ntlmrelayx.py currently does not properly support usernames in UPN format if used in SOCKS-mode. To reproduce, start ntlmrelayx.py in SOCKS-mode as follows:
Then use curl to authenticate using credentials in UPN format:
ntlmrelayx.py will authenticate to the targeted SMB server successfully:
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Connection from 127.0.0.1 controlled, attacking target smb://192.168.1.1
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Authenticating against smb://192.168.1.1 as /USER1@LAB SUCCEED
[*] SOCKS: Adding /USER1@LAB@192.168.1.1(445) to active SOCKS connection. Enjoy
Using an empty domain with a username in UPN format in an NTLM authenticate packet is supported in a standard Windows AD environment, so the authentication is successful. However, the SOCKS-connection cannot be used in conjunction with other example scripts from Impacket, because the username is specified as /USER1@LAB instead of the regular format LAB/USER1:
For example, trying to use smbclient.py together with proxychains configured to use the SOCKS proxy:
ntlmrelayx.py outputs that no session for the user was found:
[-] SOCKS: No session for LAB/USER1@192.168.1.1(445) available
I did not find a way to specify the username in UPN format using smbclient.py or other Impacket example scripts, so that the SOCKS connection can be used.
The same happens when initially connecting using SMB instead of HTTP.
Configuration
impacket version: Impacket v0.10.1.dev1+20220504.120002.d5097759
Python version: 3.9.2
Target OS: Linux
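The mismatch reported above comes down to a key lookup: the session is stored under `/USER1@LAB` and requested as `LAB/USER1`. The following is an added example, not code from the report or from Impacket; `canonical_identity` and `SessionTable` are hypothetical names, and the sketch assumes the UPN suffix equals the domain name, as it does for `LAB` in the report.

```python
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[str, str, int]  # (identity, host, port)


def canonical_identity(raw: str) -> str:
    """Map DOMAIN/USER, DOMAIN\\USER, USER@DOMAIN and /USER@DOMAIN to 'DOMAIN/USER'."""
    raw = raw.strip()
    # Split off an explicit domain prefix, accepting either separator.
    for sep in ("/", "\\"):
        if sep in raw:
            domain, user = raw.split(sep, 1)
            break
    else:
        domain, user = "", raw
    # Empty domain plus UPN-style user: take the domain from the UPN suffix.
    # Assumption: the suffix is the domain name (a real UPN suffix may differ).
    if not domain and "@" in user:
        user, domain = user.rsplit("@", 1)
    # Windows account names compare case-insensitively.
    return f"{domain}/{user}".upper()


class SessionTable:
    """Session registry keyed by (identity, host, port)."""

    def __init__(self, key_fn: Callable[[str], str] = canonical_identity) -> None:
        self._key_fn = key_fn
        self._sessions: Dict[Key, object] = {}

    def add(self, identity: str, host: str, port: int, session: object) -> None:
        self._sessions[(self._key_fn(identity), host, port)] = session

    def get(self, identity: str, host: str, port: int) -> Optional[object]:
        return self._sessions.get((self._key_fn(identity), host, port))


def demo() -> Tuple[Optional[object], Optional[object]]:
    # Constructed values mirroring the two log lines in the report.
    stored, requested = "/USER1@LAB", "LAB/USER1"
    literal = SessionTable(key_fn=str.upper)  # compares the strings as given
    literal.add(stored, "192.168.1.1", 445, "session-1")
    normalized = SessionTable()               # compares canonical identities
    normalized.add(stored, "192.168.1.1", 445, "session-1")
    return (literal.get(requested, "192.168.1.1", 445),
            normalized.get(requested, "192.168.1.1", 445))


if __name__ == "__main__":
    print(demo())
```

The same canonicalization matters when correlating authentication records by account name, since one account can appear in both forms.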