Passwords in the OS
In this tutorial, we’re gonna be discussing where we can find different kinds of passwords in the operating system.
This subject is particularly interesting for administrators and also security experts and the reason why is because from the administrator’s perspective you should know where to look for different types of information, where the password can be. Maybe you’re wondering what kind of password was there configured?
You will learn how we are able to extract it, so this is that part, and for security specialists, that will be a nice summary for interesting places where, during the penetration tests, you can find different types of credentials that you can use later.
Within this episode, I will show you all these places where the password can be in and how we are able to extract it.
My screen right now looks just like the image above. If you’re wondering about where we can find passwords in the operating system, let’s start with something maybe a little bit less obvious which is hashes. In order to list them, we need to use, for example, PsExec to elevate to a local system.
We have it right now. The next thing will be to use our tool which is called CQHashDumpV2 in order to reach, of course, some database, but also to have access to the system registry hive.
>> Download the CQHashDumpV2 tool <<
The password to open the zip is CQUREAcademy#123!
I’m going to get into CQ Tools where we’ve got CQ Hash Dump Version 2 and then /samdump. What we see above is a list of local accounts with their NT hashes. These are the ones that start from E19. That was actually quite easy.
Some more interesting places to find passwords in the operating system
What about some harder things? Is it possible to list, for example, passwords from the service accounts? Of course.
We can do that if we get into the service system as seen above. We can spot over here that’s there is this service running as the local administrator. What we’re going to do is CQSecretDumper /service pjservice, and that gives us some access to the password over here.
>> Download the CQSecretDumper<<
The password to open the zip is CQUREAcademy#123!
There is another place, this time in the registry, where we can find the password of the service account.
If we go to regedit, this kind of data can be found in “Policy” hive; then we’ve got “Secrets”. This is where we can find the password. The testservice, of course, is encrypted. That’s why we’ve written a tool in order to be able to decrypt it.
Where else? Well, for this purpose, I want to switch to a different machine.
I’ve got a couple of other things ready in order to, for example, be able to list passwords from the application pool. This is actually quite an easy task that everyone should know how to do. When we get into application pools on the web server, we’ve got an application pool called App1 that is running on a CQURE\fkrueger account. We’re going to get into, in this case, Windows, System32 and inetsrv because this is the place where we’ve got appcmd.exe. Appcmd apppool App1 /text:* will display all of that possible data that we can have over here.
As you can see here, we have the Freddy Kreuger and the password in clear text. Well, it’s originally not in a clear text. When we have a look at the IIS cryptography, it’s machine based; and if you follow the other articles and recordings, I’m also talking about data protection API. In this case, it’s a data protection API but of system. It’s not really stored in a clear text in applicationHost.config file but it can be decrypted, of course, as long as we’ve got access to the Windows Process Activation Service and IIS configuration.
Another interesting part, in this case, I get a PowerShell script behind, but when are we going to use it? We’re going to use it in the following situation. In IIS, we’ve got this setting that is called centralized certificates. That’s the place where we store our private keys, but in order to get access to private keys, we need to get access to private key passwords.
That’s why we’ve got here edit features settings. We can see over here that that’s the way we’re going to be accessing it, for example, to share where the certificates are. That’s the place where we configure that private key password.
Okay, but that’s like dots. Probably they have it stored somewhere. Well, yes, they are stored in the registry, but in encrypted form.
If we get into regedit again, at this stage as you see over here, we’re going to go to Software, Microsoft, IIS, and CentralCertProvider. There is a private key password and that private key password is stored like that.
Of course, when we change it, which is also an interesting case, to whatever abcabc, what is interesting is that when we go to edit feature settings, those dots are here mentioned. We can quickly change it, and in the moment, we will be able to export that private key.
Let’s do that. Have a look. Let’s go to Windows, then Microsoft.NET. We’ve got a certain version of the framework and then we’ve got v4.0.30319 and then we’ve got aspnet_regiis and then we’ve got the option that is called -px.
We can just do it like this. We got a PX container file and then we’re going to export it. That’s going to be quite interesting. We’ve got the minus px and then we will specify, of course, a container which is called issWasKey and then the file.
Of course, we can just do a test.xml because this is an output file and then we just do -pri for the private key. We got it in the test.xml file. Here we go.
Last, of course, we can use the cryptography that IIS is using. Let’s read it on private key password that we’ve got over here. Lovely. We will need to reverse the array that we are importing from the registry and apply the decryption function.
Let’s just see. This is what we have. These are the places where we can see all these passwords.
There are more users and system secrets to be uncovered. Take 2-hours CyberBytes training and learn how to extract cybersecurity data.
