Points to remember to avoid confusion when doing smbrelay: 1. NTLM hashes are stored in SAM database and on DC it's on NTDS.dit database 2. Until recent the NTLM hashes were combination of LM hash 'before' the semicolon, 'after' is the NT hash. After Win Server 2008, it's abolished and only NT hash is stored. 3. NTLM v2/ Net-NTLMv2 has different format and is based on challenges/ response algo and user's NT hash. They are n/w authentication protocols. 4. Pass-the-hash (PTH) attacks are not possible with NTLM v2 hashes, but with NTLM hashes. 5. NTLM hashes can be dumped from memory using Mimikatz type of tools and we can use NT hashes for PTH attack 6. We can get NTLM v1/2 hashes using tools like Responder. 7. We don't have to crack the hashes we get from Responder, we can directly relay them to other machine. 8. SMB signing prevents this sort of attacks 9. Tools to relay: Multirelay.py or ntlmrelayx.py with Impacket library Now steps
Trying to feel 'Secure' in the world of 'Insecurities' :)
Current Online Users: