Don't report anonymous as a success when relaying #21390
Merged
Pull request overview
Adjusts SMB relay success reporting so that anonymous (blank identity) relays are not treated as meaningful "success" events and do not trigger session-related callbacks.
Changes:
- Demotes anonymous relay authentication messaging from `print_good` to `print_status`.
- Skips `on_relay_success` when the relayed identity is blank, and disconnects the relayed connection immediately in that case.
jheysel-r7 approved these changes on May 20, 2026 and left a comment:
Thanks for the fix @zeroSteiner!
Testing:
Before
msf auxiliary(server/relay/smb_to_ldap) > run
[*] Auxiliary module running as background job 0.
msf auxiliary(server/relay/smb_to_ldap) >
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 127.0.0.1
[*] Relaying to next target ldap://172.16.199.200:389
[+] Identity: - Successfully authenticated against relay target ldap://172.16.199.200:389
[+] Relay succeeded
[*] New request from 127.0.0.1
[*] Relaying to next target ldap://172.16.199.200:389
[+] Identity: - Successfully authenticated against relay target ldap://172.16.199.200:389
[+] Relay succeeded
After
msf auxiliary(server/relay/smb_to_ldap) >
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 127.0.0.1
[*] Relaying to next target ldap://172.16.199.200:389
[*] Anonymous Identity - Successfully authenticated against relay target ldap://172.16.199.200:389
[*] New request from 127.0.0.1
[*] Relaying to next target ldap://172.16.199.200:389
[*] Anonymous Identity - Successfully authenticated against relay target ldap://172.16.199.200:389
Release Notes
This refines our smb_to_ldap relay attack reporting by demoting anonymous authentication messages from `print_good` to `print_status`, reflecting that anonymous sessions do not grant additional privileges. It also skips the `#on_relay_success` callback for these sessions to prevent modules from needlessly acting on unprivileged access.
When running a relay attack, the point is to obtain an authenticated session as an identity that would not otherwise be available to us. With that in mind, it's not a true success to report that relaying anonymous authentication was able to establish an authenticated session. The changes in this PR tweak the reporting slightly to demote the message from `print_good` to `print_status` when the relayed identity is anonymous. It also skips the `#on_relay_success` callback because the module doesn't need to be notified of an authenticated session which likely lacks any real privileges or access that we couldn't obtain ourselves by simply logging in anonymously.
Verification
- `smb_to_ldap` relay to a domain controller. DCs respond to a bind request with a blank username and password with a success.
- `smb_to_ldap` relay module
- examples/authenticate.rb)
Demo (After)
Demo (Before)
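The decision the PR describes, modelled as an added Ruby example that is not Metasploit's own code: `RelayIdentity`, `FakeRelayModule` and `report_relay` are constructed stand-ins for the relay module surface the page names (`print_good`, `print_status`, `#on_relay_success`), and the anonymous check treats a nil or blank username as anonymous regardless of domain.

```ruby
# Constructed model of a relayed identity; a blank username means an
# anonymous (null) session, whatever the domain field holds.
RelayIdentity = Struct.new(:domain, :username) do
  def anonymous?
    username.nil? || username.strip.empty?
  end

  def to_s
    anonymous? ? 'Anonymous Identity' : "Identity: #{domain}\\#{username}"
  end
end

# Hypothetical stand-in for the module methods the PR talks about; it records
# what was printed, which callbacks fired, and which connections were dropped.
class FakeRelayModule
  attr_reader :log, :callbacks, :disconnected

  def initialize
    @log = []
    @callbacks = []
    @disconnected = []
  end

  def print_good(msg)
    @log << "[+] #{msg}"
  end

  def print_status(msg)
    @log << "[*] #{msg}"
  end

  def on_relay_success(relay_identity:, relay_connection:)
    @callbacks << relay_identity.to_s
  end

  def disconnect(conn)
    @disconnected << conn
  end
end

# Post-fix behaviour: anonymous relays are logged at status level, skip
# #on_relay_success and get disconnected; real identities keep the old path.
def report_relay(mod, identity, target, conn)
  msg = "#{identity} - Successfully authenticated against relay target #{target}"
  if identity.anonymous?
    mod.print_status(msg)
    mod.disconnect(conn)
    return :anonymous
  end
  mod.print_good(msg)
  mod.print_good('Relay succeeded')
  mod.on_relay_success(relay_identity: identity, relay_connection: conn)
  :success
end
```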