“, but a domain connected machine may yield others. Mimikatz can also be used against a memory dump, or more specifically, a memory dump of the process that manages access to a Windows system, lsass.exe. On a Windows Vista and later system you can use the built-in Task Manager …”
T1003.001 LSASS Memory
99%
“executed in memory only (very stealthy). Or, as is often the case in pentests, it can be executed via the ever popular Metasploit Meterpreter. First, we’ll show you how to do this using a Meterpreter session setup between an external machine and an internal target. The meterp…”
T1003.001 LSASS Memory
99%
“the quick and easy ways that we harvest passwords to use during a penetration test – including screenshots so you can try this too! And remember that many users reuse their passwords so these harvested passwords may unlock other accounts as well. Oh – and if you really want to sp…”
T1003.001 LSASS Memory
95%
“this test, we are running a Windows 7 fully patched machine that is not joined to a domain. First download the executable from here. If you have A/V running it will probably get upset about this download so you will have to allow/whitelist it. Then just run Mimikatz from the …”
T1003.001 LSASS Memory
84%
“PowerShell, download and then invoke the Invoke-Mimikatz script. LaZagne (get it here) LaZagne is a relatively new tool written by Alessandro Zanni that can dump many different passwords found on Windows and Linux/Unix machines. It is able to extract passwords from web appl…”
T1552.001 Credentials In Files
77%
“been posted. - Look for password files stored on users’ desktops. - Check the contents of a user’s clipboard – it might just contain the last cut & paste password. If you have other ideas for extracting cleartext passwords we would love to hear about them. Send an email to sal…”
T1552.006 Group Policy Preferences
75%
“You can obtain these passwords by finding the files where they are stored and then passing the encrypted strings to the Ruby script gpp-decrypt. There is also a Metasploit post-exploitation module gpp that will harvest and decrypt in one step. Both methods are demonstrated in…”
T1003.001 LSASS Memory
75%
“/powershell/tree/master/invoke-mimikatz - https://download.sysinternals.com/files/procdump.zip - https://github.com/alessandroz/lazagne Ready to learn more? Level up your skills with affordable classes from Antisyphon! pay-forward-what-you-can…”
T1110.002 Password Cracking
39%
“Your password is … wait for it … not always encrypted. Advisory: the techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog…”
Summary
Sally Vandeven // As pentesters we LOVE passwords – they come in all shapes and sizes. A good password has 16+ characters and a mix of case, digits and special […]