Capture Windows Passwords on Network Pentester Guide


Capture Windows Passwords Guide

We are going to discuss how to capture Windows passwords. In the Kali Linux world there is more than one way to set up an SMB listener to capture Windows passwords, but now's a good time to bring out the framework that needs no introduction: Metasploit. The Metasploit Framework will play a major role in attacks throughout the book, but here we'll simply set up a quick and easy way for any Windows box on the network to attempt a file-sharing connection.

We start up the Metasploit console with:

# msfconsole

The Metasploit Framework comes with auxiliary modules. They aren't exploits with payloads designed to get you a shell, but they are wonderful sidekicks on a pen test, as they can perform tasks such as fuzzing or, in our case here, server-side authentication capture. You can take the output from here and pass it right along to a password cracker or to an exploit module to progress in your attack. To get a feel for the auxiliary modules available to you, type this command at the MSF prompt:

show auxiliary

We'll be using the SMB capture auxiliary module. Before we configure the listener, let's consider a real-world pen test scenario where this attack can be particularly useful.

A real-world pentest scenario to capture windows passwords

You have physical access to a facility by looking the part: suit, tie, and a fake ID badge. Walking around the office, you notice a multifunction printer and scanner. During the course of the day, you see employees walk up to the device with papers in hand, punch something into the user interface, scan the documents, and then walk back to their desks. What is likely happening here is that the scanner is taking the images and storing them in a file share so that the user can access them from his or her computer.

In order to do this, the printer must authenticate to the file share. Printers are often left with default administrator credentials, allowing us to change the configuration. The accounts used are often domain administrators, or at the very least, have permissions to access highly sensitive data. How you modify the printer’s settings will depend on the specific model. Searching online for the user guide to the specific model is a no-brainer.

The idea is to temporarily change the destination share to the UNC path of your Kali box. When I did this, I kept a close eye on the screen; once I captured authentication attempts, I changed the settings back as quickly as I could to minimize any suspicion. The user’s documents never make it to the file share; if it only happens once, they’ll likely assume a temporary glitch and think nothing of it. But if multiple users are finding they consistently can’t get documents onto the share, IT will be called.
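The scenario above has a clear defensive signature: a printer that normally delivers scans to one file server briefly opens SMB (TCP/445) connections to some other host, then goes back to normal. The following script is an added example, not code from the original post or from Metasploit; it shows how a blue team can spot that pattern from firewall or flow logs and audit a printer's configured scan-to-share UNC path against an allow-list. The printer and server addresses, the inventory table and the log lines are all constructed placeholders for this example.

```python
"""Added example (not from the original post): detect a multifunction printer
delivering scans over SMB to a host other than its approved file server, and
audit the printer's configured scan-to-share path. All addresses, the
inventory and the log lines below are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass

SMB_PORT = 445

# Assumed inventory: printer IP -> set of hosts it is allowed to deliver scans to.
# In practice this comes from the asset database; the values here are constructed.
PRINTER_SCAN_DESTINATIONS = {
    "10.0.20.15": {"10.0.10.5"},  # constructed: copy-room MFP -> file server
}

# Constructed flow log: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>" per line.
# The printer talks to its file server, briefly to an unknown host, then back.
SAMPLE_FLOW_LOG = """\
2024-05-01T09:02:11 10.0.20.15 10.0.10.5 445 tcp
2024-05-01T09:15:40 10.0.20.15 10.0.10.5 445 tcp
2024-05-01T09:31:02 10.0.20.15 10.0.50.77 445 tcp
2024-05-01T09:31:05 10.0.20.15 10.0.50.77 445 tcp
2024-05-01T09:33:18 10.0.30.9 10.0.10.5 445 tcp
2024-05-01T09:40:00 10.0.20.15 10.0.10.5 445 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one whitespace-separated flow record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    return Flow(parts[0], parts[1], parts[2], int(parts[3]), parts[4].lower())


def find_rogue_smb_destinations(log_text, inventory=PRINTER_SCAN_DESTINATIONS):
    """Return {printer_ip: {unexpected_destination: connection_count}} for every
    SMB connection a tracked printer made to a host outside its approved set.
    Even a count of 1 is worth an alert: the attack only needs one delivery."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow.proto != "tcp" or flow.dport != SMB_PORT:
            continue
        allowed = inventory.get(flow.src)
        if allowed is None:  # source is not a printer we track
            continue
        if flow.dst not in allowed:
            findings[flow.src][flow.dst] += 1
    return {printer: dict(dsts) for printer, dsts in findings.items()}


def unc_host(unc_path):
    r"""Extract the server component of a UNC path such as \\server\share."""
    normalized = unc_path.replace("/", "\\").lstrip("\\")
    return normalized.split("\\", 1)[0].lower()


def audit_scan_destination(printer_ip, unc_path, inventory=PRINTER_SCAN_DESTINATIONS):
    """True if the printer's configured scan-to-share path points at an approved server.
    Run this against the value read from the printer's admin page or config export."""
    allowed = {host.lower() for host in inventory.get(printer_ip, set())}
    return unc_host(unc_path) in allowed


if __name__ == "__main__":
    for printer, dsts in find_rogue_smb_destinations(SAMPLE_FLOW_LOG).items():
        for dst, count in dsts.items():
            print(f"ALERT printer {printer} made {count} SMB connection(s) to unapproved host {dst}")
    # Config audit: the second path would be flagged.
    print(audit_scan_destination("10.0.20.15", r"\\10.0.10.5\scans"))
    print(audit_scan_destination("10.0.20.15", r"\\10.0.50.77\scans"))
```

Two design points: the flow check keys on the printer as the SMB client rather than on the destination, because the rogue destination can be any host on the network, and the config audit compares only the server component of the UNC path, so a renamed share on the approved server does not raise a false alarm while any change of server does. Locking printer admin interfaces behind non-default credentials removes the precondition the scenario relies on.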
