1 00:00:00,120 --> 00:00:00,570 All right.
2 00:00:00,570 --> 00:00:03,860 So now let's talk about SMB relay.
3 00:00:03,860 --> 00:00:05,590 Well, what is SMB relay?
4 00:00:05,610 --> 00:00:12,030 So think about your Responder and think about how you were capturing these hashes.
5 00:00:12,030 --> 00:00:17,090 Well, instead of taking the hashes you capture offline and trying to crack them with Hashcat,
6 00:00:17,100 --> 00:00:22,350 well, we can take those hashes and we can actually just relay those to another machine.
7 00:00:22,350 --> 00:00:23,990 Well, how is this possible?
8 00:00:24,030 --> 00:00:25,900 So let's talk about the requirements.
9 00:00:26,100 --> 00:00:32,310 Big requirement, number one requirement, is that SMB signing has to be disabled on the target.
10 00:00:32,310 --> 00:00:37,560 Now SMB signing is a packet-level protocol, so let's think about this.
11 00:00:37,680 --> 00:00:44,010 If SMB signing is enabled, when we try to relay credentials it's going to say, hey, you're not really
12 00:00:44,010 --> 00:00:44,840 that person.
13 00:00:44,850 --> 00:00:50,060 You know, this packet is not signed by you and I'm not gonna let you in.
14 00:00:50,310 --> 00:00:54,590 But if SMB signing is disabled, it never checks for that.
15 00:00:54,600 --> 00:00:58,160 It never checks for the authenticity of where this is coming from.
16 00:00:58,170 --> 00:01:01,720 It just says, hey, there's a user, there's their hash.
17 00:01:01,890 --> 00:01:06,490 I'm going to let them on this machine if they have the permission to do so.
18 00:01:06,510 --> 00:01:13,140 So we're going to take this first requirement and add in a second requirement, which is that the user
19 00:01:13,140 --> 00:01:17,730 being relayed has to have admin credentials on that machine.
20 00:01:17,850 --> 00:01:23,210 So we cannot relay a credential that we captured from one machine back to the same machine. Say we're
21 00:01:23,220 --> 00:01:26,920 like dot six; we can't relay that credential to dot six as well.
22 00:01:26,940 --> 00:01:29,020 This has to be on two separate machines.
23 00:01:29,220 --> 00:01:34,410 And that user has to be an admin on that machine with SMB signing disabled.
24 00:01:34,410 --> 00:01:37,160 So we're going to take, say, Frank Castle.
25 00:01:37,380 --> 00:01:39,790 He's going to be an admin on two machines, like we said.
26 00:01:39,810 --> 00:01:45,630 We're gonna take the captured hash, relay it over to another machine where he's also an admin, and we're
27 00:01:45,690 --> 00:01:48,400 gonna do some malicious things to that machine.
28 00:01:48,450 --> 00:01:53,400 So let's take a look at this from a more actual perspective.
29 00:01:53,400 --> 00:01:57,360 So the first thing we're going to do is we're actually going to go into the Responder configuration
30 00:01:57,360 --> 00:02:00,910 file and we're gonna turn off SMB and HTTP.
31 00:02:00,990 --> 00:02:05,460 So we're going to be listening, but we're not going to be responding on these servers.
32 00:02:05,460 --> 00:02:10,800 OK, so what that means is we're going to use Responder to capture and then we're gonna use another tool
33 00:02:10,800 --> 00:02:13,640 to relay, but we're not actually going to respond back.
34 00:02:13,650 --> 00:02:19,710 So once this configuration is set, what we're gonna do is we're going to boot up Responder. So with Responder
35 00:02:19,710 --> 00:02:25,320 booted up the same way as before, you're going to notice here the only difference is there's red on the
36 00:02:25,320 --> 00:02:31,380 HTTP and red on the SMB server. The auth proxy was off by default and still remains off.
37 00:02:31,380 --> 00:02:34,680 So this is how your configuration should look.
