SMBExec 2.0 and Cracking Domain Cached Credentials on oclHashcat

Recently, on one of my experimentation days, I decided to play with the “Cached Hashes” that are provided when using SMBExec 2.0. SMBExec is a good tool, so if you haven’t already used it, it is highly recommended. Those of you who have used it may have seen output a little like this:

[+] 192.168.111.24 – Found 3 Local, 5 Cached, 0 in Memory
[+] 192.168.111.25 – Found 4 Local, 2 Cached, 1 in Memory
[+] 192.168.111.28 – Found 4 Local, 6 Cached, 0 in Memory

“Local” means the local SAM database, “Memory” means the plain text passwords extracted from the lsass process, and “Cached” means Domain Cached Credentials. These cached hashes are the ones I am interested in for this post. They are a special type of hash, unlike NetNTLM or plain NTLM hashes. The cached hashes file saved by SMBExec looks a little like this:

victim.user:3f793bb271a43c95a8***1a22f811241:targetdomain.localp:targetdomain

Just to add to any confusion – “Cached” in SMBExec 2.0 is the same thing as Domain Cached Credentials which is the same thing as MSCash hashes.

It would be easy to look at the hash and decide that it is just an MD5 or NTLM, and in fact if you were to tell oclHashcat that that is what it is, it would keep trying but would almost certainly never find the plain text. That is because MSCash passwords are in a different format and have had more work performed on them than a single-pass algorithm such as MD5. MSCash hashes come in two varieties – Windows Vista and above have MSCashv2, whereas earlier versions had MSCashv1.

To convert the above SMBExec hash to MSCashv1 you will probably want a command like the following:

cat cached_hashes_unique.txt | awk -F ":" '{print $2":"$1}' > mscashv1.txt

This will produce an output file that looks a little like this:

3f793bb271a43c95a8***1a22f811241:victim.user

To convert the above SMBExec hash to MSCashv2 you will probably want a command like the following:

cat cached_hashes_unique.txt | awk -F ":" '{print "$DCC2$10240#"$1"#"$2}' > mscashv2.txt

This will produce an output file that looks a little like this:

$DCC2$10240#victim.user#3f793bb271a43c95a8***1a22f811241

In MSCashv1 the username is the salt for the final hash – this slows down cryptanalysis a little but is not too bad. In oclHashcat you want hashtype 1100 to crack these.

In MSCashv2 the beginning part of the string (“DCC2”) denotes it as MSCashv2, and the second part (“10240”) indicates the number of cryptographic rounds it is configured for – strictly speaking this can be configured to any number, however the default is 10240. The username is still used as a salt in MSCashv2. In oclHashcat you want hashtype 2100 to crack these.
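The two awk one-liners above do the whole job when every line is well formed, but a real SMBExec cached-hash file can contain duplicates, blank lines, or digests that have been masked for a report (like the “***” sample in this post), and awk will happily pass those through to oclHashcat. The script below is an added example, not part of SMBExec or this post: it parses the `user:hash:...` layout, keeps only lines whose digest is 32 hex characters, drops duplicates, and emits either the hashtype 1100 (`hash:user`) or hashtype 2100 (`$DCC2$<rounds>#user#hash`) form, with the round count as a parameter so a non-default domain setting can be reflected. The function names and the sample lines are constructed for illustration.

```python
"""Convert SMBExec 2.0 cached-credential lines into the two oclHashcat input formats.

Added example, not part of SMBExec or the original post. The helper names and
the sample lines below are constructed for illustration.
"""
import re
from typing import Iterable, List, Optional, Tuple

# A DCC/MSCash digest is a 16-byte MD4 output, i.e. 32 hex characters.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
DEFAULT_ROUNDS = 10240  # Windows default DCC2 iteration count, as the post notes


def parse_smbexec_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (username, hash) from a 'user:hash:...' line, or None if malformed.

    Only the first two colon-separated fields matter; SMBExec appends domain
    fields after the hash, which oclHashcat does not need.
    """
    parts = line.strip().split(":")
    if len(parts) < 2:
        return None
    user, digest = parts[0], parts[1].lower()
    if not user or not HEX32.match(digest):
        return None  # a masked '***' digest or an empty user is rejected here
    return user, digest


def to_mscashv1(user: str, digest: str) -> str:
    """Hashtype 1100 input: hash:username (same layout as the awk one-liner)."""
    return f"{digest}:{user}"


def to_mscashv2(user: str, digest: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Hashtype 2100 input: $DCC2$<rounds>#username#hash."""
    if rounds <= 0:
        raise ValueError("rounds must be a positive iteration count")
    return f"$DCC2${rounds}#{user}#{digest}"


def convert(lines: Iterable[str], version: int, rounds: int = DEFAULT_ROUNDS) -> List[str]:
    """Convert every well-formed line, dropping duplicates and malformed input."""
    if version not in (1, 2):
        raise ValueError("version must be 1 (MSCashv1) or 2 (MSCashv2)")
    seen = set()
    out: List[str] = []
    for line in lines:
        parsed = parse_smbexec_line(line)
        if parsed is None or parsed in seen:
            continue
        seen.add(parsed)
        user, digest = parsed
        if version == 1:
            out.append(to_mscashv1(user, digest))
        else:
            out.append(to_mscashv2(user, digest, rounds))
    return out


# Constructed sample input in the SMBExec cached-hash layout (not real credentials).
SAMPLE_LINES = [
    "victim.user:0123456789abcdef0123456789abcdef:targetdomain.local:targetdomain",
    "victim.user:0123456789abcdef0123456789abcdef:targetdomain.local:targetdomain",  # duplicate
    "svc.backup:FEDCBA9876543210FEDCBA9876543210:targetdomain.local:targetdomain",
    "broken.line:3f793bb271a43c95a8***1a22f811241:targetdomain.local:targetdomain",  # masked digest
    "",
]

if __name__ == "__main__":
    # Writes the MSCashv1 lines, then the MSCashv2 lines, to stdout.
    for entry in convert(SAMPLE_LINES, 1):
        print(entry)
    for entry in convert(SAMPLE_LINES, 2):
        print(entry)
```

Digests are lower-cased before validation, so a file that mixes upper- and lower-case hex still deduplicates correctly; usernames are left exactly as SMBExec wrote them, because they form part of the salt.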
