Category Archives: Red Teaming

Taking A (Password) Hint

Recently on a red team engagement, I was given access to a customer environment via a MacBook Pro set up inside their corporate environment. To simulate a compromised machine, the customer ran my payload on this Mac (in this case, a JXA-based Mythic Apfell payload) and it phoned home to my C2 server. This is what’s commonly known as an “assumed breach” scenario.

In this case, the infected laptop was plugged into the office LAN, had the sleep function disabled, the screen locked, and was left sitting on a desk. From simple enumeration on the device itself, I knew the account whose context I was running in had sudo privileges (in macOS world, it was a member of GID 80, the admin group), but my customer point-of-contact hadn’t told me the password. I’m sure they would’ve told me the password had I asked, but I decided to go for realism and try to escalate privileges myself.

As this was basically a computer left by itself with no victim interacting with it, I wasn’t going to get the password via keystroke loggers or fake password prompts. There also wasn’t much in the way of user-created documents on the system to search through for credentials and it was running the latest version of macOS, with no publicly-known privilege escalation exploits either. I even tried some light brute-forcing via Apfell’s test_password function with common passwords to no avail.

One thing that did stick out in my mind was that the username of the compromised account I was running in was just the client company’s name, so it was a good bet this was a shared account, and employees usually don’t commit these sorts of credentials to memory. A feature of both the macOS and Windows GUI login screens is the “password hint” function, to jog a user’s memory. And while both OS’s are configured to not allow you to just put your plaintext password in that field, users often cheat and just give it away with slight modification. In the example below, the John Doe user has a password of simply “password”, and to get around the OS restriction, the hint is in pig Latin.

But I wasn’t sitting physically in front of this victim laptop and I otherwise had no access to the GUI, so I googled furiously for a way to see the user’s password hint from the command line. I actually came up empty-handed in my search, but ended up finding the answer almost by accident while enumerating other info on the system

Viewing Password Hints in macOS

By default, macOS uses its own LDAP implementation to store all user and group data, even just local accounts. The dscl utility can be used from the Mac terminal to interact with this directory service. One of the things you can do with it is view the LDAP data of any account on the system. And one of the values stored in users’ LDAP profiles is their password hint!

You can easily read it with the following command: dscl . -read /Users/[USERNAME] AuthenticationHint

Just to reiterate, as an unprivileged user, you can via the LDAP data of any other user on the system, so this also could be useful for lateral movement.

Sure enough, the account I was using had a password hint that made guessing the real password trivial, and I finally had root-level privileges on the machine!

Viewing Password Hints in Windows

Windows has also had a password hint system since Vista, but (unfortunately for pentesters and red teamers) it’s much better protected than it is in macOS. The password is stored as part of a Windows user’s data in the SAM hive and is only accessible by the NT AUTHORITY\SYSTEM user.

If you have SYSTEM-level access to a box, password hints could still be useful. Maybe its a shared account that doesn’t have administrator privileges (so you can’t just pass-the-hash with the user’s NTLM hash you could otherwise steal out of the SAM), but the same username/password might be reused on different machines that have RDP or SMB file share access enabled.

To view a user’s password hint, you can enter the following into a SYSTEM-level cmd.exe or PowerShell prompt: reg query HKLM\SAM\SAM\Domains\Account\Users\[USER ID] /v UserPasswordHint

The user ID will usually start with “000003” and then two additional hexadecimal numbers. The hint itself is stored as ASCII hex, padded with 00’s in between letters. In the above example, the hint decodes to “the usual”.

Remediation

In macOS, administrators can disable password hints from showing at the GUI login screen, but unfortunately this information is still recorded in users’ local LDAP information if they’ve set a password hint for themselves. Also, as far as I can tell, there isn’t any way to disable local password hints in Windows either.

But this is mostly a problem with local accounts. In both macOS and Windows, network logins, such as to an Active Directory domain, won’t even offer the option of password hints. For IT staff that might have local-only shared accounts on systems, it’s important to educate them on the dangers of using password hints and encourage them to use more secure solutions for sharing credentials instead, such as a password management platform.

My Red Team Everyday Carry (EDC)

I was inspired by a few past videos done by such YouTube physical security personalities as the Lock Picking Lawyer, DeviantOllam, and the Not So Civil Engineer and thought I’d share some of the things I tend to have in my pocket every day that can be used for red teaming/physical security types of activities.

The goals of my everyday carry (EDC) are roughly:

  • functionality: things I’ll actually use
  • lightness: things that don’t take up a ton of pocket space and don’t weigh a lot
  • TSA and government facility friendly: things that aren’t illegal to take on a plane or into a courthouse, so that rules out anything with a knife in it
Almost everything I carry on me, minus a face mask, wristwatch, and my wedding ring. Key bitting redacted.

