Awesome
UltraRelay Updated by Lazaar Sami for the exploit CVE-2019-1040
UltraRelay is a tool for LLMNR poisoning and relaying NTLM credentials. It is based on Responder and impack.
I have updated the original version (https://github.com/5alt/ultrarelay) for the exploit CVE-2019-1040. Dirk-jan Mollema has updated ntlmrelayx (part of https://github.com/CoreSecurity/impacket) to have a --remove-mic flag, which exploits CVE-2019-1040 based on the technical description by the Preempt researchers (https://blog.preempt.com/drop-the-mic) see https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/ Especially, this tool can be used to relay credentials from JAVA http request to local SMB server and achieve RCE.
Dependency
Ussage
from the original version https://github.com/5alt/ultrarelay
Thunks to Jianing Wang and Junyu Zhou
python ultrarelay.py -ip 192.168.1.100
Value of the ip argument is attacker's ip address.
For the exploit CVE-2019-1040 i have added the flags --remove-mic ( Remove MIC to bypass the latest NTLM mitigation, see https://blog.preempt.com/drop-the-mic) and the flag -remove-target to remove the target in the challenge message (in case CVE-2019-1019 patch is not installed), inspired from the new version of ntlmrelayx updated by Dirk-jan Mollema (https://github.com/CoreSecurity/impacket) Ex: python ultrarelay.py -ip 192.168.1.3 --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support
Demo video
https://www.youtube.com/watch?v=VyoyA2GgKck
Contact
Lazaar sami, lazaars@gmail.com"# UltraRealy_with_CVE-2019-1040"