ntlmrelayx gives different output on different versions #1620
Hi @Althibyani! How are you running In that version, we introduced some changes in the default behavior of the example regarding the multi-relay feature. I think your problem might be related to that. Please check this blog post for more information.
Hi @0xdeaddood, I have Kali 2023.3 with 2 snapshots: one with Impacket v0.11.0 installed, and one with v0.9.23. Some versions have been tested on Kali 2022.4 as well with the same results. This was my command on all tested versions (v0.9.24, v0.10.0 & v0.11.0):
v0.9.24 = works fine and catches two auths, SQL01$ &
v0.10.0 & v0.11.0 = on both versions, the relay stopped after the first auth "SQL01$" failed to execute commands, unlike v0.9.24, which continues to relay until it gets the right user, which is SQL-SVC.
You can try setting a named target (DOMAIN\SQL-SVC@IP)
Hi @0xdeaddood, thank you for the reply. I already tried, and I tried again just a few minutes ago.
The command did not get executed on 10.14.15.21. However, still the same result even with different ways; v0.9.23 worked completely fine. Just to make sure: SQL-SVC already has the privilege to execute commands on 10.11.12.21 and there are no issues in the LAB itself.
I think the correct command line args are:
@Althibyani please recheck after #1741. Thanks
Configuration
impacket version: v0.11.0 & v0.9.24
Python version: 3
attacker machine: 10.10.10.100 kali linux 2023.3
SQL01 = 10.11.12.21
SQL02 = 10.11.12.22
The idea is as follows:
I have SQLi on the SQL01 server. The MSSQL service is running in the context of the sql-svc service account (domain env).
Service account SQL-SVC has high privileges on both SQL01 & SQL02 (I added it to the local Administrators group).
Both machines have signing off.
So, by setting up ntlmrelayx.py on Kali Linux, we can use xp_dirtree to access the `\\10.10.10.100\fakeshare` share on Kali from SQL01 to target SQL02 using ntlmrelayx.py, since sql-svc has high privileges.
The normal result is a successful attack that gives me command execution on SQL02.
The problem is, this attack went successfully using Impacket 0.9.24. But it did work using Impacket 0.11.0 & 0.10.0.
In 0.9.24 the relay received the first auth request, which was the SQL01$ machine account. I know that MSSQL is running in the context of the SQL-SVC user, but I do not know why I received a request from SQL01$ first. However, since it does not have any privileges on SQL02, the next step, which is the command execution, failed.
The good thing in 0.9.24 is that it keeps receiving the second auth request, which this time is from SQL-SVC, and the whole attack succeeds.
But for 0.10.0 & 0.11.0 the attack stopped completely after the first request, which basically will fail to execute cuz the SQL01$ machine account does not have any privileges on SQL02. Here the attack stops and does not continue to receive the second request like what happened with 0.9.24.
Please check the photos below to understand more.
Impacket 0.11.0
Impacket 0.9.24
So, where is the issue here?
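The two lab preconditions the report relies on (SMB signing not required on either SQL host, and the MSSQL service account sitting in local Administrators) are exactly what a defender would audit to close this relay path. The following PowerShell audit is an added example, not code from the issue or from impacket; it assumes the hosts are Windows with the SmbShare and LocalAccounts modules available, remoting enabled, a default `MSSQLSERVER` instance, and the host names `SQL01`/`SQL02` from the report.

```powershell
# Added defender-side audit (not part of the issue or impacket).
# Reports, per host: whether SMB signing is required on the server and
# client side, which account MSSQL runs as, and whether that account is a
# direct member of local Administrators.
# Assumptions: run elevated with PowerShell remoting to each host; default
# MSSQL instance name 'MSSQLSERVER'; host names taken from the report's lab.
$Hosts = @('SQL01', 'SQL02')

function Test-SmbRelayExposure {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $srv = Get-SmbServerConfiguration
        $cli = Get-SmbClientConfiguration

        # Account the default MSSQL instance runs under (e.g. DOMAIN\sql-svc).
        $svc  = Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER'"
        $acct = if ($svc) { $svc.StartName } else { '<not installed>' }

        # Direct membership only; nested group membership is not resolved here.
        # StartName and Get-LocalGroupMember both use DOMAIN\user for domain
        # accounts, so a case-insensitive comparison is enough for that form.
        $isAdmin = $false
        if ($svc) {
            $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
            $isAdmin = [bool]($members | Where-Object { $_.Name -ieq $svc.StartName })
        }

        [pscustomobject]@{
            Host                     = $env:COMPUTERNAME
            ServerSigningRequired    = $srv.RequireSecuritySignature
            ClientSigningRequired    = $cli.RequireSecuritySignature
            MssqlServiceAccount      = $acct
            ServiceAccountLocalAdmin = $isAdmin
            # Both flags true together is the condition the report describes.
            SigningOffAndSvcAdmin    = (-not $srv.RequireSecuritySignature) -and $isAdmin
        }
    }
}

$Hosts | ForEach-Object { Test-SmbRelayExposure -ComputerName $_ } | Format-Table -AutoSize

# Remediation on each host (elevated): require SMB signing on the server side,
# and move the SQL service account out of local Administrators.
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```

Requiring server-side signing makes the relayed session fail at SMB setup regardless of which account (SQL01$ or SQL-SVC) ntlmrelayx forwards, which removes the difference between versions discussed above.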