Is it possible to execute an SMBRelay attack that mounts a share instead of executing code? The application I am testing uses a non-administrative user but has access to several SMB shares. Only NTLMv2 is allowed so pass-the-hash doesn't work.

m3ta

1 Answer

Yes, but for mounting shares you only need to use the NTLM Relay aka NTLM Reflection attack, not the full SMB Relay code-execution attack.

Due to the fleeting nature of NET-NTLMv2 authentication, I suggest the use of the snarf tool (https://github.com/purpleteam/snarf) because it will hold the connection to the server, unlike Responder.py or InveighRelay which will only grab the NET-NTLM credentials on the wire (while BunnyTap and Quickcreds only require physical access with a USB drive). However, NET-NTLMv2 creds can be compared to stored-NTLMv2 creds, although wdigest, warm-boot memory acquisition, and other factors can easily widen the capabilities of stored-password attacks.

There are quite a lot of tweaks to these attacks as well as defenses that come into play. Feel free to bring up issues you run into, but the snarf tool above is one of the best starting points.

atdre