# Server Info
Server info: srvinfo
# Users enumeration
List users: querydispinfo and enumdomusers
Get user details: queryuser <0xrid>
Get user groups: queryusergroups <0xrid>
GET SID of a user: lookupnames <username>
Get users aliases: queryuseraliases [builtin|domain] <sid>
# Brute-Force users RIDs
for i in $(seq 500 1100); do
rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done
#Groups enumeration
List groups: enumdomgroups
Get group details: querygroup <0xrid>
Get group members: querygroupmem <0xrid>
#Aliasgroups enumeration
List alias: enumalsgroups <builtin|domain>
Get members: queryaliasmem builtin|domain <0xrid>
#Domains enumeration
List domains: enumdomains
Get SID: lsaquery
Domain info: querydominfo
#Shares enumeration
Enumerate all available shares: netshareenumall
Info about a share: netsharegetinfo <share>
#More SIDs
Find SIDs by name: lookupnames <username>
Find more SIDs: lsaenumsid
RID cycling (check more SIDs): lookupsids <sid>
RID vs SID
A Relative Identifier (RID) is a unique identifier (represented in hexadecimal format) utilized by Windows to track and identify objects.
The SID for the NAME_DOMAIN.LOCAL domain is: S-1-5-21-1038751438-1834703946-36937684957.
When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
Domain user john with a RID:[0x457] Hex 0x457 = decimal 1111, will have a full user SID of: S-1-5-21-1038751438-1834703946-36937684957-1111.
# Impacket
$ impacket-smbserver share . -smb2support
# Static share on host
$ sudo adduser --system shareuser
Adding system user `shareuser' (UID 130) ...
Adding new user `shareuser' (UID 130) with group `nogroup' ...
Creating home directory `/home/shareuser' ...
$ sudo mkdir share
$ sudo chmod 777 share
$ sudo chown -R shareuser:nogroup /srv/share
$ sudo vim /etc/samba/smb.conf
$ cat /etc/samba/smb.conf
[global]
client min protocol = SMB2
client max protocol = SMB3
[share]
path = /srv/share
writable = yes
browsable = yes
public = yes
create mask = 0644
directory mask = 0755
force user = shareuser
$ service smbd restart
Download files Reclusively
smbclient \\\\10.10.11.152\\Shares
Enter WORKGROUP\voids password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
. D 0 Mon Oct 25 17:39:15 2021
.. D 0 Mon Oct 25 17:39:15 2021
Dev D 0 Mon Oct 25 21:40:06 2021
HelpDesk D 0 Mon Oct 25 17:48:42 2021
\Dev
. D 0 Mon Oct 25 21:40:06 2021
.. D 0 Mon Oct 25 21:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 17:46:42 2021
\HelpDesk
. D 0 Mon Oct 25 17:48:42 2021
.. D 0 Mon Oct 25 17:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 16:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 16:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 16:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 16:57:44 2021
smb: \> prompt off
smb: \> mget *
getting file \Dev\winrm_backup.zip of size 2611 as Dev/winrm_backup.zip (23.0 KiloBytes/sec) (average 23.0 KiloBytes/sec)
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as HelpDesk/LAPS.x64.msi (3627.9 KiloBytes/sec) (average 2656.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as HelpDesk/LAPS_Datasheet.docx (886.7 KiloBytes/sec) (average 2270.4 KiloBytes/sec)
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as HelpDesk/LAPS_OperationsGuide.docx (963.6 KiloBytes/sec) (average 1548.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as HelpDesk/LAPS_TechnicalSpecification.docx (507.0 KiloBytes/sec) (average 1438.0 KiloBytes/sec)bas
Windows Shortcuts: Creating a shortcut with the icon property pointing to a UNC path will trigger an NTLM authentication attempt when it's viewed in Explorer (it doesn't even have to be clicked).
NTLM authentication uses a 3-way handshake between a client and server.
The client makes an authentication request to a server for a resource it wants to access.
The server sends a challenge to the client - the client needs to encrypt the challenge using the hash of their password.
The client sends the encrypted response to the server, which contacts a domain controller to verify the encrypted challenge is correct.
If on-premise a NTLM relay attack is usually quite trivial where we intercept or capture the first authentication request with tools like Responder and ntlmrelayx to impersonate the user.
However it's not as easy in an environment like this, where there are multiple network. Port 445 is always bound and in use by Windows - even local admins can't arbitrarily redirect traffic bound to this port or bind another tool to this port.
It's still possible to do with Cobalt Strike, but requires the use of multiple capabilities simultaneously.
Use a driver to redirect traffic destined for port 445 to another port (e.g. 8445) that we can bind to.
Use a reverse port forward on the port the SMB traffic is being redirected to. This will tunnel the SMB traffic over the C2 channel to our Team Server.
The tool of choice (ntlmrelayx) will be listening for SMB traffic on the Team Server.
A SOCKS proxy is required to allow ntlmrelayx to send traffic back into the target network.
The flow looks something like this:
PortBender is a reflective DLL and Aggressor script specifically designed to help facilitate this through Cobalt Strike. It requires local admin access in order for the driver to be loaded, and that the driver be located in the current working directory of the Beacon. It makes sense to use C:\Windows\System32\drivers since this is where most Windows drivers go.