[ntlmrelayx.py] fails to pick up requests over HTTP #1651
Comments
My team is having a similar issue. Auth PetitPotam SMB v1-3 > PC$ is not getting caught. Responder does. Pcredz does not. Someone else recommended you need to declare your network interface with ntlmrelayx.
@Zamanry: Thanks; do you know the argument to do so, so I can test that?
-ip #.#.#.# where #.#.#.# is your interface IP. We’ll test PetitPotam with that parameter this afternoon.
Ah! I am already specifying
Same issue here, any advice?
I tried the -ip flag, never fixed it. I’ve encountered this issue at multiple clients now.
Hi, been doing some tests and wasn't able to replay the same behavior you are having. There are a couple of parameters in ntlmrelayx to indicate in which interface ( Just thinking out loud, and trying to better understand the scenario to analyze where the issue could be:
Hi, We've been doing some tests with multiple impacket versions. Here are our results:
Impacket 0.9.24 (receiving authentications)
We coerce an authentication through
We do receive HTTP authentications in ntlmrelay:
And we do receive the expected
Impacket 0.10.0 (not receiving authentications)
We coerce an authentication through
In this case (ntlmrelay in impacket 0.10.0), we do not receive any HTTP authentication on ntlmrelay:
But we do receive the expected
Therefore, we need to find in which commit the issue was introduced between:
Best regards,
@p0dalirius this issue is related to LDAP parameter handling in ldapattack.py. The WebDAV connection is being handled (as shown in Wireshark). Can you please try with the master branch version? It seems this was fixed in 337d50d
@Sockmower sorry for the late response, can you provide the content of the target list file?
Hey, yesterday I was doing some tests with different Impacket versions and finally found the commit that removed the log message (c237962), related to the multirelay feature addition at #1297. It only affects WebDAV requests. When processing an HTTP GET, a message is always logged (unless in REDIRECT mode, but that wasn't the case in your tests):
impacket/impacket/examples/ntlmrelayx/servers/httprelayserver.py Lines 245 to 250 in 829239e
But when processing WebDAV, the PROPFIND method does not log anything, at least until the connection is properly relayed:
impacket/impacket/examples/ntlmrelayx/servers/httprelayserver.py Lines 182 to 189 in 829239e
A similar scenario, but for SMB relay, was solved in #1602. I will be submitting a new PR to handle these scenarios in all the different relay servers, to give visibility on the received connections. Thank you!
I can jump in again! I was facing this issue with WebDAV coerced using PetitPotam code. Appreciate the help!
I'm trying to capture and relay authentication using ntlmrelayx.py; a Responder session in the same terminal window picks up the HTTP requests fine, but ntlmrelayx fails to produce any output even when debug mode is on. The client at 172.0.0.1 is repeatedly making HTTP requests to a resource on the attacker machine. The responder output is included below for reference:
Running ntlmrelayx in the same terminal, while the HTTP requests are still being made:
Why is it that Responder picks up these requests just fine but ntlmrelayx fails to do so?