lsarelayx: system wide NTLM relay tool
lsarelayx
lsarelayx is a system-wide NTLM relay tool designed to relay incoming NTLM-based authentication to the host it is running on. lsarelayx will relay any incoming authentication request which includes SMB. Since lsarelayx hooks into the existing application authentication flow, the tool will also attempt to service the original authentication request after the relay is complete. This will prevent the target application/protocol from displaying errors and function as normal for end users authenticating against the lsarelayx host.
Features
- Relays NTLM connections system-wide, including SMB, HTTP/HTTPS, LDAP/LDAPS, or any other third-party application implementing the Windows authentication APIs.
- Where possible, downgrades incoming Kerberos authentication requests to NTLM. This will cause clients that would traditionally attempt Kerberos authentication to fall back to NTLM.
- Performs an LDAP query for the relayed user to fetch group membership info and create the correct authentication token for the original request.
- Dumps NetNTLM messages for offline cracking.
- Supports a passive mode that does not relay and only dumps captured NetNTLM hashes (no Kerberos downgrade in this mode).
How it works
lsarelayx comes in three parts. A fake LSA authentication provider was implemented within liblsarelay.dll, a user-mode console application as the control interface, and a new ntlmrelayx server module called RAW.
liblsarelayx.dll
liblsarelayx.dll is the LSA authentication provider that gets loaded by lsarelayx. Its predominant purpose is to hook the NTLM and Negotiate packages to facilitating redirecting authentication requests to lsarelayx over a local named pipe for relaying and dumping NetNTLM hashes. liblsarelayx is designed to be as simple as possible where all the heavy lifting is performed by lsarelayx
lsarelayx.exe
lsarelayx.exe is the main console application used to load the custom LSA authentication provider (liblsarelayx.dll), listen for incoming NTLM, and Negotiate tokens from the authentication provider, and relay to ntlmrelayx’s RAW server module. The tool also performs the LDAP queries used for capturing group information for relayed users and passing back to the LSA authentication provider.
RAW ntlmrelayx module
impacket’s ntlmrelayx has implemented a significant amount of work creating relay attacks and will continue to improve and add further attacks in the future. To take advantage of this in favour of reimplementing attacks directly within lsarelayx, a new ntlmrelayx server module was created called RAW. Currently, there is a PR open on GitHub that implements the RAW server module. The RAW server module is protocol-agnostic and is designed to accept the raw NTLM messages directly from 3rd party software like lsarelayx.
Until the PR is merged into the mainline impacket repo, you can use this version.
