Pass the Hash

Don't bother cracking, just pass it along.

Abusing LLMNR/NBT-NS in Active Directory Domains.

Relaying vs Passing (the HASH)

NTLM hashes are the type of hash we capture with tools like SecretsDump.py when extracting the contents of a SAM database. These hashes are stored on a machine and cannot be relayed over the network. However, you can take a hash in this format and pass it to another machine using a tool like PTH-WinExe.
Net-NTLM hashes cannot be passed around the network. This means that in order to use this type of hash to authenticate to another machine, we must capture the hash while it is in transit and then relay it to the destination machine we intend to control.

Overview of the Attack

We use a tool like responder to intercept LLMNR broadcasts on the network. By responding to these requests, we are able to capture Net-NTLM hashes from the computer that initiated the broadcast request. Relaying this hash uses the same method, except that instead of presenting the hash to us (the attacker), we relay it to a different machine that we'd like to get control of. As long as the hash we captured belongs to a user who has admin rights on our target machine (the one we intend to get control of), we should be able to get command execution and take control of that machine.

Pre-reqs for this attack to work.

Setting up the attack

By default, on Kali, responder is installed in the /usr/sbin directory. We need to edit the responder config file at /etc/responder/Responder.conf and set the SMB and HTTP servers to OFF, so that responder does not answer the SMB/HTTP authentication itself and ntlmrelayx can handle it instead. After this step, we run responder with responder -I eth0 -dvw. With responder running, we now need to configure NTLMRelayx so that it forwards any captured Net-NTLM hashes to a target of our choosing. We do this with impacket-ntlmrelayx -t target-ip -smb2support. Instead of targeting a single machine, we can use the -tf targets.txt flag to provide a list of targets to ntlmrelayx.

With both responder and ntlmrelayx running, our attack is set up. We now sit back and let LLMNR do its thing. If we wanted to give it a little push, we could manually browse to a file share that does not exist, from a machine other than the one we are targeting. At this point, the hash of the user account we issued the request from will be captured and relayed to our specified target(s). If this user happens to be a local administrator on the target, ntlmrelayx will dump the SAM database by default. We could also execute a command on the target machine with the -c flag, like impacket-ntlmrelayx -t 10.0.3.7 -c "whoami".

Mitigations
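The capture-and-relay chain described above only works while LLMNR/NBT-NS still answer name queries and while the relay target accepts unsigned SMB sessions. As an added example that is not part of the original post, the following PowerShell audits a Windows host for those three conditions; it assumes it runs locally with rights to read HKLM, and the registry paths are the standard Windows policy and service keys.

```powershell
# Added audit script (not from the original post). Reports whether a Windows host
# still exposes the conditions the LLMNR/NBT-NS capture-and-relay chain depends on.
# Assumption: run locally as a user that can read HKLM.

function Get-RelayExposure {
    $findings = @()

    # 1. LLMNR: policy value EnableMulticast = 0 disables it. A missing value means enabled (default).
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $llmnr -or $llmnr.EnableMulticast -ne 0) {
        $findings += 'LLMNR is enabled (EnableMulticast is not 0)'
    }

    # 2. NBT-NS: NetbiosOptions = 2 disables NetBIOS over TCP/IP on an interface.
    #    Any other value (or no value) leaves NetBIOS name resolution answerable by a spoofer.
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' `
        -ErrorAction SilentlyContinue
    foreach ($iface in $ifaces) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) {
            $findings += "NBT-NS is enabled on interface $($iface.PSChildName) (NetbiosOptions=$opt)"
        }
    }

    # 3. SMB server signing: RequireSecuritySignature = 1 makes the host refuse unsigned sessions,
    #    so a relayed Net-NTLM authentication is not accepted even if the user is a local admin.
    $smb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    if ($null -eq $smb -or $smb.RequireSecuritySignature -ne 1) {
        $findings += 'SMB server signing is not required (RequireSecuritySignature is not 1)'
    }

    return $findings
}

$results = Get-RelayExposure
if ($results.Count -eq 0) {
    Write-Output 'OK: LLMNR disabled, NBT-NS disabled on all interfaces, SMB signing required'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it on workstations as well as servers, since the relay needs signing enforced on the destination host, not only on domain controllers.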