
Today we return to the NTLM Reflection attack based on CVE-2025-33073, which lets a remote attacker without authorization execute arbitrary commands on the attacked host with SYSTEM privileges. We previously covered how to detect such attacks; here we show how one specific case of the attack can be used in penetration testing.
Relay attacks normally target only hosts and services inside an Active Directory domain. A host that is not domain-joined has no machine account in AD, and its users exist only locally, so when its SYSTEM context is coerced into authenticating to us, the NTLM exchange arrives with an empty domain and user name. Responder shows nothing useful, and ntlmrelayx.py reports something like:
Authenticating against smb://172.16.128.143 as / FAILED
However, a recent security assessment project led us to conclude that NTLM Reflection can be a way to compromise a non-domain Windows host if the following conditions hold:
1. The patch that fixes this vulnerability is not installed on the target.
2. SMB signing is not required on the target (signing merely enabled is not enough to stop the attack).
3. It is possible to add or spoof the DNS record the attack needs (e.g. localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA). Domain controllers are often the DNS servers for the whole infrastructure, and by default any authenticated domain account can create the required A record there. If the attacker's host is in the same L2 segment as the vulnerable host, LLMNR/NBNS/mDNS spoofing (as shown in the screenshot above) or an IPv6 attack with DNS spoofing can be tried instead.
4. There is a way to trigger authentication from the target's SYSTEM context, for example anonymous PetitPotam, or PetitPotam with a non-privileged account.
The list of conditions is long, but each of them is realistic in practice, and when they all hold NTLM Reflection can give access to a host outside the domain.
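Condition 2 is the one that is cheapest to verify before committing to the rest of the chain, and it is worth checking by hand rather than trusting a scanner's one-word summary. The following is an added example written for this article (not a tool from the original post or from the impacket project): it sends a single SMB2 NEGOTIATE to the target and decodes the SecurityMode field of the response as defined in MS-SMB2 2.2.4, where bit 0x0001 means signing is enabled and bit 0x0002 means signing is required. Only the 0x0002 bit matters for whether a reflected session is usable. The host name, port and the sample responses used for offline testing are constructed for illustration.

```python
"""Check whether a target requires SMB signing (condition 2 above).

Sends one SMB2 NEGOTIATE over TCP/445 and reads the SecurityMode field of the
response (MS-SMB2 2.2.4). Example code for this article, not part of the
original post or of any existing tool.
"""
import socket
import struct
import sys
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED

# SMB2 header layout (64 bytes): ProtocolId, StructureSize, CreditCharge,
# Status, Command, Credits, Flags, NextCommand, MessageId, Reserved,
# TreeId, SessionId, Signature.
_HEADER_FMT = "<4sHHIHHIIQIIQ16s"


def build_negotiate_request() -> bytes:
    """SMB2 header + NEGOTIATE request offering dialects 2.0.2 and 2.1."""
    header = struct.pack(_HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    dialects = [0x0202, 0x0210]
    # StructureSize(36), DialectCount, SecurityMode, Reserved, Capabilities,
    # ClientGuid, ClientStartTime, then the dialect array.
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return header + body


def parse_negotiate_response(msg: bytes) -> dict:
    """Decode SecurityMode and DialectRevision from an SMB2 NEGOTIATE response."""
    if len(msg) < 64 + 65 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status = struct.unpack_from("<I", msg, 8)[0]
    command = struct.unpack_from("<H", msg, 12)[0]
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("unexpected command 0x%04x / status 0x%08x" % (command, status))
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize %d" % struct_size)
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
        # A reflected/relayed session is only usable when signing is NOT required.
        "relay_candidate": not (security_mode & SIGNING_REQUIRED),
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf


def check_target(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Connect to host:port, negotiate SMB2 and return the parsed signing flags."""
    request = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # NetBIOS session service framing: zero byte + 3-byte big-endian length.
        sock.sendall(struct.pack(">I", len(request)) + request)
        length = struct.unpack(">I", _recv_exact(sock, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(sock, length))


def build_sample_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed SMB2 NEGOTIATE response (not a capture) for offline testing."""
    header = struct.pack(_HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0x00000001, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize(65), SecurityMode, DialectRevision, NegotiateContextCount,
    # ServerGuid, Capabilities, MaxTransact/Read/Write, SystemTime,
    # ServerStartTime, SecurityBufferOffset/Length, NegotiateContextOffset.
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x00" * 16, 0, 0x800000, 0x800000, 0x800000, 0, 0,
                       0, 0, 0)
    return header + body + b"\x00"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.128.143"  # constructed example host
    info = check_target(target)
    print("%s: dialect 0x%04x, signing required: %s -> relay candidate: %s"
          % (target, info["dialect"], info["signing_required"], info["relay_candidate"]))
```

Run it as `python3 smbsign.py <target-ip>`. A default Windows workstation or member server answers with SecurityMode 0x0001 (enabled, not required), which is exactly the state condition 2 needs; a domain controller or a host with RequireSecuritySignature set answers with 0x0003, and the chain stops there regardless of the other conditions.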
