Exploitation - NTLM capture and relay
Overview
The LLMNR and NBT-NS poisoning attack, combined with the SMB Relay attack, or NTLM Relaying, can be used to gain an authenticated access to servers by capturing local network SMB authentication traffic and relaying it to targets servers.
Even when the organization has good patch management practices, this reliable and effective attack can almost always be leveraged to obtain an initial foothold.
LLMNR and NBT-NS poisoning
The Link-Local Multicast Name Resolution (LLMNR) and Netbios Name Service (NBT-NS) protocols can be abused to intercept local network traffic.
These protocols allow machines on the same subnet to identify hosts when DNS resolution fails. A Windows machine first tries to resolve a hostname through the Domain Name System (DNS) protocol. If DNS resolution fails, then broadcast LLMNR and / or NBT-NS requests will be sent over the local network in an attempt to ask all other machines on the local network for the associated IP address.
An attacker can listen on a network for these LLMNR (UDP: 5355) or NBT-NS (UDP: 137) broadcasts requests and respond to them, thus pretending to be the requested host.
Note that following the Microsoft security bulletin MS16-077 (Security Update for WPAD), the location of the WPAD file (which provide the client its proxy settings) is no longer requested via broadcast protocols, such as LLMNR and NBT-NS, but only via DNS.
NTLM relaying
The NT LAN Manager v1 and v2 authentication process, used in by the Server Message Block (SMB) protocol can be subverted.
The attack unwinds as follow:
The victim tries to authenticates himself to a server (
SMB_COM_NEGOTIATERequest)The authentication request is intercepted by an attacker
The attacker initiates an authentication procedure to a targeted server and retrieves an authentication challenge (
NTLM_CHALLENGE_MESSAGE) from this serverThe attacker forwards this challenge to the victim
The victim answers the challenge to the attacker (
NTLM_AUTHENTICATION_MESSAGE)The attacker can then relay the victim challenge response to the targeted server to authenticate as the victim
If the victim has local admin rights on the server, an complete access can be acquire
Since MS08-068 you cannot relay a Net-NTLM hash back to the same machine you got it from (e.g. the 'reflective' attack) unless you're performing a cross-protocol relay.
For the attack to work, SMB Signing needs to be disabled on the targeted machine. While SMB packet signing is available in all supported versions of Windows, it is enabled by default on Domain Controllers.
NTLM authentication capture
LLMNR and NBT-NS poisoning in practice
LLMNR detection
If, after a while, no NTLM authentication are captured using the tools listed below, nmap and the Metasploit's auxiliary/scanner/llmnr/query module can be used to check whether or not hosts on the local subnetwork have the LLMNR protocol enabled.
Note that even if LLMNR is disabled, system have been hardened but NBT-NS may still be enabled.
To check if a specific host, identified by its hostname, has LLMNR activated:
Responder
Responder can be used to conduct the LLMNR and NBT-NS poisoning attack.
The original version of Responder on SpiderLab's Github repository isn't maintained so lgandx's fork should be prefered instead.
To capture and crack offline the hashes captured, Responder SMB and HTTP servers should not be disabled. The authentication attempt won't be transmitted to the relay servers and no NTLM relaying will be conducted.
Responder can be configured to automatically attempt to downgrade the authentication to use the NetNTLMv1 protocol against clients with a LMCompatibilityLevel attribute set to 2 or lower (which is usually the case for environment with Windows XP / Windows server 2003 operating systems). NetNTLMv1 hashes can be cracked in order to retrieve the client NTLM hash, with the exhaustion of all possibility in a matter of days on a modern crackstation. Additionally, www.crack.sh provides a rainbow table for NetNTLMv1 hashes obtained with the challenge 1122334455667788. Useable for free, this rainbow table allows crack.sh to achieve an average crack time of 25 seconds and a success rate of 99.5%.
Responder can be configured to make use of this specific authentication challenge:
NetNTLMv1 hashes follow the format <USERNAME>::<HOSTNAME>:<RESPONSE>: <RESPONSE>:<CHALLENGE>, with NTHASH:<RESPONSE> being the format accepted by www.crack.sh.
Otherwise, NetNTLMv2 hashes can be cracked using hashcat:
To relay NTLM authentication, Responder's SMB and HTTP servers should be disabled:
With those servers turned off, the authentication attempts captured can be automatically transmitted to MultiRelay.py or ntlmrelayx.py's SMB and HTTP servers for the relay attack.
Responder usage:
Inveigh
Inveigh is a PowerShell script that implements LLMNR, NBNS, mDNS / DNS spoofing capabilities and can capture NetNTLMv1 / NetNTLMv2 authentication requests over the SMB and HTTP / HTTPS protocols.
It can notably be used after the initial compromise of a Windows machine, and offer some spoofing and capture functionalities even if being run as an unprivileged user. While elevated privileges are required in order to capture authentication requests over the SMB and HTTPS protocols, the spoofing capabilities and capturing should work pra users will not
ADIDNS spoofing
In an Active Directory environment, the Domain Controllers will usually expose DNS services, that store their DNS zones in Active Directory Domain Services (AD DS). This DNS topology is known as Active Directory-Integrated DNS (ADIDNS).
