5.1.2 - Relaying

Relaying

In a relaying attack, the target credentials are not captured directly, but they're forwarded to a local or remote service or an endpoint for authentication.

Two types based on authentication are:

NTLM Relaying
Kerberos Relaying

and the two most abused services for relaying are LDAP and AD CS.

In this HomeMade Labs is displayed the Net-NTLM relay attack tecnique:

Net-NTLM Relay Attack

Others techniques regarding priv esc are presente here here: Windows Privilege Escalation

PowerShell

Get services with unquoted paths and a space in their name
```
Get-WmiObject -Class win32_service | select pathname
```
Check permissions info regarding a service
```
sc.exe sdshow <service_name>
```

PowerUp

Get services with unquoted paths and a space in their name
```
Get-ServiceUnquoted -Verbose
```
Get services where the current user can write to its binary path or change arguments to the binary
```
Get-ModifiableServiceFile -Verbose
```
Get services where the user's current configuration can be modified
```
Get-ModifiableService -Verbose
```
Run all PrivEsc checks
```
Invoke-AllChecks
```

PrivEsc

Run all PrivEsc checks
```
Invoke-PrivEscCheck
```

WinPeas

Run all PrivEsc checks
```
winPEASx64.exe
```

Previous5.1.1 - Feature Abuse Next5.1.3 - GPO Abuse

Last updated 9 months ago