Adding http_ntlmrelay module #589
This is a generic purpose NTLM relaying module. It acts as an HTTP server, and relays the credentials forwarded by the browser to other protocols (currently SMB and HTTP). It supports multiple HTTP/SMB operations, it supports NTLMv2, and it also supports attack chaining, so the result of one attack can be used in future attacks.
I have a few test configurations available here: http://sdrv.ms/MemcNN. Here are the contents from the README:
In every case, there are at least two external machines involved, domain_client and domain_victim. Both are assumed to be domain joined, and have users with permission.
The attack scenario is this:
After running the module with configured options, domain_client will visit the URI and negotiate Windows creds. These credentials will relay to domain_victim, performing the configured action.
These scenarios have been tested on actual sites. However, the name details have sometimes been modified, both to avoid disclosure and to make the testing scenarios easier to understand. In terms of config, I've tested this on default Win Server 2008 R2 and Win Server 2003 Active Directories with NTLM-enabled IE8/9, Firefox, and Chrome connecting to the HTTP server.
In each demo directory, there are resource.rc files that contain info regarding a scenario. In order of usability complexity, these are: