Enhance attack logging for ntlmrelayx (#2032)

gabrielg5 · web-flow · commit 85a03c64b99f · 2025-09-24T23:46:27.000-03:00
* Adding ID to each client. Logging it when relay succeeds. Showin it in 'socks' command

* Avoid crashing ntlmrelayx when 'socks' command has an invalid filter

* Showing relayed connection information when running attacks in context of relay

* Showing scheme in attacks logging. Fixing table printing in 'socks' command

* Add whitespace to standardize

* Code cleanup. Set 'target' and 'relay_client' as optional parameters in ProtocolAttack (backwards compatibilty)

* Format identity filter
diff --git a/examples/ntlmrelayx.py b/examples/ntlmrelayx.py
@@ -83,7 +83,7 @@ def printTable(items, header):
 
         # Print header
         print(outputFormat.format(*header))
-        print('  '.join(['-' * itemLen for itemLen in colLen]))
+        print('  '.join(['-' * max(itemLen, 3) for itemLen in colLen]))
 
         # And now the rows
         for row in items:
@@ -112,7 +112,7 @@ def do_socks(self, line):
    - admin : true or false 
         '''
 
-        headers = ["Protocol", "Target", "Username", "AdminStatus", "Port"]
+        headers = ["Protocol", "Target", "Username", "AdminStatus", "Port", "ID"]
         url = "http://{}/ntlmrelayx/api/v1.0/relays".format(self.api_address)
         try:
             proxy_handler = ProxyHandler({})
@@ -135,7 +135,8 @@ def do_socks(self, line):
                     elif(_filter=='admin'):
                         _filter=3
                     else:
-                        logging.info('Expect : target / username / admin = value')                    
+                        logging.info('Expect : target / username / admin = value')
+                        return
                     _items=[]
                     for i in items:
                         if(_value.lower() in i[_filter].lower()):
diff --git a/impacket/examples/logger.py b/impacket/examples/logger.py
@@ -17,6 +17,7 @@
 import logging
 import sys
 from impacket import version
+from impacket.examples.ntlmrelayx.utils.identity_log import IdentityFilter
 
 # This module can be used by scripts using the Impacket library 
 # in order to configure the root logger to output events 
@@ -30,7 +31,7 @@ class ImpacketFormatter(logging.Formatter):
   Prefixing logged messages through the custom attribute 'bullet'.
   '''
   def __init__(self):
-      logging.Formatter.__init__(self,'%(bullet)s %(message)s', None)
+      logging.Formatter.__init__(self,'%(bullet)s %(identity)s%(message)s', None)
 
   def format(self, record):
     if record.levelno == logging.INFO:
@@ -49,7 +50,7 @@ class ImpacketFormatterTimeStamp(ImpacketFormatter):
   Prefixing logged messages through the custom attribute 'bullet'.
   '''
   def __init__(self):
-      logging.Formatter.__init__(self,'[%(asctime)-15s] %(bullet)s %(message)s', None)
+      logging.Formatter.__init__(self,'[%(asctime)-15s] %(bullet)s %(identity)s%(message)s', None)
 
   def formatTime(self, record, datefmt=None):
       return ImpacketFormatter.formatTime(self, record, datefmt="%Y-%m-%d %H:%M:%S")
@@ -63,6 +64,8 @@ def init(ts=False, debug=False):
     else:
         handler.setFormatter(ImpacketFormatter())
 
+    handler.addFilter(IdentityFilter())
+
     logging.getLogger().addHandler(handler)
 
     if debug is True:
@@ -71,4 +74,4 @@ def init(ts=False, debug=False):
         logging.debug(version.getInstallationPath())
     else:
         logging.getLogger().setLevel(logging.INFO)
-        logging.getLogger('impacket.smbserver').setLevel(logging.ERROR)
+        logging.getLogger('impacket.smbserver').setLevel(logging.ERROR)
diff --git a/impacket/examples/ntlmrelayx/attacks/__init__.py b/impacket/examples/ntlmrelayx/attacks/__init__.py
@@ -21,6 +21,8 @@
 from impacket import LOG
 from threading import Thread
 
+from impacket.examples.ntlmrelayx.utils.identity_log import identity_context
+
 PROTOCOL_ATTACKS = {}
 
