victim <-> attacker will be killed AFTER the authentication, hence allowing an attacker to relay that authentication and get a valid session
attacker <-> target (if the target is not requiring signing).
AvPairs, a byte array containing the
msAvFlags flag, which is used to enable the MIC
AvPairs in their calculation, leaving the MIC unsupported for this version of NTLM.
msAvFlags, which is protected by the NTLMv2 response, which cannot be modified without knowing the user's NT hash.
.grep files. It will also gather lots of information regarding the domain users and groups, the computers, ADCS, etc.
--escalate-user) if the relayed account has sufficient privileges.
--escalate-user option must be supplied with a controlled machine account name. If no machine account is controlled, the
--add-computer option can be supplied instead like the "Account creation" tab before, and by targeting LDAPS instead of LDAP.
-6 option (IPv6 support is not required since most hosts will send IPv4 but using this option is recommended since it will allow relay servers to work with IPv4 and IPv6)
--remove-mic option, usually needed when attempting "cross-protocols unsigning relays" (e.g. SMB to SMB-with-required-signing, or SMB to LDAP/S). This option can also be used when NTLMv1 is allowed (NTLMv1 doesn't support MIC).
-tf option instead of
-t, and the
-w option can be set to watch the target file for changes and update target list automatically
ldap://target but the "all" keyword can be used (
all://target). If the protocol isn't specified, it defaults to smb.