
SSL Version too low (ntlmrelaytoews issue, closed)

arno0x commented on June 12, 2024
SSL Version too low

from ntlmrelaytoews.

Comments (5)

Arno0x commented on June 12, 2024

Hi,

This is due to the SSLContext version used in the HTTPRelayClient.py on line 33:

uv_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

It seems your Exchange server cannot handle SSLv2 or SSLv3 (admittedly too old), so you can try to replace this line with either of the two following options:
1/ uv_context = ssl.create_default_context(), which will create an SSL context with the recommended security settings for client sockets, or
2/ manually specify an SSL protocol version that would work in your environment: uv_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) for instance.

Let me know which one works for you.


RedSec-Shay commented on June 12, 2024

Thanks, uv_context = ssl.create_default_context() didn't work, however manually specifying the protocol (TLSv1 like you suggested) worked.

Now if I browse to 127.0.0.1 (the relay server) it works great: I get prompted for creds, and those get sent to the Exchange server, getting the inbox.
However, trying from Outlook (using a hidden pic) I get
HTTPD: Received connection from 10.xxx.xxx.xxx, attacking target 192.168.xxx.xxx
but nothing else happens. I suspect it is because Outlook gets prompted for creds (using other auth) and not NTLM auth.

Is visiting the EWS URL supposed to transparently relay the login creds (without a prompt)?
The URL I'm using is https://ip_of_exchange/EWS/exchange.asmx. Is there another EWS URL that accepts NTLM auth without triggering a prompt?

Thanks again for your help !


Arno0x commented on June 12, 2024

It's hard to tell, but Windows SSO will not automatically work (i.e. automatically get into an NTLM auth) as it depends on where the relay server is located in terms of trust zone (Intranet site) from the client's perspective. Also the client (victim's) machine must be able to communicate with the DC.

Have you tried in verbose mode (-v flag)?

I'll close this issue, as the originally reported issue is fixed.


RedSec-Shay commented on June 12, 2024

Thank you.
Yes, I'm seeing this in verbose mode. Both target and relay are able to communicate with the DC.

When you go to the EWS URL (not the relay), are you getting a prompt for creds (HTTP auth), or are you getting auth using SSO (NTLM)?


Arno0x commented on June 12, 2024

In working scenarios: when the victim goes to the EWS URL (from let's say IE) it gets automatically authenticated using NTLM, so it doesn't get prompted for credentials.