 # Base class for Protocol Attacks for different protocols (SMB, MSSQL, etc)
@@ -31,9 +33,27 @@
 #     PROTOCOL_ATTACK_CLASSES = ["<name of the class for the plugin>", "<another class>"]
 # These classes must have the attribute PLUGIN_NAMES which is a list of protocol names
 # that will be matched later with the relay targets (e.g. SMB, LDAP, etc)
+
+def _wrap_run_with_identity(run_func):
+    def _wrapped(self, *a, **k):
+        if self.target is not None and self.relay_client is not None:
+            connection_identifier = '%s://%s/%s@%s [%s]' % (self.target.scheme, self.domain, self.username, self.target.hostname, self.relay_client.client_id)
+            with identity_context(connection_identifier):
+                return run_func(self, *a, **k)
+        else:
+            return run_func(self, *a, **k)
+    return _wrapped
+
 class ProtocolAttack(Thread):
     PLUGIN_NAMES = ['PROTOCOL']
-    def __init__(self, config, client, username):
+
+    def __init_subclass__(cls, **kwargs):
+        super().__init_subclass__(**kwargs)
+        # If subclass defines its own run(), wrap it
+        if 'run' in cls.__dict__:
+            cls.run = _wrap_run_with_identity(cls.run)
+
+    def __init__(self, config, client, username, target=None, relay_client=None):
         Thread.__init__(self)
         # Set threads as daemon
         self.daemon = True
@@ -43,6 +63,9 @@ def __init__(self, config, client, username):
         self.username = username.split('/')[1]
         # But we also store the domain for later use
         self.domain = username.split('/')[0]
+        # -- 
+        self.target = target 
+        self.relay_client = relay_client
 
     def run(self):
         raise RuntimeError('Virtual Function')
diff --git a/impacket/examples/ntlmrelayx/attacks/ldapattack.py b/impacket/examples/ntlmrelayx/attacks/ldapattack.py
@@ -116,10 +116,10 @@ class LDAPAttack(ProtocolAttack):
     GENERIC_EXECUTE         = 0x00020004
     GENERIC_ALL             = 0x000F01FF
 
-    def __init__(self, config, LDAPClient, username):
+    def __init__(self, config, LDAPClient, username, target=None, relay_client=None):
         self.computerName = '' if not config.addcomputer else config.addcomputer[0]
         self.computerPassword = '' if not config.addcomputer or len(config.addcomputer) < 2 else config.addcomputer[1]
-        ProtocolAttack.__init__(self, config, LDAPClient, username)
+        ProtocolAttack.__init__(self, config, LDAPClient, username, target, relay_client)
         if self.config.interactive:
             # Launch locally listening interactive shell.
             self.tcp_shell = TcpShell()
diff --git a/impacket/examples/ntlmrelayx/attacks/mssqlattack.py b/impacket/examples/ntlmrelayx/attacks/mssqlattack.py
@@ -26,8 +26,8 @@
 
 class MSSQLAttack(ProtocolAttack):
     PLUGIN_NAMES = ["MSSQL"]
-    def __init__(self, config, MSSQLclient, username):
-        ProtocolAttack.__init__(self, config, MSSQLclient, username)
+    def __init__(self, config, MSSQLclient, username, target=None, relay_client=None):
+        ProtocolAttack.__init__(self, config, MSSQLclient, username, target, relay_client)
         if self.config.interactive:
             # Launch locally listening interactive shell.
             self.tcp_shell = TcpShell()
diff --git a/impacket/examples/ntlmrelayx/attacks/rpcattack.py b/impacket/examples/ntlmrelayx/attacks/rpcattack.py
@@ -172,8 +172,8 @@ def _run(self):
 class RPCAttack(ProtocolAttack, TSCHRPCAttack):
     PLUGIN_NAMES = ["RPC"]
 
