On penetration testing engagements, I’ve come to find that you either get domain admin easily in the first few hours, or you spend the entire engagement struggling and using much more complex attack techniques. There is no middle ground. This entry in this public brain book will be a succinct and focused exploration of the former. Due to a lack of today’s best practices, many companies’ networks are still vulnerable to tools like responder and hashcat, and when they are we can achieve domain admin while our morning coffee is still hot. Or at least tepid.
The fight begins by queuing up responder (Kali Linux in this walk-through) inside the environment you’re engaged with, in analyze mode (-A) on the interface of choice (-I). This should always be the mode you boot into first, to get an idea of what’s flying around before you act:
responder -A -I eth0
Once you feel you have a good idea of what’s going on, and you’re feeling emboldened, it’s time for a responder command with a little more bravado:
responder -rfPF --basic --lm -I eth0
Let’s break down the command above in detail (the combined -rfPF could equally be written as -r -f -F -P):
- -r = enables answers for NetBIOS wredir suffix queries
- -f = fingerprinting; lets you fingerprint the host that issued an NBT-NS or LLMNR query
- -F = ForceWpadAuth; forces basic authentication on wpad.dat file retrieval, and may cause a login prompt
- -P = ProxyAuth; forces NTLM (transparent) or Basic (prompt) authentication for the proxy. WPAD doesn’t need to be on. Highly effective when combined with -r
- --basic = return a Basic HTTP authentication
- --lm = forces an LM hashing downgrade for Windows XP/2003 and earlier.
If the target system sends out an LLMNR (Link-Local Multicast Name Resolution) or NBT-NS (NetBIOS Name Service) broadcast to find and authenticate to a resource that doesn’t exist, we take advantage of the blind trust built into these protocols: responder simply pretends to be that non-existent resource. Among the responses we get back, the ones we want are those containing a hashed password value. Eventually, in this misconfigured environment, we get one:
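The defender’s counterpart to the poisoning just described, added here as an example and not part of the original post: a decoy-name probe that asks LLMNR for a host name known not to exist on the network and flags any host that answers, which is exactly what a poisoner does. The name decoy-fs01, the responder address 10.0.0.66 and the sample reply bytes are constructed for the example; the parser handles the DNS-style message layout LLMNR uses, including name-compression pointers.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group; DNS-format messages

def build_llmnr_query(name, txid=0x1234):
    """Standard query for the A record of `name` (LLMNR names are usually single-label)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)  # A, IN
def read_name(data, off):  # decode a DNS-style name at `off` -> (name, offset just past it)
    labels = []
    while data[off]:
        if data[off] & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = (data[off] & 0x3F) << 8 | data[off + 1]
            return ".".join(labels + [read_name(data, ptr)[0]]), off + 2
        labels.append(data[off + 1:off + 1 + data[off]].decode(errors="replace"))
        off += 1 + data[off]
    return ".".join(labels), off + 1
def parse_llmnr_response(data):
    """Return (txid, queried name, [answered IPv4s]) or None if `data` is not a response."""
    if len(data) < 12 or not data[2] & 0x80:  # too short, or QR bit clear (a query)
        return None
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    name, off = read_name(data, 12)
    ips, off = [], off + 4  # skip the question's QTYPE/QCLASS
    for _ in range(an):
        _owner, off = read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, name, ips
def find_responders(decoy, packets):
    """Hosts answering for a name that does not exist on the network are poisoner candidates."""
    return [(src, p[2]) for raw, (src, _port) in packets
            if (p := parse_llmnr_response(raw)) and p[1].lower() == decoy.lower()]
def probe(decoy, timeout=2.0):  # send one LLMNR query for `decoy`; report every host answering for it
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_llmnr_query(decoy), (LLMNR_GROUP, LLMNR_PORT))
    packets = []
    try:
        while True:
            packets.append(s.recvfrom(2048))  # (raw bytes, (src ip, src port))
    except socket.timeout:
        return find_responders(decoy, packets)
# Constructed sample (hypothetical): a reply from 10.0.0.66 claiming to own "decoy-fs01".
SAMPLE_RESPONSE = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x0adecoy-fs01\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x42")
```

Run probe("decoy-fs01") from a monitoring host on each segment; on a clean network the list is empty, and any entry names a host that is answering for names it does not own.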
Hey hey, we got an NTLMv2 hash, and we see the username too. Get excited, but not too excited: we want hashes that belong to users with admin privileges, or this method is arguably just as difficult as any other vector. But we’re getting ahead of ourselves; first let’s crack that thing:
Though hashcat is not difficult to use, the initial command and its accompanying options can get a little heavy.
hashcat -m 5600 --session=<example_name_1> --potfile-path=/home/<example_name_1>/cracked_hashes.pot -r /usr/local/bin/hashcat/rules/rockyou-30000.rule /home/<example_name_1>/<location_of_hash> /usr/local/bin/wordlists/breachwords.txt
Alright, we will break down each part of the command above like we did for responder, but first it’s worth pointing out that there is a TON of information in hashcat -h. It’s all gold, but you will have to use grep to quickly find what you’re looking for when tweaking the command above. One example would be:
hashcat -h | grep -i ntlm
Here we see the strange 5600 from our command: it denotes the type of hash we wish to crack. So, the breakdown of the lengthy hashcat command is:
- -m 5600 = the type of hash we want to crack, the identifier we determined from grepping
- --session = optional, but useful when you wish to have separate sessions running, perhaps while others are on the machine
- --potfile-path = this is the typical output file, just a strange way to specify it. This is where cracked hashes go once cracked. You can name the file whatever you like, with .pot at the end
- -r = one of the more important keys to cracking successfully. This specifies the rules list you want to employ; the rules mangle your provided wordlist to allow for millions more possibilities.
- The last two arguments are self-explanatory: the path to the captured hash and the wordlist
Hit enter on that command and lean back. Depending on your hardware this could take a while; let’s hope your setup has a lot of purr.
35 minutes and 32 seconds later… we have a cracked hash.
We have our password now, and combined with the username from capturing the hash in the first place, we have creds. Let’s verify them. Get Metasploit humming, for it contains a useful auxiliary module:
Set these parameters to what you need and hope you get this screen afterwards.
Where the blur is on my picture you will see ‘domain\username:password’ followed by Administrator. We’ve done it.
Armed with clear-text credentials and confidence in our stride, we set up proxychains (a heavy enough topic for a separate walk-through) and queue up xfreerdp (in my case, since I’m using Kali; there are many other options for whatever you’re using, such as Proxifier). We then enter:
proxychains xfreerdp /u:username /p:password /v:targetipaddress
If you’re greeted by the desktop of your target, you might have just pulled it off.
I do hope you got a lot from this; please do let me know how I can improve, for that is all we seek in this field after all.
Quick acknowledgements to _pipefish, my mentor, and B. Little, who guided me on this specific engagement. Thank you, fellas.