Where Credentials are Stored?


Last updated 1 month ago

General Concept

Applications that implement authentication mechanisms compare user credentials against local or remote databases.

  • Local credential storage ➤ Credentials are stored on the system.

  • Web applications ➤ Vulnerable to SQL Injection attacks, which may expose sensitive data, including credentials in plaintext.

⚠️ Example: The RockYou breach exposed 32 million user accounts because credentials were stored in plaintext. This led to the creation of the famous password wordlist rockyou.txt (~14 million passwords).


Linux Credential Storage

Linux manages everything as files, even credentials. Here's how credentials are stored and secured:

/etc/shadow File

Password hashes (the "encrypted password" field) are stored in /etc/shadow:

root@htb:~# cat /etc/shadow

...SNIP...
htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::  

Structure:

<username>:<encrypted password>:<last change>:<min age>:<max age>:<warning>:<inactivity>:<expiration>:<reserved>

Example Breakdown:

  • htb-student ➤ Username

  • $y$j9T$3QSBB6CbHEu...f8Ms ➤ Encrypted password

Hash Format:

$<id>$<salt>$<hashed_password>

Hash ID Types:

| ID     | Algorithm     |
|--------|---------------|
| $1$    | MD5           |
| $2a$   | Blowfish      |
| $5$    | SHA-256       |
| $6$    | SHA-512       |
| $sha1$ | SHA1crypt     |
| $y$    | Yescrypt      |
| $gy$   | Gost-Yescrypt |
| $7$    | Scrypt        |


๐Ÿ“ /etc/passwd File

Used for user info but not encrypted passwords anymore.

z3tssu@htb:~$ cat /etc/passwd
...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash

Structure:

<username>:x:<uid>:<gid>:<comment>:<home dir>:<shell>

  • x means the password is stored in /etc/shadow

  • /etc/passwd is readable by all users, which is why the encrypted passwords were moved to /etc/shadow

❗ Misconfigured permissions on /etc/shadow can lead to privilege escalation.


Windows Authentication & Credential Storage

Authentication Process

Windows authentication is complex and modular:

Process Involves:

  • WinLogon.exe

  • LogonUI

  • Credential Providers

  • LSASS

  • Authentication Packages

  • SAM or Active Directory

Key DLLs (Authentication Packages):

| DLL          | Description                             |
|--------------|-----------------------------------------|
| Lsasrv.dll   | Enforces policies, selects NTLM/Kerberos |
| Msv1_0.dll   | Local logons                            |
| Samsrv.dll   | Local user accounts (SAM DB)            |
| Kerberos.dll | Kerberos protocol                       |
| Netlogon.dll | Network logon                           |
| Ntdsa.dll    | Active Directory registry interactions  |

LSASS (Local Security Authority Subsystem Service)

  • File: %SystemRoot%\System32\lsass.exe

  • Functions:

    • Authenticates users

    • Enforces security policies

    • Logs security audit events

LSASS is like the vault of Windows authentication systems.


SAM Database

  • Location: %SystemRoot%\System32\config\SAM (mounted on HKLM\SAM)

  • Stores:

    • Usernames

    • Passwords (in LM or NTLM hash format)

  • ๐Ÿ” Requires SYSTEM-level privileges to access

  • Protected with SYSKEY (introduced in Windows NT 4.0)


Domain-Based Authentication

If Windows is part of a Domain, credentials are validated against Active Directory stored in the NTDS.dit file.

๐Ÿ“ NTDS.dit File:

  • Location: %SystemRoot%\ntds\ntds.dit

  • Found on: Domain Controllers

  • Stores:

    • User, group, and computer accounts

    • Password hashes

    • Group policy objects

We will explore credential extraction methods from NTDS.dit.


Credential Manager

A built-in feature that stores saved credentials for:

  • Network resources

  • Websites

๐Ÿ“ Location:

C:\Users\[Username]\AppData\Local\Microsoft\Vault\
or
C:\Users\[Username]\AppData\Local\Microsoft\Credentials\

๐Ÿ” Credentials are encrypted and user-specific. Decryption methods exist and will be explored hands-on.