-    def __init__(self, config, dce, username):
-        ProtocolAttack.__init__(self, config, dce, username)
+    def __init__(self, config, dce, username, target=None, relay_client=None):
+        ProtocolAttack.__init__(self, config, dce, username, target, relay_client)
         self.dce = dce
         self.rpctransport = dce.get_rpc_transport()
         self.stringbinding = self.rpctransport.get_stringbinding()
diff --git a/impacket/examples/ntlmrelayx/attacks/smbattack.py b/impacket/examples/ntlmrelayx/attacks/smbattack.py
@@ -40,8 +40,8 @@ class SMBAttack(ProtocolAttack):
     shell if the -i option is specified.
     """
     PLUGIN_NAMES = ["SMB"]
-    def __init__(self, config, SMBClient, username):
-        ProtocolAttack.__init__(self, config, SMBClient, username)
+    def __init__(self, config, SMBClient, username, target=None, relay_client=None):
+        ProtocolAttack.__init__(self, config, SMBClient, username, target, relay_client)
         if isinstance(SMBClient, smb.SMB) or isinstance(SMBClient, smb3.SMB3):
             self.__SMBConnection = SMBConnection(existingConnection=SMBClient)
         else:
diff --git a/impacket/examples/ntlmrelayx/clients/__init__.py b/impacket/examples/ntlmrelayx/clients/__init__.py
@@ -17,6 +17,7 @@
 #
 import os, sys
 from importlib.resources import files
+from threading import Lock
 from impacket import LOG
 
 PROTOCOL_CLIENTS = {}
@@ -26,6 +27,8 @@
 # writing a plugin for protocol clients:
 # PROTOCOL_CLIENT_CLASS = "<name of the class for the plugin>"
 # PLUGIN_NAME must be the protocol name that will be matched later with the relay targets (e.g. SMB, LDAP, etc)
+client_idx = 0
+lock = Lock()
 class ProtocolClient:
     PLUGIN_NAME = 'PROTOCOL'
     def __init__(self, serverConfig, target, targetPort, extendedSecurity=True):
@@ -95,6 +98,13 @@ def isAdmin(self):
         # By default, raise exception
         raise RuntimeError('Virtual Function')
 
+    def setClientId(self):
+        with lock:
+            global client_idx
+            client_idx += 1
+            self.client_id = client_idx
+
+
 clients_path = files('impacket.examples.ntlmrelayx').joinpath('clients')
 for file in [f.name for f in clients_path.iterdir() if f.is_file()]:
     if file.find('__') >= 0 or file.endswith('.py') is False:
diff --git a/impacket/examples/ntlmrelayx/servers/httprelayserver.py b/impacket/examples/ntlmrelayx/servers/httprelayserver.py
@@ -464,7 +464,8 @@ def do_relay(self, messageType, token, proxy, content = None):
                         self.do_AUTHHEAD(b'NTLM', proxy=proxy)
                 else:
                     # Relay worked, do whatever we want here...
-                    LOG.info("(HTTP): Authenticating connection from %s@%s against %s://%s SUCCEED" % (self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
+                    self.client.setClientId()
+                    LOG.info("(HTTP): Authenticating connection from %s@%s against %s://%s SUCCEED [%s]" % (self.authUser, self.client_address[0], self.target.scheme, self.target.netloc, self.client.client_id))
 
                     ntlm_hash_data = outputToJohnFormat(self.challengeMessage['challenge'],
                                                         authenticateMessage['user_name'],
@@ -530,7 +531,7 @@ def do_attack(self):
             if self.target.scheme.upper() in self.server.config.attacks:
                 # We have an attack.. go for it
                 clientThread = self.server.config.attacks[self.target.scheme.upper()](self.server.config, self.client.session,
-                                                                               self.authUser)
+                                                                               self.authUser, self.target, self.client)
                 clientThread.start()
             else:
                 LOG.error('(HTTP): No attack configured for %s' % self.target.scheme.upper())
diff --git a/impacket/examples/ntlmrelayx/servers/rawrelayserver.py b/impacket/examples/ntlmrelayx/servers/rawrelayserver.py
@@ -113,15 +113,15 @@ def handle(self):
                     # Relay worked, do whatever we want here...
                     self.request.sendall(struct.pack('h', 1))
                     self.request.sendall(struct.pack('?', True))
-
+                    self.client.setClientId()
                     if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
-                        LOG.info("(RAW): Authenticating connection from %s/%s@%s against %s://%s SUCCEED" % (
+                        LOG.info("(RAW): Authenticating connection from %s/%s@%s against %s://%s SUCCEED [%s]" % (
                             authenticateMessage['domain_name'].decode('utf-16le'), authenticateMessage['user_name'].decode('utf-16le'),
-                            self.client_address[0], self.target.scheme, self.target.netloc))
+                            self.client_address[0], self.target.scheme, self.target.netloc, self.client.client_id))
                     else:
-                        LOG.info("(RAW): Authenticating connection from %s/%s@%s against %s://%s SUCCEED" % (
+                        LOG.info("(RAW): Authenticating connection from %s/%s@%s against %s://%s SUCCEED [%s]" % (
                             authenticateMessage['domain_name'].decode('ascii'), authenticateMessage['user_name'].decode('ascii'),
-                            self.client_address[0], self.target.scheme, self.target.netloc))
+                            self.client_address[0], self.target.scheme, self.target.netloc, self.client.client_id))
 