The DNS zones replication to the different Domain Controllers is integrated to the overall Active Directory replication process. In multi-site Active Directory infrastructures, the replication between sites of DNS record modification may take up to three hours.
The following DNS-specific application directory partitions are created during AD DS installation:
A forest-wide application directory partition, called
ForestDnsZonesDomain-wide application directory partitions for each domain in the forest, named
DomainDnsZones
By default, any domain authenticated user may remotely add record to an ADIDNS zone through DNS dynamic updates (DNS specific protocol), thanks to the CreateChild right on the DomainDnsZones domain object. Existing records can be updated or deleted by privileged domain groups, such as the Domain Admins, Enterprise Admins, or DnsAdmins groups, as well as the owner (by default the creator) of the record.
While requiring valid domain credentials and potentially waiting for a replication time, spoofing ADIDNS records allows to target users and computers across the domain with out being limited to the local subnetwork.
The PowerShell Powermad module implements cmdlets that leverage the DNS dynamic updates functions to interact with ADIDNS zones:
IPv6 rogue DHCP server
By default, every Windows system (starting from Windows Vista) will request, upon booting and periodically, an IPv6 configuration through the Dynamic Host Configuration Protocol version 6 (DHCPv6) protocol by broadcasting a Solicit request. The mitm6 Python utility will listen on the network for such DHCPv6 requests and reply to the emitting hosts, assigning them an IPv6 address within the link-local range and setting the attacking machine's IP as their default IPv6 DNS server. As no IPv6 gateway is specified by mitm6, the victim hosts will not attempt to use IPv6 for communication with hosts outside the link-local network. The DNS server maliciously configured on a victim host will be preferred to the host's IPv4 DNS server and used to query for both A (IPv4) and AAAA (IPv6) DNS records.
In addition to listening for DHCPv6 requests, mitm6 will (by default, although optional) regularly broadcast ICMPv6 Router Advertisements (RA) messages to announce to the link-local network hosts that an IPv6 network is deployed and that an IPv6 address should be requested via DHCPv6.
Immediately after the attacking machine has been configured as the DNS server of a victim host, mitm6 will receive DNS requests from the victim host for a Windows Proxy Auto Detection (WPAD) service, in the form of DNS queries for wpad.<DOMAIN_FQDN | HOST_NETWORK_INTERFACE_SUFFIX>. mitm6 will respond to such queries by returning the attacking machine's IP as the requested WPAD host. As following the Microsoft security bulletin MS16-077 (Security Update for WPAD) authentication cannot be directly requested by the WPAD server, mitm6 will instead provide the victim host with a valid WPAD file that configure the attacking machine's IP as its proxy. Further HTTP requests made by the victim host will be intercepted and replied to with a HTTP 407 Proxy Authentication required HTTP response. The Internet Explorer (IE) / Edge and Chrome web browsers (which rely on IE's settings) will automatically authenticate to the proxy under the user identity using NTLM, while Firefox will not by default.
Note that in environment making use of WPAD, mitm6 will provide a WPAD wpad.dat file over the legitimate WPAD servers, which may cause connectivity issues on the victim hosts, such as an impossibility to reach the Internet. However, in order to minimize network impact, mitm6 defines a DHCP lease of 5 minutes and sends DNS records with a Time to Live (TTL) limited to only 100 seconds. Thus, a victim host configuration will be back to normal within a few minutes of mitm6 stopping.
mitm6 should be used in combination with the Impacket's ntlmrelayx.py utility, which will provide the WPAD server and relay the NTLM authentication request. Refer to the IPv6 WPAD relay section below for more information on how to execute ntlmrelayx.py.
MSRPC MS-RPRN "printer bug"
On a machine running the Spooler Service (which is the case by-default for all Windows systems), the RpcRemoteFindFirstPrinterChangeNotification(Ex) function of the Print System Remote Protocol, exposed on the MS-RPRN MSRPC interface, can be called by any domain user to force the machine to authenticate to the specified remote system.
The NTLM authentication can be thus be captured and eventually relayed. For more information on how to identify the MSRPC interface and call the RpcRemoteFindFirstPrinterChangeNotification function, refer to the [L7] MSRPC note.
MSRPC MS-EFSRPC - PetitPotam
Similarly to functions exposed by the MS-RPRN MSRPC interface, a number of functions of the MS-EFSRPC MSRPC interface can be abused to coerce hosts to authenticate to an arbitrary (and possibly controlled) machine.
Refer to the [L7] MSRPC note for more information and tooling (PetitPotam) to coerce authentications through the MS-EFSRPC interface.
Microsoft SQL Server (MSSQL)
The (undocumented) xp_dirtree, xp_fileexist and xp_getfiledetails SQL stored procedures can be used to access files on remote systems over SMB from a MSSQL service. By default, the account connecting to the database should only require the PUBLIC role to execute the procedures.
The account running the SQL service, be it a local or domain joined account, will authenticate to the SMB share by completing a Net-NTLMv1 or Net-NTLMv2 challenge. The challenge can be captured and eventually relayed.
