NTLM Relaying 101 - How to make your internal pentests pop
blindgamer7
Jun 13, 2024
Relaying 101
How to make your internal pentests pop
Jean-Francois Maes
Practical Information
•Workbook link: https://jfmaes-1.gitbook.io/ntlm-relaying-like-a-boss-get-da-before-lunch/setup
•VM downloads –
What this workshop is about / Who is this workshop for?
•This workshop is for internal pentests – no red team shenanigans here
•This workshop does not care about detection – NTLM relaying is very much a jackhammer approach, not a surgical one
•The intended audience for this workshop is beginning pentesters or people interested in learning about these attacks. If you are already comfortable with relaying attacks, this workshop is likely not for you.
Agenda
•Introducing “DA LAB”
•A “classic” internal pentest scenario – Why care about relaying anyway?
•A brief look at NTLM authentication
•Broadcast traffic = best traffic – Why is relaying still successful?
•Respond to all the things!
•All hail RPC (and IPv6)
•Relay options and gotchas
•Q&A
DA LAB
Quite simple setup really!
- 1 domain (ntlmrange.local)
- 1 DC – any Windows Server OS
- 1 “FileServer” – any Windows Server OS
- 1 “victim” – any Windows OS
- 1 attacker-controlled machine (any Linux distro you want)
Configuration
JUST KIDDING
Since relaying doesn’t play well in the cloud, we are going to use our local computer to run the lab. VMs can be downloaded, but can be set up yourself as well; it is in the workbook.
DA LAB
•Some setup required!
•MAKE SURE your VMs are in the same subnet and can ping each other
•MAKE SURE your DC can still reach the internet: use NAT or bridged networking, set the primary DNS server to the DC itself and the fallback DNS to a well-known DNS provider like 8.8.8.8 or 1.1.1.1
•When joining the other VMs to the domain, DO NOT use a secondary DNS; set DNS to the DC IP only
A “classic” internal pentest scenario
“You have been tasked to assess the internal security posture of Tegridy Farms. In order to perform this assessment, Tegridy Farms has granted you permission to come test on site as if you were a malicious insider, or allows you to place an attacker-controlled device in the network with secure remote access.”
WHAT DO YOU DO?
Thought process – What is the first step in both?
Reconnaissance
•AD objects…
•LDAP interaction required!
•If you are lucky, you can null bind (anonymous read access)
•Usually disabled though, so no creds, no recon!
•Can sometimes be “bypassed” if they are using predictable naming conventions or very short usernames like AA0000
Reconnaissance
So, if no null bind and no creds… AD objects are out of the window...
Is there anything else we can do?
Broadcast Traffic = Best Traffic
•Most broadcast traffic is legacy DNS fallback protocols like LLMNR and NBT-NS
•If DNS doesn’t resolve a name, the system sends a broadcast message to ask if anyone knows who xxx is
•All we have to do is reply that we are xxx, and get that sweet authentication request
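The fallback described above is also what gives it away on the wire: a legitimate host answers LLMNR only for its own name, while a poisoner answers for every name it sees. The following added example (not part of the workshop or its workbook) builds a few constructed LLMNR messages, parses them, and flags any source that answers queries for several distinct names; the IPs, names and the threshold are assumptions for illustration.

```python
import struct
from collections import defaultdict
from typing import Optional

# LLMNR (RFC 4795) reuses the DNS header and record layout; it runs over UDP 5355
QR_RESPONSE = 0x8000  # QR bit in the flags field: set on answers, clear on queries

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_name(buf: bytes, off: int):
    """Decode labels starting at `off`; returns (name, offset after the terminator)."""
    labels = []
    while buf[off] != 0:
        ln = buf[off]
        labels.append(buf[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), off + 1

def build_llmnr(txid: int, name: str, answer_ip: Optional[str] = None) -> bytes:
    """Constructed LLMNR type-A/IN query, or a response carrying answer_ip when given."""
    flags, ancount = (QR_RESPONSE, 1) if answer_ip else (0, 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)  # header: id, flags, qd, an, ns, ar
    msg += encode_name(name) + struct.pack("!HH", 1, 1)         # question: name, type A, class IN
    if answer_ip:  # answer RR: name, type, class, TTL, rdlength, 4-byte address
        rdata = bytes(int(o) for o in answer_ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return msg

def parse_llmnr(msg: bytes) -> dict:
    txid, flags, _qd, ancount = struct.unpack("!HHHH", msg[:8])
    name, _ = decode_name(msg, 12)  # first question follows the 12-byte header
    return {"id": txid, "is_response": bool(flags & QR_RESPONSE), "name": name, "answers": ancount}

def find_poisoners(packets, threshold: int = 2) -> dict:
    """packets: iterable of (src_ip, llmnr_payload). A host answering for `threshold`
    or more distinct names is behaving like a responder, not like a normal member."""
    answered = defaultdict(set)
    for src, payload in packets:
        rec = parse_llmnr(payload)
        if rec["is_response"] and rec["answers"]:
            answered[src].add(rec["name"].lower())
    return {src: sorted(n) for src, n in answered.items() if len(n) >= threshold}

# Constructed capture: a mistyped share name and a WPAD lookup both get "answered" by 10.0.0.99,
# while 10.0.0.20 answers only for its own hostname.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_llmnr(0x1001, "fileserv")),
    ("10.0.0.99", build_llmnr(0x1001, "fileserv", "10.0.0.99")),
    ("10.0.0.5", build_llmnr(0x1002, "wpad")),
    ("10.0.0.99", build_llmnr(0x1002, "wpad", "10.0.0.99")),
    ("10.0.0.7", build_llmnr(0x1003, "FILESERVER")),
    ("10.0.0.20", build_llmnr(0x1003, "FILESERVER", "10.0.0.20")),
]
```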
Respond to all the things!
All hail RPC! (and IPv6)
•What if there is no broadcast traffic? Are we stuck?
•Nope. Several RPC calls can coerce authentication, though some have specific requirements, such as a particular service that needs to be running (for example the Print Spooler)
•If the environment is not using IPv6 but systems are configured (the default) for IPv6 solicitation, we can poison that as well.
Relay Options and gotchas
Option 0: Just listen
Option 1: Taking a dump
Option 2: Are you wearing socks?
Option 3: Authenticated recon baby!
Option 4: RBCD
Option 5: Shadow credentials
A “classic” internal pentest scenario
RELAY ALL THE THINGS!
Q&A
SHOUTOUTS
•Hack n Do
•Bytebleeder
•Hacker Recipes
•SpecterOps
•Dirkjan (and Fox-IT)
•MDSec
•James Forshaw
•Klezvirus
•pythonresponder
•All contributors to impacket and responder
•And many, many more…