This post is regarding an internal network test for a client I did earlier in the year. This client’s network is a tough nut to crack, and one I’ve tested before, so I was kind of apprehensive about going back to do this test for them in case I came away without having “hacked in”. We had only just managed it the previous time.

The first thing I run on an internal is the Responder tool. This captures Windows hashes from LLMNR or NetBIOS name requests on the local subnet. However, this client was wise to this and had LLMNR and NetBIOS requests disabled. Despite already knowing this from the previous engagement, one of the things I learned during my OSCP course was to always try the easy things first: there’s no point in breaking in through a skylight if the front door is open.

So I ran Responder, and I was surprised to see the following hash captured:

[Screenshot: Responder output showing the captured hash]

Note of course that I would never reveal client confidential information on my blog, therefore everything you see here is anonymised and recreated in the lab with details changed.

Here we can see the host 172.16.157.133 has sent us the NETNTLMv2 hash for the account FRONTDESK.

By checking this host’s NetBIOS information with CrackMapExec (other tools are available), we can determine whether this is a local account hash. If it is, the “domain” part of the username:

[SMBv2] NTLMv2-SSP Username : 2-FD-87622\FRONTDESK

i.e. 2-FD-87622 should match the host’s NetBIOS name if this is the case. Looking up the IP with CME we can see that the name of the host matches:

[Screenshot: CME NetBIOS lookup showing the host name 2-FD-87622]

So the next port of call was to try and crack this hash and obtain the plaintext password. Hashcat was run against rockyou.txt with a rule set, and quickly cracked the password.

hashcat -m 5600 responder /usr/share/wordlists/rockyou.txt -r /usr/share/rules/d3adhob0.rule

[Screenshot: Hashcat output with the cracked password]

Now we have a set of credentials for the front desk machine. Hitting the machine again with CME but this time passing the cracked credentials:

cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth

[Screenshot: CME output showing the account is a local administrator on its own machine]

We can see Pwn3d! in the output, showing us that this is a local administrator account. This means we have the privileges required to dump the local password hashes:

cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth --sam

[Screenshot: dumped SAM hashes]

Note that we can see:

FRONTDESK:1002:aad3b435b51404eeaad3b435b51404ee:eb6538aa406cfad09403d3bb1f94785f:::

This time we are seeing the NTLM hash of the password, rather than the NETNTLMv2 “challenge/response” hash that Responder caught earlier. Responder catches hashes over the wire, and these are different to the format that Windows stores in the SAM.

The next step was to try the local administrator hash and spray it against the client’s server range. Note that we don’t even have to crack this administrator password, we can simply “pass-the-hash”:

cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth

[Screenshot: CME spray output showing local administrator password reuse]

We can only pass-the-hash using the stored NTLM format, not the NETNTLMv2 network format (unless you look to execute an “SMB relay” attack instead).

To our surprise, it got a hit: the local administrator password had been reused on the STEWIE machine. Querying this host’s NetBIOS info:

$ cme smb 172.16.157.134 
SMB         172.16.157.134  445    STEWIE           
[*] Windows Server 2008 R2 Foundation 7600 x64 (name:STEWIE) (domain:MACFARLANE)
(signing:False) (SMBv1:True)

We can see it is a member of the MACFARLANE domain, the main domain of the client’s Active Directory.

So the non-domain machine had a local administrator password which was reused on the internal servers. We can now use Metasploit to PsExec onto the machine, supplying the NTLM hash as the password, which causes Metasploit to pass-the-hash.

[Screenshot: Metasploit PsExec module options]

Once run, we gain our shell:

[Screenshot: PsExec shell on STEWIE]

We can load the Mimikatz module and read Windows memory to find passwords:

[Screenshot: Mimikatz output]

Looks like we have the DA (Domain Admin) account details. To finish off, we use CME to execute commands on the Domain Controller to add ourselves as a DA (purely as a proof of concept for our pentest; in real life, or to remain more stealthy, we could simply use the discovered account).

cme smb 172.16.157.135 -u administrator -p 'October17' -x 'net user markitzeroda hackersPassword! /add /domain /y && net group "domain admins" markitzeroda /add'

[Screenshot: CME output adding the Domain Admin account]

Note the use of the undocumented /y switch to suppress the prompt Windows gives you when adding a password longer than 14 characters.

A screenshot of Remote Desktop to the Domain Controller can go into the report as proof of exploitation:

[Screenshot: Remote Desktop session to the Domain Controller as proof of exploitation]

So if this front desk machine had been joined to the domain, it would have had LLMNR disabled (from their Group Policy setting) and we wouldn’t have gained the initial access to it and leveraged its secrets in order to compromise the whole domain. Of course there are other mitigations, such as using LAPS to manage local administrator passwords and setting FilterAdministratorToken to prevent SMB logins using the local RID 500 account (harmj0y has a great post on this; see the reference below).
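
The checks behind these mitigations, as an added example that is not from the original post: a PowerShell audit of the registry values that the LLMNR Group Policy, the NetBT service and the token-filter policy write on a Windows host. It assumes an elevated session on the host being checked, and the LAPS check looks only for the legacy (AdmPwd) LAPS policy key.

```powershell
# Added example: audit the hardening settings named in the post on the local host.
# Run from an elevated PowerShell session; absent values mean the Windows default applies.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# 1. LLMNR. The GPO "Turn off multicast name resolution" writes EnableMulticast = 0.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
if ($llmnr -ne 0) {
    $findings += 'LLMNR enabled (EnableMulticast is not 0): the host will answer spoofed multicast name lookups and send its NetNTLMv2 response to whoever replied.'
}

# 2. NetBIOS over TCP/IP is set per interface: 0 = from DHCP, 1 = enabled, 2 = disabled.
$ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in $ifaces) {
    $opt = Get-RegValue $iface.PSPath 'NetbiosOptions'
    if ($opt -ne 2) {
        $findings += "NetBIOS over TCP/IP not disabled on $($iface.PSChildName) (NetbiosOptions = $opt)."
    }
}

# 3. Remote logons by local accounts. LocalAccountTokenFilterPolicy = 1 gives every local
#    admin a full token over the network; FilterAdministratorToken = 1 makes the built-in
#    RID 500 Administrator subject to the same filtering, which it is exempt from by default.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $sys 'LocalAccountTokenFilterPolicy') -eq 1) {
    $findings += 'LocalAccountTokenFilterPolicy = 1: any local administrator hash grants full remote admin over SMB.'
}
if ((Get-RegValue $sys 'FilterAdministratorToken') -ne 1) {
    $findings += 'FilterAdministratorToken is not 1: a reused RID 500 Administrator hash still grants admin over SMB.'
}

# 4. Legacy LAPS (AdmPwd) stores its policy here; if it is missing, confirm by other means
#    that local administrator passwords are unique per machine.
if (-not (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd')) {
    $findings += 'No legacy LAPS (AdmPwd) policy found: local administrator passwords may be shared across hosts.'
}

if ($findings.Count -eq 0) { 'All checked settings match the recommended hardening.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

On a machine configured like the front desk host in this post, the script would report the LLMNR and FilterAdministratorToken findings, which together are what allowed the initial capture and the later pass-the-hash against the reused administrator account.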

References:

http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/