00:00:00
In this video, I'm gonna hack Michael's
password on his Windows computer,
00:00:03
and I'm gonna show you how it will
involve grabbing his password hash and
00:00:06
cracking it with tools from Kali Linux.
00:00:08
So we're gonna wait for
him to go to the bathroom.
00:00:10
He normally leaves his computer unlocked,
which is really bad. Don't do that.
00:00:13
So we're gonna wait and watch and then
we're gonna rush in there. All right,
00:00:15
there he goes. Let's go to the bathroom.
All right, this is our window. Come on,
00:00:18
come on, come on, let's go. I forgot
about coming. Okay. Okay, now we can hack.
00:00:24
Almost built it. Wait, what now?
00:00:29
Disclaimer,
00:00:29
what I'm about to show you is a real
hacking technique and should only be used
00:00:33
ethically.
00:00:34
Meaning you have explicit permission
and you're following all the rules.
00:00:37
And in this situation, I'm
Michael's boss, so I make the rules.
00:00:40
So right now I do have full access to
Michael's desktop, but only for a moment.
00:00:44
If I want to have it forever,
I need to find his password.
00:00:47
But there is one problem though.
Windows doesn't just store his password
00:00:50
in plain text on the system.
It's stored as a hash,
00:00:53
like most modern systems
and applications. When
you set up a password,
00:00:56
they don't store that password
the way you see it like this. No,
00:00:59
they don't do that. They take it and
they put it through a hashing algorithm.
00:01:03
And in the case of Microsoft, it's
the MD4 hashing algorithm.
00:01:06
So they hashed it up to where it
will look something like this.
00:01:09
And that's what they store as your
password. It's not your password,
00:01:12
it's a hashed version of it.
And when you try to log in,
00:01:15
they put that back through their little
calculation algorithm thing, their hash,
00:01:19
and if it spits out the same hash
that they have stored, you're in.
00:01:22
We want that hash. We need it.
00:01:24
And while it won't immediately tell us
his password, it will once we crack it.
00:01:27
And actually later I'll show you how we
can just use the hash itself to do some
00:01:32
pretty gnarly things. It's kind of crazy.
00:01:34
Now, to get his hash: it's found in his
system's registry, in two places.
00:01:37
Let's get it real quick. I'll go to
my search bar and search for regedit.
00:01:41
There it is right there. Notice
I am getting a UAC prompt.
00:01:45
I do have to be administrator. Good news
is Michael is an administrator here.
00:01:48
We're looking at HKEY_LOCAL_MACHINE,
and we want the SAM and SYSTEM keys.
00:01:53
Now I could export them here, but we
don't have time. We have to hurry up.
00:01:56
So we're gonna do it via command line.
00:01:57
I'm gonna launch my terminal
as administrator and with
one command I can grab
00:02:01
them. That'll be reg
save, specify the key
00:02:04
HKLM\SAM, and then I'll specify where to
save it. I'll just put it right here:
00:02:09
sam.save. Got it. Same thing for
the SYSTEM key. We'll grab SYSTEM,
00:02:15
save it as system.save. And
we got it. Wait, is that him?
00:02:22
All right, I gotta be quick,
he could be back at any time.
00:02:23
But I have to tell you how you can
protect yourself from bad passwords with
00:02:27
Dashlane.
00:02:27
Dashlane is my password manager of choice
and the sponsor of this video. Now,
00:02:31
I really hope that Michael has been
using Dashlane for his Windows password.
00:02:35
Actually, I kind of hope he has it.
00:02:36
It's gonna make my job so
much harder to hack it.
00:02:38
Now I love Dashlane because they make
it really easy to create complicated,
00:02:41
hard to hack passwords
for all your services.
00:02:44
And it'll tell you if
it's not a good password,
00:02:45
and it'll make sure you have a
unique password for everything.
00:02:48
That's probably the main
reason people get hacked.
