Responder

Introduction

Windows is the most predominant operating system in today’s world because of its easy-to-use GUI accessibility. About 85% of the market share has become a critical OS to attack. Furthermore, most organizations use Active Directory to set up their Windows domain networks. Microsoft employs NTLM (New Technology LAN Manager) & Kerberos for authentication services. Despite known vulnerabilities, NTLM remains widely deployed even on new systems to maintain compatibility with legacy clients and servers.
This lab focuses on how a File Inclusion vulnerability on a webpage being served on a windows machine can be exploited to collect the NetNTLMv2 challenge of the user that is running the web server. We will use a utility called Responder to capture a NetNTLMv2 hash and later use a utility known as john the ripper to test millions of potential passwords to see if they match the one used to create the hash. We will also be taking a deeper look at the working process of NTLM authentication and how the Responder utility captures the challenge. We believe that it’s crucial to understand the under the hood workings of a tool or a framework as it strengthens the foundation of one’s understanding, which aids in the real world exploit scenarios that one might face, which do not appear to be vulnerable at the first look. Let’s dive straight into it.

Windows是当今世界上最主要的操作系统，因为它易于使用的GUI可访问性。大约85%的市场份额已经成为攻击的关键操作系统。此外，大多数组织都使用Active Directory来设置其Windows域网络。Microsoft使用NTLM（新技术局域网管理器）和Kerberos进行身份验证服务。尽管存在已知的漏洞，NTLM仍然被广泛部署在新系统上，以保持与旧客户端和服务器的兼容性。
本实验室的重点是如何利用windows计算机上提供的网页上的文件包含漏洞来收集运行web服务器的用户的NetNTLMv2挑战。我们将使用一个名为Responder的实用程序来捕获NetNTLMv2哈希，然后使用一个称为john the ripper的实用程序测试数百万个潜在密码，看看它们是否与用于创建哈希的密码匹配。我们还将深入了解NTLM身份验证的工作过程，以及响应程序实用程序如何应对这一挑战。我们认为，理解一个工具或框架的幕后工作至关重要，因为它加强了人们理解的基础，有助于在现实世界中利用人们可能面临的场景，而这些场景乍一看并不脆弱。让我们直接切入。

Enumeration

We will begin by scanning the host for any open ports and running services with a Nmap scan. We will be using the following flags for the scan:

Nmap如何确定端口上运行的服务？
Nmap使用知名服务的端口服务数据库来确定在特定端口上运行的服务。它稍后还会向该端口发送一些特定于服务的请求，以确定服务版本和任何有关它的附加信息。
因此，对于特定端口的服务信息，Nmap大多是但并不总是正确的。

According to the results of the Nmap scan, the machine is using Windows as its operating system. Two ports were detected as open having Apache web server running on port 80 along with WinRM on port 5985 .

根据Nmap扫描的结果，该机器正在使用Windows作为其操作系统。检测到两个端口打开，Apache web服务器在端口80上运行，WinRM在端口5985上运行。

Website Enumeration

On opening Firefox and putting http://[target ip] , the browser returns a message about being unable to find that site. Looking in the URL bar, it now shows http://unika.htb . The website has redirected the browser to a new URL, and your host doesn’t know how to find unika.htb . This webserver is employing name-based Virtual Hosting for serving the requests.

打开Firefox并放入http://[target-ip]后，浏览器会返回一条无法找到该网站的消息。在URL栏中查看，它现在显示http://unika.htb。该网站已将浏览器重定向到一个新的URL，而您的主机不知道如何找到unika.htb。该Web服务器使用基于名称的虚拟主机来满足请求。

Name-Based Virtual hosting is a method for hosting multiple domain names (with separate handling ofeach name) on a single server. This allows one server to share its resources, such as memory and processor cycles, without requiring all the services to be used by the same hostname.
The web server checks the domain name provided in the Host header field of the HTTP request and sends a response according to that.

基于名称的虚拟托管是一种在单个服务器上托管多个域名（每个名称单独处理）的方法。这允许一台服务器共享其资源，例如内存和处理器周期，而不需要同一主机名使用所有服务。
web服务器检查HTTP请求的主机头字段中提供的域名，并根据该域名发送响应。
The /etc/hosts file is used to resolve a hostname into an IP address & thus we will need to add an entry in the /etc/hosts file for this domain to enable the browser to resolve the address for unika.htb .

/etc/hosts文件用于将主机名解析为IP地址&因此，我们需要在该域的/etc/host文件中添加一个条目，以使浏览器能够解析unika.htb的地址。

Entry in the /etc/hosts file :

1

echo "10.129.136.91 unika.htb" | sudo tee -a /etc/hosts

Adding this entry in the /etc/hosts file will enable the browser to resolve the hostname unika.htb to
the corresponding IP address & thus make the browser include the HTTP header Host: unika.htb in
every HTTP request that the browser sends to this IP address, which will make the server respond with the webpage for unika.htb .

在/etc/hosts文件中添加此条目将使浏览器能够将主机名unika.htb解析为相应的IP地址，从而使浏览器在向该IP地址发送的每个HTTP请求中都包含HTTP标头Host:unika.htb，这将使服务器以unika.h结核的网页进行响应。
On accessing the web page we are presented with a web designing business landing page.

在访问网页时，我们会看到一个网页设计业务登录页。

Checking the site out, we see nothing of particular interest. Although, we notice a language selection option on the navbar EN and changing the option to FR takes us to a French version of the website.

查看网站，我们没有发现任何特别感兴趣的东西。尽管如此，我们注意到导航栏EN上有一个语言选择选项，将该选项更改为FR会将我们带到该网站的法语版本。

Noticing the URL, we can see that the french.html page is being loaded by the page parameter, which may potentially be vulnerable to a Local File Inclusion (LFI) vulnerability if the page input is not sanitized.