For more information, refer to the [L7] MSSQL note.
"Theft" files
Various file types can include content that will automatically trigger an access to a remote SMB network share (requiring an authentication), upon the opening of the file or a browsing to a folder containing the file.
This technic can be leveraged:
in phishing scenarios, both internal and external if the targeted entity allows outbound
SMBtrafficfrom an initial breach inside the internal network / Active Directory domain by uploading the file to a network share.
PingCastle's share module may be used to identify SMB network shares accessible by all domain users and that could be targeted by such attack. Refer to the [ActiveDirectory] AD scanners note for more information on how to use PingCastle.
The following file types and files can notably be used to trigger an access to the specified SMB service upon the browsing of an user to the directory containing the file:
Internet Shortcutfiles (.url)Windows Explorer Commandfiles (.scf) - not supported on recent Windows operating systems.autorun.inf/desktop.ini- not supported on recent Windows operating systems.
The following url and scf files may be used as a template:
url URL field
url IconFile field
scf
The ntlm_theft.py Python script allows for the generation of various "theft" files, such as url, scf, docx, xlsx, pdf, etc:
Exchange Web Services (EWS) SOAP API
TODO
NTLM authentication relay
Hosts with SMB signing disabled
First, a list of host with SMB signing must be gathered.
Either nmap, CMEv4 or PingCastle (personal favorite) can be used to gather a list of host with SMB signing disabled and output the result to a file:
Relay primitives to SMB, LDAP/S, MSSQL, HTTP/S services
The Impacket's ntlmrelayx.py or MultiRelay.py, that comes with the Responder toolkit for example, Python scripts can be used to relay the NTLM authentication.
By default, ntlmrelayx will dump the SAM base of the system the authentication is relayed to. As that functionality may sometimes fail, the execution of a unitary command could be preferred instead.
ntlmrelayx additionally implements the deployment of a SOCKS server that holds all the relayed sessions active and serves them to SOCKS clients. When started with the -socks option, ntlmrelayx will keep the authenticated sessions on hold, through protocols specific KeepAlive methods, and will allow SOCKS clients to connect to the targeted remote host through the SOCKS server by leveraging an active session. More information on the implementation can be found on the Impacket maintainer's blog: https://www.secureauth.com/blog/playing-relayed-credentials.
ntlmrelayx supports relaying NTLM authentication through the following protocols:
SMB/SMB2LDAP/LDAPSMSSQLIMAP/IMAPSHTTP/HTTPSSMTP
The authentication can be relayed to a specific service (such as smb://<TARGET_IP | TARGET_HOSTNAME>, ldaps://<TARGET_IP | TARGET_HOSTNAME>, etc.) or to all services (all://<TARGET_IP | TARGET_HOSTNAME>) of the targeted system.
IPv6 WPAD relay
The Impacket's ntlmrelayx.py utility can be used to relay NTLM authentication captured using the mitm6 utility.
Account takeover through relaying to Active Directory Certificate Services (ADCS)
If an Active Directory Certificate Services (ADCS) is configured in the environment, and a number of prerequisites are meet (detailed below), NTLM authentication can be relayed to ADCS to request a certificate under the identity of the relayed account. If an authentication for a Domain Controller is relayed, for instance by exploiting MS-EFSRPC RPC functions (PetitPotam attack), a certificate for the DomainController template may be obtained, and DRSUAPI replication (DCSync attack) further undertaken using the certificate.
The following conditions must be satisfied for the attack to be exploitable:
ADCSmust expose either theCertificate Authority Web EnrollmentorCertificate Enrollment Web Serviceservice.The web enrollment services must be exposed over
HTTP(and not onlyHTTPS) and theNTLMExtended Protection for Authentication (EAP)extension must not be required for theADCSwebservices. TheNTLMEAPextension, working only overHTTPS, add a binding for theSSL / TLScertificate (in theNetNTLM' response'sChannel Bindingsattribute) for which theNTLMauthentication was initially addressed. Upon reception of theNetNTLMresponse, the webserver supportingEAPwill be able to validate that the authentication was initially addressed to it (and not to another webserver and relayed to it).NTLMauthentication is not disabled at a domain level orADCSlevel.
For more information on the defensive mitigations that can be deployed in ADCS to prevent NTLM relaying, refer to the Microsoft KB5005413.
Machine takeover through relaying and Kerberos resource-based constrained delegations
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
ATTACK 4:RESOURCE BASED CONSTRAINED DELEGATION ANYONE?
Machine takeover through relaying and Shadow Credentials
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
Attack 5: LDAP is Fun, Especially With Shadow Credentials
References
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
https://www.secureauth.com/blog/playing-relayed-credentials
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc160954(v=msdn.10)?redirectedfrom=MSDN
https://github.com/NotMedic/NetNTLMtoSilverTicket
https://blog.netspi.com/exploiting-adidns/#adidnszones
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
https://www.synacktiv.com/publications/dissecting-ntlm-epa-with-love-building-a-mitm-proxy.html
https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
Last updated