ntlmrelayx.py: Fix problem with SMB MessageID for the SOCKS proxy. #1659
Fix compatibility problems with other SMB clients connecting to the SOCKS proxy created by ntlmrelayx.py
by responding to SMB2 Negotiate Protocol requests with the same MessageID as received in the request.
When using ntlmrelayx.py as a SOCKS server, for example using the following command
./ntlmrelayx.py -socks -t <target ip> -smb2support --no-http-server --no-wcf-server --no-raw-server
and connecting with a non-impacket tool that uses SMB2 for the initial Negotiate Protocol request,
the client will send a MessageID of 0 and the server will respond with a MessageID of 1, which
confuses some clients and thereby breaks the connection. This is because the SOCKS SMB plugin
always returns a MessageID of 1 when receiving SMB2 Negotiate Protocol requests.
Using impacket's smbclient.py
proxychains ./smbclient.py <domain>/<username>@<target ip> -n
works because this client begins by sending an SMB1 Negotiate Protocol response, which the server
responds to with an SMB2 Negotiate Protocol response with a MessageID of 0. The client then sends
a new Negotiate Protocol request, this time using SMB2, with a MessageID of 1.
Using the Linux tool smbclient with proxychains to connect presents a problem, as it will begin with SMB2 directly
and encounter a mismatch of MessageID between request and response.
proxychains smbclient -U "<domain>/<username>" -L \\<target ip>
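The exchange described in the PR, modelled as an added example (this is not impacket's code and not the patch under review): a 64-byte SMB2 header is packed as [MS-SMB2] lays it out, a "buggy" responder answers every SMB2 Negotiate with MessageId 1 while a "fixed" responder echoes the request's MessageId, and a strict client check shows why an SMB2-first client (the Linux smbclient case) is rejected by the former but an SMB1-first client (the smbclient.py case, which re-negotiates over SMB2 with MessageId 1) survives both. The responder and client functions, the minimal SMB1 header, and the sample requests are all constructed here for illustration.

```python
"""Model of SMB2 Negotiate MessageId handling (constructed example, not impacket code)."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"
SMB2_NEGOTIATE = 0x0000            # SMB2 NEGOTIATE command
SMB1_COM_NEGOTIATE = 0x72          # SMB_COM_NEGOTIATE in the SMB1 header
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001

# SMB2 header, 64 bytes, little-endian ([MS-SMB2] 2.2.1):
# ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags,
# NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"
SMB2_HEADER_LEN = struct.calcsize(SMB2_HEADER_FMT)

# SMB1 header, 32 bytes: Protocol, Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID (only Protocol/Command used here)
SMB1_HEADER_FMT = "<4sBIBHH8sHHHHH"


def build_smb2_header(command, message_id, flags=0, status=0, credits=1):
    """Pack a bare SMB2 header carrying the given command and MessageId."""
    return struct.pack(SMB2_HEADER_FMT, SMB2_MAGIC, SMB2_HEADER_LEN, 0, status,
                       command, credits, flags, 0, message_id, 0, 0, 0, b"\x00" * 16)


def parse_smb2_header(data):
    """Return command, flags and MessageId from an SMB2 header, rejecting anything else."""
    if len(data) < SMB2_HEADER_LEN or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 header")
    f = struct.unpack(SMB2_HEADER_FMT, data[:SMB2_HEADER_LEN])
    return {"command": f[4], "flags": f[6], "message_id": f[8]}


def build_smb1_negotiate_request():
    """Minimal SMB1 Negotiate header, as an SMB1-first client would open with."""
    return struct.pack(SMB1_HEADER_FMT, SMB1_MAGIC, SMB1_COM_NEGOTIATE, 0, 0, 0, 0,
                       b"\x00" * 8, 0, 0, 0, 0, 0)


def buggy_server_negotiate_reply(request):
    """Pre-fix behaviour as the PR describes it: an SMB1 Negotiate gets an SMB2 reply
    with MessageId 0, but every SMB2 Negotiate gets a reply with MessageId 1."""
    if request[:4] == SMB1_MAGIC:
        return build_smb2_header(SMB2_NEGOTIATE, 0, SMB2_FLAGS_SERVER_TO_REDIR)
    if parse_smb2_header(request)["command"] != SMB2_NEGOTIATE:
        raise ValueError("expected NEGOTIATE")
    return build_smb2_header(SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR)


def fixed_server_negotiate_reply(request):
    """Fixed behaviour: echo the request's MessageId; SMB1 (no 64-bit MessageId) gets 0."""
    if request[:4] == SMB1_MAGIC:
        if request[4] != SMB1_COM_NEGOTIATE:
            raise ValueError("expected SMB_COM_NEGOTIATE")
        return build_smb2_header(SMB2_NEGOTIATE, 0, SMB2_FLAGS_SERVER_TO_REDIR)
    hdr = parse_smb2_header(request)
    if hdr["command"] != SMB2_NEGOTIATE:
        raise ValueError("expected NEGOTIATE")
    return build_smb2_header(SMB2_NEGOTIATE, hdr["message_id"], SMB2_FLAGS_SERVER_TO_REDIR)


def client_accepts(request, response):
    """Check a strict SMB2 client performs: the reply must be marked SERVER_TO_REDIR
    and carry the MessageId of the outstanding request (0 after an SMB1 Negotiate)."""
    resp = parse_smb2_header(response)
    if not resp["flags"] & SMB2_FLAGS_SERVER_TO_REDIR:
        return False
    expected = 0 if request[:4] == SMB1_MAGIC else parse_smb2_header(request)["message_id"]
    return resp["message_id"] == expected


def smb2_first_client_connects(server):
    """Linux smbclient style: open with SMB2 Negotiate, MessageId 0."""
    req = build_smb2_header(SMB2_NEGOTIATE, 0)
    return client_accepts(req, server(req))


def smb1_first_client_connects(server):
    """smbclient.py style: SMB1 Negotiate first, then SMB2 Negotiate with MessageId 1."""
    req1 = build_smb1_negotiate_request()
    if not client_accepts(req1, server(req1)):
        return False
    req2 = build_smb2_header(SMB2_NEGOTIATE, 1)
    return client_accepts(req2, server(req2))


if __name__ == "__main__":
    for name, server in (("buggy", buggy_server_negotiate_reply),
                         ("fixed", fixed_server_negotiate_reply)):
        print(name, "SMB2-first:", smb2_first_client_connects(server),
              "SMB1-first:", smb1_first_client_connects(server))
```

Running the block prints one line per responder; only the SMB2-first client against the buggy responder fails, which is exactly the smbclient-versus-smbclient.py split the PR describes.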