https://ioctl.lol/tags/internal-pentest/Recent content in Internal-Pentest on ioctlHugoenioctlMon, 08 Dec 2025 00:00:00 +0000https://ioctl.lol/research/when-every-relay-fails/Mon, 08 Dec 2025 00:00:00 +0000https://ioctl.lol/research/when-every-relay-fails/<h2 id="the-setup-that-looked-easy">The Setup That Looked Easy</h2> <p>Internal pentest. Low-privileged domain credentials provided by the client. Standard assumed-breach scenario.</p> <p>Initial recon painted a promising picture:</p> <pre tabindex="0"><code>nxc smb 10.10.10.0/24 -u testuser -p &#39;Provided2025!&#39; --gen-relay-list relay.txt </code></pre><p>Both Domain Controllers — <strong>SMB signing disabled</strong>. Coercion scan confirmed every flavor was on the menu:</p> <pre tabindex="0"><code>nxc smb 10.10.10.11 -u testuser -p &#39;Provided2025!&#39; -M coerce_plus SMB 10.10.10.11 445 DC02 VULNERABLE, DFSCoerce SMB 10.10.10.11 445 DC02 VULNERABLE, PetitPotam SMB 10.10.10.11 445 DC02 VULNERABLE, PrinterBug SMB 10.10.10.11 445 DC02 VULNERABLE, MSEven </code></pre><p>SMB signing off on DCs + every coercion technique working = textbook relay scenario. Should be straightforward. Right?</p>