{"id":93,"date":"2007-07-15T19:50:47","date_gmt":"2007-07-15T19:50:47","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=93"},"modified":"2011-08-20T16:01:09","modified_gmt":"2011-08-20T16:01:09","slug":"yaptest-password-management","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/yaptest\/using\/yaptest-password-management","title":{"rendered":"Managing Login Credentials with Yaptest"},"content":{"rendered":"
During larger pentests, it’s quite possible you’ll acquire logon credentials for tens, hundreds or even thousands of systems.\u00a0 After a while it becomes hard to track which systems you know usernames for, which ones you’ve got passwords for, etc.\u00a0 Yaptest can help you keep track of all your logon credentials.\u00a0 Here are some of its features:<\/p>\n
Examples of the type of query you can make include:<\/p>\n
Query results are all tab-delimited, so they are easily cut and grepped.<\/p>\n
<\/p>\n
Yaptest currently knows how to parse usernames and the following types of password hashes from passwd and shadow files:<\/p>\n
It will also parse the output of tools like pwdump2 and fgdump and store the LANMAN and NT hashes in the database.<\/p>\n
Yaptest should be able to automatically determine the type of hash in the file, so you just need to tell it which host the passwords were found on and the name of the file, e.g.:<\/p>\n
$ yaptest-credentials.pl add -i 10.10.0.1 -f passwd-file<\/pre>\n$ yaptest-credentials.pl add -i 10.10.0.1 -f shadow-dot-1<\/pre>\n$ yaptest-credentials.pl add -i 10.10.0.2 -f pwdump2-output.txt<\/pre>\nEntering Arbitrary Login Credentials<\/h3>\n
If you find a new username for a host but don’t yet know the password (e.g. via finger or SMTP user enumeration), you can enter just the username in the database.\u00a0 Note that you’ll need to specify what type of username you’ve found as many different types are supported:<\/p>\n
$ yaptest-credentials.pl add -i 10.10.0.1 --credtype os_unix --username bob<\/pre>\nLater you might find the password.\u00a0 The following will modify the original entry:<\/p>\n
$ yaptest-credentials.pl add -i 10.10.0.1 --credtype os_unix --username bob --password magic<\/pre>\nIn the section above, credentials were associated with only a host.\u00a0 Yaptest is also able to associate credentials with individual ports where appropriate.\u00a0 Here’s an example of how you could add an SNMP community string:<\/p>\n
$ yaptest-credentials.pl add -i 10.10.0.243 --port 161 --trans udp --credtype snmp_community --password private123<\/pre>\nParsing Group Membership Information<\/h3>\n
For Unix-based systems, user and group information resides in the \/etc\/passwd and \/etc\/group files respectively.\u00a0 First make sure that the usernames are imported:<\/p>\n
$ yaptest-credentials.pl add --ip 127.0.0.1 -f etc-passwd-127.0.0.1<\/pre>\nThen import group membership information as follows:<\/p>\n
$ yaptest-groups.pl add --group_ip 10.0.0.1 -f etc-groups-10.0.0.1<\/pre>\nFor Windows-based systems, user and group information is imported from the output of enum4linux.pl<\/a>.\u00a0 First make sure that the usernames and hostnames are imported:<\/p>\n
$ yaptest-parse-nbtscan.pl nbtscan*<\/pre>\n$ yaptest-parse-enum4linux.pl enum4linux-10.0.0.1.out<\/pre>\nThen import group membership information as follows:<\/p>\n
$ yaptest-groups.pl add --group_ip 10.0.0.1 -f enum4linux-10.0.0.1.out<\/pre>\nNote that if you run yaptest-db-ips.sh, all your username and hostname information is imported automatically.\u00a0 You only need to import the group information manually.<\/p>\n
To query who is in the Administrators group on 10.0.0.1:<\/p>\n
$ yaptest-groups.pl query --group_ip 10.0.0.1 --group_name Administrators<\/pre>\n10.0.0.1\u00a0 Administrators\u00a0 null\u00a0\u00a0\u00a0 10.0.0.1\u00a0 Administrator<\/pre>\nTotal records: 1<\/pre>\nThe IP address appears twice.\u00a0 This looks a bit strange, but is needed to represent Windows domains.\u00a0 The IP on the left is the IP that the group resides on (e.g. the Domain Admins group on the domain controller).\u00a0 The IP address on the right is the IP the member resides on (e.g. the Administrators group on a domain member).<\/p>\n
To query which groups \/ hosts have a user called ‘bob’:<\/p>\n
$ yaptest-groups.pl query --member_name bob<\/pre>\nLaunching John the Ripper<\/h3>\n
When you’ve collected a large number of hashes from a large number of hosts, it can be tricky to keep track of which hashes have been cracked and which ones belong to which host.\u00a0 Yaptest can act as a wrapper around john the ripper to help you keep track.<\/p>\n
Launch john the ripper on any outstanding LANMAN hashes by running:<\/p>\n
$ yaptest-credentials.pl crack lanman<\/pre>\nWhen you’re fed up with waiting, kill john from another window (don’t CTRL-C yaptest-credentials.pl):<\/p>\n
$ killall john<\/pre>\nyaptest-credentials.pl will then parse the john.pot file and update the credentials database with all the newly found passwords.\u00a0 If both halves of the LANMAN hash have been cracked for a password, yaptest will also recover the case of the password using the NT hash.\u00a0 List all the newly cracked passwords by running:<\/p>\n
$ yaptest-credentials.pl query<\/pre>\nNext time you run john the ripper, only the uncracked hashes will be used:<\/p>\n
$ yaptest-credentials.pl crack lanman<\/pre>\nI’ve also used yaptest-credentials.pl to crack des and NTLM hashes.\u00a0 Other types of hashes may or may not work as of v0.0.5.<\/p>\n
If you want to run a copy of John that’s not in your path, or run the MPI version under mpiexec, specify a different command line for john like this:<\/p>\n
$ yaptest-config.pl query yaptest_john_command<\/pre>\n$ yaptest-config.pl set yaptest_john_command 'mpiexec -n 4 \/path\/to\/john'<\/pre>\nYou might also need to change the location of John’s pot file like this:<\/p>\n
$ yaptest-config.pl query yaptest_john_pot<\/pre>\n$ yaptest-config.pl set yaptest_john_pot \/path\/to\/john.pot<\/pre>\nPassword Cracking with Rainbow Tables<\/h3>\n
As of v0.0.6 yaptest-credentials.pl can make use of rainbow tables to crack LANMAN and NTLM passwords.\u00a0 It calls out to rcrack<\/a> to achieve this.<\/p>\n