Decrypting the Breach: PCAP and Memory Forensics

The first and only student run multi-disciplinary lab of SRM University at Chennai and Amaravati.
The TryHackMe challenge (Block) provides us with a PCAP (packet capture) file and an LSASS (Local Security Authority Subsystem Service) memory dump. We have to decrypt the encrypted SMB (Server Message Block) traffic to find the answers to the given questions.
Q1. What is the username of the first person who accessed our server?
To find the username of the first person, we open the traffic.pcapng file in Wireshark. There we can identify the two users, mrealman and eshellstrop.

Q2. What is the password of the user in question 1?
To answer this question we first need to understand how NTLMv2 authentication works.
LM- and NT-hashes are ways Windows stores passwords. NT is confusingly also known as NTLM. They can be cracked to gain the password, or used to pass-the-hash. The NTLM protocol uses the NTHash in a challenge/response between a server and a client. The v1 of the protocol uses both the NT and LM hash, depending on configuration and what is available. And the v2 is the new and improved version of the NTLM protocol, which makes it a bit harder to crack. [source]
Now, to crack the NTLMv2 hash we need to extract its components from the packets and assemble them in the exact format hashcat expects.
Filter by ntlmssp and find the NTLMSSP_AUTH packet. After selecting it, copy the domain name and user name into a text document. Drill down into the NTLM Response section to find NTProofStr and the NTLMv2 Response, and copy both into the text document as hex strings. Since the NTLMv2 Response begins with NTProofStr (its first 16 bytes, i.e. the first 32 hex characters), delete that prefix from the NTLMv2 Response. Enter ntlmssp.ntlmserverchallenge into the search filter; this highlights the NTLM server challenge, whose value you also copy into the text document as a hex string. Now arrange all the values in the format below and save the text document as cracked.txt.
Format - username::domain:ServerChallenge:NTProofStr:modifiedNTLMv2Response

Now download a password list (rockyou.txt) and save it.
In a terminal run hashcat -m 5600 -D 1 cracked.txt rockyou.txt (mode 5600 is NetNTLMv2; -D 1 selects the CPU as the OpenCL device type) and it will give you the user's password (Blockbuster1).
I used the hashcat tool for password cracking.
Q3. What is the flag that the first user got access to?
We have the first user's password; with it we can decrypt the SMB traffic.
Inside Wireshark, click Edit → Preferences → Protocols, find NTLMSSP in the protocols list and enter the password. The SMB traffic for mrealman is now decrypted.

Open File → Export Objects → SMB…, export the clients156.csv file and run cat %5cclients156.csv (the exported filename keeps the URL-encoded backslash, %5c, from the SMB path).

First flag - THM{SmB_DeCrypTing_…
Q4. What is the username of the second person who accessed our server?
The second user is eshellstrop.
Q5. What is the hash of the user in question 4?
To find the hash of the user eshellstrop we can use the command pypykatz lsa minidump lsass.DMP | grep eshellstrop -A 10 -C 10, which prints the user's entry together with the surrounding lines that hold the related details.
Here I used pypykatz, a Python library and toolset for interacting with the Windows Local Security Authority Subsystem Service (LSASS), which can extract various authentication credentials and secrets, including plaintext passwords and password hashes.

This gives us the user's NT hash: 3f29138a04aadc19214e9c04028bf381
Q6. What is the flag that the second user got access to?
Lastly we need to decrypt the traffic for the second user, and this article helped. It explains that the key exchange key can be used to decrypt the encrypted session key, which yields the random session key, and that this random session key is what decrypts the SMB3 traffic.
To calculate the random session key we need:
username
domain
NTProofStr
NT hash
Encrypted session key
Write the Python script (ab.py) that calculates the random session key from these values.

Run command - python3 ab.py -u eshellstrop -d WORKGROUP -n 3f29138a04aadc19214e9c04028bf381 -k c24f5102a22d286336aac2dfa4dc2e04
Random session key - facfbdf010d00aa2574c7c41201099e8
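The script itself is not shown in this writeup, so the following is my own added implementation of the derivation the article describes (NTLMv2 key exchange key per MS-NLMP, then RC4 decryption of the encrypted session key); it is not the room's or the article's ab.py. The flag names, the -p option for NTProofStr (which the command above does not show) and the -s helper that converts the Session Id to little-endian are my choices.

```python
import argparse
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def key_exchange_key(nt_hash: bytes, user: str, domain: str, nt_proof_str: bytes) -> bytes:
    """NTLMv2 (MS-NLMP): ResponseKeyNT = HMAC_MD5(NTHash, UPPER(user) + domain in UTF-16LE);
    the key exchange key (= session base key for NTLMv2) is HMAC_MD5(ResponseKeyNT, NTProofStr)."""
    response_key_nt = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(response_key_nt, nt_proof_str, hashlib.md5).digest()

def random_session_key(nt_hash_hex: str, user: str, domain: str,
                       nt_proof_hex: str, enc_session_key_hex: str) -> str:
    """RC4-decrypt the EncryptedRandomSessionKey from the NTLMSSP_AUTH packet with the KXKEY."""
    kxkey = key_exchange_key(bytes.fromhex(nt_hash_hex), user, domain, bytes.fromhex(nt_proof_hex))
    return rc4(kxkey, bytes.fromhex(enc_session_key_hex)).hex()

def session_id_le(session_id: str) -> str:
    """Wireshark's SMB2 session key table wants the 8-byte Session Id as little-endian hex."""
    return int(session_id, 16).to_bytes(8, "little").hex()

if __name__ == "__main__":
    p = argparse.ArgumentParser(description="Derive the NTLMv2 random session key for SMB3 decryption")
    p.add_argument("-u", "--user", required=True)
    p.add_argument("-d", "--domain", required=True)
    p.add_argument("-n", "--nthash", required=True, help="NT hash, hex")
    p.add_argument("-p", "--ntproofstr", required=True, help="NTProofStr from the AUTH packet, hex")
    p.add_argument("-k", "--key", required=True, help="Encrypted session key from the AUTH packet, hex")
    p.add_argument("-s", "--sessionid", help="SMB2 Session Id, e.g. 0x0000100000000045")
    a = p.parse_args()
    print("Random session key:", random_session_key(a.nthash, a.user, a.domain, a.ntproofstr, a.key))
    if a.sessionid:
        print("Session Id (LE):  ", session_id_le(a.sessionid))
```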
Now the Session Id 0x0000100000000045 needs to be converted to little-endian byte order (4500000000100000), which this site does.

We now have the random session key and the session ID.
Edit → Preferences → Protocols → SMB2 → Edit… (the secret session keys table)
Enter the session ID and the random session key, and the SMB traffic will be decrypted.


Export the second file the same way we exported the first one.

Then in the terminal run cat %5cclients978.csv

We get the second flag - THM{No_PasSoRd….
And the challenge is done!
CONCLUSION
We completed this real-world security challenge by combining network forensics and memory analysis. It required multiple sources of evidence: Wireshark to analyse the PCAP, pypykatz to examine the memory dump and find credentials in LSASS, and hashcat to crack the recovered hashes. The challenge strengthens the understanding of network traffic and memory artifacts and gives hands-on experience with forensic tools.