                     ntlm_hash_data = outputToJohnFormat(self.challengeMessage['challenge'],
                                                         authenticateMessage['user_name'],
@@ -194,7 +194,7 @@ def do_attack(self):
             if self.target.scheme.upper() in self.server.config.attacks:
                 # We have an attack.. go for it
                 clientThread = self.server.config.attacks[self.target.scheme.upper()](self.server.config, self.client.session,
-                                                                               self.authUser)
+                                                                               self.authUser, self.target, self.client)
                 clientThread.start()
             else:
                 LOG.error('(RAW): No attack configured for %s' % self.target.scheme.upper())
diff --git a/impacket/examples/ntlmrelayx/servers/rpcrelayserver.py b/impacket/examples/ntlmrelayx/servers/rpcrelayserver.py
@@ -237,16 +237,16 @@ def negotiate_ntlm_session(self):
 
                 try:
                     self.do_ntlm_auth(token, authenticateMessage)
-
+                    self.client.setClientId()
                     # Relay worked, do whatever we want here...
                     if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
-                        LOG.info("(RPC): Authenticating connection from %s/%s@%s against %s://%s SUCCEED" % (
+                        LOG.info("(RPC): Authenticating connection from %s/%s@%s against %s://%s SUCCEED [%s]" % (
                             authenticateMessage['domain_name'].decode('utf-16le'), authenticateMessage['user_name'].decode('utf-16le'),
-                            self.client_address[0], self.target.scheme, self.target.netloc))
+                            self.client_address[0], self.target.scheme, self.target.netloc, self.client.client_id))
                     else:
-                        LOG.info("(RPC): Authenticating connection from %s/%s@%s against %s://%s SUCCEED" % (
+                        LOG.info("(RPC): Authenticating connection from %s/%s@%s against %s://%s SUCCEED [%s]" % (
                             authenticateMessage['domain_name'].decode('ascii'), authenticateMessage['user_name'].decode('ascii'),
-                            self.client_address[0], self.target.scheme, self.target.netloc))
+                            self.client_address[0], self.target.scheme, self.target.netloc, self.client.client_id))
 
                     ntlm_hash_data = outputToJohnFormat(self.challengeMessage['challenge'],
                                                         authenticateMessage['user_name'],
@@ -405,7 +405,9 @@ def do_attack(self):
                 # We have an attack.. go for it
                 clientThread = self.server.config.attacks[self.target.scheme.upper()](self.server.config,
                                                                                       self.client.session,
-                                                                                      self.auth_user)
+                                                                                      self.auth_user,
+                                                                                      self.target,
+                                                                                      self.client)
                 clientThread.start()
             else:
                 LOG.error('(RPC): No attack configured for %s' % self.target.scheme.upper())
diff --git a/impacket/examples/ntlmrelayx/servers/smbrelayserver.py b/impacket/examples/ntlmrelayx/servers/smbrelayserver.py
@@ -362,7 +362,8 @@ def SmbSessionSetup(self, connId, smbServer, recvPacket):
                 client.killConnection()
             else:
                 # We have a session, create a thread and do whatever we want
-                LOG.info("(SMB): Authenticating connection from %s@%s against %s://%s SUCCEED" % (self.authUser, connData['ClientIP'], self.target.scheme, self.target.netloc))
+                self.client.setClientId()
+                LOG.info("(SMB): Authenticating connection from %s@%s against %s://%s SUCCEED [%s]" % (self.authUser, connData['ClientIP'], self.target.scheme, self.target.netloc, self.client.client_id))
                 # Log this target as processed for this client
 
