Recovering HTTP Digest Authentication Hashes


Introduction

On a recent engagement I had the chance to work with Responder. The tool was created by SpiderLabs in 2014 and still does an awesome job: it can poison the network in order to retrieve authentication hashes and passwords. By default it will only respond to SMB requests. With a few more options, the tool can poison network traffic for specific targets and numerous protocols. This enables us to retrieve NTLM hashes for pass-the-hash attacks and also to crack those hashes.

This time, I did not get any results with the default settings. The next step was therefore to inject a WPAD file pointing to my malicious proxy, so that the victim's browser would answer an HTTP Digest authentication challenge. In my case the proxy was a running instance of Burp Proxy, which makes it easy to monitor and manipulate the incoming requests. So, how does Digest authentication actually work?

HTTP Basic Authentication

Let’s start with HTTP Basic authentication. The server sends a response with the TODO header and a realm that distinguishes the scope of the authentication. This header tells the browser to open a login prompt. The browser then concatenates the username and password, base64-encodes the result and sends it to the server in an HTTP request. By simply decoding the base64 string we can recover the username:password combination.

TODO: Screenshot

HTTP Digest Authentication

With Digest authentication the whole thing gains in complexity. This time the server's response also includes a nonce, a magic value, … . The browser asks the user for credentials the same way, then hashes the variables together and sends off the request.

TODO: example header

user:$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth

The subsequent client request includes a string whose fields are separated by “$”. The fields are as follows; here the magic is ‘$response$’:

user:$MAGIC$response$user$realm$method$uri$nonce$nonceCount$ClientNonce$qop
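The response value in that line is computed from exactly the other fields plus the password, so the arithmetic is worth seeing once. The following Python script is an added example, not code from the original post, from Responder or from John: it implements the RFC 2617 calculation for qop=auth (MD5, matching the HDAA-MD5 format John reports), splits a "$"-separated line into named fields, and shows the server-side check that recomputes the response from a candidate password. The sample challenge values, the user "alice" and the password "correct-horse" are constructed for the example; only qop=auth is handled, which is an assumption of the example. The parser also accepts the line shown above.

```python
import hashlib
import hmac
from typing import Dict

# Order of the '$'-separated fields that follow the "$response$" magic.
FIELDS = ("response", "user", "realm", "method", "uri",
          "nonce", "nc", "cnonce", "qop")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(fields: Dict[str, str], password: str) -> str:
    """RFC 2617 response for qop=auth, i.e. what the browser computes.

    HA1 = MD5(user:realm:password) is the only part that involves the
    password; HA2 and every other input travel in the clear.
    """
    ha1 = md5_hex(f"{fields['user']}:{fields['realm']}:{password}")
    ha2 = md5_hex(f"{fields['method']}:{fields['uri']}")
    return md5_hex(f"{ha1}:{fields['nonce']}:{fields['nc']}:"
                   f"{fields['cnonce']}:{fields['qop']}:{ha2}")


def parse_digest_line(line: str) -> Dict[str, str]:
    """Split a 'user:$response$...' line into its named fields."""
    user, sep, rest = line.strip().partition(":")
    parts = rest.split("$")
    # rest starts with '$', so parts[0] is '' and parts[1] is the magic.
    if (not sep or len(parts) != 2 + len(FIELDS)
            or parts[0] or parts[1] != "response"):
        raise ValueError("not a $response$ digest line")
    fields = dict(zip(FIELDS, parts[2:]))
    if fields["user"] != user:
        raise ValueError("user prefix does not match the user field")
    if fields["qop"] != "auth":
        raise ValueError("only qop=auth is handled in this example")
    return fields


def check_password(fields: Dict[str, str], candidate: str) -> bool:
    """The server-side check: recompute the response and compare it.

    Uses a constant-time comparison, as a real server should.
    """
    expected = digest_response(fields, candidate)
    return hmac.compare_digest(expected, fields["response"])


def build_digest_line(fields: Dict[str, str], password: str) -> str:
    """Produce the '$'-separated line format for a known password."""
    values = dict(fields, response=digest_response(fields, password))
    return fields["user"] + ":$response$" + "$".join(values[f] for f in FIELDS)


# Constructed sample exchange: every value below is made up for the example.
SAMPLE_CHALLENGE = {
    "user": "alice", "realm": "myrealm", "method": "GET", "uri": "/",
    "nonce": "0123456789abcdef0123456789abcdef", "nc": "00000001",
    "cnonce": "fedcba9876543210", "qop": "auth",
}
SAMPLE_PASSWORD = "correct-horse"  # constructed, not from the page


def demo() -> bool:
    """Round trip: build a line, parse it, verify right and wrong passwords."""
    line = build_digest_line(SAMPLE_CHALLENGE, SAMPLE_PASSWORD)
    fields = parse_digest_line(line)
    return (check_password(fields, SAMPLE_PASSWORD)
            and not check_password(fields, "wrong-password"))


if __name__ == "__main__":
    print(build_digest_line(SAMPLE_CHALLENGE, SAMPLE_PASSWORD))
    print("round trip ok:", demo())
```

Everything except the password either crosses the wire in the clear or sits in the line above, so check_password can be run against a wordlist by anyone who observed the exchange; that is all John does in the demonstration below. The same MD5(user:realm:password) value (HA1) is what the server keeps in its htdigest file, so Digest over plain HTTP protects the password only as far as MD5 and the password's guessability allow; serving the login over TLS removes the observer from the picture.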

Demonstration

First, we intercepted the hash with Burp Proxy.

hashcat

The resulting string is not supported by hashcat as it stands. To get cracking there, we would first have to identify the correct hash and challenge parameters.

JtR

John the Ripper supports this hash format out of the box.

$ cat ./htdigest
moi:$response$faa6cb7d676e5b7c17fcbf966436aa0c$moi$myrealm$GET$/$af32592775d27b1cd06356b3a0db9ddf$00000001$8e1d49754a25aea7$auth
user:$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth

$ ./john ./htdigest
Loaded 2 password hashes with 2 different salts (HTTP Digest access authentication [HDAA-MD5])
kikou            (moi)
nocode           (user)
guesses: 2  time: 0:00:01:27 (3)  c/s: 670223  trying: nocode

Links