Pass the Hash

Abusing LLMNR/NBT-NS in Active Directory Domains.

Relaying vs Passing (the HASH)

• You CAN perfrom Pass-The Hash attacks with NTLM hashes.
• You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.

NTLM hashes are the type of hashes that we capture with tools like SecretsDump.py to extract the contents of a SAM database. These types of hashes are stored in a machine and cannot be relayed over the network. However, you can take a hash in this format and pass it to another machine using a tool like PTH-WinExe.
Net-NTLM hashes cannot be passed around the network. This means that inorder to use this type of hash to authenticate to another machine, we must capture this has while it is in transit and then relay it to the destination machine, which we intend to control.

Overview of the Attack

We use a tool like responder to intercept and LLMNR broadcast on the network. By responding to these requests, we are able to capture Net-NTLM hahses from the computer that initiates the broadcsast request. Replaying this hash uses the same method, except, instead of presenting the hash to us (the attacker), we relay it to a different machine that we’d like to get control of. As long as the hash we captured belongs to a user who has admin rights on our target machine (the one which we intent to get control of), we should be able to get command execution to take control of that machine.

Pre-reqs for this attack to work.

• We must be in the same network as the victim(s)
• LLMNR must be enabled in the network.(enabled on Windows by default)
• SMB Signing must be disabled/not required on the target machine. (By default, all Windows workstations have this disabled/not required, whereas all Windows servers have this set to Enabled and Required). This means that we cannot use this attack to get control of a server machine.
• The Net-NTLM hash we capture must belong to an elevated user on the target machine, in order for us to get command execution.

Setting up the attack

By default, on Kali, responder is installed in /usr/sbin directory. We need to edit the responder config file at /etc/responder/Responder.conf and set the SMB and HHP Server to OFF. After this step, we run responder with responder -I eth0 -dvw With responder running, we need to now configure NTLMRelayx so that we can forward and captured Net-NTLM hashes to a target of our choosing. We do this with impacket-ntlmrelayx -t target-ip -smb2support. Instead of targeting a single machine, we can use the -tf targets.txt flag to provide a list of targets to ntlmrelayx.

With both responder and ntlmrelayx running we have out attack setup. We now sit back and let LLMNR do it’s thing. If we wanted to give it a little push, we can manually browse to a file share that does not exists, from a machine other than the one we are targeting. At this point, the hash of the user accounts we issued the request from, will be captured and relayed to our specified target(s). If this user happens to be a local administrator account on the target, ntlmrelayx will dump the SAM database by default. We could also execite a command on the target machine with the -c flag, like impacket-ntlmrelayx -t 10.0.3.7 -c "whoami"

Mitigations

• Disable LLMNR protocol in your network. It LLMNR wasn’t running, we would not be able to get the hashes so easily. However, this isn’t a foolproof solutions since there are other ways to intercept these hashes in a network.
• Enable and Enforce SMB signing on the network.
• Don’t give users local admin rights, especially not on multiple machines.