Metasploit + Python implements NTLMv2 attacks

Source: Internet
Author: User

SMBRelay attacks are an effective penetration technique. Even if the target server is diligently patched, an SMBRelay attack may still get into your important servers.

NTLM is a challenge/response authentication mechanism. In an SMBRelay attack, the attacker performs a man-in-the-middle (MITM) attack: he waits for someone on his network to authenticate to him, and vulnerability scanners and administrators' automated host-check scripts do exactly that. When such an automated process connects to the attacker, the attacker in turn connects to another system on the network (the target server). The target generates a challenge and sends it to the attacker. The attacker sends that challenge back to the original scanning system. The scanning system encrypts the challenge with the hash of the correct password and sends the result to the attacker. The attacker passes that correctly encrypted response on to the target, and the target accepts the response as valid.
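To make the mechanism concrete, here is an added toy model (not code from the article, Metasploit or Impacket) of the three parties just described: the relay forwards the target's challenge to the scanner and the scanner's answer back to the target, so it succeeds whether the response is computed in NTLMv1 or NTLMv2 style. The hash functions, names and secrets are constructed stand-ins, not the real NTLM algorithms.

```python
import hashlib
import hmac
import os

# Constructed demo secrets (not from the article); the relay never learns them.
PASSWORD = b"correct horse battery staple"
TARGET_SECRET_STORE = {"scanner_svc": PASSWORD}


def challenge_response(password: bytes, challenge: bytes, version: int) -> bytes:
    """Toy stand-in for the NTLM response, keyed by a hash of the password.
    The real NTLMv1/v2 algorithms differ, but both are pure functions of
    (password hash, challenge [, client data]); neither binds the response
    to the peer the client believes it is talking to."""
    key = hashlib.md5(password).digest()  # toy "password hash"
    if version == 1:
        return hashlib.sha256(key + challenge).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Target:
    """Server that issues a fresh challenge per session and verifies responses."""

    def __init__(self):
        self.challenge = None

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(8)
        return self.challenge

    def verify(self, user: str, response: bytes, version: int) -> bool:
        pw = TARGET_SECRET_STORE.get(user)
        if pw is None or self.challenge is None:
            return False
        expected = challenge_response(pw, self.challenge, version)
        return hmac.compare_digest(expected, response)


class Scanner:
    """Client (the nightly inventory scanner) that answers whoever it connects to."""

    def __init__(self, user: str, password: bytes):
        self.user, self.password = user, password

    def answer(self, challenge: bytes, version: int) -> bytes:
        return challenge_response(self.password, challenge, version)


def relay(scanner: Scanner, target: Target, version: int) -> bool:
    """Man-in-the-middle: forward the target's challenge to the scanner and the
    scanner's response back to the target. No password or hash is needed."""
    challenge = target.new_challenge()              # target -> attacker
    response = scanner.answer(challenge, version)   # attacker -> scanner -> attacker
    return target.verify(scanner.user, response, version)  # attacker -> target
```

The model shows why switching the response version alone does not help: the relay only forwards messages, so a defence has to bind the session to a key derived from the user's secret (which the relay cannot compute), as SMB signing does.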

POC:

Attacker IP: 10.10.12.10

Target IP address: 10.10.12.20

Nightly inventory scanner IP address: 10.10.12.19

Using Metasploit's smb_relay module, the attacker (10.10.12.10) configures Metasploit as follows:

 

A simple Windows for loop is used to simulate the scanner sweeping the server's network. Run the following command:

 

When the scanner (10.10.12.19) connects to 10.10.12.10 (my Metasploit listener), the authentication attempt is relayed to the target server (10.10.12.20).

Metasploit automatically uses the authenticated SMB session to launch a Meterpreter payload on the target.

As shown above, note what Metasploit does: the inventory scanner receives an "Access Denied" when it tries to connect to 10.10.12.10. However,

we get a Meterpreter shell from the target (10.10.12.20) running on the attacker's machine.

 

Metasploit's SMBRelay only supports NTLMv1. Therefore, you can protect yourself from this particular attack by changing a setting (open secpol.msc)...

 

Change the setting to NTLMv2 and try Metasploit again.

 

Running the Metasploit exploit now returns the error message "Failed to authenticate".

Drat! From this point of view, the stronger security protocol has defeated our plan.

However, don't worry. A foreign security team has since developed SMBRELAYX.PY, a Python script that combines a remote-execution module with the IMPACKET library.

The SMBRELAYX.PY script in the IMPACKET package supports NTLMv2!

Download the latest version of the IMPACKET package to get started. To avoid path problems, I put all the examples and other modules in the same directory and changed the imports to point to the correct directory. After a relayed authentication succeeds, SMBRELAYX runs an executable on the remote host, so create a Meterpreter EXE with msfpayload and point SMBRELAYX at it. smbrelayx.py requires two parameters:

-H is the host you want to attack, and -e is the executable to start on the remote host.

With these options set, sit back and wait for the nightly inventory scanner (10.10.12.19) to connect to your system.

Below, smbrelayx.py is invoked with the Meterpreter executable I created with msfpayload:

 

Because we use a Meterpreter reverse shell, we must also set up a handler in Metasploit, so that the payload has something to connect back to once it executes on the target:

multi/handler

 

Now the scanner (10.10.12.19) tries to connect to the attacker's Linux box (10.10.12.10).

 

The system administrator may wonder about the error "The system cannot find the path specified": why would the path not exist when the username and password did not work on the target? That message is what the smbrelayx.py script returns to the administrator, and it is more subtle than Metasploit's message and less likely to be noticed. Meanwhile, in smbrelayx.py we see the script at work immediately: it authenticates to 10.10.12.20 with the username and password from 10.10.12.19 and starts the Meterpreter service process.

 

Once the payload has been delivered to the target, the NTLMv2 authentication is complete. To keep the shell stable, we need to quickly migrate to another, more stable process (a migration script in Meterpreter can help automate this).

 

The new Meterpreter shell came from a Python module, so you can include this script in your own automated tooling.

Address: http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
