-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding Shadow Credentials attack to ntlmrelayx #1249
Conversation
Co-authored-by: Tw1sm <mcreel31@gmail.com> Co-authored-by: nodauf <nodauf@users.noreply.github.com>
Hi ! I haven't actually tried it, but I think the target auto-select feature (in case no target has been configured as a CLI argument) will work for the first relay, but won't for any subsequent one. In this line the global If a different target gets relayed afterwards, the previous check If this is actually what happens, I suggest using a temporary variable to store the current relay target for the current relay and replacing all instances of Also, I guess the check Cheers ! |
@SAERXCIT Yes, you are absolutely right. Thank you for the explanation. I will push the fix asap. |
Why not integrate this with Adam's interactive LDAP client? That way this could be one of several great LDAP options and you can do some enumeration of where the object that you've managed to relay has permissions, instead of that "one-and-done" type approach. Either way, great addition. |
Hey there, that's a great idea @joshdodger197 ! In my opinion having both options would be better. This PR would allow relayed sessions to automatically attempt shadowcreds without requiring the attacker's interaction (useful when lots of sessions are relayed). The LDAP client option would be awesome too in some situations. |
I can see the immediate relay for shadow creds being useful in some situations, but having the ability to do some enumeration on the session you've relayed and make your choice from there I think would be too valuable an opportunity to pass up! More info: |
Just merged! Thanks @ShutdownRepo! |
Added PyWhisker's add feature to ntlmrelayx.
More info on The Hacker Recipes
This PR is a duplicate to #1132 which I messed because I don't know how to git properly...
Co-authored by @Tw1sm @nodauf @p0dalirius