Skip to main content

Posts

Showing posts from August, 2018

Some smbrelay points

Points to remember to avoid confusion when doing smbrelay:

1. NTLM hashes are stored in SAM database and on DC it's on NTDS.dit database

2. Until recent the NTLM hashes were combination of LM hash 'before' the semicolon, 'after' is the NT hash. After Win Server 2008, it's abolished and only NT hash is stored.

3. NTLM v2/ Net-NTLMv2 has different format and is based on challenges/ response algo and user's NT hash. They are n/w authentication protocols.

4. Pass-the-hash (PTH) attacks are not possible with NTLM v2 hashes, but with NTLM hashes.

5. NTLM hashes can be dumped from memory using Mimikatz type of tools and we can use NT hashes for PTH attack

6. We can get NTLM v1/2 hashes using tools like Responder.

7. We don't have to crack the hashes we get from Responder, we can directly relay them to other machine.

8. SMB signing prevents this sort of attacks

9. Tools to relay: Multirelay.py or ntlmrelayx.py with Impacket library

Now steps:

1. Responder inte…