impacket
ntlmrelayx.py -- log relayed NTLMv2 Hashes
If ntlmrelayx.py is attempting to relay NTLMv2 hashes against a series of targets in socks mode (maybe in non-socks mode too, didn't verify) and the relay fails, no record of the NTLMv2 hashes is saved. The NTLMv2 hashes only get logged if the relay is successful. Please modify the code base so that hashes get logged regardless of whether the relay is successful.
If the relay fails, that could probably mean (most of the time) that the password was incorrect. Why would you want the hashes to be logged? I don't see the use case.
When performing LLMNR/NBT-NS poisoning you don't know which users' hashes you will capture. Those users may or may not have access to the SMB machines you are targeting. Even if they don't have access to those machines (or the relay fails for some other reason), it would still prove useful to have their hashes to crack later (say, to try their plaintext credentials on other servers, such as over SSH on Linux servers, or on Windows machines where SMB signing is enabled and relay is mitigated).
If anyone wants this functionality I forked the project and added it.
Hello @M4ximuss @BinaryScary just to clarify, you can already achieve this in ntlmrelayx by using option --output-file
and get all the hash :)
To get only uniq user use the following bash command
awk -F':' '!seen[$1]++' /tmp/demo_ntlmv2
Okay, so I notice it's saving all hashes, even those with AUTH FAILED, so be careful: cracking a hash doesn't mean you got the legit password!