
ntlmrelayx.py UPN usernames support

Open rtpt-lucasvater opened this issue 3 years ago • 0 comments

ntlmrelayx.py currently does not properly support usernames in UPN format if used in SOCKS-mode. To reproduce, start ntlmrelayx.py in SOCKS-mode as follows:

$ ntlmrelayx.py -smb2support -t 192.168.1.1 -socks

Then use curl to authenticate using credentials in UPN format:

$ curl -u 'user1@lab:password' --ntlm 'http://127.0.0.1'

ntlmrelayx.py will authenticate to the targeted SMB server successfully:

[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Connection from 127.0.0.1 controlled, attacking target smb://192.168.1.1
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Authenticating against smb://192.168.1.1 as /USER1@LAB SUCCEED
[*] SOCKS: Adding /USER1@LAB@192.168.1.1(445) to active SOCKS connection. Enjoy

Using an empty domain with a username in UPN format in an NTLM authenticate packet is supported in a standard Windows AD environment, so the authentication is successful. However, the SOCKS-connection cannot be used in conjunction with other example scripts from Impacket, because the username is specified as /USER1@LAB instead of the regular format LAB/USER1:

ntlmrelayx> socks
Protocol  Target       Username    AdminStatus  Port
--------  -----------  ----------  -----------  ----
SMB       192.168.1.1  /USER1@LAB  FALSE        445

For example, trying to use smbclient.py together with proxychains configured to use the SOCKS proxy:

$ proxychains smbclient.py -no-pass 'lab/[email protected]'

ntlmrelayx.py outputs that no session for the user was found:

[-] SOCKS: No session for LAB/USER1@192.168.1.1(445) available

I did not find a way to specify the username in UPN format using smbclient.py or other Impacket example scripts, so that the SOCKS connection can be used.

The same happens when initially connecting using SMB instead of HTTP.

Configuration

impacket version: Impacket v0.10.1.dev1+20220504.120002.d5097759
Python version: 3.9.2
Target OS: Linux

rtpt-lucasvater, May 09 '22 10:05
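The mismatch reported above (empty domain plus a UPN-format username versus the DOMAIN/USER form) also bites anything that keys on the account name taken from NTLM authentication records, such as log correlation. The following is an added example, not code from the issue or from Impacket: `canonical_principal`, `group_by_principal`, `suffix_map` and the sample records are hypothetical, and it assumes the UPN suffix equals the down-level domain name unless `suffix_map` says otherwise.

```python
# Added example: helper names and sample records are constructed, not Impacket code.
from collections import defaultdict


def canonical_principal(domain, user, suffix_map=None):
    """Return DOMAIN/USER for the domain and user fields of an NTLM authenticate message.

    suffix_map (hypothetical) maps an upper-cased UPN suffix to the down-level
    domain name; without an entry the suffix itself is assumed to be the domain.
    """
    domain = (domain or "").strip()
    user = (user or "").strip()
    if not domain:
        # Down-level name carried entirely in the user field: LAB\user1, LAB/user1
        for sep in ("\\", "/"):
            if sep in user:
                domain, user = user.split(sep, 1)
                break
    if not domain and "@" in user:
        # UPN with an empty domain, the case from the issue: user1@lab
        user, suffix = user.rsplit("@", 1)
        domain = (suffix_map or {}).get(suffix.upper(), suffix)
    return f"{domain.upper()}/{user.upper()}"


def group_by_principal(records, suffix_map=None):
    """Group (domain, user, source) records under one canonical account key."""
    grouped = defaultdict(list)
    for domain, user, source in records:
        grouped[canonical_principal(domain, user, suffix_map)].append(source)
    return dict(grouped)


# Constructed sample records: (domain field, user field, where it was seen)
SAMPLE = [
    ("", "user1@lab", "http"),
    ("LAB", "user1", "smb"),
    ("", "lab\\User1", "smb"),
    ("", "user2@lab.example", "http"),
]

if __name__ == "__main__":
    for key, sources in group_by_principal(SAMPLE, {"LAB.EXAMPLE": "LAB"}).items():
        print(key, sources)
```

In a real forest the UPN suffix is often a DNS name or an alternative suffix rather than the NetBIOS domain, so the mapping has to come from directory data.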