
In this tutorial I show how to test user credentials with CredNinja, a package created by Chris King of Mandiant.

Here’s What You Need

  • Kali Linux Instance (VirtualBox)
  • CredNinja Package, find it here.

Nmap to CredNinja

# Setting a workspace keeps things organized
msf > workspace -a ehg_lab_demo

# db_nmap is useful for saving scan data
msf > db_nmap -A -O -sV 10.0.1.0/24

db_nmap saves the results into the Metasploit database.

-A Enable script scanning and traceroute.

-O Turn on operating system detection.

-sV Get the service/version info from open ports.

# This will list available hostnames
msf > hosts

# This will list running services
msf > services

How It Works

At its core, CredNinja tries to access the C drive (the C$ share) of each specified hostname over SMB. Logically you would use the results of the Nmap scan to build the host input for CredNinja. There are two required inputs: user accounts and devices on the network. The format is {domain\username} for the creds.txt file and an IP address or IP range for the ips.txt file, with one entry per line in each file.

Concurrency is a highlight of CredNinja. By default it uses 10 threads to run its checks in parallel.

‘Quickly check the validity of multiple user credentials across multiple servers and be notified if that user has local administrator rights on each server.’

- Github.com/Raikia/CredNinja

Unix Tools at Work Underneath

The creativity of CredNinja is that it checks user accounts against servers in a stealthy way: it simply connects to a default administrative share (C$) on the C:\ drive of a Windows server and records whether the connection succeeds.

# check if SMB checking utility is installed
root@kali:~ which pth-smbclient
/usr/bin/pth-smbclient

Success versus failure.

# success
# print the files of the C:\ directory of the server using the creds
root@kali:~ smbclient -U TESTDOMAIN.com\\\\Bob \\\\10.0.0.1\\c$ Password123 -c dir -m SMB3

# failure
session setup failed: NT_STATUS_LOGON_FAILURE

Notice how the successful output is what you would expect from the Windows ‘dir’ command: it lists the files in the C:\ directory. A rejected credential returns NT_STATUS_LOGON_FAILURE instead, and that difference is exactly what CredNinja keys on.
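As an added example from the defender's side (not CredNinja's own code, which is the page's subject): the check above leaves a recognisable footprint in the Windows Security log, one source address reaching the C$ share (event 5140) or failing logons (event 4625) on many hosts within seconds, which is what a threaded, network-wide check looks like. The event IDs are real; the pipe-delimited record format, host names, addresses and the thresholds (5 hosts in 60 seconds) are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records: timestamp|event_id|source_ip|target_host|share.
# 5140 = network share accessed, 4625 = failed logon, 4624 = successful logon.
SAMPLE_LINES = [
    "2024-05-01T10:00:00|4625|10.0.1.50|SRV01|",
    "2024-05-01T10:00:00|5140|10.0.1.50|SRV02|\\\\*\\C$",
    "2024-05-01T10:00:01|4625|10.0.1.50|SRV03|",
    "2024-05-01T10:00:01|5140|10.0.1.50|SRV04|\\\\*\\C$",
    "2024-05-01T10:00:02|4625|10.0.1.50|SRV05|",
    "2024-05-01T10:00:02|5140|10.0.1.50|SRV06|\\\\*\\C$",
    "2024-05-01T10:00:03|5140|10.0.1.50|SRV06|\\\\*\\IPC$",  # not the C$ share, ignored
    "2024-05-01T09:00:00|5140|10.0.1.7|SRV01|\\\\*\\C$",    # admin workstation, slow pace
    "2024-05-01T09:40:00|5140|10.0.1.7|SRV02|\\\\*\\C$",
    "2024-05-01T10:30:00|4624|10.0.1.7|SRV03|",             # ordinary logon, not a signal
]

def parse_event(line):
    """Split one pipe-delimited record into a dict with a datetime timestamp."""
    ts, event_id, src, host, share = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "src": src, "host": host, "share": share}

def is_check_attempt(ev):
    """True for either outcome of a credential check: C$ reached, or logon refused."""
    share_name = ev["share"].rsplit("\\", 1)[-1]  # "\\*\C$" -> "C$", "\\*\IPC$" -> "IPC$"
    return (ev["id"] == 5140 and share_name == "C$") or ev["id"] == 4625

def max_hosts_in_window(events, window):
    """Largest number of distinct target hosts one source touched inside `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    best, lo = 0, 0
    for hi, ev in enumerate(events):
        while ev["ts"] - events[lo]["ts"] > window:  # slide the window start forward
            lo += 1
        best = max(best, len({e["host"] for e in events[lo:hi + 1]}))
    return best

def detect_sweeps(lines, min_hosts=5, window=timedelta(seconds=60)):
    """Map each source address to its peak host count when that peak reaches `min_hosts`."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_check_attempt(ev):
            by_src[ev["src"]].append(ev)
    return {src: peak for src, evs in by_src.items()
            if (peak := max_hosts_in_window(evs, window)) >= min_hosts}
```

Calling `detect_sweeps(SAMPLE_LINES)` flags only 10.0.1.50 (6 hosts in 2 seconds); the slow-paced admin workstation stays below the threshold.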

Run CredNinja

# run CredNinja
root@kali:~/CredNinja-master python CredNinja.py -a accounts.txt -s servers.txt

Have creds? Then use CredNinja.

One of the values in the Response column is “LOCAL ADMIN! Valid”. Why the excitement over an account being a local admin? A local admin has full privileges on a machine. Think of the built-in Administrator user on your Windows host: it is the admin account of your computer, so it can do anything. That is the one reason it is such a coveted set of credentials to possess. CredNinja is useful because it validates credentials and singles out local admin credentials from the rest. Not all credentials are created equal. Focus on the local admins.
