# Impacket$impacket-smbservershare.-smb2support# Static share on host$sudoadduser--systemshareuserAddingsystemuser`shareuser' (UID 130) ...Adding new user `shareuser' (UID 130) with group `nogroup' ...Creating home directory `/home/shareuser'...$sudomkdirshare$sudochmod777share$sudochown-Rshareuser:nogroup/srv/share$sudovim/etc/samba/smb.conf$cat/etc/samba/smb.conf[global]clientminprotocol=SMB2clientmaxprotocol=SMB3[share]path=/srv/sharewritable=yesbrowsable=yespublic=yescreatemask=0644directorymask=0755forceuser=shareuser$servicesmbdrestart
Download files Reclusively
smbclient \\\\10.10.11.152\\SharesEnterWORKGROUP\voidspassword:Try"help"togetalistofpossiblecommands.smb: \> recurseonsmb: \> ls.D0MonOct2517:39:152021..D0MonOct2517:39:152021DevD0MonOct2521:40:062021HelpDeskD0MonOct2517:48:422021\Dev.D0MonOct2521:40:062021..D0MonOct2521:40:062021winrm_backup.zipA2611MonOct2517:46:422021\HelpDesk.D0MonOct2517:48:422021..D0MonOct2517:48:422021LAPS.x64.msiA1118208MonOct2516:57:502021LAPS_Datasheet.docxA104422MonOct2516:57:462021LAPS_OperationsGuide.docxA641378MonOct2516:57:402021LAPS_TechnicalSpecification.docxA72683MonOct2516:57:442021smb: \> promptoffsmb: \> mget*getting file \Dev\winrm_backup.zip of size 2611 as Dev/winrm_backup.zip (23.0 KiloBytes/sec) (average 23.0 KiloBytes/sec)
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as HelpDesk/LAPS.x64.msi (3627.9 KiloBytes/sec) (average 2656.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as HelpDesk/LAPS_Datasheet.docx (886.7 KiloBytes/sec) (average 2270.4 KiloBytes/sec)
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as HelpDesk/LAPS_OperationsGuide.docx (963.6 KiloBytes/sec) (average 1548.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as HelpDesk/LAPS_TechnicalSpecification.docx (507.0 KiloBytes/sec) (average 1438.0 KiloBytes/sec)bas
Windows Shortcuts: Creating a shortcut with the icon property pointing to a UNC path will trigger an NTLM authentication attempt when it's viewed in Explorer (it doesn't even have to be clicked).
NTLM authentication uses a 3-way handshake between a client and server.
The client makes an authentication request to a server for a resource it wants to access.
The server sends a challenge to the client - the client needs to encrypt the challenge using the hash of their password.
The client sends the encrypted response to the server, which contacts a domain controller to verify the encrypted challenge is correct.
If on-premise a NTLM relay attack is usually quite trivial where we intercept or capture the first authentication request with tools like Responder and ntlmrelayx to impersonate the user.
However it's not as easy in an environment like this, where there are multiple network. Port 445 is always bound and in use by Windows - even local admins can't arbitrarily redirect traffic bound to this port or bind another tool to this port.
It's still possible to do with Cobalt Strike, but requires the use of multiple capabilities simultaneously.
Use a driver to redirect traffic destined for port 445 to another port (e.g. 8445) that we can bind to.
Use a reverse port forward on the port the SMB traffic is being redirected to. This will tunnel the SMB traffic over the C2 channel to our Team Server.
The tool of choice (ntlmrelayx) will be listening for SMB traffic on the Team Server.
A SOCKS proxy is required to allow ntlmrelayx to send traffic back into the target network.
The flow looks something like this:
PortBender is a reflective DLL and Aggressor script specifically designed to help facilitate this through Cobalt Strike. It requires local admin access in order for the driver to be loaded, and that the driver be located in the current working directory of the Beacon. It makes sense to use C:\Windows\System32\drivers since this is where most Windows drivers go.