NTLM Relay

Imagine we have a user who is Administrator on another computer. By relaying that user's NTLM authentication we could use those privileges to extract the SAM hashes, or even execute remote commands.

For example:

Sara Ardila is now Administrator over the computer of Carlos Villamizar (PC-CARLOS).

crackmapexec smb 10.10.10.0/24 -u 'sara.ardila' -p 'Sar@91082'

Extract SAM hashes

We need to create a file of targets (in this case PC-CARLOS):

Then update Responder's configuration file:

Responder is available from https://github.com/lgandx/Responder

Now, execute ntlmrelayx:

So, knowing that Sara is Administrator over Carlos's computer, we wait for Sara to attempt a connection to a service or task. By poisoning name resolution on the network, we trick that connection into reaching our Responder; ntlmrelayx.py then relays Sara's authentication to Carlos's computer and does the magic with her privileges there.

In Responder:

And ntlmrelayx:

Now we are dumping the SAM hashes; with these we can do Pass-The-Hash.

Execute remote commands

From nishang (https://github.com/samratashok/nishang):

Take line 20:

Copy its content to the bottom of the file and change the values:

Now, serve that file and start a listener on port 4460 to receive the PowerShell reverse shell:

Now, execute ntlmrelayx:

With this, the target fetches the file from our server and imports its content; since the last line is uncommented, it is executed right after being imported.

Now, start our Responder (remember: with SMB and HTTP turned off):

Wait for a connection from Sara to an invalid or down service/task/folder:

In our listener:

We are inside CarlosPC, exploiting Sara's privileges over CarlosPC :O
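Both procedures above (the SAM dump and the remote command) leave the same trace on the target: a network logon (type 3) for Sara, authenticated with NTLM, whose source address is the relay box rather than Sara's own workstation, while the NTLM message still names Sara's workstation. The following detection logic is an added example, not part of the original note; the event lines are a constructed, simplified key=value rendering of the fields of Windows Security event 4624, and the workstation-to-IP inventory is constructed as well. Kerberos logons are skipped because this relay only works against NTLM.

```python
import re

# Constructed sample events (not taken from the page), written as a simplified
# key=value rendering of the fields found in Windows Security event 4624.
# The second line models the relay: sara.ardila's NTLM network logon arrives at
# PC-CARLOS from 10.10.10.99 (the relay box) while still naming PC-SARA.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=sara.ardila "
    "WorkstationName=PC-SARA IpAddress=10.10.10.15 Computer=PC-CARLOS",
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=sara.ardila "
    "WorkstationName=PC-SARA IpAddress=10.10.10.99 Computer=PC-CARLOS",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos TargetUser=sara.ardila "
    "WorkstationName=PC-SARA IpAddress=10.10.10.99 Computer=PC-CARLOS",
    "EventID=4624 LogonType=2 AuthPackage=NTLM TargetUser=carlos.villamizar "
    "WorkstationName=PC-CARLOS IpAddress=127.0.0.1 Computer=PC-CARLOS",
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=svc.backup "
    "WorkstationName=PC-UNKNOWN IpAddress=10.10.10.99 Computer=PC-CARLOS",
]

# Constructed asset inventory: the address each workstation is expected to
# authenticate from (in practice fed from DHCP leases or a CMDB).
EXPECTED_IP = {"PC-SARA": "10.10.10.15", "PC-CARLOS": "10.10.10.20"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_relay_candidate(event, expected_ip):
    """True when an NTLM network logon comes from an address that does not
    belong to the workstation named in the NTLM authentication."""
    if event.get("EventID") != "4624":
        return False
    if event.get("LogonType") != "3":  # relayed authentication is a network logon
        return False
    if event.get("AuthPackage", "").upper() != "NTLM":  # Kerberos is not relayed here
        return False
    source_ip = event.get("IpAddress", "-")
    if source_ip in ("-", "127.0.0.1", "::1"):  # local logons carry no useful source
        return False
    known_ip = expected_ip.get(event.get("WorkstationName", "").upper())
    if known_ip is None:
        # No inventory entry: cannot judge the mismatch here; unknown hosts
        # deserve their own alert in a real pipeline.
        return False
    return source_ip != known_ip


def find_relay_candidates(lines, expected_ip):
    """Return (user, workstation, source_ip) for every suspicious logon."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_relay_candidate(event, expected_ip):
            hits.append((event["TargetUser"], event["WorkstationName"], event["IpAddress"]))
    return hits


if __name__ == "__main__":
    for user, workstation, ip in find_relay_candidates(SAMPLE_EVENTS, EXPECTED_IP):
        print(f"possible relayed NTLM logon: {user} as {workstation} from {ip}")
```

The mismatch only marks a candidate (VPN clients and multi-homed hosts produce the same pattern), so it is a triage signal rather than a verdict. The mitigation that removes the relay itself is requiring SMB signing on the target (and Extended Protection for HTTP), since a relayed session then fails to sign with a key the relay box never sees.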
