Run NTLMRelayX with the adcs flag, in multirelay mode, and against an HTTP target with the following syntax: <scheme>://<netloc>/<path> (Example: http://127.0.0.1/certsrv/certfnsh.asp)
Behavior:
Even if the attack is successful, the relay will keep attacking the target forever.
Additional Information:
When an attack is successful, the target will be saved into a list (here: targetsutils.py#L108-L109)
The relay will keep asking for the next target until all the targets have been processed; the relevant code for this case is here: targetsutils.py#L132-137.
Notice that there is a check to prevent already successful targets from being returned once again:
```python
match = [x for x in self.finishedAttacks if x.geturl().upper() == tmpTarget.upper()]
if len(match) == 0: # <- HERE
    self.generalCandidates.remove(target)
    return target
```
However, there's a problem in how tmpTarget is generated:
Only <scheme> and <netloc> are used to build it, leaving out <path>. In our case tmpTarget would be "http://127.0.0.1"; the rest of the URL is missing!
This is why tmpTarget never matches anything inside self.finishedAttacks (which stores the full URL, path included) and is always treated as a "new" target.
Note: In case you're wondering, the target is indeed being removed from self.generalCandidates, so why would the relay loop over it? Because it's added once again here: targetsutils.py#L152-L154, this is a normal behavior.
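To make the mismatch concrete, here is a small added illustration (not impacket's code; the function names, the simulated scheduler and the sample target are constructed for this report) that rebuilds the comparison key both ways, scheme+netloc only versus the full URL, and simulates the "refill and pick the next target" loop to show that only the full-URL key lets the loop stop:

```python
from urllib.parse import urlparse, urlunparse

# Constructed sample: one target whose attack already succeeded. Like
# self.finishedAttacks in the report, it holds parsed URLs and is compared
# through geturl().
FINISHED = [urlparse("http://127.0.0.1/certsrv/certfnsh.asp")]


def buggy_key(target):
    """Key built the way the report describes: scheme and netloc only, no path."""
    p = urlparse(target)
    return "%s://%s" % (p.scheme, p.netloc)


def full_key(target):
    """Key that keeps path, params, query and fragment, so it can equal geturl()."""
    p = urlparse(target)
    return urlunparse((p.scheme, p.netloc, p.path, p.params, p.query, p.fragment))


def already_finished(target, finished, keyfunc):
    """Same shape as the check quoted from targetsutils.py: case-insensitive
    comparison of the rebuilt key against geturl() of every finished attack."""
    tmp_target = keyfunc(target)
    match = [x for x in finished if x.geturl().upper() == tmp_target.upper()]
    return len(match) > 0


def count_returns(candidates, finished, keyfunc, rounds):
    """Simulated scheduler (hypothetical, not the real one): each round the
    candidate pool is refilled, as the report notes happens after a successful
    attack, and the first candidate that is not marked finished is handed out.
    Returns how many times a target was handed out over the given rounds."""
    handed_out = 0
    for _ in range(rounds):
        pool = list(candidates)  # refilled every round
        for target in pool:
            if not already_finished(target, finished, keyfunc):
                handed_out += 1
                break
    return handed_out


if __name__ == "__main__":
    url = "http://127.0.0.1/certsrv/certfnsh.asp"
    print("scheme+netloc key:", buggy_key(url), "->", already_finished(url, FINISHED, buggy_key))
    print("full URL key:     ", full_key(url), "->", already_finished(url, FINISHED, full_key))
    print("handed out (buggy):", count_returns([url], FINISHED, buggy_key, 5))
    print("handed out (fixed):", count_returns([url], FINISHED, full_key, 5))
```

With the scheme+netloc key the finished target is handed out on every round, which is the "attacks forever" behaviour described above; with the full-URL key it is never handed out again.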