00:02:49
I'm really curious what Michael's
password is. We're gonna find out. Now,
00:02:52
honestly,
00:02:52
I should already know if Michael is using
good passwords because I forced all of
00:02:56
my employees to use Dashlane
because I use it for my business,
00:02:58
I can look at their password
scores, make sure they're healthy,
00:03:01
and make sure their passwords
aren't compromised on the dark web.
00:03:04
So check it out, link below:
dashlane.com/networkchuck50,
00:03:07
or you can use code NETWORKCHUCK50
and you'll get 50% off.
00:03:11
Don't be like Michael, don't get hacked.
Okay, he's, he's coming back soon.
00:03:14
Okay, let's look at, get this going.
00:03:16
Now all you gotta do is
put this on a flash drive,
00:03:18
which I'm just not realizing I don't
have. I'll be right back. Let's go.
00:03:24
There's a flash drive.
00:03:25
Uh, crap.
00:03:30
Crap crap, crap crap.
00:03:35
Got one. Okay, go, go, go, go, go.
00:03:39
No.
00:03:42
Okay. Alright. Okay.
00:03:46
I'll open up my finder right
here. Copy these two files,
00:03:52
save them to our flash drive, our
external hard drive and we're good to go.
00:03:58
All right, I
00:03:58
think, I think I hear
00:03:59
him coming. Get it.
00:04:07
He doesn't even know. What a sucker.
00:04:12
Okay, I got 'em. I'm gonna go plug
'em into my computer. It's in my server room.
00:04:20
And there it is. And there they
are: sam.save, system.save.
00:04:24
I'm gonna take those copy and I'll paste
them right here on my desktop. Bam.
00:04:27
There they are. I'll jump to my
desktop in my terminal: cd Desktop.
00:04:32
There's my two files. Now to
get the hash outta these guys,
00:04:34
we're gonna use a tool called Impacket
secretsdump. It's a weird name.
00:04:38
It's built into Kali, let's try it
out. And if you need to install it,
00:04:40
of course, sudo apt.
00:04:42
Let's just do a search for impacket
and you can find it pretty easily.
00:04:46
Here's the command: impacket-secretsdump.
We'll do a -sam,
00:04:49
which is where Windows actually
stores these NTLM hashes.
00:04:53
NTLM is their net logon manager. It's,
00:04:56
it manages the password stuff. And
we'll specify our files: sam.save.
00:04:59
And then we'll do -system
and specify our system.save,
00:05:02
and LOCAL because we're
parsing local files right here.
00:05:05
And let's try it out. Do
you see all that? There's a lot here.
00:05:09
Let me uh, make this more legible for
you. We have the hashes by the way,
00:05:12
we got the administrator hash
and there's Michael right there.
00:05:15
The hash is actually right here.
This is what we need and we have it.
00:05:19
So I'm gonna grab this and save it.
Create a file called hashes.txt,
00:05:24
paste it in there, Ctrl+X, Y,
Enter to save. We got it.
00:05:27
Now at this point we have the hash
and we need to crack the password.
00:05:31
And if you've seen my password cracking video
00:05:33
(which, if you haven't yet, go check it out),
00:05:34
I detail a lot of what password cracking
entails. This is what it normally is:
00:05:38
You have a password hash and now we have
to guess what a password might be for
00:05:41
that. If you recall from our example
earlier, we're kind of like Microsoft,
00:05:44
the Windows computer.
00:05:45
All we have is the hash and instead of
waiting for a user to put the password in
00:05:49
and go, yep, that's it.
00:05:50
We're gonna try a bunch of
passwords, like a lot, and try and
00:05:55
guess what the password is.
00:05:57
Thankfully we have tools that can automate
that and they'll be able to tell us
00:06:00
what the right password is. But we
gotta do a few things to make it work.
00:06:03
First we'll need a list of passwords
that could be Michael's password.
00:06:06
And when I say a list, I mean like
thousands, probably 20,000 passwords.
00:06:10
How do we do that? There's a tool for
it. I'll show you here in a second.
