ntlmrelayx.py: RPC server and EPM#1974
Conversation
Hey guys, thanks for the PR. I had #1442 in my to-do list.
gabrielg5
left a comment
hello @rtpt-romankarwacik,
Did a quick test on both features (RPCRelayServer and relay to RPC ADCS) and both seem to be working fine... Tomorrow I will do some more detailed tests, but I wanted to give you some feedback and questions on the code.
Thank you!
gabrielg5
left a comment
Added a couple more suggestions on the rpcrelayserver.
Still checking the "multirelay" capabilities on the rpcrelayserver to validate it's ok with current ntlmrelayx; this could be left for a future implementation if something is missing there.
Co-authored-by: Gabriel Gonzalez <gabriel.gonzalez@fortra.com>
gabrielg5
left a comment
Hey @rtpt-romankarwacik hello!
Running the last tests on the RPCRelayServer...
Found that the RPC relay has an issue when triggering ntlmrelayx with multiple targets (through -tf).
As targets are currently obtained in the setup() function of the relay server, we may be skipping some of them in cases where the connection ends up not being relayed (empty username, for example).
Steps
- Create a file with multiple targets
http://1.1.1.1/certsrv
http://1.1.1.2/certsrv
http://1.1.1.3/certsrv
- Trigger ntlmrelayx with that targets file
ntlmrelayx -tf targets_file -smb2support --adcs
Tried putting the target gathering in the NTLMSSP_AUTH_NEGOTIATE section of the negotiate_ntlm_session() function and I think it is working better.
I can do a quick commit in the branch so you can take a look at it, or is there another function you think is better?
Thanks!!
Thanks @gabrielg5, I just pushed the fixes.
Hey @rtpt-romankarwacik hello! I pushed a couple of changes to your branch (this is the most important one: 4e62a27). The main idea behind it was gathering the target as late as possible, to avoid removing targets from the list that won't actually be relayed. Let me know what you think! The other commit (48f1e0d) is an opportunistic enhancement on how available targets are filtered based on already finished attacks. In my targets file (with
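The target-selection problem discussed in the two comments above (a target consumed in setup() before the connection is known to carry a usable identity, and the later filtering of candidates by attacks already finished for that identity), modelled as an added example. This is illustrative code written for this page, not impacket's TargetsProcessor or RPCRelayServer; the class and function names, the target list and the client identities are assumptions made for the example.

```python
"""Model of early vs. late target selection in a relay server.

Illustrative code, not impacket's own classes: TargetPool, early_strategy,
late_strategy, the sample targets and the identities are all made up here.
"""

# Constructed target list in the shape of the targets file from the comment above.
TARGETS = [
    "http://1.1.1.1/certsrv",
    "http://1.1.1.2/certsrv",
    "http://1.1.1.3/certsrv",
]

# Constructed sequence of inbound connections, given as the identity carried in
# the NTLMSSP_AUTH message. "" stands for an empty username: nothing to relay.
CONNECTIONS = ["", "CORP\\DC01$", "", "CORP\\DC01$", "CORP\\WS02$"]


class TargetPool:
    """Candidate targets plus a record of (identity, target) attacks already done."""

    def __init__(self, targets):
        self.candidates = list(targets)
        self.finished = set()

    def pop_blind(self):
        """Remove and return the next target before the client identity is known."""
        return self.candidates.pop(0) if self.candidates else None

    def next_for(self, identity):
        """Return a target not yet attacked as `identity`; the list stays intact."""
        for target in self.candidates:
            if (identity, target) not in self.finished:
                return target
        return None

    def mark_finished(self, identity, target):
        self.finished.add((identity, target))


def early_strategy(targets, connections):
    """Target chosen in setup(), i.e. as soon as a connection arrives.

    An empty-username connection still consumes a target, so later
    authenticated connections may find the list exhausted.
    Returns (relayed (identity, target) pairs, wasted targets).
    """
    pool = TargetPool(targets)
    relayed, wasted = [], []
    for identity in connections:
        target = pool.pop_blind()
        if target is None:
            break  # targets exhausted
        if not identity:
            wasted.append(target)  # nothing to relay, but the target is gone
            continue
        relayed.append((identity, target))
        pool.mark_finished(identity, target)
    return relayed, wasted


def late_strategy(targets, connections):
    """Target chosen only when NTLMSSP_AUTH arrives with a non-empty username,
    skipping targets already finished for that identity.
    Returns (relayed (identity, target) pairs, wasted targets).
    """
    pool = TargetPool(targets)
    relayed, wasted = [], []
    for identity in connections:
        if not identity:
            continue  # no target consumed for an anonymous connection
        target = pool.next_for(identity)
        if target is None:
            continue  # this identity has already been relayed to every target
        relayed.append((identity, target))
        pool.mark_finished(identity, target)
    return relayed, wasted


if __name__ == "__main__":
    for name, strategy in (("early", early_strategy), ("late", late_strategy)):
        relayed, wasted = strategy(TARGETS, CONNECTIONS)
        print(f"{name}: relayed={relayed} wasted={wasted}")
```

With the constructed connection sequence the early strategy relays a single time and wastes two of the three targets on anonymous connections, while the late strategy relays DC01$ to two targets and WS02$ to one, with nothing wasted.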
Looks nice, thank you!
This pull request adds the RPC relay server for ntlmrelayx.py by @sploutchy (https://github.com/sploutchy/impacket/tree/potato) with an additional simple EPM. I rebased the repository and excluded the potato.py example, as I did not test it. In the following, printerbug is used to coerce a connection to the ntlmrelayx.py RPC server and relay it to ADCS:
This pull request also contains #1442 and would supersede it.