Encryption? What encryption? - by hadrian3689
The following post by 0xb0b is licensed under CC BY 4.0
The challenge provides us with a PCAP file and a dump of LSASS. We start by analyzing the PCAP and find encrypted SMB traffic; the room description tells us it needs to be decrypted. The challenge questions ask for the username, the password or password hash, and the flag (presumably the content of the transferred files) for each of the two users. All of this should be recoverable from the PCAP file and the LSASS dump.
We find the first username in the 11th packet, the Session Setup Request. We could also have applied the filter ntlmssp, which shows the Session Setup Requests of both users. The ntlmssp filter in Wireshark displays only packets that carry NTLM (NT LAN Manager) Security Support Provider (SSP) data. NTLMSSP is the security provider used by various Microsoft network authentication protocols, particularly where Kerberos cannot be used. With it we identify the users mrealman and eshellstrop.
For the password, the LSASS dump was examined first with pypykatz. Unfortunately this gave no result for the first user (more on that later): neither a hash nor a plaintext password for mrealman was present in the dump. We will therefore have to get them from the PCAP. This can be done manually, by taking a closer look at the Session Setup Requests, or with a tool that extracts the hashes.
Extract the following:
Username: the user's account name [found in the 11th packet].
Domain: the domain or workgroup name from the authenticate message [found in the 11th packet].
Server Challenge: the 8-byte challenge sent by the server [found in the 10th packet, the Session Setup Response].
NT Proof String: the first 16 bytes of the NTLMv2 Response, an HMAC-MD5 over the server challenge and the blob [found in the 11th packet].
Challenge Blob: the remainder of the NTLMv2 Response, containing the timestamp, client challenge, target information, etc. [found in the 11th packet, NTLM Response].
Then concatenate the necessary items into the NTLMv2 structure hashcat expects, user::domain:serverchallenge:ntproofstr:blob:
PCredz extracts the hashes from the PCAP for us. We only need to point it at the file (Pcredz -f <capture.pcap>) to retrieve the NTLMv2 hashes of mrealman and eshellstrop.
With hashcat (mode 5600, NetNTLMv2) we recover the password of mrealman. Unfortunately, the hash of eshellstrop cannot be cracked with the rockyou.txt wordlist.
We now have to decrypt the encrypted SMB traffic to get to the transferred artifacts and extract and view them. Here I came across the following source: a very good writeup on decrypting SMB traffic using only the information we have available in a PCAP.
The encrypted session key found in the Session Setup Request can be decrypted with the key exchange key, which can be derived from the NTLMv2 fields in the PCAP together with the user's password or NT hash.
The following items are needed to generate the session key (and outline the general approach); the key is then entered into Wireshark together with the matching session ID to decrypt the traffic. This has to be done for each user. The writeup also provides a Python script to calculate it. We already have the username, password and domain. We still need the NTProofStr and the response key: the response key is computed from the NT hash of the password, while the NTProofStr, like the encrypted session key, can be read from the ntlmssp packet.
We use the Python script from Maveris Labs for this, but port it to Python 3 and extend it so that not only passwords but also NT hashes can be used directly. This matters for the second user, whose hash we were unable to crack.
The following shows the modified script:
Running it with the extracted values gives us the session key.
To decrypt the SMB traffic we also need the related session ID, which can likewise be taken from the ntlmssp packet (the Session Id field of the Session Setup exchange). Now we only have to enter the session ID and the calculated session key in the protocol settings under Edit->Preferences->Protocols->SMB2. Note that the Session ID field of that table expects a different representation than the packet details show: the eight bytes in little-endian order as they appear on the wire, so the byte order of the displayed numeric value is reversed.
After applying the settings, the packets belonging to the user mrealman are decrypted. We can then extract the transmitted files via File -> Export Objects -> SMB.
In this CSV file, we find the first flag.
Recalling the investigation of the first user, we can retrieve the username and all the further information we need from the ntlmssp packet.
Recalling the hash retrieval for the first user: we were not able to crack the hash of eshellstrop, so we need the NT hash itself to decrypt the SMB traffic. For this we can use pypykatz on the LSASS dump (pypykatz lsa minidump <lsass dump>). There we find the NT hash of eshellstrop.
We repeat the steps taken to retrieve the first user's flag and try to decrypt the SMB traffic of eshellstrop to recover the transmitted files.
We retrieve the NTProofStr and the encrypted session key.
As already mentioned, we modified the script to accept hashes as well as passwords. This was a simple change, since the script only hashed the provided password before using it. We pass the hash via the -ph parameter.
We then need the session ID of eshellstrop's session, and repeat the steps known from the first user.
The SMB traffic gets decrypted, and we find another CSV file, which contains the second flag.