CVE-2025-33073 PoC — Windows SMB Client Elevation of Privilege Vulnerability

Associated vulnerability

Title: Windows SMB Client Elevation of Privilege Vulnerability (CVE-2025-33073)
Description: Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.

Readme
# CVE-2025-33073 Checker Script

This rough PoC checker script tests targets for CVE-2025-33073 by attempting an NTLM reflection attack, using NTLM authentication coercion over Samba RPC. To do this you need an account with access to the Samba server.

You also need to register the DNS name `localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA` pointing to your attacker IP in the internal Windows DNS, as described in Setup below. By default, any account in the domain is allowed to do this. LLMNR poisoning can be used [instead](https://github.com/mverschu/CVE-2025-33073).

Before running this script, make sure you understand how the attack works; see the explanation [here](https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025).

## Usage

```bash
# Usage: ./CVE-2025-33073-checker.sh -u USERNAME -p PASSWORD -d DOMAIN -i IP_FILE
# Example: 
./CVE-2025-33073-checker.sh -u Administrator -p Password123 -d example.local -i samba_list_ips.txt
```

## Setup

- Install crackmapexec, netcat and python3
- Put [PetitPotam.py](https://github.com/topotam/PetitPotam) in the same directory as this script
- Register the DNS name `localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA` pointing to the attacker IP via dynamic DNS update. You can use [dnstool.py](https://github.com/dirkjanm/krbrelayx/blob/master/dnstool.py) or [Powermad](https://github.com/Kevin-Robertson/Powermad).
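Because the attack depends on a crafted hostname being registered in the domain's DNS (something any domain account can do by default), defenders can hunt for such records. The following is an added example, not part of this repository, that scans a constructed DNS zone export for A records whose owner name carries the marshalled suffix shown above; the broader base64-tail heuristic and the zone line format are assumptions.

```python
import re
from typing import Dict, List, Optional

# Marshalled target-info suffix of the crafted hostname shown in this README.
KNOWN_SUFFIX = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA"

# Broader heuristic (assumption, not from the README): a short label followed
# directly by a long base64-looking tail containing a run of 'A' (zero bytes)
# does not look like any legitimately registered hostname.
SUSPICIOUS_TAIL = re.compile(r"^[a-z0-9-]{1,15}(?P<tail>[A-Za-z0-9+/]{30,})$", re.I)


def classify_name(fqdn: str) -> Optional[str]:
    """Return a finding label for a DNS owner name, or None if it looks benign."""
    label = fqdn.split(".")[0]
    if label.endswith(KNOWN_SUFFIX):
        return "known_cve_2025_33073_marshalled_name"
    m = SUSPICIOUS_TAIL.match(label)
    if m and "AAAAAAAA" in m.group("tail"):
        return "suspicious_base64_tail"
    return None


def scan_zone(lines: List[str]) -> List[Dict[str, str]]:
    """Scan 'name type value' records and return the flagged A records."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[1].upper() != "A":
            continue
        reason = classify_name(parts[0])
        if reason:
            findings.append({"name": parts[0], "ip": parts[2], "reason": reason})
    return findings


# Constructed zone export (not real data): two benign hosts, the README's crafted
# name, and a second crafted name built on a different base label.
SAMPLE_ZONE = [
    "dc01.example.local A 10.0.0.10",
    "fileserver01.example.local A 10.0.0.20",
    "localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.example.local A 10.0.0.99",
    "srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.example.local A 10.0.0.99",
]

if __name__ == "__main__":
    for f in scan_zone(SAMPLE_ZONE):
        print(f"{f['reason']}: {f['name']} -> {f['ip']}")
```

Run it against a real zone dump (for example the output of a DNS zone export reformatted as `name type value` lines) and investigate the owner account and creation time of any flagged record.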

## Resources
- https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://github.com/mverschu/CVE-2025-33073
- https://github.com/topotam/PetitPotam