Your hash is mine!

Transcript

1. Egor Karbutov @ShikariSenpai Security Meetup Mail.ru RuCTF

2. $WhoAmI @ShikariSenpai Penetration tester @ Digital Security Speaker Bug Hunter

3. Disclamer The information and expressed opinions are provided for educational

   research purposes only. The author is not liable in any way for the actions of other parties. Everyone is fully responsible for their own actions.

4. Windows network problem I've a project on Windows network hacking

   features: «NTLM. Book of the Dead» I'm continuing Alexey Turin work - «SMB Relay Bible» The project contains everything you may need to successfully pentest Windows networks (at least I think so:))

5. Agenda Theory Windows hash - what is it? Authentication mechanism

   Bruteforce Hash Stealing Windows Explorer Crafted Documents Browsers NetBios Spoofing Group Policy Hijacking Toolz

6. Theory

7. NTLM Working for: Keeping passwords Authentication Single-Sing-On Security Impact: Lots

   of Windows network Lots of tricks You can gain control over servers and users It’s an easy way

8. Crypt: LM Example: 299BD128C1101FD6 Algorithm: 1. Convert all lower case

   characters to upper case ones 2. Pad password to 14 characters with NULL characters 3. Split the password to two 7-character chunks 4. Create two DES keys from each 7-character chunk 5. DES encrypt the string "KGS!@#$%" with these two chunks 6. Concatenate the two DES encrypted strings. This is the LM hash.

9. Crypt: NT (NTLM) Example: B4B9B02E6F09A9BD760F388B67351E2B Algorithm: MD4(UTF-16-LittleEndian(password)) Starting with Windows

   Vista/Server 2008, LM is turned off by default. You may use rainbow tables!

10. NTLM V1 Example: u4-netntlm::kNS:338d08f8e26de933000000000000000 00000000000000000:9526fb8c23a90751cdd619b6ce a564742e1e4bf33006ba41:cb8086049ec4736c Algorithm: C = 8-byte

    server challenge, random K1 | K2 | K3 = LM/NT-hash | 5-bytes-0 response = DES(K1,C) | DES(K2,C) | DES(K3,C)

11. NTLM V2 Default in Windows since Windows 2000. Example: admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a006

    4958dac6:5c7830315c7830310000000000000b45c67103d07d7b95ac d12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030 Algorithm: SC = 8-byte server challenge, random CC = 8-byte client challenge, random CC* = (X, time, CC2, domain name) v2-Hash = HMAC-MD5(NT-Hash, user name, domain name) LMv2 = HMAC-MD5(v2-Hash, SC, CC) NTv2 = HMAC-MD5(v2-Hash, SC, CC*) response = LMv2 | CC | NTv2 | CC*

12. Bruteforce statistics Hash Type Hardware Speed NetNTLMv2 GeForce GTX 770

    - 512/2048 MB GeForce GTX 1080 - 2048/8192 MB NetNTLMv2 154.4MH/s GeForce GTX 770 - 512/2048 MB GeForce GTX 1080 - 2048/8192 MB 35862.6MH/s 1559.7MH/s NetNTLMv1 GeForce GTX 770 - 512/2048 MB GeForce GTX 1080 - 2048/8192 MB NTLM 3449.7MH/s NTLM NetNTLMv1 1941.2MH/s 21724.4MH/s Thx @w34kp455 for statistics. Check weakpass.com We use

13. Bruteforce statistics Hash Type NetNTLMv2 Intel(R) Core(TM) i7-3520M 2.90GHz Intel(R)

    Core(TM) i7-4790 3.60GHz NetNTLMv2 4.38MH/s Intel(R) Core(TM) i7-3520M 2.90GHz Intel(R) Core(TM) i7-4790 3.60GHz 76.03MH/s 14.50MH/s NetNTLMv1 Intel(R) Core(TM) i7-3520M 2.90GHz Intel(R) Core(TM) i7-4790 3.60GHz NTLM 32.68MH/s NTLM NetNTLMv1 27.87MH/s 72.43MH/s Hardware Speed Thx @w34kp455 for statistics. Check weakpass.com We use

14. Bruteforce statistics Hash Type NetNTLMv2 GeForce GTX 1080 - 2048/8192

    MB Intel(R) Core(TM) i7-4790 3.60GHz NetNTLMv2 1559.7MH/s GeForce GTX 1080 - 2048/8192 MB Intel(R) Core(TM) i7-4790 3.60GHz 76.03MH/s 14.50MH/s NetNTLMv1 GeForce GTX 1080 - 2048/8192 MB Intel(R) Core(TM) i7-4790 3.60GHz NTLM 35862.6MH/s NTLM NetNTLMv1 21724.4MH/s 72.43MH/s Hardware Speed Thx @w34kp455 for statistics. Check weakpass.com We use
15. None

