A penetration-testing team operating inside a Windows domain captures several NTLMv2 challenge-response pairs with Responder from a help-desk workstation. The handshake belongs to an account that is a local administrator on multiple file servers where sensitive data is stored. The testers verify that SMB signing is disabled on the target server and want to reuse the captured authentication immediately, without cracking the hash, to open an interactive shell on the server. They decide to remain inside the Python-based Impacket toolkit. Which action will best achieve their objective?
Poison NBNS or DNS responses again to coerce additional hosts to connect to a rogue SMB share for new hash collection
Forge a golden Kerberos ticket using the technician's NT hash and inject it into LSASS on the attack box
Request a fraudulent certificate from Active Directory Certificate Services and import it to impersonate the technician over Kerberos
Relay the captured NTLM handshake to the file server with ntlmrelayx.py and execute a command once the session is established
Impacket's ntlmrelayx.py performs an NTLM relay attack: it takes the victim's authentication messages and forwards them to a different host that does not enforce SMB signing, thereby authenticating as the victim without any password or hash cracking. Once the relay completes, ntlmrelayx can execute commands, dump secrets, or open a SOCKS proxy on the server under the captured user's context. Forging AD CS certificates or crafting Kerberos golden tickets requires certificate templates or the KRBTGT key; neither uses the captured NTLM handshake. Launching further name-resolution poisoning would only collect more hashes and does not immediately pivot with the credentials already obtained.