Pentesting Quick Reference OSCP and Beyond

SMB/NTLM Relay Attacks


Last updated 6 months ago

The principle of NTLM authentication is as follows. First, the client tells the server that it wants to authenticate (NEGOTIATE). The server responds with a challenge (CHALLENGE), which is nothing more than 8 random bytes. The client then computes a response over this challenge keyed with its secret, the NT hash of its password (NTLMv1 DES-encrypts the challenge with the hash; NTLMv2 computes an HMAC-MD5 over the challenge plus a client-supplied blob), and sends the result back (AUTHENTICATE).

Finally, the server performs the same computation with the stored hash for that domain and user name and compares the result with the one sent by the client. If they match, the client is authenticated. For a local account the server takes the hash from its own SAM (Security Account Manager) database; for a domain account it forwards the challenge and the response to a domain controller over Netlogon, because only the DC (in NTDS.dit) holds the hashes of domain users.

The advantage of this exchange is that it authenticates without the password, or even its hash, ever crossing the wire: the client proves possession of the secret without disclosing it. This is a challenge/response proof of possession, not a zero-knowledge proof in the cryptographic sense; the captured response still lets an attacker brute-force the password offline.

A relay attack is the act of intercepting an authentication exchange and forwarding it to a target, which is none other than a legitimate recipient of that authentication. Nothing in the NTLM exchange binds the response to the server the client believes it is talking to: the challenge and the response travel in the clear and only the hashing protects the secret. An attacker in a man-in-the-middle position therefore obtains a challenge from the real target, hands that same challenge to the victim client (which thinks it is talking to the attacker's server), and forwards the victim's valid response to the target. The target validates it and the attacker, not the legitimate client, ends up holding the authenticated session. What the attacker never obtains is the session key, which is derived from the NT hash; that is why SMB signing, where it is required, defeats the attack.
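The exchange above, including the reason signing stops it, as an added example that is not code from the page, from impacket or from Responder. It models the three parties in pure Python: the victim computes a real NTLMv2 response (NTOWFv2 and NTProofStr per MS-NLMP, over an MD4 implemented inline because hashlib often lacks it), the attacker forwards the target's challenge to the victim and the victim's answer back to the target, and the target, which is the only other party holding the NT hash, derives the session key. The user alice in domain CORP with password Winter2024! is hypothetical; the NTLMv2 blob is reduced to a client challenge (no timestamp or AV pairs) and the signing MAC is HMAC-MD5 rather than SMB2's HMAC-SHA256/AES-CMAC, which does not change the argument.

```python
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 and hashlib lacks it on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shift schedule, message-word order)
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rot((a + func(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step writes into "a"
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: HMAC-MD5 over UPPER(user) || domain, keyed with the NT hash
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()  # NTProofStr


class SmbServer:
    """Relay target: verifies the response (as the DC would) and, if signing is
    required, checks that the first request carries a MAC under the session key."""

    def __init__(self, accounts: dict, require_signing: bool):
        self.accounts = accounts            # {(DOMAIN, USER): nt_hash}; hypothetical directory
        self.require_signing = require_signing
        self.sessions = {}                  # user -> session key derived on the server side

    def challenge(self) -> bytes:
        return os.urandom(8)

    def authenticate(self, user, domain, server_challenge, proof, blob) -> bool:
        nt = self.accounts.get((domain.upper(), user.upper()))
        if nt is None:
            return False
        key = ntowf_v2(nt, user, domain)
        if not hmac.compare_digest(ntlmv2_proof(key, server_challenge, blob), proof):
            return False
        # SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr): never on the wire, needs the NT hash
        self.sessions[user] = hmac.new(key, proof, hashlib.md5).digest()
        return True

    def request(self, user, msg: bytes, signature: bytes) -> bool:
        if not self.require_signing:
            return True                     # unsigned session: any authenticated request is served
        expected = hmac.new(self.sessions[user], msg, hashlib.md5).digest()
        return hmac.compare_digest(expected, signature)


class Victim:
    """Poisoned client: answers whatever challenge the 'server' it connected to sends."""

    def __init__(self, user, domain, password):
        self.user, self.domain, self.nt = user, domain, nt_hash(password)

    def respond(self, server_challenge: bytes):
        blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(8)  # simplified NTLMv2 blob: client challenge only
        key = ntowf_v2(self.nt, self.user, self.domain)
        return self.user, self.domain, ntlmv2_proof(key, server_challenge, blob), blob


def relay(target: SmbServer, victim: Victim) -> str:
    chal = target.challenge()                                  # 1. attacker connects to target, gets its challenge
    user, domain, proof, blob = victim.respond(chal)           # 2. rogue server hands that same challenge to the victim
    if not target.authenticate(user, domain, chal, proof, blob):  # 3. victim's answer forwarded verbatim
        return "rejected"
    msg = b"SMB2 TREE_CONNECT \\\\target\\C$"
    fake_sig = hmac.new(b"\x00" * 16, msg, hashlib.md5).digest()  # attacker holds no session key; must guess
    if target.request(user, msg, fake_sig):
        return "attacker authenticated as " + user
    return "authenticated but cannot sign: session dropped"


if __name__ == "__main__":
    alice = Victim("alice", "CORP", "Winter2024!")
    accounts = {("CORP", "ALICE"): nt_hash("Winter2024!")}
    print(relay(SmbServer(accounts, require_signing=False), alice))
    print(relay(SmbServer(accounts, require_signing=True), alice))
```

Against the unsigned server the relayed AUTHENTICATE is accepted and the attacker's own command is served; against the server that requires signing the same AUTHENTICATE is still accepted, but the first request fails the MAC check because the session key is HMAC(NTOWFv2, NTProofStr) and the attacker only ever saw NTProofStr. That is the whole mitigation in one line: the relay forwards proofs, it cannot forward keys.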

NTLM relay on SMB services

A well-known protocol targeted by this type of attack is SMB (Samba is only its Unix implementation). SMB is a file-sharing protocol that natively supports NTLM authentication. SMBv1, v2 and v3 all implement message signing, the protection against relay, but by default it is merely enabled, not required, on workstations and member servers; only domain controllers require it by default. A server that does not require signing will serve an unsigned session, and an unsigned session is exactly what a relayed authentication produces. (Windows 11 24H2 and Windows Server 2025 change this default and require signing, so check each host rather than assume.)

To attack the network's SMB services, we first edit Responder's configuration file so that it does not start its own SMB (and HTTP) server; otherwise Responder would answer the poisoned victims itself instead of leaving ports 445 and 80 to ntlmrelayx. Set SMB = Off and HTTP = Off in:

nano /etc/responder/Responder.conf

We can use Nmap's smb2-security-mode script (and smb-security-mode for SMBv1-only hosts) against port 445 to identify where SMB signing is not required, and put those hosts in a targets.txt file, one IP per line.

We can also let crackmapexec (or its maintained successor NetExec, nxc, which keeps the same flag) generate the targets.txt file automatically:

crackmapexec smb --gen-relay-list targets.txt 192.168.145.1/24
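The Nmap route above, as an added example that is not code from the page: a small parser that turns the normal output of `nmap -p445 --script smb2-security-mode,smb-security-mode` into the relay target list. The scan output is constructed here, with three hypothetical hosts: a domain controller that requires signing, a member server where signing is enabled but not required, and a legacy SMBv1 host where it is disabled outright. Only the last two belong in targets.txt.

```python
import re

# Constructed sample of `nmap -p445 --script smb2-security-mode,smb-security-mode` output
# (hypothetical hosts 192.168.145.5, .20 and .31; the script wording is Nmap's own).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for dc01.corp.local (192.168.145.5)
Host is up (0.00091s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.145.20
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.145.31
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap done: 256 IP addresses (3 hosts up) scanned in 4.21 seconds
"""

# "Nmap scan report for host (1.2.3.4)" or "Nmap scan report for 1.2.3.4"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")

# Phrases printed by the two NSE scripts when signing is not enforced.
NOT_ENFORCED = ("enabled but not required", "signing disabled", "signing: disabled")


def relay_targets(nmap_output: str) -> list[str]:
    """Return the IPs whose SMB service accepts unsigned sessions, in scan order."""
    targets, host = [], None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)          # subsequent script lines belong to this host
            continue
        low = line.lower()
        if host and any(phrase in low for phrase in NOT_ENFORCED) and host not in targets:
            targets.append(host)
    return targets


def write_targets(nmap_output: str, path: str = "targets.txt") -> list[str]:
    """Write the relay list in the one-IP-per-line form ntlmrelayx -tf expects."""
    targets = relay_targets(nmap_output)
    with open(path, "w") as fh:
        fh.write("".join(ip + "\n" for ip in targets))
    return targets


if __name__ == "__main__":
    print(write_targets(SAMPLE_NMAP_OUTPUT))
```

Two practical checks before relaying: a host where the scan shows signing required (the DC here) will accept the relayed authentication and then drop the session at the first unsigned packet, so it is noise in the list; and a machine cannot be relayed back to itself, so the victim's own address must not be in targets.txt.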

Now launch Responder on the interface facing the target network. With its SMB and HTTP servers switched off it only poisons name resolution; the victims' connections land on ntlmrelayx instead.

We use impacket's ntlmrelayx to relay challenges/responses between the victim clients and the vulnerable SMB services, pointing it at the list with -tf targets.txt and adding -smb2support so that SMB2 clients are accepted.

As with the previous attack, a user's blunder (mistyping a share name, searching for a network location that no longer exists, a stale link the internal DNS no longer resolves or, if the engagement allows it, a link sent in a phishing campaign) makes the client fall back to an LLMNR or NBT-NS request on the network. Responder poisons that request and the victim connects to our machine.

ntlmrelayx takes the challenge proposed by the target server, passes it to the victim, and returns the victim's response to the server. If the target server validates the response, the session succeeds and, in its default mode, ntlmrelayx dumps the target's local SAM hashes. Note that the SAM dump only works when the relayed user is a local administrator on the target; relaying a non-admin user still yields an authenticated SMB session, but no dump.

We can also get an interactive SMB shell by adding -i: ntlmrelayx then binds a shell for the relayed session to a local TCP port (127.0.0.1:11000 for the first one) that we connect to with netcat.

Similarly, -c runs a single command on the target through the relayed session (again only when the relayed user is a local administrator there).

NTLM relay Mitigation

NTLM relay Attack Detection

See also: Hack The Box, "NTLM relay attack detection".