TryHackMe : Information Researching

Now I'm going to go astray from the actual questions, as this room is all about researching and gathering intelligence. I want to take this room to learn a good bit about Windows, finding Windows-based vulnerabilities and such.

A question that does pop up is: What hash format are modern Windows login passwords stored in?

Resources:

Using exploitation databases

Often in hacking you'll come across software that might be open to exploitation. For example, Content Management Systems (such as WordPress, FuelCMS, Ghost, etc.) are frequently used to make setting up a website easier, and many of these are vulnerable to various attacks. So where would we look if we wanted to exploit specific software?

The answer to that question lies in websites such as:

NVD keeps track of CVEs (Common Vulnerabilities and Exposures) – whether or not there is an exploit publicly available – so it's a really good place to look if you're researching vulnerabilities in a specific piece of software. CVEs take the form: CVE-YEAR-IDNUMBER (Hint Hint: It's going to be really useful in the questions!)
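As an added example (not part of the original room or write-up), this Python sketch pulls CVE IDs in the CVE-YEAR-IDNUMBER form out of free text, such as a scanner report, and maps each one to its NVD detail page. The function names and the sample report are assumptions, and the CVE IDs in the sample are constructed placeholders that do not refer to real entries.

```python
import re

# CVE-YEAR-IDNUMBER: a 4-digit year, then a sequence number of 4 or more digits.
# The lookbehind stops matches inside longer tokens such as "XCVE-...".
CVE_RE = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})", re.IGNORECASE)

NVD_DETAIL = "https://nvd.nist.gov/vuln/detail/"
FIRST_CVE_YEAR = 1999  # the CVE list starts in 1999

# Constructed sample input: placeholder IDs, not real vulnerabilities.
SAMPLE = """\
[+] CMS plugin flagged: cve-2020-9999999
See also CVE-2019-9999990 and CVE-2020-9999999.
Malformed or out of range: CVE-2020-123, CVE-1998-0001234, XCVE-2020-1111111
"""


def extract_cves(text):
    """Return the unique, upper-cased CVE IDs found in text, oldest first."""
    found = set()
    for year, seq in CVE_RE.findall(text):
        if int(year) < FIRST_CVE_YEAR:
            continue  # no CVE IDs exist before 1999
        # Sort key is (year, numeric sequence); the ID string is kept verbatim.
        found.add((int(year), int(seq), f"CVE-{year}-{seq}"))
    return [cve for _, _, cve in sorted(found)]


def nvd_links(text):
    """Map each CVE ID found in text to its NVD detail URL."""
    return {cve: NVD_DETAIL + cve for cve in extract_cves(text)}


if __name__ == "__main__":
    for cve, url in nvd_links(SAMPLE).items():
        print(cve, url)
```

The short ID (three digits), the pre-1999 year and the ID embedded in a longer token are all rejected, and the lower-case duplicate collapses into a single normalised entry.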

ExploitDB tends to be very useful for hackers, as it often actually contains exploits that can be downloaded and used straight out of the box. It tends to be one of the first stops when you encounter software in a CTF or pentest.

If you're inclined towards the CLI on Linux, Kali comes pre-installed with a tool called "searchsploit" which allows you to search ExploitDB from your own machine. This is offline, and works using a downloaded version of the database, meaning that you already have all of the exploits on your Kali Linux machine!