Description
Hi there, when I'm on engagements and running responder/pretender/mitm6 and using those to leverage the ability to relay authentication to LDAP through ntlmrelayx, it will create new computer objects and set up delegation with the computer, and so long as the response is poisoned (as it probably will be if you're doing this to catch easy wins) then new computers will be created to set delegation on the same computer.
Would you guys consider adding logic for ntlmrelayx not to create a new computer if it already did so during the same execution cycle? Otherwise it just keeps creating computers to delegate to the same object, which makes it difficult to exploit other things as it runs up the allowance of joining machines to the domain.
Say you ran sudo responder -wd and then started ntlmrelayx -t ldap://10.10.240.44 --delegate-access -wh wpad.domain.local; then you would see that if a computer got caught and its authentication relayed to LDAP, so long as responder is poisoning computer A, ntlmrelayx will continue to create new computers and set up delegation between them and computer A.
If you're leaving ntlmrelayx running then I think it should only be creating one computer object in its execution cycle, and so every new computer it catches and relays will have the same computer delegated to it that ntlmrelayx created the first time around.
It actually can ruin your engagement, as ntlmrelayx on a good catch can end up creating 10 computers in a few minutes just to delegate to the same two computers instead of simply using the same computer it once created in its execution cycle.
I hope I was able to explain this well :)
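As an added example (not part of this issue or of impacket), a defender-side way to spot the pattern described above: each relayed authentication creates a computer account under the identity of the poisoned machine, so Windows Security event 4741 ("A computer account was created") logged repeatedly for the same subject account within a few minutes is the signature of this behaviour. The event records, account names and thresholds below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), shaped like Security event 4741:
# "subject" is the account that performed the creation, which in the relay scenario
# is the poisoned machine's own account; "target" is the new computer account.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:05", "event_id": 4741, "subject": "WS01$", "target": "DESKTOP-A1B2C3$"},
    {"time": "2024-01-01T10:00:40", "event_id": 4741, "subject": "WS01$", "target": "DESKTOP-D4E5F6$"},
    {"time": "2024-01-01T10:01:12", "event_id": 4741, "subject": "WS01$", "target": "DESKTOP-G7H8I9$"},
    {"time": "2024-01-01T10:01:50", "event_id": 4741, "subject": "WS01$", "target": "DESKTOP-J0K1L2$"},
    {"time": "2024-01-01T10:02:30", "event_id": 4741, "subject": "WS01$", "target": "DESKTOP-M3N4O5$"},
    {"time": "2024-01-01T10:01:00", "event_id": 4741, "subject": "helpdesk", "target": "LAPTOP-042$"},
    {"time": "2024-01-01T09:00:00", "event_id": 4741, "subject": "WS02$", "target": "DESKTOP-P6Q7R8$"},
    {"time": "2024-01-01T09:20:00", "event_id": 4741, "subject": "WS02$", "target": "DESKTOP-S9T0U1$"},
    {"time": "2024-01-01T10:01:30", "event_id": 4624, "subject": "WS01$", "target": "WS01$"},
]

def computer_creation_bursts(events, window_minutes=5, threshold=3):
    """Return {subject: peak_count} for every subject that created at least
    `threshold` computer accounts inside any `window_minutes`-long interval
    (sliding window per subject). A normal join creates one account at a time."""
    window = timedelta(minutes=window_minutes)
    by_subject = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4741:
            continue  # only computer-account creations are relevant here
        by_subject[ev["subject"]].append(datetime.fromisoformat(ev["time"]))
    hits = {}
    for subject, times in by_subject.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past stale creations
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[subject] = peak
    return hits

def created_targets(events, subject):
    """List the computer accounts a subject created, so they can be reviewed and removed."""
    return [ev["target"] for ev in events if ev["event_id"] == 4741 and ev["subject"] == subject]

if __name__ == "__main__":
    for subject, n in computer_creation_bursts(SAMPLE_EVENTS).items():
        print(f"{subject} created {n} computer accounts within 5 minutes:",
              created_targets(SAMPLE_EVENTS, subject))
```

The same burst check is the reason the feature request above matters to an operator: a single reused computer object produces one 4741 event, whereas the current behaviour produces one per relayed authentication.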