Insomni’hack teaser 2023 - Autopsy:

During the Lunar New Year I played Insomni'hack teaser 2023. One of the challenges, tagged forensics, realistic and windows, caught my interest and I solved it, learning a few things along the way. This is the writeup.

Autopsy:

Open the capture in Wireshark, use Export Objects > HTTP, choose Save All, and filter the result down to three files: SYSTEM, SECURITY and ntds.dit.

Searching for what can be done with these three files leads to material on credential extraction, in particular impacket:

https://github.com/SecureAuthCorp/impacket

Running secretsdump.py against the files does not by itself produce anything obviously useful for the challenge, but the keys it extracts may be what is needed to decrypt the captured traffic.

```
crazyman@ubuntu:~/Desktop/impacket$ secretsdump.py -security ../SECURITY -system ../SYSTEM LOCAL
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

[*] Target system bootKey: 0x805486c875e5e6992d3d2afeb72c6999
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:230c30b271c944c2d5e2e122906c6f4415b8d92a7c50668bcbe78abb095d21ab78baf08c56812106fd8bfefef43fef379c68048b3207333f9aeea58ffdc55c0cc49031033aa4fa9569e847d54b79a5ab65efc364b54f450a5f4dd85110caf41f1e8c9ae289eaf0f580c999c054494324c0920c1b5035ad11f46e16b161b80ad10c21cd3fc37ce34ede6697a4de01cf5f96bd80adc385f616396c149c42a2efee76a2ec4f7c5cd3d4c4d75d3317cdfc22ae52a83fd417b504afe973c05b0defcdc6f1412c07d83411b6cc546703a198c4509d6df470ac91a7f4a1d70caffc156eba4d0cc24a3700987991768806d91056
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:c9c59098f8f050ad394b7369b76986f1
[*] DPAPI_SYSTEM
dpapi_machinekey:0xf886ff495f92f889f3580bed92143aa26bdc300d
dpapi_userkey:0x3ea213645556520d1de3a38beaa29bf6dce646ee
[*] NL$KM
0000 AE 82 9A 9B 3F 82 34 D5 AE 77 E9 23 FC 42 EF A8 ....?.4..w.#.B..
0010 D2 63 69 6E E4 08 FB BE BF CB DC 3A 4D FD 08 0E .cin.......:M...
0020 7B F7 C3 EF E0 00 90 AA 04 9A 87 AB 65 BB A8 06 {...........e...
0030 F4 01 4A 85 4C FE 13 39 A5 23 B9 51 F8 35 42 07 ..J.L..9.#.Q.5B.
NL$KM:ae829a9b3f8234d5ae77e923fc42efa8d263696ee408fbbebfcbdc3a4dfd080e7bf7c3efe00090aa049a87ab65bba806f4014a854cfe1339a523b951f8354207
[*] Cleaning up...

crazyman@ubuntu:~/Desktop/impacket$ secretsdump.py -ntds ../ntds.dit -system ../SYSTEM LOCAL
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

[*] Target system bootKey: 0x805486c875e5e6992d3d2afeb72c6999
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d550dd0de3e2e8c1633034fd19049cef
[*] Reading and decrypting hashes from ../ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf7c9b980dd43ae8f651d02fe20ac915:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPERMAN$:1000:aad3b435b51404eeaad3b435b51404ee:c9c59098f8f050ad394b7369b76986f1:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5e696d38da69b2597fd1039bea113486:::
inscorp.com\adm-drp:1103:aad3b435b51404eeaad3b435b51404ee:5c4dbe6a8a44446f8d2899ff08ea14f2:::
[*] Kerberos keys from ../ntds.dit
Administrator:aes256-cts-hmac-sha1-96:dc8af90d000bf2fe011b5637e46840f59efd7a9f36c974e6c92e098e3c40b247
Administrator:aes128-cts-hmac-sha1-96:2a3e3f78faa3f28b6ef4bac2273b305f
Administrator:des-cbc-md5:3862c83b865d80da
SUPERMAN$:aes256-cts-hmac-sha1-96:a7396d86f611e874622bd6c2b4ae742cbe4ed2f418e9b885ef37061fa398112a
SUPERMAN$:aes128-cts-hmac-sha1-96:e5a8b63dcc276332a466f9502f548273
SUPERMAN$:des-cbc-md5:3bb910319efe2a16
krbtgt:aes256-cts-hmac-sha1-96:e072886952ce6c9cc5ddd09e2191b807c003dd7a2cabf407d4ab4d7ae9993d03
krbtgt:aes128-cts-hmac-sha1-96:a14abd37bd7767441e20166f032f94cf
krbtgt:des-cbc-md5:54409104e0263243
inscorp.com\adm-drp:aes256-cts-hmac-sha1-96:6102c3cfc067ca5c989c40a7a34b4166536904e646704ada56b25fa0c07000d5
inscorp.com\adm-drp:aes128-cts-hmac-sha1-96:c7e5d32f0b9e7da9d4c8cabac07b9277
inscorp.com\adm-drp:des-cbc-md5:70ad4cdf7326dc62
[*] Cleaning up...
```

After searching further, I found this article: https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7

