7MS #170: Pentesting in a Vacuum - Part 3

Brian Johnson -

I had some fun this weekend doing a subset of pentesting in the "vacuum" I've told you about. As a quick background for those of you just joining the series, I help manage (from a pentesting POV) 20 Kali boxes that are all in their own network silos. They can't talk to each other, they can't talk (freely) to the Internet, and I can only manage them from a Win7 VM via TCP 80, 443 and 22.

This weekend I was tasked with pentesting a subset of a few specific hosts, and also running some scenarios such as "An attacker has a presence on one of the machines, what can he do to further grab creds/info and use that to escalate permissions/privs in the environment?"

When looking at the hosts directly, there wasn't a ton of interesting stuff to tinker with because they were patched Windows 2012 servers. So I backed up a bit and put myself into the mode of, "Lets listen to the network a bit and see what we can hear, shall we?"

So I used my go to Responder tool to do the listening and cracking of some hashes. I've included snippets of the corresponding tools used below - these were pulled from my BPATTY document:

Responder

A network poisoner and fantastic for grabbing hashes for further cracking. Grab the tool and then take careful look at the help (responder.py -h) to ensure you're launching with the right flags, as stuff can break. I usually use:

python /opt/Responder/Responder.py -I eth0 -Ffr

Then, once things are getting poisoned, it's easy to "watch" the logs directory for .txt files of hashes by doing:

watch -n5 cat /opt/Responder/logs/*.txt

Now, I'm not interested in system accounts with "$" in them, so to see accounts without that character, you can do:

grep -v '\$' /opt/Responder/logs/*.txt

john (a.k.a. john the ripper)

A fantastic tool for cracking passwords. A fantastic reference for hashes and cracking is the Pentest Monkey cheat sheet but here's a few specific commands I've run to crack hashes:

john --format=netntlm hashes-i-collected.txt --wordlist=/usr/share/seclists/Passwords/rockyou.txt

hashcat

An awesome pw-cracking utility. I like that you can run it against a whole folder full of .rule files, so if I just want to throw a basic "kitchen sink" of wordlists against a .txt doc, I'd do:

hashcat -m 5500 -a 1 NTLM-hashes-2-be-cracked.txt /usr/share/hashcat/rules/*.rule

At the time of this writing, I have cracked about 3-4 accounts and am now salivating...can't wait to try some privesc!