This post is about an internal network test I did for a client earlier in the year. This client's network is a tough nut to crack, and one I've tested before, so I was somewhat apprehensive about going back to do this test for them in case I came away without having "hacked in". We had only just managed it the previous time.

The first thing I run on an internal is the Responder tool. This will grab Windows hashes from LLMNR or NetBIOS requests on the local subnet. However, this client was wise to this and had LLMNR & NetBIOS requests disabled. Despite already knowing this fact from the previous engagement, one of the things I learned during my OSCP course was to always try the easy things first – there’s no point in breaking in through a skylight if the front door is open.

So I ran Responder, and I was surprised to see the following hash captured:

[Screenshot: Responder output showing the captured hash]

Note of course that I would never reveal client confidential information on my blog, therefore everything you see here is anonymised and recreated in the lab with details changed.

Here we can see that the host 172.16.157.133 has sent us the NETNTLMv2 hash for the account FRONTDESK.

By checking this host's NetBIOS information with Crack Map Exec (other tools are available), we can determine whether this is a local account hash. If it is, the "domain" part of the username:

[SMBv2] NTLMv2-SSP Username : 2-FD-87622\FRONTDESK

i.e. 2-FD-87622, should match the host's NetBIOS name. Looking up the IP with CME, we can see that the name of the host does match:

[Screenshot: CME NetBIOS lookup showing the host name 2-FD-87622]

So the next port of call was to try to crack this hash and recover the plaintext password. Hashcat was run against rockyou.txt with a rule set, and quickly cracked the password.

hashcat -m 5600 responder /usr/share/wordlists/rockyou.txt -r /usr/share/rules/d3adhob0.rule

[Screenshot: hashcat output showing the cracked password]

Now we have a set of credentials for the front desk machine. Hitting the machine again with CME but this time passing the cracked credentials:

cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth

[Screenshot: CME output showing the account is a local administrator on its own machine]

We can see Pwn3d! in the output, showing us that this is a local administrator account. This means we have the privileges required to dump the local password hashes:

cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth --sam

[Screenshot: SAM hashes dumped by CME]

Note that we can see the FRONTDESK entry:

FRONTDESK:1002:aad3b435b51404eeaad3b435b51404ee:eb6538aa406cfad09403d3bb1f94785f:::

This time we are seeing the NTLM hash of the password, rather than the NETNTLMv2 "challenge/response" hash that Responder caught earlier. Responder catches hashes over the wire, and these are a different format from the one that Windows stores in the SAM.

The next step was to try the local administrator hash and spray it against the client’s server range. Note that we don’t even have to crack this administrator password, we can simply “pass-the-hash”:

cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth

[Screenshot: CME output showing the local administrator password reused on another host]

We can only pass-the-hash using the stored NTLM format, not the NETNTLMv2 network format (unless you look to execute an “SMB relay” attack instead).

To our surprise, it got a hit: the local administrator password had been reused on the STEWIE machine. Querying this host's NetBIOS info:

$ cme smb 172.16.157.134 
SMB         172.16.157.134  445    STEWIE           
[*] Windows Server 2008 R2 Foundation 7600 x64 (name:STEWIE) (domain:MACFARLANE)
(signing:False) (SMBv1:True)

We can see it is a member of the MACFARLANE domain, the main domain of the client’s Active Directory.

So the non-domain machine had a local administrator password which was reused on the internal servers. We can now use Metasploit to PsExec onto the machine, supplying the NTLM hash as the password, which causes Metasploit to pass-the-hash.

[Screenshot: Metasploit PsExec module options]

Once run, we gain our shell:

[Screenshot: PsExec shell on STEWIE]

We can load the Mimikatz module and read Windows memory to find passwords:

[Screenshot: Mimikatz output]

Looks like we have the DA (Domain Admin) account details. To finish off, we use CME to execute commands on the Domain Controller to add ourselves as a DA (purely as a proof of concept for our pentest; in real life, or to remain more stealthy, we could just use the discovered account).

cme smb 172.16.157.135 -u administrator -p 'October17' -x 'net user markitzeroda hackersPassword! /add /domain /y && net group "domain admins" markitzeroda /add'

[Screenshot: CME output from adding the Domain Admin account]

Note the use of the undocumented /y switch to suppress the prompt Windows gives you when adding a password longer than 14 characters.

A screenshot of Remote Desktop to the Domain Controller can go into the report as proof of exploitation:

[Screenshot: Remote Desktop session on the Domain Controller as proof of exploitation]

So if this front desk machine had been joined to the domain, it would have had LLMNR disabled (from their Group Policy setting), and we wouldn't have gained the initial access to it and leveraged its secrets to compromise the whole domain. Of course there are other mitigations, such as using LAPS to manage local administrator passwords and setting FilterAdministratorToken to prevent SMB logins using the local RID 500 account (see the post in the references below for a detailed treatment).
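As an added example (not from the original post), here is a PowerShell audit that checks a single Windows host for the three mitigations just discussed: LLMNR off, NetBIOS name resolution off, and remote UAC token filtering left in place so that a local administrator hash cannot be passed over SMB. The registry locations and values are assumed from Microsoft's documentation and the linked harmj0y post; the LAPS check is left out because it is a domain-side deployment rather than a local setting.

```powershell
# Added example: audit local hardening against the attack chain in the post.
# Assumed registry semantics (from Microsoft docs / harmj0y's post):
#   EnableMulticast = 0                 -> LLMNR disabled
#   NetbiosOptions  = 2 (per interface) -> NetBIOS over TCP/IP disabled
#   LocalAccountTokenFilterPolicy = 1   -> remote UAC filtering OFF (pass-the-hash works)
#   FilterAdministratorToken = 1        -> RID 500 account is filtered too
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value is reported as $null (i.e. "default")
}

function Test-LocalHardening {
    $findings = @()

    # 1. LLMNR: the policy value must exist and be 0; absent means LLMNR is still on.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $d = if ($null -eq $llmnr) { 'EnableMulticast not set (LLMNR enabled)' } else { "EnableMulticast=$llmnr" }
    $findings += [pscustomobject]@{ Check = 'LLMNR disabled'; Pass = ($llmnr -eq 0); Detail = $d }

    # 2. NetBIOS over TCP/IP: every NetBT interface key must have NetbiosOptions = 2.
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' -ErrorAction SilentlyContinue
    $nbtOn = @($ifaces | Where-Object { (Get-RegValue $_.PSPath 'NetbiosOptions') -ne 2 })
    $findings += [pscustomobject]@{ Check = 'NetBIOS-NS disabled on all interfaces'; Pass = ($nbtOn.Count -eq 0)
                                    Detail = "$($nbtOn.Count) interface(s) still answer NetBIOS name queries" }

    # 3. Remote UAC filtering for local accounts: LocalAccountTokenFilterPolicy=1 turns it
    #    off and lets any local admin hash be used over SMB, as CME did in the post.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $latfp = Get-RegValue $sys 'LocalAccountTokenFilterPolicy'
    $d = if ($null -eq $latfp) { 'not set (default: filtered)' } else { "value=$latfp" }
    $findings += [pscustomobject]@{ Check = 'LocalAccountTokenFilterPolicy not 1'; Pass = ($latfp -ne 1); Detail = $d }

    # 4. FilterAdministratorToken=1 applies the same filtering to the built-in RID 500
    #    administrator, which is the account whose hash was sprayed in the post.
    $fat = Get-RegValue $sys 'FilterAdministratorToken'
    $d = if ($null -eq $fat) { 'not set (RID 500 token NOT filtered)' } else { "value=$fat" }
    $findings += [pscustomobject]@{ Check = 'FilterAdministratorToken enabled'; Pass = ($fat -eq 1); Detail = $d }

    $findings
}

Test-LocalHardening | Format-Table -AutoSize
```

Run it from an elevated prompt on the host being assessed; each row with Pass = False corresponds to one step of the chain above that would still succeed.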

References:

http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/