While doing boxes from HTB and Vulnhub, I have come across the SMB service on several occasions with writable shares. I never had success using the smbmap tool's command execution feature. Out of interest as to why this was the case, I ran the following command against my Windows 10 machine, which has a writable share, in order to troubleshoot this:

In this next screenshot we see something very similar. Notable is the last column, path, which is what the attacker connected to (the C$ share) before pulling the file down. Here we can see the actual username of the user who connected: the Administrator account. Attackers will often use this account to move laterally, as less mature environments tend to keep the password the same on every system. It is also easy to relay the password hash without needing the plaintext password. This screenshot shows Bro recording the mapping of shares. We can see that both the C$ share and the IPC$ share were mapped by the attacker.

Mimikatz is the go-to post-exploitation action of most attackers. Harvesting credentials is what allows them to move to different systems. CrackMapExec has a module to run a PowerShell version of Mimikatz on the target. It works by downloading the Invoke-Mimikatz script over HTTPS, running it, and POSTing the results back over HTTPS. Aside from the artifacts mentioned above, such as the NTLM login and share mappings, Bro can pick up even more artifacts. Three source types in Bro, bro_x509, bro_notice, and bro_ssl, can give you information about the SSL certificate used when Mimikatz is downloaded. While the SSL certificate does not contain anything that is largely suspicious, it is unusually simple and contains a blank client issuer and client subject field.

With the release of CrackMapExec version 4, some changes were made to avoid detection. As anti-virus will often flag data being written to the Temp directory, CME was modified to no longer write command output to the filesystem of the target when performing command execution. Instead, CME opens an SMB share on the attacker system and has the victim write the output back to it.

In this article, we learn to use crackmapexec. This tool is developed by byt3bl33d3r. I have used this tool many times for both offensive and defensive techniques. And with my experience from this tool, I can say that the tool is so amazing that one can use it for situational awareness as well as lateral movement. You can download the tool from here.

With crackmapexec, you can also brute-force which username matches a password we already know. We will be doing this on the whole network, which is why we will specify an IP range instead of a single IP. We will do this with the following command:

CrackMapExec is an amazing tool. This lets you specify a set of credentials and then blast through an entire network to determine what SMB shares they can access. It is often the case that insecure file permissions exist on these shares.

Now that we have our list of user names, we need to check which users exist in the Active Directory and which don't. To do this, we can use the -k option in crackmapexec. We can see that the tom account exists and that it is vulnerable to ASREP-Roasting.

Now that we've got a first domain account, we're going to be able to observe the Active Directory through BloodHound, so we need to collect data. We can do this with crackmapexec, which includes a collector for BloodHound.

Now that we've managed to authenticate on all the machines in the domain, we can look at the different shares present on the machines and identify an unusual share on machine SRV02. The name of the share also refers to crackmapexec's spider_plus module, which identifies potentially interesting files in file shares.

You can look at the permissions of this new account on file shares or in the Active Directory, but you won't find much. On the other hand, when you look at other services supported by crackmapexec, such as MSSQL, you can see that the hermione account is the administrator of the MSSQL database. This allows you to execute commands on the target server with xp_cmdshell, which is used with the -X (PowerShell) or -x (cmd) option.

1d. After setting up Responder to poison LLMNR and NBT-NS traffic, we wait for a user to access an SMB share with signing disabled. Below is an example of one of the domain users accessing an SMB server without signing required.

2a. Download Impacket, follow the setup guide and run ntlmrelayx.py using the following syntax: python ntlmrelayx.py -of -tf -smb2support. For the -tf flag, you will need to supply ntlmrelayx with a file that contains the list of SMB shares with signing disabled.

A Kali GUI machine and a target machine running a vulnerable SMB service are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target). Your task is to fingerprint the SMB service using the tools available on the Kali machine and then use the CrackMapExec tool to perform post-exploitation on the SMB service and extract sensitive information, i.e. Windows user hashes, LSA secrets, shared folder information, etc. Objective: Exploit the SMB service to get a meterpreter on the target and retrieve the flag!