So the keytab is generated with the keytab.py script from https://github.com/dirkjanm/forest-trust-tools/blob/master/keytab.py:

```python
from struct import unpack, pack
from impacket.structure import Structure
import binascii
import sys

# Keytab structure from http://www.ioplex.com/utilities/keytab.txt
# keytab {
#     uint16_t file_format_version;                    /* 0x502 */
#     keytab_entry entries[*];
# };

# keytab_entry {
#     int32_t size;
#     uint16_t num_components;    /* sub 1 if version 0x501 */
#     counted_octet_string realm;
#     counted_octet_string components[num_components];
#     uint32_t name_type;   /* not present if version 0x501 */
#     uint32_t timestamp;
#     uint8_t vno8;
#     keyblock key;
#     uint32_t vno; /* only present if >= 4 bytes left in entry */
# };

# counted_octet_string {
#     uint16_t length;
#     uint8_t data[length];
# };

# keyblock {
#     uint16_t type;
#     counted_octet_string;
# };

class KeyTab(Structure):
    structure = (
        ('file_format_version','H=517'),
        ('keytab_entry', ':')
    )
    def fromString(self, data):
        self.entries = []
        Structure.fromString(self, data)
        data = self['keytab_entry']
        while len(data) != 0:
            ktentry = KeyTabEntry(data)

            data = data[len(ktentry.getData()):]
            self.entries.append(ktentry)

    def getData(self):
        self['keytab_entry'] = b''.join([entry.getData() for entry in self.entries])
        data = Structure.getData(self)
        return data

class OctetString(Structure):
    structure = (
        ('len', '>H-value'),
        ('value', ':')
    )

class KeyTabContentRest(Structure):
    structure = (
        ('name_type', '>I=1'),
        ('timestamp', '>I=0'),
        ('vno8', 'B=2'),
        ('keytype', '>H'),
        ('keylen', '>H-key'),
        ('key', ':')
    )

class KeyTabContent(Structure):
    structure = (
        ('num_components', '>h'),
        ('realmlen', '>h-realm'),
        ('realm', ':'),
        ('components', ':'),
        ('restdata',':')
    )
    def fromString(self, data):
        self.components = []
        Structure.fromString(self, data)
        data = self['components']
        for i in range(self['num_components']):
            ktentry = OctetString(data)

            data = data[ktentry['len']+2:]
            self.components.append(ktentry)
        self.restfields = KeyTabContentRest(data)

    def getData(self):
        self['num_components'] = len(self.components)
        # We modify the data field to be able to use the
        # parent class parsing
        self['components'] = b''.join([component.getData() for component in self.components])
        self['restdata'] = self.restfields.getData()
        data = Structure.getData(self)
        return data

class KeyTabEntry(Structure):
    structure = (
        ('size','>I-content'),
        ('content',':', KeyTabContent)
    )

# Add your own keys here!
# Keys are tuples in the form (keytype, 'hexencodedkey')
# Common keytypes for Windows:
# 23: RC4
# 18: AES-256
# 17: AES-128
# Wireshark takes any number of keys in the keytab, so feel free to add
# krbtgt keys, service keys, trust keys etc
keys = [
    (23, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (18, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (17, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (18, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (23, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')
]

nkt = KeyTab()
nkt.entries = []

for key in keys:
    ktcr = KeyTabContentRest()
    ktcr['keytype'] = key[0]
    ktcr['key'] = binascii.unhexlify(key[1])
    nktcontent = KeyTabContent()
    nktcontent.restfields = ktcr
    # The realm here doesn't matter for wireshark but does of course for a real keytab
    nktcontent['realm'] = b'TESTSEGMENT.LOCAL'
    krbtgt = OctetString()
    krbtgt['value'] = 'krbtgt'
    nktcontent.components = [krbtgt]
    nktentry = KeyTabEntry()
    nktentry['content'] = nktcontent
    nkt.entries.append(nktentry)

data = nkt.getData()
if len(sys.argv) < 2:
    print('Usage: keytab.py <outputfile>')
    print('Keys should be written to the source manually')
else:
    with open(sys.argv[1], 'wb') as outfile:
        outfile.write(data)
```

Then replace the placeholder tuples in the keys list of the script with the NT hashes (keytype 23) and AES keys (keytypes 18 and 17) obtained above:

```python
keys = [
    (23, '5e696d38da69b2597fd1039bea113486'),  # krbtgt
    (18, 'e072886952ce6c9cc5ddd09e2191b807c003dd7a2cabf407d4ab4d7ae9993d03'),
    (17, 'a14abd37bd7767441e20166f032f94cf'),
    (23, 'cf7c9b980dd43ae8f651d02fe20ac915'),  # Administrator
    (18, 'dc8af90d000bf2fe011b5637e46840f59efd7a9f36c974e6c92e098e3c40b247'),
    (17, '2a3e3f78faa3f28b6ef4bac2273b305f'),
    (23, 'c9c59098f8f050ad394b7369b76986f1'),  # SUPERMAN$
    (18, 'a7396d86f611e874622bd6c2b4ae742cbe4ed2f418e9b885ef37061fa398112a'),
    (17, 'e5a8b63dcc276332a466f9502f548273'),
    (23, '5c4dbe6a8a44446f8d2899ff08ea14f2'),  # inscorp.com\adm-drp
    (18, '6102c3cfc067ca5c989c40a7a34b4166536904e646704ada56b25fa0c07000d5'),
    (17, 'c7e5d32f0b9e7da9d4c8cabac07b9277')
]
```

Run the script to get the keytab file required for decryption, then import it into Wireshark.

After a successful import, the TaskScheduler traffic is decrypted and plaintext becomes visible.

There are not many streams, so the flag is quickly found in stream number 16303.

That gives the flag: INS{N1c3_j0b_Dud3_y0u_F0und_m3!}

Hope you like this writeup.