                 if not self.config.isADCSAttack:
@@ -657,7 +658,8 @@ def SmbSessionSetupAndX(self, connId, smbServer, SMBCommand, recvPacket):
                     return None, [packet], errorCode
                 else:
                     # We have a session, create a thread and do whatever we want
-                    LOG.info("(SMB): Authenticating connection from %s@%s against %s://%s SUCCEED" % (self.authUser, connData['ClientIP'], self.target.scheme, self.target.netloc))
+                    self.client.setClientId()
+                    LOG.info("(SMB): Authenticating connection from %s@%s against %s://%s SUCCEED [%s]" % (self.authUser, connData['ClientIP'], self.target.scheme, self.target.netloc, self.client.client_id))
 
                     # Log this target as processed for this client
                     self.targetprocessor.registerTarget(self.target, True, self.authUser)
@@ -736,8 +738,9 @@ def SmbSessionSetupAndX(self, connId, smbServer, SMBCommand, recvPacket):
                 return None, [packet], errorCode
             else:
                 # We have a session, create a thread and do whatever we want
+                self.client.setClientId()
                 self.authUser = ('%s/%s' % (sessionSetupData['PrimaryDomain'], sessionSetupData['Account'])).upper()
-                LOG.info("(SMB): Authenticating connection from %s@%s against %s://%s SUCCEED" % (self.authUser, connData['ClientIP'], self.target.scheme, self.target.netloc))
+                LOG.info("(SMB): Authenticating connection from %s@%s against %s://%s SUCCEED [%s]" % (self.authUser, connData['ClientIP'], self.target.scheme, self.target.netloc, self.client.client_id))
 
                 # Log this target as processed for this client
                 self.targetprocessor.registerTarget(self.target, True, self.authUser)
@@ -913,7 +916,7 @@ def do_attack(self,client):
         # If SOCKS is not enabled, or not supported for this scheme, fall back to "classic" attacks
         if self.target.scheme.upper() in self.config.attacks:
             # We have an attack.. go for it
-            clientThread = self.config.attacks[self.target.scheme.upper()](self.config, client.session, self.authUser)
+            clientThread = self.config.attacks[self.target.scheme.upper()](self.config, client.session, self.authUser, self.target, self.client)
             clientThread.start()
         else:
             LOG.error('(SMB): No attack configured for %s' % self.target.scheme.upper())
diff --git a/impacket/examples/ntlmrelayx/servers/socksserver.py b/impacket/examples/ntlmrelayx/servers/socksserver.py
@@ -217,7 +217,7 @@ def activeConnectionsWatcher(server):
             server.activeRelays[target][port] = {}
 
         if (userName in server.activeRelays[target][port]) is not True:
-            LOG.info('SOCKS: Adding %s@%s(%s) to active SOCKS connection. Enjoy' % (userName, target, port))
+            LOG.info('SOCKS: Adding %s://%s@%s(%s) [%s] to active SOCKS connection. Enjoy' % (scheme, userName, target, port, client.client_id))
             server.activeRelays[target][port][userName] = {}
             # This is the protocolClient. Needed because we need to access the killConnection from time to time.
             # Inside this instance, you have the session attribute pointing to the relayed session.
@@ -267,9 +267,10 @@ def get_relays():
                 for port in server.activeRelays[target]:
                     for user in server.activeRelays[target][port]:
                         if user != 'data' and user != 'scheme':
+                            client_id = server.activeRelays[target][port][user]['protocolClient'].client_id
                             protocol = server.activeRelays[target][port]['scheme']
                             isAdmin = server.activeRelays[target][port][user]['isAdmin']
-                            relays.append([protocol, target, user, isAdmin, str(port)])
+                            relays.append([protocol, target, user, isAdmin, str(port), str(client_id)])
             return jsonify(relays)
 
         @app.route('/ntlmrelayx/api/v1.0/relays', methods=['GET'])
diff --git a/impacket/examples/ntlmrelayx/servers/wcfrelayserver.py b/impacket/examples/ntlmrelayx/servers/wcfrelayserver.py
diff --git a/impacket/examples/ntlmrelayx/utils/identity_log.py b/impacket/examples/ntlmrelayx/utils/identity_log.py
