Make default ntlmrelayx dump SAM and LSA #1253
Conversation
Secrets and cached
This is a great idea and would be an awesome addition to ntlmrelayx 👍 Some of my additions are currently working on my local version (lootdir taken into account, filenames now replicate what secretsdump does when saving files, LSA hashes are saved just like when using secretsdump), but there's another that I'm struggling to implement. It is the ability to dump Kerberos keys for the machine account, which would be great for silver tickets and s4u2self abuses. This is, at the moment, not feasible for the following reason.
Retrieving the values during the
Found a solution thanks to @p0dalirius and @wlayzz
Dumping the target's machine account's Kerberos keys is essential as it allows silver ticket and s4u2self abuses and allows attackers to take over the target without pass-the-hash, which can be limited sometimes. ntlmrelayx output during the dump (running with
Improved exporting and added Kerberos keys calculation
This is a solid addition, but doesn't seem to have gotten much traction in the past year. Is there something that I can help do to move this along?
This doesn't really seem to be getting any traction. In case anyone sees this pull request and thinks "hey, I'd really like this," this pull request (along with many others) has been accepted into ThePorgs' fork located here.
Upstream is merging a few PRs here and there. My fork will be less and less relevant, hopefully. @anadrianmanrique could you probably take a look? This PR wouldn't impact much and only adds things. It should be a quick and easy review & merge.
Hi! My concern with these changes is that the default behavior wouldn't be as "atomic" as before. I'm trying to think of a scenario dumping a huge amount of accounts and receiving in the middle of that a new connection to relay and also having to dump a big load of data. It looks to me like a behavior that the operator would like to configure. Opinions?
Agreed, but imo let's default to SAM + LSA dump, which will fit most users' needs. And then give the ability to either dump only SAM or LSA 🤷
OK, we discussed this with the team and concluded that it would be nice to have this functionality available through a new parameter (like --dump-lsa) and not as the default.
I've always wished that the default SMB relay dumped SAM and LSA, so I modified it a bit.
I'm sure there is something more that needs to be added, but from my testing so far this change is functional. Not sure if there was a reason to only do SAM, but if not it would be cool to have it do both.