注意到URL，我们可以看到french.html页面是由页面参数加载的，如果页面输入没有被清除，它可能会受到本地文件包含（LFI）漏洞的攻击。

File Inclusion Vulnerability

Dynamic websites include HTML pages on the fly using information from the HTTP request to include GET and POST parameters, cookies, and other variables. It is common for a page to “include” another page based on some of these parameters.

动态网站包括动态HTML页面，使用HTTP请求中的信息，包括GET和POST参数、cookie和其他变量。一个页面通常会根据其中一些参数“包含”另一个页面。

当攻击者能够使网站包含一个不打算作为此应用程序选项的文件时，就会发生LFI或本地文件包含。一个常见的例子是应用程序使用文件的路径作为输入。如果应用程序将此输入视为可信输入，并且未对此输入执行所需的卫生检查，则攻击者可以使用../字符串，并最终查看本地文件系统中的敏感文件。在某些有限的情况下，LFI也可以导致代码执行。

RFI或远程文件包含类似于LFI，但在这种情况下，攻击者有可能使用HTTP、FTP等协议在主机上加载远程文件。

We test the page parameter to see if we can include files on the target system in the server response. We will test with some commonly known files that will have the same name across networks, Windows domains, and systems which can be found here. One of the most common files that a penetration tester might attempt to access on a Windows machine to verify LFI is the hosts file, WINDOWS\System32\drivers\etc\hosts (this file aids in the local translation of host names to IP
addresses). The ../ string is used to traverse back a directory, one at a time. Thus multiple ../ strings are included in the URL so that the file handler on the server traverses back to the base directory i.e. C:\ .

我们测试页面参数，看看是否可以在服务器响应中包括目标系统上的文件。我们将使用一些常见的文件进行测试，这些文件将在网络、Windows域和系统中具有相同的名称，这些文件可以在此处找到。渗透测试人员可能试图在Windows机器上访问以验证LFI的最常见文件之一是hosts文件Windows\System32\drivers\etc\hosts（该文件有助于将主机名本地转换为IP地址）。../字符串用于一次遍历一个目录。因此倍数../字符串包含在URL中，以便服务器上的文件处理程序遍历回基本目录，即C:\。

1
2

http://unika.htb/index.php?
page=../../../../../../../../windows/system32/drivers/etc/hosts

Great, LFI is possible as we can view the contents of the C:\windows\system32\drivers\etc\hosts file in the response.

很好，LFI是可能的，因为我们可以在响应中查看C:\windows\system32\drivers\etc\hosts文件的内容。
The file inclusion, in this case, was made possible because in the backend the include() method of PHP is being used to process the URL parameter page for serving a different webpage for different languages. And because no proper sanitization is being done on this page parameter, we were able to pass malicious input and therefore view the internal system files.
在这种情况下，之所以可以包含文件，是因为在后端，PHP的include（）方法被用于处理URL参数页面，以便为不同语言的不同网页提供服务。由于没有对此页面参数进行适当的清理，我们能够传递恶意输入，从而查看内部系统文件。

What is the include() method in PHP?

1
2
3
4
5
6
7
8
9
10
11
12

File 1 --> vars.php
<?php
$color = 'green';
$fruit = 'apple';
?>
#############################################
File 2 --> test.php
<?php
echo "A $color $fruit"; // output = "A"
include 'vars.php';
echo "A $color $fruit"; // output = "A green apple"
?>

https://www.php.net/manual/en/function.include.php

What is NTLM (New Technology Lan Manager)?

NTLM is a collection of authentication protocols created by Microsoft. It is a challenge-response
authentication protocol used to authenticate a client to a resource on an Active Directory domain.
It is a type of single sign-on (SSO) because it allows the user to provide the underlying authentication factor only once, at login.

NTLM是由Microsoft创建的身份验证协议的集合。它是一种质询-响应身份验证协议，用于将客户端身份验证为Active Directory域上的资源。
它是一种单点登录（SSO），因为它只允许用户在登录时提供一次底层身份验证因素。

The NTLM authentication process is done in the following way :

1. The client sends the user name and domain name to the server.
2. The server generates a random character string, referred to as the challenge.
3. The client encrypts the challenge with the NTLM hash of the user password and sends it back to the server.
4. The server retrieves the user password (or equivilent).
5. The server uses the hash value retrieved from the security account database to encrypt the challenge string. The value is then compared to the value received from the client. If the values match, the client is authenticated.

NTLM与NTHash与NetNTLMv2

关于NTLM身份验证的术语很混乱，甚至专业人士也会不时滥用它，所以让我们定义一些关键术语：

• 散列函数是一种单向函数，它接受任意数量的数据并返回固定大小的值。
  通常，结果被称为散列、摘要或指纹。它们用于更安全地存储密码，因为无法将哈希直接转换回原始数据（尽管也有试图从哈希中恢复密码的攻击，我们稍后会看到）。因此，服务器可以存储您的密码散列，当您将密码提交到网站时，它会对您的输入进行散列，并将结果与数据库中的散列进行比较，如果它们匹配，它就会知道您提供了正确的密码。
• NTHash是用于在SAM数据库和域控制器中的Windows系统上存储密码的算法的输出。NTHash通常被称为NTLM哈希，甚至只是NTLM，这非常具有误导性/混淆性。
• 当NTLM协议想要通过网络进行身份验证时，它会使用如上所述的质询/响应模型。NetNTLMv2质询/响应是一个专门格式化为包括质询和响应的字符串。这通常被称为NetNTLMv2哈希，但实际上并不是哈希。尽管如此，它通常被称为哈希，因为我们以同样的方式攻击它。您将看到NetNTLMv2对象被称为NTLMv2，甚至被混淆为NTLM。

Using Responder