Relay attacks
1. NTLM Relay
New Technology LAN Manager (NTLM) remains one of the most common authentication protocols used in Windows environments. NTLM is supported in several protocols, for example SMB, HTTP(S), LDAP, IMAP, SMTP, POP3 and MSSQL. Even though Kerberos offers enhanced security features over NTLM, many systems and functions still depend on NTLM, making it impossible for most organizations to move away from it entirely.
Attacker techniques have evolved, and new NTLM exposures have been identified, resulting in various iterations of the NTLM relay attack. At a basic level, the attacker uses man-in-the-middle techniques to intercept network traffic, ideally capturing an authentication challenge as it is exchanged between the client and server, and forwarding it to another service rather than cracking it.
1.1 ntlmrelayx
With ntlmrelayx, you can use and reuse sessions instead of executing a one-shot attack.
1.2 Relaying NTLM to SMB
The command below creates an SMB relay server that targets the IP 10.10.10.1, meaning any credentials the SMB server receives are relayed to that IP to attempt to authenticate and execute "whoami /all".
In order for the SMB server to receive credentials to relay, dementor.py can be used to trigger a forced authentication from the host it is targeting to an attacker-controlled SMB server.
1.3 Relaying NTLM to LDAP
1.4 NTLMRelay2Self over HTTP (Webdav)
Escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself, and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPS, either to set shadow credentials or to configure RBCD.
For the system to authenticate to itself on port 80 (HTTP), the WebClient service and the Print Spooler service must be running.
To start the WebClient service, we can start responder and use net use on the target:
Start responder
On the target run:
This will fail, but start the WebClient service. To check if the service is running, you can run:
Port forward port 80 to attacker IP
Run ntlmrelayx to set shadow credentials
Coerce the system to authenticate to itself to port 80 (HTTP)
If the msDS-KeyCredentialLink is already set, you can patch ntlmrelayx to first remove the value and then set it again:
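The technique above depends on the WebClient and Print Spooler services running and on the DC accepting relayed LDAP/LDAPS binds. The following audit script is an added example, not part of the original notes, that checks a host for those preconditions and for the signing and channel-binding settings that block relay to SMB and LDAP; the registry paths and value names are the standard Microsoft ones, and the "expected" values are the hardened settings.

```powershell
# Added example: audit a Windows host for relay-enabling conditions.
# Run in an elevated PowerShell session on the host (or a DC for the NTDS checks).

$findings = @()

# 1. Services that make HTTP (WebDAV) self-authentication and spooler coercion possible.
foreach ($svc in 'WebClient', 'Spooler') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { continue }
    if ($s.Status -eq 'Running' -or $s.StartType -ne 'Disabled') {
        $findings += "Service $svc is $($s.Status) (StartType: $($s.StartType)); disable it where not required."
    }
}

# 2. Registry settings that neutralise relay to SMB and LDAP.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1
       Why  = 'SMB server signing not required (relay to SMB possible)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1
       Why  = 'SMB client signing not required' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Expected = 2
       Why  = 'LDAP signing not required on this DC (relay to LDAP possible)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LdapEnforceChannelBinding'; Expected = 2
       Why  = 'LDAP channel binding not enforced (relay to LDAPS possible)' }
)
foreach ($c in $checks) {
    # The NTDS key only exists on domain controllers; skip it elsewhere.
    if (-not (Test-Path $c.Path)) { continue }
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $v -or $v -lt $c.Expected) {
        $findings += "$($c.Name) at $($c.Path) is '$v', expected $($c.Expected): $($c.Why)"
    }
}

if ($findings.Count -eq 0) { 'No relay-enabling settings found.' } else { $findings }
```

A missing value is reported as a finding because the Windows default for each of these settings is the permissive one.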
1.5 NTLMRelay2Self WebDav without PrinterSpooler & DNS
Situation: We compromised host MS01 and have a shell with low privileges. We will let MS01 authenticate to itself over HTTP and relay the request through a SOCKS proxy, forwarding port 80, in order to set shadow credentials. With printerbug.py and PetitPotam.py you often need to provide the NetBIOS name for the coercion to work, but when going through the proxy we will not need it.
1.5.1 Tools
Chisel https://github.com/jpillora/chisel
Socat https://github.com/tech128/socat-1.7.3.0-windows (zip the files and unzip at host)
1.5.2 Setup proxy & forward port 80
1.5.3 Start WebDav
If WebDav is not started yet:
Check if WebDav is running remotely:
1.5.4 Setup ntlmrelayx over proxychains
Run ntlmrelayx over proxychains to relay to DC over LDAP
If msDS-KeyCredentialLink is already set, patch ntlmrelayx with https://github.com/fortra/impacket/pull/1402 and use the "-i" parameter with ntlmrelayx.
1.5.5 PetitPotam.py to proxy
1.5.6 Results
Inside ntlmrelayx:
Because we used "-i", it will start an interactive LDAP shell. We can connect to it using nc:
Using the GitHub patch for shadow credentials in ntlmrelayx, we can first clear the shadow credentials that were set before and then set them ourselves: