We covered a corporate espionage scenario in which two former employees used their non-deactivated accounts to log in to the company network and access SMB shares to retrieve intellectual property. The SOC team pulled a network packet capture and a memory dump of the lsass process to investigate and prove that these two accounts were used to log in. Wireshark was used to analyze the packet capture, decrypt the SMB3 traffic and retrieve the session keys. This was part of the TryHackMe Block room.
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
Scenario
One of your junior system administrators forgot to deactivate two accounts from a pair of recently fired employees.
We believe these employees used the credentials they were given in order to access some of the many private files from our server, but we need concrete proof.
The junior system administrator only has a small network capture of the incident and a memory dump of the Local Security Authority Subsystem Service process.
Fortunately, for your company, that is all you need.
Investigation Steps
1- Extract users from the packet capture
2- Extract NTLM hashes from lsass.dmp
3- Decrypt the SMB packets
Tools used in the investigation:
- Wireshark: performing deep SMB packet inspection, extracting key information such as ntproofstr, users’ domain, usernames, session IDs, session keys.
- Pypykatz: Used to extract NT hashes of the users.
pypykatz lsa minidump lsass.DMP
- Python script used to combine the information collected from the previous two steps to find the random session key.
- John-The-Ripper: used to crack the NT hashes.
Resources:
- First Python script that you will use to extract the random session key for the user mrealman (it derives the NT hash from the cleartext password):
```python
import hashlib
import hmac
import argparse
# Stolen from impacket. Thank you all for your wonderful contributions to the community
try:
    from Cryptodome.Cipher import ARC4
    from Cryptodome.Hash import MD4
except Exception:
    print("Warning: You don't have any crypto installed. You need pycryptodomex")
    print("See https://pypi.org/project/pycryptodomex/")
    raise SystemExit(1)

def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
    # RC4 is symmetric, so "encrypting" the captured EncryptedRandomSessionKey with the
    # Key Exchange Key recovers the client's random session key
    cipher = ARC4.new(keyExchangeKey)
    return cipher.encrypt(exportedSessionKey)

###
parser = argparse.ArgumentParser(description="Calculate the Random Session Key based on data from a PCAP (maybe).")
parser.add_argument("-u", "--user", required=True, help="User name")
parser.add_argument("-d", "--domain", required=True, help="Domain name")
parser.add_argument("-p", "--password", required=True, help="Password of User")
parser.add_argument("-n", "--ntproofstr", required=True, help="NTProofStr. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-k", "--key", required=True, help="Encrypted Session Key. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-v", "--verbose", action="store_true", help="increase output verbosity")
args = parser.parse_args()

# Upper Case User and Domain. Note: MS-NLMP only uppercases the user name, so uppercasing
# the domain too only matters if the captured domain name contains lower-case letters
user = str(args.user).upper().encode('utf-16le')
domain = str(args.domain).upper().encode('utf-16le')

# Create 'NTLM' Hash of password (MD4 over the UTF-16LE password). hashlib's md4 may be
# unavailable on OpenSSL 3 builds, so the MD4 from pycryptodomex is used instead
passw = args.password.encode('utf-16le')
password = MD4.new(passw).digest()

# Calculate the ResponseNTKey (NTOWFv2)
h = hmac.new(password, digestmod=hashlib.md5)
h.update(user + domain)
respNTKey = h.digest()

# Use NTProofSTR and ResponseNTKey to calculate Key Exchange Key
NTproofStr = bytes.fromhex(args.ntproofstr)
h = hmac.new(respNTKey, digestmod=hashlib.md5)
h.update(NTproofStr)
KeyExchKey = h.digest()

# Calculate the Random Session Key by decrypting Encrypted Session Key with Key Exchange Key via RC4
RsessKey = generateEncryptedSessionKey(KeyExchKey, bytes.fromhex(args.key))

if args.verbose:
    print("USER WORK: " + user.decode('utf-16le') + " " + domain.decode('utf-16le'))
    print("PASS HASH: " + password.hex())
    print("RESP NT: " + respNTKey.hex())
    print("NT PROOF: " + NTproofStr.hex())
    print("KeyExKey: " + KeyExchKey.hex())
print("Random SK: " + RsessKey.hex())
```
- Second Python script that you will use to extract the random session key for the user eshellstrop (it takes the NT hash recovered from lsass.DMP directly, so no password is needed):
```python
import hashlib
import hmac
import argparse
# Stolen from impacket. Thank you all for your wonderful contributions to the community
try:
    from Cryptodome.Cipher import ARC4
except Exception:
    print("Warning: You don't have any crypto installed. You need pycryptodomex")
    print("See https://pypi.org/project/pycryptodomex/")
    raise SystemExit(1)

def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
    # RC4 is symmetric, so "encrypting" the captured EncryptedRandomSessionKey with the
    # Key Exchange Key recovers the client's random session key
    cipher = ARC4.new(keyExchangeKey)
    return cipher.encrypt(exportedSessionKey)

###
parser = argparse.ArgumentParser(description="Calculate the Random Session Key based on data from a PCAP (maybe).")
parser.add_argument("-u", "--user", required=True, help="User name")
parser.add_argument("-d", "--domain", required=True, help="Domain name")
parser.add_argument("-n", "--ntproofstr", required=True, help="NTProofStr. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-k", "--key", required=True, help="Encrypted Session Key. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("--ntlmhash", required=True, help="NTLM hash of the User's password (provide Hex Stream)")
parser.add_argument("-v", "--verbose", action="store_true", help="increase output verbosity")
args = parser.parse_args()

# Upper Case User and Domain. Note: MS-NLMP only uppercases the user name, so uppercasing
# the domain too only matters if the captured domain name contains lower-case letters
user = str(args.user).upper().encode('utf-16le')
domain = str(args.domain).upper().encode('utf-16le')

# Use provided NTLM hash directly (as dumped by pypykatz from lsass.DMP)
password = bytes.fromhex(args.ntlmhash)

# Calculate the ResponseNTKey (NTOWFv2)
h = hmac.new(password, digestmod=hashlib.md5)
h.update(user + domain)
respNTKey = h.digest()

# Use NTProofSTR and ResponseNTKey to calculate Key Exchange Key
NTproofStr = bytes.fromhex(args.ntproofstr)
h = hmac.new(respNTKey, digestmod=hashlib.md5)
h.update(NTproofStr)
KeyExchKey = h.digest()

# Calculate the Random Session Key by decrypting Encrypted Session Key with Key Exchange Key via RC4
RsessKey = generateEncryptedSessionKey(KeyExchKey, bytes.fromhex(args.key))

if args.verbose:
    print("USER WORK: " + user.decode('utf-16le') + " " + domain.decode('utf-16le'))
    print("NTLM HASH: " + password.hex())
    print("RESP NT: " + respNTKey.hex())
    print("NT PROOF: " + NTproofStr.hex())
    print("KeyExKey: " + KeyExchKey.hex())
print("Random SK: " + RsessKey.hex())
```
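The derivation both scripts perform, plus the NTProofStr check that proves a captured NTLMv2 authentication was produced with a given account's NT hash, as an added stand-alone example (not the room's scripts): RC4 is implemented inline so only the standard library is needed, and it uppercases just the user name as MS-NLMP specifies (the scripts above also uppercase the domain, which is equivalent when the domain is already upper case). Only the eshellstrop NT hash comes from the page; the domain, server challenge, NTLMv2 blob and session key are constructed sample values.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so one call both encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def response_key_nt(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def account_used(nt_hash, user, domain, server_challenge, nt_response) -> bool:
    """Wireshark's 'NTLMv2 Response' = NTProofStr (16 bytes) + blob; the proof only
    matches if the responder held this NT hash, which is the evidence the SOC needs."""
    proof, blob = nt_response[:16], nt_response[16:]
    expected = hmac.new(response_key_nt(nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, proof)

def random_session_key(nt_hash, user, domain, nt_response, encrypted_session_key) -> bytes:
    """KXKEY = HMAC-MD5(ResponseKeyNT, NTProofStr); with NTLMSSP_NEGOTIATE_KEY_EXCH the
    client's random session key is RC4(KXKEY, EncryptedRandomSessionKey) from the capture."""
    kxkey = hmac.new(response_key_nt(nt_hash, user, domain), nt_response[:16], hashlib.md5).digest()
    return rc4(kxkey, encrypted_session_key)

# Constructed sample "capture": only the NT hash is from the page (eshellstrop); the
# domain, challenge, blob and session key are made up so the example runs offline.
NT_HASH = bytes.fromhex("3f29138a04aadc19214e9c04028bf381")
USER, DOMAIN = "eshellstrop", "WORKGROUP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + bytes(range(24))
TRUE_SESSION_KEY = bytes(range(0x10, 0x20))

def build_sample_capture() -> tuple:
    """Forge the two fields an analyst would copy out of Wireshark for this sample client."""
    rkey = response_key_nt(NT_HASH, USER, DOMAIN)
    proof = hmac.new(rkey, SERVER_CHALLENGE + BLOB, hashlib.md5).digest()
    kxkey = hmac.new(rkey, proof, hashlib.md5).digest()
    return proof + BLOB, rc4(kxkey, TRUE_SESSION_KEY)
```

Feed the recovered random session key to Wireshark's NTLMSSP session-key preference and the SMB3 traffic for that session decrypts; a failed account_used check means the NT hash from lsass does not belong to the account that authenticated.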
Room Answers | TryHackMe Block
What is the username of the first person who accessed our server?
mrealman
What is the password of the user in question 1?
Blockbuster1
What is the flag that the first user got access to?
THM{SmB_DeCrypTing_who_Could_Have_Th0ughT}
What is the username of the second person who accessed our server?
eshellstrop
What is the hash of the user in question 4?
3f29138a04aadc19214e9c04028bf381
What is the flag that the second user got access to?
THM{No_PasSw0Rd?_No_Pr0bl3m}
Video Walkthrough | TryHackMe Block