The threat is real – legitimate users can engineer malicious programs that deceive target systems into authenticating to a fake SMB server. This exploitation method hands the attacker the highest level of system authority, giving them complete control over the compromised machine.
So, let’s see what gaining this access looks like in practice.
Before attempting exploitation, two conditions must be verified:
- SMB signing disabled: the target machine must not require SMB signing. This configuration weakness permits authentication relay attacks over the SMB protocol.
- Coercer vulnerability: the target system must be susceptible to authentication coercion techniques, which force it to initiate authentication requests to an attacker-controlled server.
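The first precondition is something a defender can verify and close on their own hosts before any of the attempts below become possible. The following PowerShell is an added example written for this post, not the author's tooling: it reads the server- and client-side signing settings with the built-in SmbShare cmdlets, reports whether the host would accept an unsigned (relayable) session, and enforces signing on both sides. It assumes an elevated session on Windows 8/Server 2012 or later and uses the standard LanmanServer/LanmanWorkstation registry locations.

```powershell
# Added example (not from the original post): audit and enforce SMB signing
# on a Windows host from an elevated PowerShell session. The cmdlets are the
# built-in SmbShare module; the registry paths are the standard
# LanmanServer / LanmanWorkstation policy locations.
#Requires -RunAsAdministrator

function Get-SmbSigningStatus {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ServerRequiresSigning = $server.RequireSecuritySignature
        ServerEnablesSigning  = $server.EnableSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        # A relay lands when the server side merely *enables* signing but
        # does not *require* it: that is the "SMB signing disabled" precondition.
        RelayExposed          = -not $server.RequireSecuritySignature
    }
}

function Enable-SmbSigningRequirement {
    # Server side: inbound SMB sessions must be signed.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    # Client side: outbound sessions are signed too, so the host cannot be
    # coerced into an unsigned session with a rogue server.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    # Mirror the setting into the policy registry values so a later GPO
    # refresh or audit tooling sees the same state.
    $paths = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters',
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    )
    foreach ($p in $paths) {
        Set-ItemProperty -Path $p -Name RequireSecuritySignature -Value 1 -Type DWord
    }
}

$before = Get-SmbSigningStatus
if ($before.RelayExposed) {
    Write-Warning "SMB signing is not required on $($before.ComputerName); enforcing it."
    Enable-SmbSigningRequirement
}
Get-SmbSigningStatus | Format-List
```

Run it once on a host that shows RelayExposed = True and the second Get-SmbSigningStatus call should report both Require* values as True. In a domain the same two values are normally pushed by Group Policy ("Microsoft network server/client: Digitally sign communications (always)"), and a GPO refresh will reapply whatever the policy says, so the registry write here is only a local stopgap until the policy is corrected.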
Attempt 1: exploitation without adding a DNS record
In this approach, we run the relay on our own machine. Afterwards, we run PetitPotam and direct it at ourselves.
Result? PetitPotam worked, but the machine couldn’t authenticate without the DNS record mentioned above.
Attempt 2: using a dedicated DNS record
We add the DNS record on the domain controller (using its IP address) and point it at our machine. In the command, we also replace the remove action with add.
With these conditions in place, the operation completes successfully.
Attempt 3: using the added DNS record as the target
After re-running ntlmrelayx, we replace our IP address with the DNS record.
And just like that, we succeeded: the machine is relayed to itself, and we dumped the SAM successfully.
Attempt 4: skipping the DNS record
First, we turn off the relay, clear the terminal, and open one more terminal.
We delete the previously added DNS record to avoid a conflict, and now we can run Responder with LLMNR poisoning. Responder should have it turned on by default.
Second, we run impacket-ntlmrelayx and use netexec with the coerce_plus module to exploit the PrinterBug vulnerability, pointing it at the same DNS name as before.
You’ll see that the name doesn’t exist in DNS, but LLMNR poisoning lets the target resolve it to our attacker machine.
After using it, the effect is the same as before, even though we didn’t add the DNS record.
At this stage, we have obtained the hash of the local admin, so we can authenticate locally.
Now, using the LSA module from netexec, we can dump the LSA secrets.
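Attempt 4 only works because the target, failing to find the name in DNS, falls back to LLMNR on the local link, where any peer can answer. The following PowerShell is an added example for this post (not the author's tooling) that turns that fallback off on a Windows host and checks it: it reads and sets the EnableMulticast policy value behind the "Turn off multicast name resolution" Group Policy setting, then issues an LLMNR-only lookup for a constructed, non-existent name to confirm nothing on the link answers it. It assumes an elevated session and uses a placeholder name; NBT-NS, which a poisoner can also answer, is a separate per-adapter setting and is not covered here.

```powershell
# Added example (not from the original post): verify and turn off LLMNR on a
# Windows host so that a name missing from DNS is not multicast on the local
# link, where a poisoner could answer it. EnableMulticast = 0 is the value the
# "Turn off multicast name resolution" policy writes.
#Requires -RunAsAdministrator

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    $value = (Get-ItemProperty -Path $PolicyPath -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EnableMulticast = $value              # $null means "not configured", i.e. LLMNR is on
        LlmnrEnabled    = ($null -eq $value -or $value -ne 0)
    }
}

function Disable-Llmnr {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name EnableMulticast -Value 0 -Type DWord
}

function Test-NameAnsweredByLlmnr {
    # Constructed placeholder name that is deliberately absent from DNS.
    param([string]$Name = 'name-not-in-dns-example')
    # Restrict the resolver to LLMNR only. With the policy applied there should
    # be no answer; any answer means a link-local peer responded to the query.
    try {
        $r = Resolve-DnsName -Name $Name -LlmnrOnly -ErrorAction Stop
        return [bool]$r
    } catch {
        return $false
    }
}

if ((Get-LlmnrState).LlmnrEnabled) {
    Write-Warning "LLMNR is enabled on $env:COMPUTERNAME; disabling it."
    Disable-Llmnr
}
Get-LlmnrState | Format-List
"Placeholder name answered via LLMNR: $(Test-NameAnsweredByLlmnr)"
```

The final check should print False once the setting is in effect; if it still prints True immediately after the change, refresh policy (gpupdate /force) and re-run, since the DNS client picks the value up from policy rather than from the live registry write. As with SMB signing, the durable fix is the Group Policy setting itself, applied domain-wide.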
Conclusion
CVE-2025-33073 exemplifies how legacy authentication protocols can be exploited through protocol manipulation techniques. The vulnerability’s severity stems from its ability to transform limited network access into complete system compromise. Organizations must prioritize SMB hardening and authentication modernization to defend against these sophisticated reflection attacks.
And if you’re hungry for more cybersecurity knowledge, we’ve opened registration for our 6-week Advanced Windows Security Course 2026, ensuring you’re prepared for the threat landscape of the next year!
Transcript of the video:
OK guys, let’s start by enumerating the machine that we want to attack.
First of all, we have to check if the SMB signing is off.
This allows us to relay via SMB. Next, the machine must be vulnerable to coerce.
That’s going to be the attack component. Now I’ll show you that without a special DNS record, this attack won’t work.
But let’s try it anyway.
We run the relay on this machine and then we run PetitPotam and direct it to ourselves.
As we can see, PetitPotam worked, but the machine couldn’t authenticate without the mentioned DNS record.
OK, so let’s add this DNS record and it looks like this.
Here you have the IP address of the domain controller.
I’m adding the DNS record and indicating it to our machine.
Let me show you the IP that’s actually our machine.
So let’s also change remove to add. OK, the operation is completed successfully.
Let’s try to launch the attack again, but this time by using the added DNS record.
We rerun the NTLM relay.
Next we change our IP address by DNS record.
As you can see, we succeeded and our machine is relayed to itself.
We dumped SAM successfully.
Now I will show you the second way. We won’t add the DNS record this time.
OK, so let’s turn off the relay, clear it here and add one more terminal.
Let’s put it here.
First of all, we must delete this DNS record to avoid the conflict and make sure that everything is just like starting from scratch.
Now we can run the responder with LLMNR poisoning.
The responder should have it turned on by default, as you can see it’s on.
Next we can run impacket-ntlmrelayx, and this time we will use netexec with the coerce_plus module and exploit the PrinterBug vulnerability with this DNS indication.
As we can see, the effect will be the same if we hadn’t added the DNS record.
OK, so let’s see what we can do now.
We have the hash of the local admin, and we type admin here with his hash and as a local user, so we can authenticate locally.
We can use the module LSA from netexec.
And as we can see, we’ve got a little bit more information at our disposal.