
[NTLMRelayx.py] :: NTLMRelay if Client has SMB signing required #1128

Closed
c-f opened this issue Jul 26, 2021 · 6 comments

Comments


c-f commented Jul 26, 2021

Configuration

impacket version: master (cd4fe47)
Python version: 3.7.7
Target OS: fedora-33

Debug Output With Command String

Sorry if I misinterpreted something, but I was wondering if I can modify the security mode flag in SMB for the client.
To my understanding the packets from the client (connects to ntlmrelayx) will be forwarded directly to the target without any modification. However, if the client enforces a signature and the server doesn't, then the relay is not forwarded to the target at all.

Thus I want to toggle the "Security mode" to remove the required signing (sent to the target). However, in my attempts I was not successful in modifying impacket to my needs.

The idea is heavily copied from hackndo :) with his very good article about NTLM relaying. Based on the matrix below this should work.

Thanks,
c-f

# start ntlmrelaying
ntlmrelayx.py -debug -ts -t smb://127.0.0.10:1337 -smb2support

# enforce SMB2 and Signing (verified via wireshark)
smbclient //127.0.0.1/sharey  -d10 -m smb2 -S=required

# smbserver - to test if a connection is established
nc -l -v -p 1337 

PCAP

- . -

Additional context

  1. NTLM Matrix:

https://en.hackndo.com/assets/uploads/2020/03/ntlm_resume.png

0xdeaddood added the question label Jul 26, 2021

0xdeaddood (Collaborator) commented:

Hi @c-f!

The modification of the security mode flag is already implemented in impacket here: https://github.com/SecureAuthCorp/impacket/blob/cd4fe47cfcb72d7d35237a99e3df95cedf96e94f/impacket/examples/ntlmrelayx/clients/smbrelayclient.py#L64
If you capture some relay transmission from a client to a server, both of them without signing, you'll see something like this:

[screenshot of the capture]

  • 192.168.195.129 = impacket box
  • 192.168.195.2 = server (target)
  • 192.168.195.20 = client (victim)

However, as we are discussing in #1138, the current version of impacket can't relay connections coming from a client that enforces signing due to how the multi-relay capability works. Currently, impacket implements the following process:

  1. We receive an incoming connection.
  2. We "locally" authenticate the victim: we perform the SMB negotiate and the NTLM authentication to know the identity of the user we want to relay.
  3. After that, the client sends us a TreeConnect request to the $IPC share.
  4. We send a TreeConnect response with STATUS_NETWORK_SESSION_EXPIRED and force a re-authentication against us.
  5. The client starts a new authentication flow. Here, we tamper the security mode flag and start the credential relay to the server.

If the client forces signing, the previous flow stops after point 2. We never receive the TreeConnect request in step 3 because we can't sign the connection. Consequently, we don't have any credentials to relay. That could be the reason why you don't see the security mode flag modification. Meanwhile, you can use a previous version of impacket (v0.9.20) to test the NTLM relay with signed clients.

I hope I was clear. If you have further questions, let me know.
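As an added illustration of the SecurityMode field discussed above (example code written for this thread, not code from impacket or from any commenter): a small parser following the MS-SMB2 NEGOTIATE request/response layouts that reads SecurityMode and reports when a client's required-signing request reached the server with that bit cleared, which is the modification a defender would look for when comparing captures on both sides of a relay. The sample messages are constructed inline.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000                  # Command value of NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # header flag set on responses
SIGNING_ENABLED = 0x0001                 # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                # SMB2_NEGOTIATE_SIGNING_REQUIRED

def security_mode(msg: bytes) -> int:
    """Return the SecurityMode field of an SMB2 NEGOTIATE request or response."""
    if msg[:4] != SMB2_MAGIC or len(msg) < SMB2_HEADER_LEN + 6:
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    # SecurityMode is at body offset 2 in the response, offset 4 in the request
    offset = 2 if flags & SMB2_FLAGS_SERVER_TO_REDIR else 4
    return struct.unpack_from("<H", msg, SMB2_HEADER_LEN + offset)[0]

def signing_required(msg: bytes) -> bool:
    return bool(security_mode(msg) & SIGNING_REQUIRED)

def signing_downgraded(client_side: bytes, server_side: bytes) -> bool:
    """True when the client asked for required signing but the copy of its
    NEGOTIATE that reached the server no longer does (something in the middle
    rewrote the field)."""
    return signing_required(client_side) and not signing_required(server_side)

def _header(flags: int) -> bytes:
    # Constructed 64-byte SMB2 header: all ids zero, no signature
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE,
                                    0, flags, 0, 0, 0, 0, 0, b"\x00" * 16)

def build_negotiate_request(mode: int) -> bytes:
    """Constructed sample: request offering dialects 2.0.2 and 2.1, no contexts."""
    body = struct.pack("<HHHHI16sQHH", 36, 2, mode, 0, 0, b"\x00" * 16, 0,
                       0x0202, 0x0210)
    return _header(0) + body

def build_negotiate_response(mode: int) -> bytes:
    """Constructed sample: response selecting dialect 2.1, empty security buffer."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, 0x0210, 0, b"\x00" * 16,
                       0, 0, 0, 0, 0, 0, 0, 0, 0)
    return _header(SMB2_FLAGS_SERVER_TO_REDIR) + body
```

Feeding the NEGOTIATE seen on the client-facing capture and the one seen on the server-facing capture into signing_downgraded gives a direct check for the flag rewrite described above.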

Hackndo (Contributor) commented Aug 13, 2021

Could we add a flag to disable multi-relay capability? If you think it could be a good idea, I can take some time to PR this

0xdeaddood (Collaborator) commented:

Hi @Hackndo!

That would be great! Our idea is to keep the multi-relay capability as the default option and add a new flag (e.g., no-multirelay) to disable it. If you decide to start working on this, please take into account this PR: #1068, where we added support for multi-relay in HTTP.

Hackndo (Contributor) commented Aug 26, 2021

Alright I'll work on this asap

coffeegist commented:

This hit me today, great find! +1

0xdeaddood removed the question label Apr 18, 2022

0xdeaddood (Collaborator) commented:

Hi there!

FYI, I just added a new option --no-multirelay to disable multi-relaying capabilities (#1297). Useful in some scenarios like this one where the client requires SMB signing. The following command should work:

ntlmrelayx.py -debug -ts -t smb://127.0.0.10:1337 -smb2support --no-multirelay

Closing. Reopen if you have any questions or if you find something not working.

Thanks!