00:06:13
But what we're doing here,
00:06:14
getting a list of passwords and trying
them all with a tool, that's called a
00:06:18
dictionary attack. And it's what
most password crackers, hackers, use.
00:06:22
So when you hear about a data breach and
people you know have their emails and
00:06:25
their passwords compromised, it's normally
an email address and a password hash.
00:06:28
And these hackers will do
what I'm doing right now,
00:06:31
get a bunch of well known passwords or
randomly generated passwords and just
00:06:34
start going at it automated.
Let's try it real quick. Now,
00:06:37
to generate our list of passwords,
we're gonna use a tool called CUPP,
00:06:41
which is really, really fun. Check it
out. Let's see if I have it installed.
00:06:44
Nope. Do I wanna install
it? Sure, yes. Cool, that was easy.
00:06:48
So what we'll do here is we'll type in
cupp -i for interactive mode, and what
00:06:52
this will do is ask us questions about
our target name, date, birth date,
00:06:56
significant other hobbies, keywords.
00:06:59
And we'll use that information to
generate a random list of passwords. Well,
00:07:03
not so random, so let's try it
out. First name: Michael. Surname:
00:07:07
Wall. Nickname: Michael. We wanna do
birthday. Partner's name: Amanda. Panda.
00:07:12
Asher. Pet's name: Bree.
Company name: NetworkChuck.
Do we want some keywords? Sure,
00:07:17
let's do um Beatles. He likes the Beatles.
00:07:20
Summer 2023 Monkeys Bible.
00:07:24
Jesus. Okay, I think we're good.
Special characters? Sure, yeah,
00:07:28
let's do that. Leet mode? Dunno what
that is, saying no. Okay,
00:07:31
do you see that? That was so fast.
00:07:33
It just generated 17,000 words and put
it inside a file called michael.txt.
00:07:38
Let's, um, let's cat that real
quick: cat michael.txt.
00:07:42
Look at all those possible
passwords that he might have.
00:07:44
So now let's see if he has that password.
00:07:46
For this we're gonna use a
very popular cracking tool,
00:07:49
password cracking tool called Hashcat.
00:07:51
I go deeper into how to use this
in my password hacking video.
00:07:53
So we'll start our command,
we'll do a sudo hashcat,
00:07:57
we'll do a -m to specify our hash
type. We're doing NTLM so it'll be 1000.
00:08:01
That's again what Windows uses. I
know this from reading the man page.
00:08:04
Then we'll specify our hashes.
00:08:06
We created a hash file called hashes.txt
with Michael's hash in it.
00:08:09
And then finally our dictionary,
our word list, michael.txt.
00:08:13
Let's see how this works. Ready, set,
go. 17,000 passwords. Let's try it. Okay,
00:08:18
there we go. Status cracked.
00:08:20
Let's do that same command and we'll do
a --show and it should output
00:08:23
for us the hash and the password
in its database. Okay, there it is.
00:08:26
That should be his password. So we
have his hash, we have his password.
00:08:30
Now what do we do? We hack
him, we get in.
00:08:33
We can use tools like evil-winrm,
00:08:36
which is as fun as it sounds. We'll
do a -i and specify his IP address.
00:08:41
Now I do happen to know this because
he's here at my office, right?
00:08:44
And I could've figured that out doing
ipconfig while I was at his computer.
00:08:47
So that's his IP address.
-u, user name
00:08:49
Michael, -p, I'll put in that password
we found, and let's see what happens.
00:08:54
Shell right there. whoami? I'm
Michael, I'm in his computer right now.
00:09:00
Yep, that's his IP address. That's a
Windows machine. Pretty crazy, right?
00:09:03
We can do something better. Let
me exit outta there. We can, uh,
00:09:07
RDP with a tool, xfreerdp:
00:09:08
do a /v for the computer, /u for the
00:09:13
user, /p for the password.
00:09:18
And that should be all I need. Let's
try it out. Seems to be working .
00:09:23
What the heck? Got him!
