Don't report anonymous as a success when relaying #21390

Merged
jheysel-r7 merged 1 commit into rapid7:master from zeroSteiner:fix/skip-anonymous-relay
May 20, 2026

@zeroSteiner zeroSteiner commented Apr 28, 2026

When running a relay attack, the point is to obtain an authenticated session as an identity that would not otherwise be available to us. With that in mind, it's not a true success to report that relaying anonymous authentication was able to establish an authenticated session. The changes in this PR tweak the reporting slightly to demote the message from print_good to print_status when the relayed identity is anonymous. It also skips the #on_relay_success callback because the module doesn't need to be notified of an authenticated session which likely lacks any real privileges or access that we couldn't obtain ourselves by simply logging in anonymously.

Verification

  • Set up the smb_to_ldap relay to a domain controller. DCs respond to a bind request with a blank username and password with a success.
  • Use the smb_to_ldap relay module
  • Trigger authentication to the SMB server with no credentials (pro-tip: use "Update examples with argument parsing" ruby_smb#298 and examples/authenticate.rb)
  • See that it no longer reports an anonymous session and the session object isn't created

Demo (After)

msf auxiliary(server/relay/smb_to_ldap) > 
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 192.168.159.128
[*] Relaying to next target ldap://192.168.159.10:389
[*] Anonymous Identity - Successfully authenticated against relay target ldap://192.168.159.10:389
[*] New request from 192.168.159.128
[*] Relaying to next target ldap://192.168.159.10:389
[*] Anonymous Identity - Successfully authenticated against relay target ldap://192.168.159.10:389

Demo (Before)

msf auxiliary(server/relay/smb_to_ldap) > 
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 192.168.159.128
[*] Relaying to next target ldap://192.168.159.10:389
[+] Identity:  - Successfully authenticated against relay target ldap://192.168.159.10:389
[+] Relay succeeded
[*] New request from 192.168.159.128
[*] Relaying to next target ldap://192.168.159.10:389
[+] Identity:  - Successfully authenticated against relay target ldap://192.168.159.10:389
[+] Relay succeeded

msf auxiliary(server/relay/smb_to_ldap) > sessions -i -1
[-] Invalid session identifier: -1

@smcintyre-r7 smcintyre-r7 requested a review from Copilot April 28, 2026 21:12
@zeroSteiner zeroSteiner changed the title Don't report anonymous as a success Don't report anonymous as a success when relaying Apr 28, 2026

Copilot AI left a comment

Pull request overview

Adjusts SMB relay success reporting so that anonymous (blank identity) relays are not treated as meaningful “success” events and do not trigger session-related callbacks.

Changes:

  • Demotes anonymous relay authentication messaging from print_good to print_status.
  • Skips on_relay_success when the relayed identity is blank, and disconnects the relayed connection immediately in that case.

@zeroSteiner zeroSteiner force-pushed the fix/skip-anonymous-relay branch from 8651d7f to 621ace3 Compare April 29, 2026 13:13
@jheysel-r7 jheysel-r7 self-assigned this May 19, 2026

@jheysel-r7 jheysel-r7 left a comment

Thanks for the fix @zeroSteiner!

Testing:

Before

msf auxiliary(server/relay/smb_to_ldap) > run
[*] Auxiliary module running as background job 0.
msf auxiliary(server/relay/smb_to_ldap) >
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 127.0.0.1
[*] Relaying to next target ldap://172.16.199.200:389
[+] Identity:  - Successfully authenticated against relay target ldap://172.16.199.200:389
[+] Relay succeeded
[*] New request from 127.0.0.1
[*] Relaying to next target ldap://172.16.199.200:389
[+] Identity:  - Successfully authenticated against relay target ldap://172.16.199.200:389
[+] Relay succeeded

After

msf auxiliary(server/relay/smb_to_ldap) >
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 127.0.0.1
[*] Relaying to next target ldap://172.16.199.200:389
[*] Anonymous Identity - Successfully authenticated against relay target ldap://172.16.199.200:389
[*] New request from 127.0.0.1
[*] Relaying to next target ldap://172.16.199.200:389
[*] Anonymous Identity - Successfully authenticated against relay target ldap://172.16.199.200:389

@github-project-automation github-project-automation Bot moved this from Todo to In Progress in Metasploit Kanban May 20, 2026
@jheysel-r7 jheysel-r7 added the rn-fix release notes fix label May 20, 2026
@jheysel-r7 jheysel-r7 merged commit a6b20a6 into rapid7:master May 20, 2026
51 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban May 20, 2026
@jheysel-r7

Release Notes

This refines our smb_to_ldap relay attack reporting by demoting anonymous authentication messages from print_good to print_status, reflecting that anonymous sessions do not grant additional privileges. It also skips the #on_relay_success callback for these sessions to prevent modules from needlessly acting on unprivileged access.
