πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Introduction
Red Team
Red Team Techniques
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Active Directory
Active Directory
Active Directory Attacks
Kerberoasting
Unconstrained Delegation
Constrained Delegation
DCSync
Golden Tickets
Silver Tickets
Skeleton Keys
Active Directory Certificate Services
NTLMRelay
AS-REP Roasting
Red Team Infrastructure
RED TEAM INFRASTRUCTURE
Domain Name and Categorization
Reconnaissance
Weaponization
Delivery
Situational Awareness
Credential Dumping
Persistence
Defense Evasion
Privilege Escalation
Lateral Movement
Powered By GitBook
NTLMRelay
To achieve code execution the user or machine needs to be in the Administrator Group and/or have permissions to write on a share, in this example we have the user mwinchester on Desktop-Alpha moving to Desktop-Bravo since the user compromised was mwinchester but has no Administrator privileges on the current box, so we can relay the authentication and gain code execution on the target machine, the setup is simple.
Will start by running ntlmrelay targeting the machine we want to authenticate and enabling SMB2Support if necessary
The user needs to authenticate to our relaying machine, in this example the Linux Box. We have various methods to relay authentication but, in this case, will just force it by trying to browse a fake share on the Linux box, (various methods to control this authentication exists an example would be to Taint a Share and Force Authentication), from the Windows machine we can verify our user
The user is not an Administrator on the Box. The user tries to browse the Linux Machine
Our attacking machine will successfully relay the authentication to Desktop-Bravo and gain code execution
We can tell from here that a user was authenticating to the Linux machine, and we relayed that to our targeted box.
Previous
Active Directory Certificate Services
Next
AS-REP Roasting
Last modified 1mo ago
Copy link