Gerber Shard

The Gerber Shard is a great little tool to keep on your keyring, even if you aren’t into physical security or locksport. It can function as a:

  • Pry bar
  • Small flathead screwdriver
  • Large flathead screwdriver
  • Philips screwdriver
  • Wire stripper and puller
  • Bottle opener (probably what I use it for the most)
  • Bonus: the pry bar side can also be used to cut open the seals on boxes and other things

And since there’s no knife blade or saw on it, it won’t get confiscated by TSA. I’ve had one on my keyring for years. I only recently replaced one I’d used for close to ten years because the bottle opener was getting worn out. I have an unpainted metal one, but it’s also more commonly available in black.

Phone

I feel like this is a pretty obvious one. Besides being a communications and Internet access device, modern smart phones come pre-equipped with plenty of useful apps that can make your phone function as a flashlight, level, measuring stick, distance finder, camera for light surveillance, and much more.

While my daily driver is an iPhone, a rooted Android phone or even one with the Kali NetHunter tool suite installed would offer tons of red teaming functionality on the go. If you’re really simulating an adversary and trying to do zero-attribution, it could even be a prepaid burner phone.

One iOS tool that not a lot of people know about is the old AirPort Utility app. I’m not sure how much longer it’s going to be around, since Apple discontinued its AirPort line of Wi-Fi routers in 2018, but it offers a simple Wi-Fi scanning tool you can use from a non-jailbroken iOS device!

While it’s not as feature-filled as something like Kismet or some of the Wi-Fi scanning tools available for rooted Android (for example, it can’t sniff and unmask hidden SSID’s), it’s great in a pinch if you’re trying to hunt down an AP’s physical location. It can even export a text file of the scan results.

Wallet

I have a very light Bellroy Note Sleeve wallet that I’ve been using for years. It offers a great balance between being able to carry a lot of stuff, but a nice slim profile so my butt isn’t sore after sitting on it for a long time. It has three slots for the cards you use most frequently (for me, my drivers license and two credit cards), plus an inner sleeve where you can throw your less-used cards, such as my insurance card, Sam’s Club membership card, etc. Though I don’t have any on me at the moment, if you’re going zero-attribution, it’s not a bad idea to carry around some prepaid credit or debit cards, and of course cash, for clandestine purchases.

I don’t own a ProxMark or do RFID attacks very frequently, but if you do, it might also be worth carrying common RFID card blanks or even a diagnostic card like the Not So Civil Engineer does.

Lock Picking Tools

In the aforementioned inner sleeve, I have a small vinyl holder where I keep an assortment of various lock picking and bypassing tools.

At the moment, I’m carrying around:

As trendy as Bogotá picks are, I honestly pop locks way faster with the traditional snake rake, which is why it’s a must-have for me. It’s come in handy on more than one real-life occasion, such as one time when my wife and I were locked out of an old rented condo, or when I used to teach a pentesting course at a local community college and they never unlocked the door to my classroom before I arrived.

I could probably strip this down even more, or swap out some of the tools for different ones, but it fits fine in my wallet so far without adding too much bulk. If you’re asking where the hooks and half-diamonds are, I leave those out in favor of rakes because I’m going for speed. If it takes more than a minute to rake, it’s probably not worth pursuing further. Plus, I suck at single-pin picking anyway.

Door Shim

I got this idea from the Not So Civil Engineer. I have a set of oversized super mica door shims in a fancy pouch that I bought off Sparrows years ago. One of the sheets I cut in half and folded over to make a roughly card-sized door shim that I stuff into the banknote pocket of my wallet. The corners are super sharp and I highly suggest you also use scissors to round them off, so you don’t accidentally slice your fingers the next time you’re reaching for your cash.

What this tool is used for is sliding between the doorframe and a locked door and popping open the latch, assuming it either lacks a dead latch or the door isn’t properly installed. The doorframes in my house are very tight, but this shim can still manage to easily slide in between and pop latches open. It does scratch mine up a bit, but these shims are cheap, easy to make, and made to be disposable.

Using the Sparrows mini jim as a guide, I also cut a little notch in one side of my shim so it can double as a jim for external-opening doors as well. I’ve considered making a larger notch, to approximate a Sparrows “hall pass” or “flex pass” jim, but I’m usually quicker and feel I have better control with the small notch. I might also just buy a flex pass, or make my own out of another piece of super mica shim material, in the future. Though I prefer a traveler hook, a shim with this modification is much more portable.

I hope you enjoyed seeing my EDC and I hope it gives you some inspiration for figuring out what tools you could be carrying with you on a daily basis!