So this post is basically about why it is important to use Kerberos instead of NTLM and use SMB Signing as well. NTLM Relaying is a common man-in-the-middle attack with a high success-rate.

SMB and NTLM Relaying is dangerous, as anybody with access to the network can capture traffic, relay it and get unauthorized access to servers, applications and data.

In most enterprise cases, when a user visits a webserver, the webserver sends a 401 challenge back to our user, then browser responds and submits SSO NTLM credentials.

In this scenario the malicious webservice is hosted on our Kali attack box, where a Responder/Relaying agent is listening and waiting to grab the NTLM hash.
This NTLM auth token is then relayed and passed on via SMB connection to our victim. From this stage it is easy to get a shell via built in SMB Client or even execute a powershell command upon sucessfull relay, that bypasses endpoint security by creating a reverse TCP shell back to our attack host.

The NTLM we receive and grab is a net-ntmlv2 hash which can´t be used in PassTheHash techniques – AFAIK, BUT instead we are relaying the creds, still gaining unauthorized access to other windows services.

For attacking multiple targets at once, a multi handler would be setup e.g Metasploit or PowerShell Empire. Every target would connect back and popup shell sessions upon successfull relay.

In the below PoC video, following components exists with IPs in an isolated Lab environment:

a. Kali Box (Attacker) , ends with IP .57
b. Windows Client ( Victim 1 ), ends with IP .71
c. Windows Server ( Victim 2), ends with IP .173

So we start by setting up following on attacker side:

  • nc -lnvp 1337 (grabbing the reverse shell with netcat – could have used metasploit payload and handler but this is faster)
  • ntlmrelayx.py (Starting our Impacket relay agent)
  • python -m SimpleHTTPServer 8080 (delivering our payload to victim)
    • PowerCat.ps1 – PS payload that connects back to the netcat listener for cmd shell  – several other payloads could also be delivered, but i found this to be least noisy.

On Windows Box (B) – Victim 1 :

  • User receives “wellknown” web application url, but with an open redirection parameter injection.
  • URL redirects our user to our Kali attack box, supplying Windows credentials in NTLMv2 format.

The NTLM hash is retrieved and relayed to our final target Windows Server (Victim 2), upon successfull relay, a Powershell reverse shell is executed and connecting back to our Kali listener on port 1337. Root/system shell obtained.
To perform this attack successfully, SMB Signing would need to be disabled on the victim, additionally NTLM creds would need to be submitted. User would need to be tricked into visiting our malicous website or smb share, several options exists here; XSS, Open Redirection, PDF file etc. etc.
(Note. crackmapexec can quicky scan a subnet and log all windows hosts with smb signing off)

High-level Overview :

SMB-Relay-v2

Video PoC:

In this video, we are simulating that an end-user is visiting an malicious web site, with open redirection against our attacker box.

BadPDF Method:

In this video, we are simulating that an end-user receives a PDF file and ignores the warning pop-up box, thus connecting via SMB to our attacker box.

Summary:

Notes:

Other protocols can also be relayed if not secured properly as LDAP, SMTP, SQL, HTTP etc…

XSS – Could be used for Cookie Hijacking and Account takeover, or simply redirect users to a malicious site.

Open Redirect – Could be part of a phishing attack where user gets redirected to a malicious site for credentials sniffing.

Mitigation:

Move to Kerberos as authentication protocol and use SMB Signing.
For the web vulnerabilities mentioned here, always sanitize and validate user input – never trust user input.

NTLM and SMB Relay Attack
Tagged on: