
Bypassing Windows authentication reflection mitigations for ...#2175

Open
carlospolop wants to merge 1 commit into master from update_Bypassing_Windows_authentication_reflection_mitiga_20260427_135022

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Post title: Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 1 (Synacktiv, 2026-04-27).
Core idea: Synacktiv revisits the Windows authentication reflection class (notably CVE-2025-33073) and shows Microsoft’s mitigation (blocking a specific SMB-client input pattern) didn’t remove the underlying risk. They then present a new, “trivial” local privilege escalation via NTLM loc...

🔧 Technical Details

Trick 1 — CMTI / CredMarshalTargetInfo “hostname smuggling” for reflection (CVE-2025-33073 class recap): If an authentication stack lets the caller append “additional target information” (base64) to a hostname, and LSASS strips that suffix before building NTLM/Kerberos blobs, an attacker can register/abuse DNS such that the unsanitized name resolves to an attacker IP while the sanitized name is used for the auth blob/SPN. This can yield NTLM local-auth exchanges (when sanitized target equals local machine name) or Kerberos AP-REQ messages for a chosen SPN (e.g., CIFS/HOST) delivered to attacker infrastructure, which can then be relayed to a service on the same machine to impersonate a coerced privileged client (often NT AUTHORITY\SYSTEM).

Trick 2 — NTLM local reflection via SMB arbitrary-port + TCP-connection reuse (CVE-2026-24294): If the SMB client supports connecting to a share on an ...

🤖 Agent Actions

I’m mapping the repo first, then I’ll read the existing Windows/NTLM relay material before deciding whether this belongs in an existing page or needs a new one.
I found existing Windows LPE and NTLM-related content, including a named-pipe-client-impersonation page that already references reflection-style potatoes. Next I’m reading the most relevant pages in full to avoid duplicating what HackTricks already covers.
The current LPE pages cover potatoes and named-pipe impersonation, but they don’t document this distinct SMB arbitrary-port plus connection-reuse reflection chain. I’m checking NTLM relay and credential-theft pages now so the placement decision is defensible and doesn’t duplicate adjacent content.
I’ve read more than five relevant pages now. The repo already has good coverage for generic NTLM, NTLM credential leakage, and potato-style impersonation, but not for this specific local reflection mechanism built on SMB arbitrary-port transport and TCP session reuse.
There’s already a short NTLM section mentioning the older CMTI reflection path, but not the new arbitrary-port SMB reuse variant. I’m reading that exact section now to choose between extending NTLM vs creating a focused Windows LPE page.
I’ve settled on a dedicated LPE page. The edits are going to be: add the new page with the technical chain and constraints, then add minimal links from the Windows LPE index and the existing NTLM reflection section so readers can find it without duplicating the writeup.
I’m editing now. The new page will stay focused on the technique itself, and the other edits will be kept to discovery links only so the technical content remains in one place.
The content is written. I’m doing a final pass on the rendered markdown targets now to catch bad relative links, awkward phrasing, or any accidental duplication before I stop.
Added a new HackTricks page for the technique at local-ntlm-reflection-via-smb-arbitrary-port.md. It documents the SMB arbitrary-port prerequisite, the TCP connection reuse/multiplexing condition, the same-share-path requirement, the ntlmrelayx.py relay step, the Windows Server 2025 vs Windows 11 24H2 constraint, and technical detection/hardening notes. References were added at the end of that page.

I also linked it from Windows Local Privilege Escalation README, from the existing NTLM reflection context in NTLM README, and added it to SUMMARY.md. I reviewed the diff and relative paths; no tests/build were run.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
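A small Python model of the two-name inconsistency behind Trick 1 (the CVE-2025-33073 class): the unsanitised hostname drives DNS resolution while the stripped hostname drives the NTLM target / SPN, so the two are never compared. This is an added illustration written for this review, not code from the Synacktiv post, from HackTricks, or from this PR. It assumes a simplified trailer format (a literal `1` marker followed by base64, as in the marshalled strings the write-ups show) and uses a 4-byte `CMTI` tag as a stand-in for the real marshalled target-information header so the trailer can be recognised unambiguously; the vulnerable/hardened planners, the detection helper and all sample names and addresses are constructed.

```python
"""Model of the CMTI "hostname smuggling" inconsistency (CVE-2025-33073 class).

Added illustration only. The trailer is modelled as "1" + base64; the _MAGIC tag
standing in for the real marshalled target-information header is an assumption.
"""
import base64
import binascii
from dataclasses import dataclass

_MAGIC = b"CMTI"  # assumed stand-in for the real marshalled structure header


def make_cmti_name(host: str, target_info: bytes) -> str:
    """Attacker side: hostname + "1" + base64(target info), CredMarshalTargetInfo style."""
    return f"{host}1{base64.b64encode(_MAGIC + target_info).decode()}"


def _decode_trailer(text: str):
    """Return the decoded blob if *text* is a well-formed marshalled trailer, else None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw.startswith(_MAGIC) else None


def cmti_strip(name: str) -> str:
    """Model of LSASS sanitisation: drop a trailing marshalled trailer if present.

    The first "1" whose remainder decodes as a valid trailer is treated as the
    marker, so a hostname that merely ends in a digit (srv1) is left alone.
    """
    for i, ch in enumerate(name):
        if ch == "1" and _decode_trailer(name[i + 1:]) is not None:
            return name[:i]
    return name


@dataclass
class AuthPlan:
    connect_to: str    # address the client actually sends its packets to
    auth_target: str   # name used for the NTLM target / Kerberos SPN host part
    local_auth: bool   # True when the auth target is this machine (reflectable)


def plan_vulnerable(requested: str, dns: dict, local_host: str) -> AuthPlan:
    """Vulnerable flow: resolve the raw name, but authenticate to the stripped name.

    The two names are never compared: DNS for the raw name is attacker-controlled,
    while the stripped name can equal the local machine name.
    """
    ip = dns[requested.lower()]
    target = cmti_strip(requested)
    return AuthPlan(ip, target, target.lower() == local_host.lower())


def plan_hardened(requested: str, dns: dict, local_host: str) -> AuthPlan:
    """Hardened flow: one canonical name drives both resolution and authentication,
    and a target that is this machine is refused before any packet is sent."""
    target = cmti_strip(requested)
    if target.lower() == local_host.lower():
        raise ValueError(f"refusing loopback authentication to {target!r}")
    return AuthPlan(dns[target.lower()], target, False)


def suspicious_targets(observed_hosts, local_host: str) -> list:
    """Detection helper: hostnames (e.g. from coerced UNC paths) that carry a
    trailer and collapse to the local machine name once the trailer is stripped."""
    out = []
    for host in observed_hosts:
        stripped = cmti_strip(host)
        if stripped != host and stripped.lower() == local_host.lower():
            out.append(host)
    return out


if __name__ == "__main__":
    # Constructed sample data: the attacker registers the raw (unsanitised) name in DNS.
    local = "SRV1"
    smuggled = make_cmti_name("srv1", b"\x00" * 20)
    dns = {smuggled.lower(): "10.13.37.5", "srv1": "10.0.0.10", "fileserver": "10.0.0.20"}
    print("vulnerable:", plan_vulnerable(smuggled, dns, local))
    try:
        plan_hardened(smuggled, dns, local)
    except ValueError as exc:
        print("hardened:", exc)
    print("suspicious:", suspicious_targets([smuggled, "fileserver", "srv1"], local))
```

The point of `plan_hardened` is not the loopback refusal on its own but that resolution and authentication are derived from the same canonical name; Microsoft's actual mitigation (blocking one SMB-client input pattern) is what the post argues left the underlying inconsistency in place. `suspicious_targets` is the shape of check a detection engineer would run over hostnames seen in coercion attempts.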

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part-1.html

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (new page) and cross-link from NTLM / Places to steal NTLM creds / relay-related content; also potentially under Lateral Movement/NTLM Relay notes as a 'local reflection to SYSTEM via SMB arbitrary port' technique".

Repository Maintenance:

  • MD Files Formatting: 973 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
