 (24.6 MB/s) - 'hash1.txt' saved [34/34]
!john --format="crypt" unshadowed.txt
Using default input encoding: UTF-8
Loaded 7 password hashes with 7 different salts (crypt, generic crypt(3) [?/64])
Loaded hashes with cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) varying from 0 to 2
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
bpd              (bpd)
kali             (kali)
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Only the seven accounts with a real hash are loaded; the "*" and "!" entries are skipped. Both hits come from single mode, which builds candidates from the login name and GECOS field that unshadow kept next to each hash: the passwords of bpd and kali are simply their user names. The capture ends during the wordlist stage, before the remaining five hashes were attacked.
Two caveats about --format=crypt. It hands every candidate to the system's crypt(3), the slowest path John has, and it is the only way John can attack the yescrypt ($y$) hashes of root, kali and bpd. The descrypt hashes of bpd01 and bpd02 and the md5crypt hashes of bpd03 and bpd04 have native, far faster John formats, so run them separately with --format=descrypt and --format=md5crypt instead of leaving them in the generic crypt run.
!john -show unshadowed.txt
--show reads the results stored in ~/.john/john.pot from all previous sessions and prints the cracked entries in passwd format, followed by a count of cracked and remaining hashes. If John reports an ambiguous hash type here, repeat it as john --show --format=crypt unshadowed.txt.