AD
ActiveDirectory
Responder
Impacket
NTLM
Poisoning
MITM
NTLM is a proprietary Microsoft authentication protocol. It was used on servers older than Windows 2000, before Kerberos became its successor for authentication in Windows systems.
The NTLM authentication protocol authenticates users and computers with a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.
To prepare our AD lab we need:
We are going to set up a relay attack. An NTLM relay attack consists of capturing the hashes obtained through LLMNR poisoning and, instead of cracking them, relaying them to another machine to try to get more information.
First we have a local user account; in my case it is Alex Mason:
Inside the Windows Server we have to open this; if for some reason you can't, you can go to the containing folder and open it from there.
Click on Edit.
Open Computer Configuration, then Policies, then Windows Settings, then Security Settings; next click on Local Policies and then on Security Options.
You have to search for Microsoft network client: Digitally sign communications (always) and
the other one that is the same except that it ends with (if server agrees), and disable both:
You have to double-click on each GPO setting and set it to Disabled.
Now reboot your machine, and remember to change the name of the machine so it is easy to identify.
Now go to one of the two Windows 10 machines. In my case I use the first machine, called BRAVO. We are going to make Frank Woods a local Administrator, because the account that we are relaying has to be an administrator, or at least have access to this machine.
So go to Computer Management -> Local Users and Groups -> Groups
Click on Administrators and add Frank Woods (fwoods).
With this configured, we are now going to create a folder on C:\ called misions and share it with Read/Write permissions only for Administrator and Frank Woods.
Now remember that this is a MITM technique, so to understand it well, think of your Kali machine listening in the middle of the network: when somebody asks you for a resource, you forward that request to the SMB share we configured before.
With this clear, it's time to use the Kali machine:
We have to edit the Responder config to disable the SMB server and the HTTP server.
We have to go to:
cd /usr/share/responder
And we have to edit Responder.conf:
sudo nano Responder.conf
With this config changed, save the file and start Responder like in the previous post:
sudo python3 Responder.py -I eth0 -w
The -w flag activates the WPAD proxy.
In this case we have the HTTP and SMB servers off, and with this we are listening for events to happen. When we receive the hash we are going to use a tool called ntlmrelayx,
and we are going to use it to relay the NTLM hash so we don't have to crack it: we take the hash, pass it to an SMB server and try to gain access that way. This is where SMB signing is important: we can only do this technique because we disabled it, as we did above.
Now it's time to go to your impacket examples folder in a new terminal.
In my case I downloaded it to /opt; if you don't have it you can do a git clone:
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
Inside the impacket folder, create a file called target containing the IP of the target, which is the machine that shares the folder. We can do it with the following command:
echo 192.168.1.201 > target
With all of this ready we have to execute the ntlmrelayx.py script.
We are going to use:
python3 ntlmrelayx.py -tf target -smb2support
The -tf flag selects the target file.
-smb2support simply adds SMB2 support to the relay.
When we start the script it should look like this.
With all of this prepared, log in to CHARLIE as Frank Woods:
Now, in the search bar of a folder, enter the Responder IP:
After that you should receive the hashes in the terminal:
Now we can see that we received the connection from 192.168.1.202 and it attacks 192.168.1.201.
And that's all: the NTLM relay technique is complete. The connection was made and the machine dumped its local SAM hashes. With these we can try to log in with the Alex Mason hash to gain access to the computer, we can try to pass these hashes around the network to see what we can do, or finally we can try to crack them with hashcat as we did in the last post.
In another post we are going to explain how to obtain a shell using the SMB relay technique.