These days, more and more organizations are becoming vulnerable to outside threats due to weak password policies and insecure password management systems. Credentials provide a gateway into various accounts and systems, which can potentially give access to additional targets on the network and lead to the extraction of confidential data from these targets. Therefore, as part of a penetration test, it is important to discover and present credential data that compels organizations to strengthen and enforce complex password policies to prevent vulnerabilities like password reuse and weak passwords.
As part of your credentials audit, you want to identify weak passwords, the most commonly used passwords, and top base passwords. You will also want to reuse valid credentials, so that you can identify the impact of the stolen credentials across a network.This will help an organization understand their current posture, identify how they can strengthen password policies, and enforce passwords requirements that meet industry best practices.
To help you understand how credentials are obtained, stored, and managed by Metasploit Pro, the following section will provide an overview of the key concepts and terms you must know before working with credentials.
Understanding Credential Terminology
Typically, when you think of a credential, you think of a username and password. In Metasploit Pro, a username is referred to as a public, and the password is known as a private; therefore, a credential can be a private, public, or a credential pair.
To summarize the key credential terms:
- Public - The username that is used to log in to a target.
- Private - The password that is used to authenticate to a target. It is usually a plaintext password, an SSH key, NTLM hash, or nonreplayable hash. Since the private can be an SSH key or hash, the term 'password' is not broad enough to cover these private types.
- Credential pair - A public and private combination that can be used to authenticate to a target.
- Private type - Refers to whether the private is a plaintext password, an SSH key, NTLM hash, or nonreplayable hash.
- Nonreplayable hash - A hash that cannot be replayed to authenticate to services. For example, any hash that was looted from
/etc/shadowis a nonreplayable hash.
- NTLM hash - A hash that can be replayed to authenticate to SMB.
- Realm - Refers to the functional grouping of database schemas to which the credential belongs. A realm type can be an Active Domain Directory, a Postgres database, a DB2 database, or an Oracle System Identifier (SID). A public, private, or credential pair can have a realm, but it is not mandatory.
- Incomplete public - A public that does not have a private. It can have a realm, but it is not required.
- Incomplete private - A private that does not have a public. It can have a realm, but it is not required.
- Login - A username and private combination that is associated with a particular service. A login indicates that you can theoretically authenticate to a service using the credential pair. Metasploit Pro creates logins when it collects evidence from an exploited target and when it successfully bruteforces a target.
During exploitation, if a host is successfully looted, Metasploit Pro will attempt to create logins based on the type of credential that was captured. For example, if NTLM hashes were looted, then a login for SMB will be added for each hash. For example, a credential pair, such as admin/admin, that can be used to authenticate to a service, like telnet, is a login.
- Origin - Identifies how the credential was obtained or added to the project, such as through Bruteforce, manual entry, or an imported credentials list. A origin can be manual, import, session, service, or cracked password.
- Validated credential - A credential that has successfully authenticated to a target.
There are a few ways that you can obtain credentials. The main methods of acquiring credentials include exploiting a vulnerability and dumping the credentials from the compromised target; bruteforcing targets using weak and common default credentials; and searching publicly available resources for stolen credentials. The method you use depends on the level of access that you have to a target.
Metasploit enables you to leverage multiple attack methods to acquire credentials, such as exploiting unpatched vulnerabilities. For example, if you are able to discover a Windows system that is vulnerable to MS08-067, you may be able to exploit that target and log in to the system to gather information from it. With access to the system, you can extract data such as password hashes, plaintext passwords, and domain tokens.
Many information systems are configured to use passwords as the first, and sometimes only, line of defense. And oftentimes, the passwords are easy to guess passwords or even blank passwords. This means that if you have the username, you can try to guess the password to log in to the target. For example, a Windows domain account that uses a weak or blank password can be easily guessed via bruteforce.
Additionally, many systems are configured with the default account settings. These accounts usually share the same password across multiple instances, which means that if you know the default account settings for one account, you will be able to leverage those credentials to compromise other targets across the network as well. In this case, you can manually add common default credentials and use the Quick Validation feature to validate the account credentials. If any credentials successfully authenticate to a target, you can run Credential Reuse to find additional targets on which the credentials are valid.
To summarize the methods that you can use to obtain credentials with Metasploit:
- You can find vulnerabilities and exploit them to obtain access to the target. Once you have access to a target, you can dump credentials and other confidential data from the exploited target.
- You can run Bruteforce to guess commonly used, weak, and default credentials on services like AFP, DB2, FTP, HTTP, HTTPS, MSSQL, MySQL, POP3, PostgreSQL, SMB, SNMP, SSH, telnet, VNC, and WinRM.
- You can manually add or import credentials to a project and run Quick Validation or Credential Reuse to find targets that can be authenticated. This method is useful when you have a set of commonly used credentials or known credentials you want to try on a set of targets.
Every credential added to a project has an origin, which refers to the source of the credential. An origin can be one of the following:
- Manual - Indicates that you manually added the credential from the Manage Credentials page.
- Import - Indicates that you imported the credential by uploading a CSV file or PWDump to the project.
- Service - Indicates that the credential was obtained using Bruteforce.
- Session - Indicates that the credential was collected from a session on an exploited target.
- Cracked password - Indicates that Metasploit was able to crack the hash during evidence collection and decipher the plaintext password.