16. Hash Stealing

17. Files For local networks only File may contains files on

    SMB share https://google.com -> file://ip/mycats.jpg

18. Files Docx = zip Archive contains many interesting files

19. Explorer Good old tricks with link files: .LNK .URL desktop.ini

    Icon URL

20. Browsers What browsers are we talking about? Internet Explorer Edge

    Scheme file:// and many-many HTML tags <img> <link> <body> <table> <form> https://github.com/ShikariSenpai/Leak-NTLM-hash-via-HTML

21. Browsers

22. Browsers VladikSS habrahabr: https://habrahabr.ru/post/306810 W.I.T.C.H., you can test your VM

    Windows host: http://witch.valdikss.org.ru

23. Why do we need all this? Users Deanonymization NTLM Relay

    Password Brute force User services VPN Mail SMB Share AD PSExec (cmd) Microsoft account ….

24. NetBios Spoofing NetBIOS Name Service Let’s resolve the «Batya» name:

    Hosts file DNS NetBIOS Root of the problem - Broadcast request Anyone can respond to a request with address substitution https://github.com/SpiderLabs/Responder We use Responder

25. NetBios Spoofing NTLM relay attack Bruteforce!!! NetBIOS Spoofing, like DNS

    Spoofing - back to the past Resolve subdomain name (work for Win7) Incorrect subdomain name asdfa.domain.name Cookie Hijacking Session Fixation Set Cookie aaa.domain.name -> domain.name Cross-domain policies bypass *.domain.name Phishing

26. Mmmmm….RCE

27. Croup Policy Hijacking Group policy is Microsoft’s core infrastructure for

    managing the configuration of both a user and computer in an enterprise Windows domain. DNS – Used to find the nearest domain controller RPC – Used to establish a secure channel with the domain controller make various RPC calls LDAP – Used to query the high level group policy configuration and which GPOs should be applied SMB – Used to get the full GPO content for each applicable GPO GPO with System privilege!

28. Croup Policy Hijacking LDAP singing ? SMB singing ? By

    default only for AD! High load on the network

29. Croup Policy Hijacking Hacker Network ‘A’ User Domain Controller Network

    ‘B’ DNS LDAP RPC SMB DNS LDAP RPC SMB SMB Fake SMB DNS LDAP RPC 20-90 min

30. Tools MWRLabs private scripts - ???? That scripts are private!

    Hey! Intercepter-NG - limited customization Some other tools on Github?

31. Our Tool Path of least resistance: Redirect SMB traffic -

    IPTables SMB ports and share - Samba ARP Spoofing - not included (use your favourite tool, e.g. arpspoof) Payloads - Metasploit or your custom binary Payload delivery method - Apache or SMB share https://github.com/whitel1st/GP_Hijack - 2 years ago

32. Warning! ARP Spoofing is very destructive Use attack on a

    small segment of the network (like 4 IP) IPTables redirect all SMB traffic (yep, it’s too destructive) We need contributors, who know how we can find the packages at a low level by policy update signatures What do you want? It’s path of least resistance :)

33. Where it works? Windows version Windows XP Windows Vista Windows

    7 Windows 8.1 Windows 8 ? Vulnerable Windows 10 For systems with last updates No No No No ?

34. Where it works? Windows version Windows Server 2016 Windows Server

    2012 R No Windows Server 2012 Windows Server 2003 R2 Windows Server 2008 R2 ? Vulnerable Windows Server 2003 For systems with last updates No ? ? ?

35. Out of scope More Windows Vulnerability NTLM Relay Hash Dumping

    Horizontal privilege escalation Vertical privilege escalations Toolz-toolz-toolz Anything else?

36. Useful links Leak NTLM hash via HTML https://github.com/ShikariSenpai/Leak-NTLM-hash-via-HTML VladikSS habrahabr:

    https://habrahabr.ru/post/306810 W.I.T.C.H., you can test your VM Windows host: http://witch.valdikss.org.ru Dictionary for bruteforce https://weakpass.com Responder https://github.com/SpiderLabs/Responder GP_Hijack tool https://github.com/whitel1st/GP_Hijack

37. Questions? @ShikariSenpai More information about «NTLM. Book of the Dead»

    project will appear in my twitter: Special thx @w34kp455, @sergeybelove, @antyurin, @whitel1st, @igc_iv