We caught a threat actor, called MuddyWater, bruteforcing a login for our Domain Controller. We have a packet capture of the intrusion. Can you figure out which account they logged in to and what the password is? Flag format is
swampCTF{<username>:<password>}
Solution
Get the IPs talking SMB2 in the capture:

tshark -nr muddywater.pcap -Y "smb2" -T fields -e ip.src -e ip.dst | sort | uniq -c
  13670 192.168.122.1 192.168.122.73
  18223 192.168.122.73 192.168.122.1

Filter for a successful authentication between those two hosts (SMB2 Session Setup, smb2.cmd == 1, with NT status 0x0):

tshark -nr muddywater.pcap -Y "((ip.src == 192.168.122.1 || ip.src == 192.168.122.73) && (ip.dst == 192.168.122.1 || ip.dst == 192.168.122.73)) && smb2.cmd == 1 && smb2.nt_status == 0x0"

Dump the frame of interest (72069) to get its TCP stream index:

tshark -nr muddywater.pcap -Y "frame.number == 72069" -V -T json > frame-72069.json

Follow that stream and look for the NTLM authentication flow (NEGOTIATE, CHALLENGE, AUTH):

tshark -nr muddywater.pcap -Y "tcp.stream eq 6670"
<...>
72064 65.215194 192.168.122.1 → 192.168.122.73 SMB2 212 Session Setup Request, NTLMSSP_NEGOTIATE
72065 65.215719 192.168.122.73 → 192.168.122.1 SMB2 401 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
72069 65.220368 192.168.122.1 → 192.168.122.73 SMB2 546 Session Setup Request, NTLMSSP_AUTH, User: DESKTOP-0TNOE4V\hackbackzip
<...>

Build a hashcat-compatible NetNTLMv2 hash for cracking. The layout hashcat mode 5600 expects is username::domain:server_challenge:NTProofStr:NTLMv2_blob, and tshark can pull every field from the CHALLENGE and AUTH messages (the NTProofStr is the first 16 bytes of ntlmssp.ntlmv2_response):

tshark -nr muddywater.pcap -Y "frame.number == 72064 || frame.number == 72065 || frame.number == 72069" -O smb2,ntlmssp -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.ntlmserverchallenge -e ntlmssp.ntlmv2_response.ntproofstr -e ntlmssp.ntlmv2_response
d102444d56e078f4 hackbackzip DESKTOP-0TNOE4V eb1b0afc1eef819c1dccd514c9623201 eb1b0afc1eef819c1dccd514c962320101010000000000006f233d3d9f9edb01755959535466696d0000000002001e004400450053004b0054004f0050002d00300054004e004f0045003400560001001e004400450053004b0054004f0050002d00300054004e004f0045003400560004001e004400450053004b0054004f0050002d00300054004e004f0045003400560003001e004400450053004b0054004f0050002d00300054004e004f00450034005600070008006f233d3d9f9edb010900280063006900660073002f004400450053004b0054004f0050002d00300054004e004f004500340056000000000000000000

Crack the hash:

hashcat -a 0 -m 5600 ntlm.hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt
HACKBACKZIP::DESKTOP-0TNOE4V:d102444d56e078f4:eb1b0afc1eef819c1dccd514c9623201:01010000000000006f233d3d9f9edb01755959535466696d0000000002001e004400450053004b0054004f0050002d00300054004e004f0045003400560001001e004400450053004b0054004f0050002d00300054004e004f0045003400560004001e004400450053004b0054004f0050002d00300054004e004f0045003400560003001e004400450053004b0054004f0050002d00300054004e004f00450034005600070008006f233d3d9f9edb010900280063006900660073002f004400450053004b0054004f0050002d00300054004e004f004500340056000000000000000000:pikeplace
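The two steps above (assembling the mode-5600 line from the tshark fields, then checking a candidate password against it) can be reproduced without hashcat, which is a useful sanity check that the line was split correctly before a long cracking run or when confirming a recovered credential in an incident report. This is an added example, not part of the original writeup: the sample user, domain, challenge, blob and password are constructed here, not taken from the capture, and MD4 is implemented in pure Python because hashlib's md4 is unavailable on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct
def _md4(data):
    """Pure-Python MD4 (RFC 1320): hashlib's md4 is often disabled under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda u, v, w: (u & v) | (~u & w), range(16), (3, 7, 11, 19), 0),
        (lambda u, v, w: (u & v) | (u & w) | (v & w),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda u, v, w: u ^ v ^ w,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[j] + k) & mask, shifts[i % 4]), b, c
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password):
    # NT hash = MD4(UTF-16LE(password)); unsalted, which is why a wordlist run against it is cheap
    return _md4(password.encode("utf-16-le"))

def ntlmv2_proof(password, user, domain, challenge, blob):
    # NTLMv2 key = HMAC-MD5(NT hash, upper(user) + domain); NTProofStr = HMAC-MD5(key, challenge || blob)
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()

def hashcat_line(user, domain, challenge, response):
    # tshark's ntlmssp.ntlmv2_response starts with the 16-byte NTProofStr; -m 5600 wants it split from the blob
    return f"{user}::{domain}:{challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"

def verify(line, password):
    # Recompute NTProofStr for a candidate password and compare it with the captured one
    user, _, domain, chal, proof, blob = line.split(":")
    got = ntlmv2_proof(password, user, domain, bytes.fromhex(chal), bytes.fromhex(blob)).hex()
    return hmac.compare_digest(got, proof)

# Constructed sample values (not from the capture) that exercise the whole chain end to end
SAMPLE_CHALLENGE = bytes.fromhex("0011223344556677")
SAMPLE_BLOB = bytes.fromhex("01010000" + "00" * 36)
SAMPLE_RESPONSE = ntlmv2_proof("Winter2024!", "alice", "WORKSTATION", SAMPLE_CHALLENGE, SAMPLE_BLOB) + SAMPLE_BLOB
SAMPLE_LINE = hashcat_line("alice", "WORKSTATION", SAMPLE_CHALLENGE, SAMPLE_RESPONSE)
```

Feeding the real tshark fields into hashcat_line() yields the same line as the one cracked above, and verify() on it with the recovered password returns True only if the split and the password are both right.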