Source: CQURE Academy
Author: Kate Chrzan
URL: https://cqureacademy.com/blog/65-ntlm-reflection-smb-flaw/
ONE SENTENCE SUMMARY:
CVE-2025-33073 enables attackers to exploit legacy SMB protocols and coercion methods for full system compromise via NTLM relay.
MAIN POINTS:
- SMB signing must be disabled on the target machine to allow authentication relay attacks.
- The target must be vulnerable to coercion techniques like PetitPotam for exploitation to proceed.
- Initial attack attempts without a DNS record fail because the relayed authentication cannot be completed.
- Adding a DNS record pointing to the attacker’s machine enables successful NTLM relay and SAM dump.
- Changing the target IP to the value of the DNS record lets the machine relay authentication to itself.
- LLMNR poisoning via Responder enables attacks without needing the DNS record.
- Using impacket-ntlmrelayx with netexec and coerce_plus exploits the PrinterBug vulnerability.
- Successful execution allows retrieval of local admin hash and local authentication.
- The LSA module from netexec can be used to dump LSASS and gain further access.
- The vulnerability highlights critical risks from legacy authentication protocols and misconfigurations.
TAKEAWAYS:
- Disable SMB signing only if absolutely necessary, since disabling it is what makes these relay attacks possible.
- Monitor and restrict DNS records to prevent abuse in authentication redirection.
- Employ modern authentication mechanisms to mitigate legacy protocol exploitation.
- Use tools like Responder and PetitPotam carefully during red team engagements or internal audits.
- Regularly update systems and audit for coercion vulnerabilities like PrinterBug.
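The precondition the post leans on is SMB signing not being required on the target. The following is an added PowerShell check (not from the CQURE post or its tools) that reports whether a Windows host requires signing on both the server and client side and, optionally, enforces it; it assumes the built-in SmbShare cmdlets are available and the shell is elevated.

```powershell
# Added example: audit (and optionally enforce) SMB signing on a Windows host.
# Assumes Windows 8 / Server 2012 or later (SmbShare module) and an elevated shell.

function Get-SmbSigningStatus {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    # The GPO-backed registry value; checked as a cross-reference to the cmdlet output.
    $regServer = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                  -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    [pscustomobject]@{
        ServerRequiresSigning    = $server.RequireSecuritySignature
        ServerEnablesSigning     = $server.EnableSecuritySignature
        ClientRequiresSigning    = $client.RequireSecuritySignature
        ClientEnablesSigning     = $client.EnableSecuritySignature
        ServerRegistryRequireVal = $regServer
    }
}

function Set-SmbSigningRequired {
    # "Enable" alone only negotiates signing; "Require" is what blocks unsigned sessions.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
}

$status = Get-SmbSigningStatus
$status | Format-List

if (-not $status.ServerRequiresSigning) {
    Write-Warning 'SMB server signing is not required: this host meets the relay precondition described above.'
    # Set-SmbSigningRequired   # uncomment to enforce after confirming legacy clients can sign
}
```

Apply the change through Group Policy for fleet-wide coverage; the cmdlets set the same registry values on a single host and take effect without a reboot for new sessions.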