00:09:27
How cool is that though? Now let
me show you something crazier.
00:09:30
We cracked the password and I happen to
know Michael so I could have generated
00:09:33
that list and, and you know, had
a pretty good list of passwords,
00:09:36
but we don't need it. Check it out.
Our same command before, evil-winrm,
00:09:39
we could just do a -h. Let
me open up a new terminal and, uh,
00:09:43
grab that real quick.
We'll grab that hash.
00:09:48
Oh wait, that's not it. It's
a capital H, -H. Did you see that?
00:09:53
I logged in with the hash, not even the
password. That's kind of crazy, right?
00:09:58
It's called pass the hash. And we
can do the same thing with, uh, RDP,
00:10:01
same command as before,
00:10:02
but instead of -p, or /p, we'll
do a /pth for pass the hash, paste the
00:10:07
hash there. There's a fly in
here. Get here, fly. But look, it worked.
00:10:11
How amazing is that? Oh, I lost it.
Try it again. Back again.
00:10:16
He's gotta be freaking out right now.
00:10:17
So what I just showed you is how you can
get a hash from a Windows computer and
00:10:21
figure out the password from that hash
or just use the hash itself to get access
00:10:25
to a bunch of stuff. It's kind of
crazy. It's powerful, it's really fun.
00:10:29
But now let's move on to the
defensive side of things.
00:10:31
Let's talk about mitigation.
00:10:32
And this is actually good news for
security people because the method that I
00:10:35
used here is already documented pretty
well in the MITRE ATT&CK framework: OS
00:10:39
Credential Dumping, with
Security Account Manager. Sorry,
00:10:42
this flies driving me nuts.
You'll notice that hey,
00:10:44
we're dumping the same keys
that they're mentioning.
00:10:47
So it's documented and they're even
saying the tools that we may have used.
00:10:50
secretsdump. What?
00:10:52
But what's cool is they do
offer mitigations: disabling
or restricting NTLM,
00:10:56
putting in password
policies, user training,
00:10:58
and they also give you detection stuff,
like how you actually detect when people are
00:11:01
doing stuff with their registry
keys. So that's good news.
00:11:03
And also full disclosure,
00:11:05
we had to do a few things to
Michael's PC to make this work,
00:11:08
disable certain security features
that prevented us from doing things.
00:11:11
Now we did get the hash, no problem,
we didn't have to do anything for that.
00:11:14
But in order for me to do the
WinRM command giving me a shell,
00:11:17
I had to disable his firewall,
the Windows firewall,
00:11:20
in order for me to do the
RDP, same thing, firewall.
00:11:22
I also had to enable remote desktop
and add Michael to the allowed users to
00:11:26
access remote desktop, and had to
disable a setting in the registry called
00:11:29
DisableRestrictedAdmin,
00:11:30
which was a flaw back in Windows
8 that they had to fix.
00:11:33
So we did have to do a few
things to make it work.
00:11:34
So if you try to do this
yourself and you're like, uh,
00:11:37
I'll put some information down below how
you can like do this yourself with your
00:11:40
own little lab, it's pretty fun.
00:11:41
But just know the default security
posture of Windows, it's pretty good.
00:11:45
Now it doesn't mean that what I've done
here cannot be done by a pretty good
00:11:48
hacker or that a user may just
have a computer that's wide open.
00:11:53
So I hope in this video you saw another
window into Windows, of how
00:11:57
vulnerable we kind of are, but
also how secure we are as well.
00:12:00
And also I wanted to address something
because back in my password hacking
00:12:03
video, now I talked about, oh we
can, we can crack hashes, but you're,
00:12:06
the number one question I got was
how do you get those hashes? Well,
00:12:09
in this video I showed you how you could
get those hashes at least a potential
00:12:12
way. And by the way, I've only scratched
the surface of what you can do here.
00:12:16
This is a very basic example, a basic
demo. There's a whole big world to this.
00:12:20
That's all I got. I'll
catch you guys later.