This post is regarding an internal network test for a client I did earlier in the year. This client’s network is a tough nut to crack, and one I’ve tested before so I was kind of apprehensive of going back to do this test for them in case I came away without having “hacked in”. We had only just managed it the previous time.这篇文章是关于作者在早些时候为客户做的内部网络测试。 这个客户的网络是一个难以解决的难题,而且之前我已经测试过,所以我有点担心要回去为他们做这个测试,以防我在没有“入侵”的情况下离开。 我们以前只是管理它。

The first thing I run on an internal is the Responder tool. This will grab Windows hashes from LLMNR or NetBIOS requests on the local subnet. However, this client was wise to this and had LLMNR & NetBIOS requests disabled. Despite already knowing this fact from the previous engagement, one of the things I learned during my OSCP course was to always try the easy things first – there’s no point in breaking in through a skylight if the front door is open.

我在内部运行的第一件事是Responder工具。 这将从本地子网上的LLMNR或NetBIOS请求中获取Windows散列。 但是,此客户端明智,并且禁用了LLMNR和NetBIOS请求。 尽管已经从以前的参与中了解到这一事实,但我在OSCP课程中学到的东西之一就是总是先尝试简单的事情 – 如果前门打开,通过天窗就没有任何意义。

So I ran Responder, and I was surprised to see the following hash captured:

所以我跑了Responder,我惊讶地看到下面的哈希值被捕获:

reponder

Note of course that I would never reveal client confidential information on my blog, therefore everything you see here is anonymised and recreated in the lab with details changed.

当然要注意,我永远不会在我的博客上透露客户机密信息,因此您在此处看到的所有内容都会在实验室中匿名化并重新创建,并且细节已更改。

Here we can see the host 17.16.157.133 has sent us the NETNTLMv2 hash for the account FRONTDESK.

在这里,我们可以看到主机17.16.157.133向我们发送了帐户FRONTDESK的NETNTLMv2哈希值。

Checking this host’s NetBIOS information with Crack Map Exec (other tools are available), we can check whether this is a local account hash. If it is, the “domain” part of the username:

使用Crack Map Exec检查此主机的NetBIOS信息(其他工具可用),我们可以检查这是否是本地帐户哈希。 如果是这样,用户名的“域”部分:

[SMBv2] NTLMv2-SSP Username : 2-FD-87622\FRONTDESK

i.e. 2-FD-87622 should match the host’s NetBIOS name if this is the case. Looking up the IP with CME we can see that the name of the host matches:

i.e. 2-FD-87622 应该与主机的NetBIOS名称匹配(如果是这种情况)。 用CME查找IP,我们可以看到主机的名称匹配:

netbios

So the next port of call we to try and crack this hash and gain the plaintext password. Hashcat was loaded against rockyou.txt and rules, and quickly cracked the password.

所以下一个端口我们试着破解这个散列并获得明文密码。 Hashcat被加载反对rockyou.txt和规则,并迅速破解密码。

hashcat -m 5600 responder /usr/share/wordlists/rockyou.txt -r /usr/share/rules/d3adhob0.rule

hashcat

Now we have a set of credentials for the front desk machine. Hitting the machine again with CME but this time passing the cracked credentials:

现在我们有一套前台机器的凭证。 再次用CME击中机器,但这次传递了破解的证书:

cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth

admin on own machine

We can see Pwn3d! in the output showing us that this is a local administrator account. This means with have the privileges required to dump the local password hashes:

我们可以看到Pwn3d! 在输出显示我们这是一个本地管理员帐户。 这意味着具有转储本地密码散列所需的权限:

cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth --sam

SAM hashes

Note we can see

FRONTDESK:1002:aad3b435b51404eeaad3b435b51404ee:eb6538aa406cfad09403d3bb1f94785f:::

This time we are seeing the NTLM hash of the password, rather than the NETNTLMv2 “challenge/response” hash that Responder caught earlier. Responder catches hashes over the wire, and these are different to the format that Windows stores in the SAM.

