When the Wire Whispered
Personal Rating: Hard
This forensics challenge was quite difficult, but very enjoyable to me. We start off with four files.
USERS.txt
PASSWORDS.txt
tls-lsa.log
capture.pcap
Decrypting the TLS Traffic
The first two files are wordlists of potentially compromised user names and their passwords. Together with the pcap, it was clear that tls-lsa.log would be needed to decrypt TLS traffic in Wireshark (a key log of this kind is loaded under Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename).
Loading the file, I did just that. I found a nice guide that walks you through the process.

I then prepared a filter to show the TCP conversations. There was only one.

Finding the Target User
Most of the traffic was RDP, preceded by the CredSSP (NTLMSSP) authentication exchange. I looked specifically at the initial authentication packets before the main RDP traffic to determine which user logged in. As it turned out, it was "DESKTOP-6NMJS1R\stoneheart_keeper52".

I checked the packets before and after this one, but no plain password was to be seen.

Obtaining the User Password
The CredSSP frame carried an NTLMv2 response, so the plan was to reconstruct the NetNTLMv2 hash from its fields and crack it with the password list from earlier. This article explains the parts of such a hash and how to put them together: https://www.801labs.org/research-portal/post/cracking-an-ntlmv2-hash/
These are the parts that I recovered from the CREDSSP frame:
Domain: DESKTOP-6NMJS1R
User: stoneheart_keeper52
NtProofStr: 460120880eecc460649883618863cea1
NTLMv2Response: 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
The "modified" NTLMv2 response that hashcat expects is the NTLMv2Response with the NtProofStr (its first 16 bytes) stripped from the front:
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
All of this came from packet 11955. The last missing part was the Server Challenge; packet 11957 is the first response after the client message we dissected.
ServerChallenge: 378e0e0b4a481c08
With this information we can fully reconstruct the NetNTLMv2 hash in the format hashcat's mode 5600 expects:
username::domain:ServerChallenge:NTproofstring:modifiedntlmv2response
stoneheart_keeper52::DESKTOP-6NMJS1R:378e0e0b4a481c08:460120880eecc460649883618863cea1: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
Running it through hashcat against PASSWORDS.txt was successful and gave us the user's password (-m 5600 selects NetNTLMv2, -a 0 is a straight wordlist attack):
./hashcat.bin -m 5600 -a 0 'stoneheart_keeper52::DESKTOP-6NMJS1R:378e0e0b4a481c08:460120880eecc460649883618863cea1: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' ./PASSWORDS.txt
Investigating the RDP Session
With the password in hand, the next step was the RDP session itself. Once the TLS layer is decrypted, the session can be replayed as a video and the clipboard contents recovered. This article proved to be incredibly helpful: https://www.haxor.no/en/article/analyzing-captured-rdp-sessions
With "File > Export PDUs to File... > OSI Layer 7" followed by "File > Save As" (pcap format), I exported the decrypted layer-7 data into a new pcap file (osi7.pcap).
Following this, I converted the data into PyRDP's own format. PyRDP is GoSecure's Python RDP man-in-the-middle and replay tool, which supports a great number of offensive techniques against RDP.
git clone https://github.com/GoSecure/pyrdp.git
cd pyrdp
python -m venv .venv
source .venv/bin/activate
pip install .
cd .venv/bin
./pyrdp-convert -o /HTBfolder/forensics_when_the_wire_whispered/output /HTBfolder/forensics_when_the_wire_whispered/osi7.pcap
./pyrdp-player   # then open the .pyrdp file generated by pyrdp-convert
The player replays the RDP session as a video and also shows the clipboard contents, which is where the passwords were!