Once in, the first bit of exploration you can perform as a pen tester is to get the lay of the land. Just like I did with Nessus in the initial round of pen testing, I can also use crackmapexec to scan a subnet to see what else is out there.

I was having the same problem with smbclient, and I noticed that it went away when I manually selected the "Just Enable File Sharing" option on the File Sharing dialog you get after manually right-clicking on the folder you want to share.

We will be able to access the shares on 172.16.1.100 and 172.16.1.200 as a valid user by relaying their credentials from one machine to the other. We just need to wait for an event (mistyped share) from a user on either machine and then we will be in business!

This command will relay all requests from any IP in the list to all IPs in the list. If an account that gets relayed from one machine to another has permissions to access a share folder, then because we used the -i switch, this will create a bind port on the victim on port 11000 that can be accessed using netcat.

Because 172.16.1.5 has signing enabled, the attack failed against that machine. It still says a bind port was opened up for an SMB session on port 11000; however, if we access that port on our attacker machine we will not be able to do anything from the SMB shell. We also see that we were able to authenticate to a share on 172.16.1.100 and a bind port for that machine was opened on 11001. Lastly, we failed to authenticate to any shares on 172.16.1.200, which indicates there are likely no shared files present on this host or that the request originated from this machine (which it did).

There is a lot we can do here from this shell; for example, if the user has full access to any of the shares, then we can pivot from this shell to a proper reverse shell quite easily. The attacker can also list the shares that they can enumerate for sensitive files or even try to access files in the root of the filesystem (C$).

With ntlmrelayx running, we find that a local admin user on 172.16.1.100 mistyped a share on 172.16.1.200. This caused the request to get relayed and the above command to be executed. Checking the ntlmrelayx output, we can see something happened as it shows a command was executed.

Now that we have created our exploit, we need to start a netcat listener on port 443 again. After that, we need to use the following ntlmrelayx command to download the EXE onto the victim and execute it once a local admin mistypes a share:

WDigest authentication was used in older versions of Windows Server and stores plaintext passwords in memory. Because Microsoft focuses heavily on backward compatibility, this method of authentication is actually enabled by default on Windows operating systems prior to Windows 8 and Windows Server 2012 R2. Even worse, it is actually used as part of the process for domain authentication, meaning anytime a user on the network uses RDP to remote into a computer, SMB to authenticate to a file share, or physically enters their password into a console when WDigest is enabled, their plaintext credentials are stored in the memory space of the LSASS process and can be extracted by attackers.

Now you need a way to get the dump file to your local machine. If using RDP from Linux, xfreerdp is an excellent choice as you can automatically mount a shared drive to copy files using the following syntax:

Now that we have what appears to be a default password (remember, we found that via SMB enumeration) along with a list of valid users, I used crackmapexec to spray the password to see if any user was using that password.

Great, we have credentials, now what? Well, since we have credentials, are there any service accounts that we can kerberoast? What about potential ASREP roasting? We can use crackmapexec or Impacket to do these checks. In our case, there are no accounts to roast.

So we have our new class which authenticates on a network share, and can read a remote file with the methods mentioned. If we tell minidump to use this class instead of the classic open method, then minidump will read remote content without flinching.

Each of these directories is empty, but the directory list itself will make a nice user list to continue enumerating. There are many ways to do this, but the first idea that popped into my head was to mount the share and copy/paste/cut until I had a usable list.

I mounted the share with the mount -t cifs //$ip/profiles$ /mnt command. Once mounted, I copied the output to a users.txt file and used the cat users.txt | cut -d " " -f 10 > user_list command to output my list to a file called user_list.

I cannot log in with this user. I can, however, read more SMB shares. Unfortunately, I find no more useful information. I really want to read the forensic share, partly because it is also called audit and we know there is an audit2020 user. Since I am at an impasse, I will employ BloodHound.