这一次,我们看到了密码的NTLM哈希值,而不是响应者之前捕获的NETNTLMv2“质询/响应”哈希值。 响应者通过网络捕获散列,这些与Windows在SAM中存储的格式不同。

The next step was to try the local administrator hash and spray it against the client’s server range. Note that we don’t even have to crack this administrator password, we can simply “pass-the-hash”:

下一步是尝试本地管理员散列并将其喷洒在客户端的服务器范围内。 请注意,我们甚至不需要破解这个管理员密码,我们可以简单地“传递哈希”:

cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth

admin password reuse

We can only pass-the-hash using the stored NTLM format, not the NETNTLMv2 network format (unless you look to execute an “SMB relay” attack instead).

我们只能使用存储的NTLM格式传递哈希值,而不是NETNTLMv2网络格式(除非您希望执行“SMB中继”攻击)。

To our surprise, it got a hit, the local administrator password had been reused on the STEWIE machine. Querying this host’s NetBIOS info:

令我们惊讶的是,它受到了重创,本地管理员密码已在STEWIE机器上重新使用。 查询此主机的NetBIOS信息:

$ cme smb 172.16.157.134 
SMB         172.16.157.134  445    STEWIE           
[*] Windows Server 2008 R2 Foundation 7600 x64 (name:STEWIE) (domain:MACFARLANE)
(signing:False) (SMBv1:True)

We can see it is a member of the MACFARLANE domain, the main domain of the client’s Active Directory.

我们可以看到它是MACFARLANE域的成员,它是客户端Active Directory的主要域。

So the non-domain machine had a local administrator password which was reused on the internal servers. We can now use Metasploit to PsExec onto the machine, using the NTLM as the password which will cause Metasploit to pass-the-hash.

所以非域名机器有一个本地管理员密码,它在内部服务器上被重用。 我们现在可以使用Metasploit将PsExec加入到机器上,使用NTLM作为密码,这将导致Metasploit传递哈希值。

metasploit options

Once ran, our shell is gained:

一旦运行,我们的外壳就会获得:

ps exec shell

We can load the Mimikatz module and read Windows memory to find passwords:

我们可以加载Mimikatz模块并读取Windows内存以查找密码:

mimikatz

Looks like we have the DA (Domain Admin) account details. And to finish off, we use CME to execute commands on the Domain Controller to add ourselves as a DA (purely for a POC for our pentest, in real life or to remain more stealthy we could just use the discovered account).

看起来我们有DA(域管理员)帐户详细信息。 最后,我们使用CME在域控制器上执行命令,将自己添加为一个DA(纯粹是为了我们的pentest,在现实生活中的POC或为了保持更隐蔽,我们可以使用已发现的帐户)。

cme smb 172.16.157.135 -u administrator -p 'October17' -x 'net user markitzeroda hackersPassword! /add /domain /y && net group "domain admins" markitzeroda /add'

add da

Note the use of the undocumented /y function to suppress the prompt Windows gives you for adding a password longer than 14 characters.

请注意使用未记录的/ y函数来禁止提示Windows为您添加超过14个字符的密码。

A screenshot of Remote Desktop to the Domain Controller can go into the report as proof of exploitation:

远程桌面到域控制器的屏幕截图可以作为利用证据进入报告:

da proof

So if this front desk machine had been joined to the domain, it would have had LLMNR disabled (from their Group Policy setting) and we wouldn’t have gained the initial access to it and leveraged its secrets in order to compromise the whole domain. Of course there are other mitigations such as using LAPS to manage local administrator passwords and setting FilterAdministratorToken to prevent SMB logins using the local RID 500 account (great post on this here).

因此,如果这台前台机器已加入到域中,它将会(从他们的组策略设置)中禁用LLMNR,并且我们不会获得对它的初始访问权并利用其秘密来破坏整个域。 当然,还有其他缓解措施,例如使用LAPS管理本地管理员密码,并设置FilterAdministratorToken以防止使用本地RID 500帐户进行SMB登录。

参考文献:

http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/