RomHack 2022: Tame Dog

Information

Challenge: Tame Dog

Category:
Forensics

Files : forensics_tame_dog.zip 4.5 MB
capture.pcap 137 KB
database/ntds.dit 32 MB
database/SYSTEM 15 MB

Environment: Remnux VM

Walkthrough

1. PCAP Analysis

The inclusion of ntds.dit and the SYSTEM hive already hints at an Active Directory challenge. The Protocol Hierarchy of the pcap in Wireshark shows that the traffic consists of SMB2 and Kerberos:

This reminded me of HTB's Rogue challenge. I thought it would be easy from there, but then I noticed that the SMB2 session is authenticated with Kerberos rather than NTLM, so the method from that challenge would not work.

Since I had no idea how this mechanism works, I moved on to dumping credentials with impacket's secretsdump.py.

2. Extracting Credentials

Secretsdump.py does the trick with the two given files:

    secretsdump.py -ntds database/ntds.dit -system database/SYSTEM LOCAL

There are three users on ROMCORP.LOCAL: jmiller, sjohns and ebrown.

We can use strings on the pcap to quickly identify which user initiated the session (the client principal name travels in cleartext in the AS-REQ/TGS-REQ):

    strings *.pcap | grep -E 'jmiller|sjohns|ebrown'

Now we know that jmiller is the user to focus on. I ran the secretsdump.py command again and saved the output to a text file, secrets.txt, while I figured out how to decrypt the packets.

    secretsdump.py -ntds database/ntds.dit -system database/SYSTEM LOCAL > secrets.txt

3. Packet Decryption

Some googling turned up a guide. The options are limited because we are working offline, with only a pcap and a copy of the database. The best one (and probably the only practical one) is to generate a keytab holding the user's long-term key and let Wireshark use it to decrypt the Kerberos blobs. The alternative is to decrypt the Kerberos blobs manually with a script.

Going with option 1, I followed the steps in the guide under 'Offline Keytab Creation from Secrets.tdb':

    ktutil add_entry -password -p host/.@ -e aes256-cts-hmac-sha1-96 -k 1

This required modification, because:
– we do not have the password, only the key, so the entry has to be added with -key instead of -password
– the key version is 3, not 1, as seen in packet 10, the Session Setup Request:

The encryption type (annotated in blue in the screenshot) stays as aes256-cts-hmac-sha1-96.

First, we need to get jmiller’s aes256-cts-hmac-sha1-96 key:

    grep -F 'aes256-cts-hmac-sha1-96' secrets.txt | grep jmiller

Copy the key, and then we can create a keytab that Wireshark will use to decrypt the Kerberos packets:

    ktutil
    # inside the ktutil shell:
    add_entry -key -p jmiller@ROMCORP.LOCAL -e aes256-cts-hmac-sha1-96 -k 3
    # when prompted, enter the hex key: 1fb1a8270e23174e60743dcc93ff01853fe3527cd82228ce865356f49af28b9d
    write_kt jmiller.keytab
    quit

Now, in Wireshark, go to Preferences -> Protocols -> KRB5, tick 'Try to decrypt Kerberos blobs' and set the Kerberos keytab file to the path of jmiller.keytab:

Looking at packet 10, we can now retrieve the Session Key:

The Session ID can be found in the next packet, the Session Setup Response:

In the HTB Rogue challenge, I learned the hard and long way that the Session ID Wireshark expects is the raw value as it appears in the hexdump, not the number shown in the packet details: the dissector decodes the Session Id field as a little-endian 64-bit integer, so the displayed value is byte-reversed compared to the wire.

Here the bytes are 21000008001c0000.

Now all we have to do is add the Session ID and Session Key to the decryption table in Preferences -> Protocols -> SMB2.

4. SMB2 Analysis

Now that the SMB3 packets are decrypted, we can see a request for a file named 'Project_proposal.pdf':

We can save the file with File -> Export Objects -> SMB. Opening it with LibreOffice shows the flag in the Goals section.

Flag: HTB{D1d_y0u_just_t4m3d_k3rb3r0s!?}

TLDR

– Kerberos keys can be dumped from ntds.dit and the SYSTEM hive with impacket's secretsdump.py

– Decrypt Kerberos by creating a keytab file from the user's key

– Load the keytab in Wireshark (KRB5 preferences), then decrypt the SMB3 packets with the Session Key + Session ID (SMB2 preferences).
