victim <-> attacker will be killed AFTER the authentication, hence allowing an attacker to relay that authentication and get a valid session attacker <-> target (if the target is not requiring signing).

AvPairs, a byte array containing the msAvFlags flag, which is used to enable the MIC

AvPairs in their calculation, leaving the MIC unprotected.

msAvFlags, which is protected by the NTLMv2 response, which cannot be modified without knowing the user's NT hash.

.html, .json and .grep files. It will also gather lots of information regarding the domain users and groups, the computers, ADCS, etc.

ms-DS-MachineAccountQuota to create a domain machine account. The tester will then be able to use it for AD operations.

--remove-mic option will be needed when relaying to LDAP(S) because of the MIC protection.

--escalate-user) if the relayed account has sufficient privileges.

WriteDACL over the domain object, see Abusing ACEs) to escalate a domain user's privileges (--escalate-user).

--escalate-user option must be supplied with a controlled machine account name. If no machine account is controlled, the --add-computer option can be supplied instead, as in the "Account creation" tab above, by targeting LDAPS instead of LDAP.

-6 option (IPv6 support is not required since most hosts will send IPv4, but using this option is recommended since it allows relay servers to work with both IPv4 and IPv6)

-smb2support option

--remove-mic option, usually needed when attempting "cross-protocol unsigning relays" (e.g. SMB to SMB-with-required-signing, or SMB to LDAP/S)

-remove-target and -machine-account arguments

-tf option instead of -t, and the -w option can be set to watch the target file for changes and update the target list automatically

ldap://target, but the "all" keyword can be used (all://target). If the protocol isn't specified, it defaults to smb.

-tf option can contain the following