38 00:02:34,680 --> 00:02:42,060 Once this is configured, we also need to configure a tool called ntlmrelayx. So ntlmrelayx takes the
39 00:02:42,060 --> 00:02:48,360 relay, it passes it to a target file that you specify, and we'll talk about how we identify those targets
40 00:02:48,390 --> 00:02:55,350 in the next video. And then we're going to say SMB2 support as a switch as well so that we can incorporate
41 00:02:55,380 --> 00:02:57,150 anything with SMB2.
42 00:02:57,780 --> 00:03:02,640 So what we're gonna do here is, all we're doing is identifying where we want to target and where we want
43 00:03:02,640 --> 00:03:03,780 to relay to.
44 00:03:03,780 --> 00:03:05,700 So we have our Responder listening.
45 00:03:05,760 --> 00:03:07,700 We have our relay ready to go.
46 00:03:08,010 --> 00:03:10,350 And then we just wait for an event to happen.
47 00:03:10,350 --> 00:03:17,240 Same event as before: we point at this machine with Responder listening, it can't access this machine,
48 00:03:17,250 --> 00:03:18,670 DNS fails.
49 00:03:18,690 --> 00:03:25,050 OK, Responder kicks in, responds to that message, or doesn't respond to that message I should say, and
50 00:03:25,050 --> 00:03:31,140 instead it relays these credentials that it captures to this other machine. You could see it here, it
51 00:03:31,140 --> 00:03:35,850 says, hey, we received a connection from 10.0.3.7 and we're going to attack the
52 00:03:35,850 --> 00:03:43,550 target of 10.0.3.6 using Frank Castle's credentials. If Frank Castle is an admin
53 00:03:43,590 --> 00:03:45,750 on that machine, this is gonna work.
54 00:03:45,780 --> 00:03:47,520 So it authenticates against it.
55 00:03:47,580 --> 00:03:49,030 It succeeds.
56 00:03:49,080 --> 00:03:50,090 Guess what?
57 00:03:50,130 --> 00:03:54,750 Now we're coming in here and we're dumping out sensitive information.
58 00:03:54,750 --> 00:04:01,420 Most importantly, we are dumping out what is called a SAM file, or the SAM hashes here, right now.
59 00:04:01,620 --> 00:04:05,790 Remember back to our lesson on Linux when we talked about shadow files.
60 00:04:05,790 --> 00:04:09,150 Think of the SAM as the shadow of the Windows world.
61 00:04:09,180 --> 00:04:14,710 These are all of our usernames and hashes for the local users on this computer.
62 00:04:14,820 --> 00:04:17,880 Again, this is the local users on this computer.
63 00:04:17,880 --> 00:04:20,910 This is not the domain users, but that's OK.
64 00:04:20,910 --> 00:04:26,490 We can take down an entire network, and I've done it before, utilizing only local users.
65 00:04:26,490 --> 00:04:29,620 We're going to talk about that in a later video on how that can happen.
66 00:04:29,790 --> 00:04:34,690 But from here we have usernames and hashes.
67 00:04:34,830 --> 00:04:35,090 OK.
68 00:04:35,100 --> 00:04:41,550 We could take these hashes offline again and try to crack them, or we can pass this hash around and try
69 00:04:41,550 --> 00:04:43,680 to get access to other machines as well.
70 00:04:43,680 --> 00:04:49,680 So take a look at both of those and see why this is really, really interesting here later on.
71 00:04:49,680 --> 00:04:58,440 So for now, take away that we grab a hash, we relay it to another machine, if SMB signing is disabled we
72 00:04:58,440 --> 00:05:04,780 can get on that machine as an admin, we can not only dump the SAM hashes like this but we can also take
73 00:05:04,780 --> 00:05:07,240 it further and get a full shell.
74 00:05:07,300 --> 00:05:08,260 If we want to.
75 00:05:08,560 --> 00:05:12,580 So we're going to do that in both scenarios. We're gonna play this scenario first.
76 00:05:12,610 --> 00:05:15,250 Then we're gonna play another scenario out where we actually get a shell.
77 00:05:15,250 --> 00:05:17,440 You can see how you can do both of those.
78 00:05:17,470 --> 00:05:19,340 So let's go ahead and move on to the next video.
79 00:05:19,360 --> 00:05:21,970 We're actually going to demonstrate an SMB relay.