⚔️
DWSec Wiki
  • Welcome to the DWSec Notes
  • Windows Privilege Escalation
  • Active Directory
    • Fundamentals
      • Introduction
      • Protocols
      • Authentication
      • Glossary of terms
      • Objects
      • AD CS
    • Pentest Methodology
    • Insecure Logins
    • Bloodhound & ldapdomaindump
    • NTLMRelaying (445)
    • SMB Coercing (445)
    • Pre2k
    • DACL Abuse
    • Kerberoasting
    • Utility Tools
    • Powershell
  • Networking
    • Fundamentals
    • Pivoting, Tunneling and Portforwarding
    • DNS
    • Ligolo-ng
    • Toolbox
    • Protocols
      • 80/443 - HTTP/HTTPS
      • 389 - LDAP
      • 445 - SMB
  • Web
    • Active Enumeration
    • Passive Enumeration
  • ADPwn
  • Tools
    • Tools overview
Powered by GitBook
On this page
  • Basics
  • Attack
  • ntlmrelay.py

Was this helpful?

  1. Active Directory

NTLMRelaying (445)

Basics

NTLM Relaying is a method of intercepting the NetNTLM hash, sent by a client to authenticate against an SMB server.

For this attack to be successful, a number of prerequisites must exist in a domain. It is essential that a domain resolves server names using Link Local Multicast Name Resolution (LLMR) or the NetBIOS Name Resolution (NBT-TS). In addition SMB Signing must be deactivated. These can the checked during previous enumeration. To check if a domain resolves names via LLMR or NBT-TS you can use responders in analyze mode.

If these prerequisites are met, you can use Responder to poison such a request to send the IP of our malicious SMB server address to the clients. More Information can be found in the attack section of this site.

Attack

ntlmrelay.py

Analyze network traffic to check for LLMR / NBT-TS

sudo Responder -I <INTERFACE> -A

PreviousBloodhound & ldapdomaindumpNextSMB Coercing (445)

Last updated 3 months ago

Was this helpful?