Bypassing Underlying Restrictions for Launching Successful NTLM Relay Attacks

Abdul Aziz
5 min read · Dec 10, 2022


Attacks that rely on obtaining a reverse shell become troublesome when the environment enforces restrictions at the network or system level. Limited or proxied internet access, port filtering and ARP filtering are common challenges we observe while performing VAPT.

Such restrictions are cumbersome during vulnerability assessment, enumeration, exploitation and post-exploitation.

1) Defining a scenario:

Consider the environment below, with the following restrictions/controls in place, because of which active enumeration is not possible:

Environment

i) A physical Linux-based machine connected to a wireless access point that is isolated from the client's infrastructure environment, with the following restrictions:

a. No sudo/root privileges

b. Firewall enabled, filtering incoming and outgoing communications

c. Only a whitelisted custom port, such as TCP 25000, is allowed for connecting to the Windows 10 VM running in the client's infrastructure environment

ii) A Windows 10 VM running in the client's infrastructure on a bridged interface; it is the host VM for the other virtual machines running inside it: Kali Linux and another Windows 10 PT machine.

Note: In the above and similar scenarios, obtaining a reverse shell is not possible because of NAT interfaces, MAC binding and filtering, and other possible restrictions.

2) Bypassing Restrictions:

Step 1: Windows 10 Host VM

Spoof the MAC address of the host machine, either via the HVM settings depicted below or by changing the interface MAC in the interface configuration file.

In this case, copy the MAC address of the host VM, which is the address actually bound at the switch interface by port security.

Figure: VM configuration

Step 2: Configuration — Kali Linux VM

Make sure the Kali Linux virtual machine is running in bridged mode before making any changes, and clone onto it the same MAC address that is set on the host Windows 10 machine.

So, in short, the MAC address of the host and of the Linux machine running inside the host must be the same; this is what is referred to as MAC spoofing.

Figure: VM configuration

Spoofing the MAC address allows us to bypass port security on the switch, yet Kali is still not ready for successful enumeration, attacks and obtaining a reverse shell. The following steps make that possible:

Step 3: Boot up the Kali Linux machine

A common behaviour when a MAC address is spoofed: two devices with the same MAC address on the same subnet confuse the DHCP server.

Therefore, a static IP address has to be assigned manually to the Kali Linux interface, as depicted below. Once the IP address is assigned, the two machines (Windows 10 host VM and Kali Linux VM) share the same MAC address but have different IPs on the same subnet.

This makes the switch believe the traffic is coming from the Windows 10 machine, when in reality it is coming from Kali Linux.

Note: Before assigning an IP address, look up a free or unused IP address. To do that, we can use the arp-scan tool to list the IP and MAC addresses currently in use; snapshot below:

Step 4: Routing on the Kali Linux

Going forward, after assigning the IP address on the Kali Linux machine, routing issues may occur as a consequence of MAC spoofing. Most commonly, routes are detected automatically once the IP address is assigned to the interface, but if the issue is present and Kali Linux cannot communicate properly, follow the commands below.

The route command lists all outgoing traffic interfaces and subnets for the Kali Linux machine. As shown below, the routing table must be updated to match the assigned IP address.

Add the following route if the routing table has not been updated:

ip route add default via [default gateway IP of the bridged network]

("default" is equivalent to 0.0.0.0/0; a /32 would only add a host route to 0.0.0.0.) Below is a sample depiction.
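From the defender's side, the condition created in steps 3 and 4 (one MAC address answering for two different IPs on the same subnet) is also what a monitoring team can look for when reviewing the same arp-scan output. As an added example that is not part of the original post, the Python below parses arp-scan-style output (constructed sample lines, not a real capture) and flags MAC addresses that map to more than one IP, as well as IPs that appear with more than one MAC.

```python
import re
from collections import defaultdict

# Constructed sample in arp-scan's plain output format ("<IP>\t<MAC>\t<vendor>").
# The MAC that appears on two IPs models the host/Kali pairing described above.
SAMPLE_ARP_SCAN = """\
Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.1.50
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t00:11:22:33:44:55\tExampleVendor
192.168.1.20\t08:00:27:12:34:56\tPCS Systemtechnik GmbH
192.168.1.77\t08:00:27:12:34:56\tPCS Systemtechnik GmbH
192.168.1.30\t00:50:56:ab:cd:ef\tVMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.021 seconds (126.67 hosts/sec). 4 responded
"""

# Matches only result rows: an IPv4 address, whitespace, then a colon-separated MAC.
ENTRY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b"
)


def parse_arp_scan(text):
    """Return (ip, mac) pairs from arp-scan output, skipping banner and summary lines."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def find_shared_macs(pairs):
    """MACs seen with more than one IP -> sorted list of those IPs (MAC spoofing/cloning indicator)."""
    ips_by_mac = defaultdict(set)
    for ip, mac in pairs:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def find_conflicting_ips(pairs):
    """IPs seen with more than one MAC -> sorted list of MACs (address conflict indicator)."""
    macs_by_ip = defaultdict(set)
    for ip, mac in pairs:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    scan = parse_arp_scan(SAMPLE_ARP_SCAN)
    for mac, ips in find_shared_macs(scan).items():
        print(f"ALERT: MAC {mac} answers for {len(ips)} IPs: {', '.join(ips)}")
    for ip, macs in find_conflicting_ips(scan).items():
        print(f"ALERT: IP {ip} seen with {len(macs)} MACs: {', '.join(macs)}")
```

Feeding periodic arp-scan output (or DHCP lease and switch MAC-table exports in the same IP/MAC shape) through the two checks turns the post's observation about confused DHCP servers into a repeatable alert.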

3) Pivoting Technique Used for Lateral Movement

The PsExec utility can be used to achieve lateral movement. It uses RPC calls to connect to the machines, especially servers, where RPC is commonly enabled.

PsExec lets us interact with the machine's shell to perform all other operations, in this case gaining a persistent hold.

Use the following command:

psexec.exe \\[machineIP] -u [username] -p [password] -s cmd.exe

4) Post-exploitation Tweaks | Memory Analysis

After a successful pass-the-hash attack and an obtained reverse shell, we can move on to persistence and RDP access on the target machine. Below is the list of commands, with descriptions, that can be executed on the obtained shell.

To extract credentials from the dumped files (the SAM, SECURITY and SYSTEM hives and the LSASS memory dump), we use the Mimikatz credential dumping tool. Mimikatz may not work perfectly on the LSASS dump, in which case pypykatz is the preferred alternative.

# Mimikatz

privilege::debug

token::elevate

log samdump.txt

# dumping SAM

1) Method 1 (SAM and SYSTEM hive files)

lsadump::sam /system:[systemdump file] /sam:[samdump file]

2) Method 2 (SAM hive file only)

lsadump::sam /sam:[samdump file]

# dumping LSASS (pypykatz)

pypykatz lsa minidump [lsa.dmp file]

pypykatz lsa minidump /home/kali/Desktop/creddump/lsass.DMP > lsassdump.txt
