Active Directory Attack - SMB Relay
The next common attack I am covering is SMB Relay. Once again using TCM Security's YouTube video as a guide, the setup is rather straightforward.
However, it should be noted that the Domain setup walkthrough does not mention turning on Network sharing. This is an important step for this attack to work.
What is SMB Relay?
SMB Relay (using the tools Responder and ntlmrelayx) allows an attacker to pass-the-hash of a user who has local administrator rights on multiple computers, logging in as that user on the endpoint we are attacking.
The scenario is this:
1. First, we identify hosts on the network where SMB Signing is disabled or not required, using an nmap script:
sudo nmap --script=smb2-security-mode.nse -p445 192.168.62.0/24
Note: Domain Controllers have SMB Signing ENABLED by default.
2. You modify the Responder.conf file to turn off the HTTP and SMB settings. This allows you to pass everything you find to ntlmrelayx, instead of the way we did it before with LLMNR poisoning.
3. Next, we start up Responder as we have done before and verify that the settings we turned off are indeed turned off.
sudo python3 Responder.py -I eth0 -dw -v
4. We can now create a targets.txt file for ntlmrelayx to use. It essentially tells the tool which hosts to pass-the-hash to.
5. Now we can use ntlmrelayx to "pass-the-hash" of the local admin user we capture. After we start the tool, we wait for a user to access a share (as with LLMNR poisoning; for example purposes we are connecting directly to our Kali machine IP).
ntlmrelayx.py -tf targets.txt -smb2support
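Step 1 above is the part a defender can run on their own network: the nmap smb2-security-mode script tells you which hosts will accept an SMB session without signing, and those are exactly the hosts a captured authentication could be relayed to. The following script is an added example, not code from the original article or from TCM Security. It parses nmap's normal (-oN) output for that script and reports which hosts have signing not required. The scan output it contains is constructed for this example (the 192.168.62.0/24 addresses come from the article's scan range, the results are made up), and the "Message signing ..." phrases are assumed to mirror the wording the NSE script prints; the parser keys only on the words "required" / "not required" so minor wording differences do not break it.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `nmap --script=smb2-security-mode -p445` normal output.
# Hosts and results are made up for this example; the signing strings are
# assumed to mirror what the NSE script prints (not copied from a real scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.62.10
Host is up (0.00042s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.62.21
Host is up (0.00051s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.62.22
Host is up (0.00038s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing is disabled and not required!

Nmap scan report for 192.168.62.30
Host is up (0.00040s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"Message signing (.+?)\s*$")


def parse_smb_signing(nmap_text):
    """Map each scanned host to its SMB2 signing status.

    Returns a dict: host -> "required", "not_required" or "unknown"
    ("unknown" = port closed/filtered or the script produced no result).
    """
    status = {}
    current = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            status[current] = "unknown"
            continue
        m = SIGNING_RE.search(line)
        if m and current:
            text = m.group(1).lower()
            # "enabled but not required" and "disabled and not required" both
            # mean a client can complete the session without signing it.
            status[current] = "not_required" if "not required" in text else "required"
    return status


def relay_exposed_hosts(nmap_text):
    """Hosts that accept unsigned SMB sessions, i.e. hosts a relayed
    authentication would succeed against and whose signing policy needs fixing."""
    return sorted(h for h, s in parse_smb_signing(nmap_text).items() if s == "not_required")


def summarize(nmap_text):
    """Count hosts per signing status, e.g. {"required": 1, "not_required": 2, ...}."""
    counts = defaultdict(int)
    for s in parse_smb_signing(nmap_text).values():
        counts[s] += 1
    return dict(counts)


if __name__ == "__main__":
    # Pass a saved nmap -oN file as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for host in relay_exposed_hosts(text):
        print(f"{host}: SMB signing not required (relay exposure, enforce signing)")
    print(summarize(text))
```

Run it against a saved scan (`sudo nmap --script=smb2-security-mode.nse -p445 192.168.62.0/24 -oN scan.txt`, then `python3 smb_signing_audit.py scan.txt`); on the built-in sample it flags 192.168.62.21 and 192.168.62.22, while the host with signing required (as a Domain Controller would show by default) is left out.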
Taking the attack a step further
Well, that was fun. What's next?
Get a shell, of course. There is a simple flag to add that will add an interactive shell to allow browsing and modification of the contents on the endpoint we compromised using the local admin credentials.
Here's how it works:
1. We add the -i flag to the ntlmrelayx command to get an interactive shell:
ntlmrelayx.py -tf targets.txt -smb2support -i
2. Using the netcat tool, we connect to localhost on the port number shown in the output above.
nc 127.0.0.1 11000
3. Now we can navigate through the directories and files of the endpoint we have compromised with admin rights.
use ADMIN$
ls
Overall, this was quite a bit of fun. I ran into some issues with trying to go too fast (excited!) and accidentally logged into the computers with the wrong accounts to make the attack work. Once I figured out that was the case, it was a simple matter to log into the machine that is "passing the hash" as my local admin user. The other endpoint was logged into as a local user without any admin rights.
Next up are defense strategies for LLMNR and SMB Relay for System Admins to use in an effort to prevent these attacks.
Network Field Technician | Penetration Tester | Security Researcher | Helping secure SMBs & individuals against cyber threats | eJPT | ISC2 CC
James S. (1 month ago): This is a great demonstration on the simplicity of this attack. No wonder it's commonly exploited when present.