USING SMBRELAY WITH MICROSOFT ACCESS TOKENS
Introduction
Performing an effective yet time efficient internal assessment can be a challenge. Whether you as an auditor follow a methodology or simply “hack free style” there will always be the typical tasks and the more challenging complex ones that require more dedication. Some examples of what may be refereed to as typical attacks include:
- Running your favorite vulnerability scanner
- Firing up Metasploit to exploit your findings
- Running your brute force software
Other tasks that require more dedication may include:
- An SMBRELAY attack
- Pass the hash
- Token impersonation
- ARP poisoning
This article will focus on some shortcomings of the current SMBRELAY tools that are out there and how to use it in parallel to your typical tasks. We will demonstrate how with some tweaks on the tool, it would be possible to turn the SMBRELAY attack into a very simple task that you can run in the background throughout the assessment.
Here’s what will happen, you will run it, keep it on the side and start the other tasks in your assessment. Lets assume your assessment is 7 days long, in 7 days you may be lucky enough to relay a domain administrator’s hashes and become a domain admin without putting much effort and most importantly without having to perform any token abuse attacks.
The setup
Victim 1: A workstation that is part of the domain we are targeting. We will not compromise this workstation, instead we will use it to compromise another machine. The domain admin will be using this machine during the attack.
Victim 2: A workstation that is part of the domain we are targeting. We will be getting domain admin on that machine.
Attacker: The workstation of the attacker is not part of the domain
The scenario:
The end goal is that the attacker will make it seem like victim 1 is authenticating to victim 2. Below are some statements that would simplify the concept:
- In victim 1’s perspective, the attacker is simply a workstation which has a file being shared. victim 1 needs to download the file
- In victim 2’s perspective, the attacker is victim 2 trying to authenticate to it
Below are the steps of the process:
Step 1: The attacker will somehow trick victim 1 into opening a shared file on the attacker’s machine
Step 2: When victim 1 does so (with domain admin privileges), Microsoft Windows will automatically ask the attacker’s machine for a “challenge” string in order to authenticate as well as the cleartext username
Step 3: The attacker will attempt to connect to Victim 2 and request for a “challenge” (as if the attacker is victim 1). The attacker will also send the same username sent to him by victim 1
Step 4: Victim 2 will generate a random string which is the challenge and send it to the attacker
Step 5: The attacker will forward that same challenge to victim 1 (as if the attacker is victim 2)
Step 6: Victim 1 will use his password hashes to further hash the challenge (this is called the response)
Step 7: Victim 1 will forward the response to the attacker in an attempt to authenticate
Step 8: The attacker will simply forward the response to Victim 2 as if he is authenticating to victim 2
Step 9: Victim 2 will forward the response and challenge as well as cleartext username sent by the attacker.
Step 10: The domain controller has the domain admin’s hashes so it uses them to hash the received challenge (from victim 2) and compare the result with the received response (from victim 2). If they matched, the domain controller will will send a message to victim 2 indicating that authentication was succefull
Step 11: The attacker is now authenticated as a domain admin on Victim 2. He will use the MS file sharing to upload a backdoor
Step 12: The attacker will use MS service manager to create a service which simply runs the backdoor
Step 13: When the service starts, the backdoor runs and the attacker will gain access to the victim’s machine as a system admin
The problem with SMBRELAY
Most windows workstations nowadays are configured to authenticate through NTLMv2 challenge and response hashes. Unfortunately the SMBRELAY tool in Metasploit and SMBRELAY2 both don’t work on NTLMv2. After performing some testing we found an interesting project called SMBRELAYX. This tool is coded in Python and it works like a charm in relaying NTLMv2 hashes.
