SMB, NTLM, & Google: SecDSM January MiniCTF Solution

SecDSM meets every third Thursday of the month at The Forge.

SecDSM has a mini-CTF challenge for the attendees to complete during their monthly meetups.

This month was a forensics challenge. The challenge site is still up so feel free to download the pcap and follow along in Wireshark.

Opening up the pcap and just looking through it, you can see that this is traffic from the user connecting to an SMB share and maybe doing other stuff. Full disclosure, I don't (or didn't, I know more now) know much about the inner workings of SMB or how to even begin to crack an SMB password using a pcap. Enter Google. I'm fairly certain the exact terms I typed in were "NTLM SMBv2 password cracking". Anyway, I found this handy article by shellgam3 with step-by-step instructions detailing exactly what I needed to do. You should read the article for more details on the steps I take here.

First, I'm going to filter down Wireshark to show me only the packets I need by filtering using "ntlmssp"
wireshark_ntlmssp

Let's begin by looking packet #15 and taking note of a few things: NTLM Response, User name, and Domain name.

NTLM Response (Copied as hex stream):

7a334cbeef274be92b992ff826e546fc010100000000000058115b33698dd301085c084956b3bb3400000000020014004d00520048005500470045004400490053004b00010014004d00520048005500470045004400490053004b00040002000000030014006d00720068007500670065006400690073006b000700080058115b33698dd30100000000

User Name:
secdsm

Domain Name:
NULL

Move to packet #14 and get the NTLM Server Challenge (Copied as value)
7d:91:12:f3:f7:e3:a3:d0

Putting this all together to create the NTLM hash, we end up with:

secdsm:::7d9112f3f7e3a3d0:7a334cbeef274be92b992ff826e546fc:010100000000000058115b33698dd301085c084956b3bb3400000000020014004d00520048005500470045004400490053004b00010014004d00520048005500470045004400490053004b00040002000000030014006d00720068007500670065006400690073006b000700080058115b33698dd30100000000

Notice that the spot where the Domain Name should go (between the 2nd and 3rd colons) is blank because Domain Name is NULL.

The next step is to run the hash through hashcat using a wordlist, but I didn't have a wordlist and the wordlist I tried (randomly from the internet) didn't work. That's when "This is a forensics challenge" clicked for me. There must be something else in the pcap to tell me what wordlist to use. So let's clear the 'ntlmssp' filter and take a look. Scrolling down the pcap, we see mention of a file called 00passwordlist.zip being created. In Wireshark, we can easily export files that are seen in the traffic.
File > Export Objects > SMB
pcap_carve
Now that we have the password list we need (after unzipping it), we can use it for hashcat. See the final result below.

ntlm-crack-gif

#Winning or Nah.

Very exciting to be the first one to solve the challenge and pick up a nice Palo Alto pull over in the process. However, that excitement was short lived because moments later there was another tweet.

Some people just want to watch the world burn. Back to work we go.

Looking through the same pcap, we really need to pay attention to what we're seeing in the traffic. What is the user doing? If we filter on the 'smb2' traffic and begin going through the packets, we see 'SMB2_FIND_ID_FULL_DIRECTORY_INFO Pattern: *'. A quick Google search will tell you that this command will list all of the files in a directory and their associated file ids. Looking at the Find Response, we noticed a familiar name -- 00passwordlist.

Let's convert that hex to ascii to get a better idea of what we're seeing.

X!q.
eÓÁÒJ
eÓ!q.
eÓ!q.
eÓ€À.XHÎ;ÓHÎ;Óù.n‘cÓù.n‘cÓ..`I'{‘cÓšOý‘cÓI'{‘cÓI'{‘cÓ€À@Recycleh؛45dÓ§–¦dÓÆÉç¡dÓÆÉç¡dÓ "€À.DS_Storepà‡dÓ<‚T¿<‚T¿<‚T¿€Àfbi_files_ZV9ixÿpíldÓ<‚T¿<‚T¿<‚T¿$€Àzapruder_film_dXN9xÁübdÓ<‚T¿<‚T¿<‚T¿$€Àufo_documents_Ym9ux‡¦dÓ<‚T¿<‚T¿<‚T¿"
€Àcia_missions_Z3tmx¦ÕdÓšX@GgÓ¦ÕdÓ¦ÕdÓr  $€À00passwordlist.zippRcšdÓ<‚T¿<‚T¿<‚T¿	€Ànsa_toolz_dXRfˆßŸo¹dÓ<‚T¿<‚T¿<‚T¿2€Àbitcoin_private_keys_ZmxhN%±\eÓ<‚T¿<‚T¿<‚T¿.€Àdirt_on_zoomequipd_YWxz

This is the point I got to before the first people got it. The rest is their solution

Now we can see the filenames and that they are follow by an underscore and 4 characters:
fbi_files_ZV9i
zapruder_film_dXN9
ufo_documents_Ym9u
cia_missions_Z3tm
nsa_toolz_dXRfˆ
bitcoin_private_keys_Zmxh
dirt_on_zoomequipd_YWxz

If you put the files in alphabetical order and then combine the trailing 4 characters you get a long string.

ZmxhZ3tmYWxzZV9idXRfYm9udXN9

I put this in a file and used the command line to base64 decode the string to find the flag.

$ base64 -D -i  base64hash.txt 
flag{false_but_bonus}

Tools

Wireshark (https://www.wireshark.org/)
HashCat (https://github.com/hashcat/hashcat)

References

Capturing And Cracking NTLMv2 Hashes On The LAN by shellgam3


Antoinette Stevens

Antoinette Stevens

Writing about tech and security.

comments powered by Disqus