Code execution over ntlmrelayx socks connection #412
Comments
It should also be noted that while two of the outputs say "connection refused", if I don't use the socks tunnel I am able to get right in.
Hey @Gilks Indeed neither
With regards to your questions:
Have you tried smbexec.py and atexec.py? Those two should work since they use a single connection. In any case, if you can do remote code execution, that means you're Administrator. The very first thing I'd do is to run
Don't know if I fully understand your question, please elaborate. Great to know you're using
Interesting, I never knew that psexec required 4 separate SMB connections. I also was not aware that wmi/dcom both required signed packets. There are a couple of fun facts for the day. Thank you for the insight!
I did not try these two options before you suggested it. I gave them a try this morning and was met with the results below. It should be noted that I was able to get both tools working by providing the password.
I'm a pretty big fan of this attack. However, in more mature environments built-in Administrator tends to be disabled. In this scenario, the tester is forced to crack dumped hashes even if they captured an elevated account and established a
Certainly! This would be much easier to explain with a white board but I'll call upon my paint skills to get the job done. Here's a visual example. If the Attacker can reinitialize an If this is possible, that means an attacker could use a single socks connection to relay to all hosts in the network. This would only be useful if you were able to reinitialize the On an unrelated note, this idea stemmed from an attack I use on engagements where I'll relay to a machine and find there are no credentials in memory. I'll impersonate a delegation token and then run
Hey @Gilks Thanks for your answer. I will need some time to go over it and get a reply to you. However, I see you're using impacket
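The signing point raised in the exchange above (relayed sessions fail against services that require signed packets) is something worth checking before relaying at all. The following is an added example, not code from impacket or from anyone in this thread: it parses the SecurityMode field of an SMB2 NEGOTIATE response (layout per MS-SMB2 2.2.4) and reports whether the target requires signing, which a relayed session can never satisfy because the attacker never holds the session key. The response bytes used for the offline run are a constructed sample built by `build_negotiate_response`; `probe_smb_signing` is a name chosen here and sends a minimal SMB2 NEGOTIATE to a live host, so it is only useful on a network you are authorised to test.

```python
import socket
import struct

# SecurityMode bits in the SMB2 NEGOTIATE response body (MS-SMB2 2.2.4).
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

SMB2_COMMAND_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001


def _smb2_header(command: int, flags: int, credits: int = 1) -> bytes:
    """64-byte SMB2 header with zeroed ids and an all-zero signature."""
    return (b"\xfeSMB"
            + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, credits, flags, 0, 0, 0, 0, 0)
            + b"\x00" * 16)


def _netbios(pkt: bytes) -> bytes:
    """Prefix the 4-byte NetBIOS session service header used on TCP/445."""
    return b"\x00" + len(pkt).to_bytes(3, "big") + pkt


def build_negotiate_request(dialects=(0x0202, 0x0210)) -> bytes:
    """Minimal SMB2 NEGOTIATE request offering SMB 2.0.2 and 2.1 (MS-SMB2 2.2.3)."""
    body = (struct.pack("<HHHHI", 36, len(dialects), SMB2_NEGOTIATE_SIGNING_ENABLED, 0, 0)
            + b"\x00" * 16                       # ClientGuid
            + b"\x00" * 8                        # NegotiateContextOffset/Count, unused for 2.x
            + struct.pack("<%dH" % len(dialects), *dialects))
    return _netbios(_smb2_header(SMB2_COMMAND_NEGOTIATE, 0) + body)


def build_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed sample: a minimal SMB2 NEGOTIATE response for offline testing."""
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)
            + b"\x00" * 16                       # ServerGuid
            + struct.pack("<IIIIQQHHI", 0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
            + b"\x00")                           # empty security buffer
    return _netbios(_smb2_header(SMB2_COMMAND_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body)


def parse_smb2_negotiate_response(data: bytes) -> dict:
    """Return dialect and signing flags from a raw NEGOTIATE response.

    Raises ValueError for anything that is not an SMB2 NEGOTIATE response
    (an SMB1-only server answers with the \\xffSMB protocol id instead).
    """
    if len(data) < 4 + 64 + 64:
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    if data[0] != 0x00 or int.from_bytes(data[1:4], "big") != len(data) - 4:
        raise ValueError("bad NetBIOS session header")
    pkt = data[4:]
    if pkt[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    command = struct.unpack_from("<H", pkt, 12)[0]
    flags = struct.unpack_from("<I", pkt, 16)[0]
    if command != SMB2_COMMAND_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_to_smb_feasible(info: dict) -> bool:
    """A relayed session cannot sign, so a target requiring signing rejects it."""
    return not info["signing_required"]


def probe_smb_signing(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Send one SMB2 NEGOTIATE to a live host and parse its answer (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        data = sock.recv(4)
        if len(data) < 4:
            raise ConnectionError("no NetBIOS header from server")
        want = 4 + int.from_bytes(data[1:4], "big")
        while len(data) < want:
            chunk = sock.recv(want - len(data))
            if not chunk:
                raise ConnectionError("server closed connection mid-response")
            data += chunk
    return parse_smb2_negotiate_response(data)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample (signing enabled, not required).
    sample = parse_smb2_negotiate_response(build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED))
    print(sample, "relay feasible:", relay_to_smb_feasible(sample))
```

Against a real host, replace the sample with `probe_smb_signing("<target>")`; a domain controller, where signing is required by default, should come back with `signing_required` set, while a default member server or workstation should not.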
That was probably the fastest reply I've ever received on github. I have performed the update and attempted to use the following tools using
During both tests the output remained the same as the one posted above. The only difference is the impacket version number
I know this is a semi-stale thread but just wanted to point out in my testing with
Looking forward to reading the results.
No answer, closing.
Hi, I'm still having issues doing RCE using smbexec.py with a valid admin session. I get the error "unpacket data doesn't match constant value" as described above. I'm using Impacket v0.9.20-dev
Can confirm that this behavior is still occurring with smbexec.py -
Any chance of this content making it into a wiki for impacket? @asolino's explanation is great! I find that I'm often linking people to this bug when they want to understand what they can and can't do over an SMB relay, and it feels odd to link to a closed issue.
When using ntlmrelayx.py and the -socks argument, users are able to reuse captured connections over socks. I'm able to use various impacket tools such as secretsdump.py or even enumerid.
Example:
ntlmrelayx.py -t 172.20.220.217 -smb2support -socks
However, I am not able to use any of the following tools (see below) with proxychains4 using the socks tunnel on 1080. This is in a dev environment where I explicitly enabled the built-in Administrator account for testing.
So my two questions are:
Assuming the user is an Administrator- are you able to get code execution on machines where a socks connection has been established?
Is it possible to re-initiate an SMB connection over the socks tunnel to your attacking machine and relay it to additional hosts? The consequences of this would be pretty intense.