ghostsurf
NTLM HTTP relay tool with a SOCKS proxy for browser session hijacking.
Capture NTLM auth, relay it to HTTP/HTTPS targets, then browse as the victim through a SOCKS proxy. Because the browser's requests ride the relayed, NTLM-authenticated connection itself rather than a copied cookie, this works even when cookie replay doesn't.
Features
- Browser Session Hijacking: SOCKS5 proxy lets you browse as the relayed user
- Auto Session Selection: Single session auto-selects; multiple sessions show an HTML picker
- Kernel-Mode Auth Workaround: Probe-first strategy for IIS/HTTP.sys targets
- Multi-User Relay: Relay multiple captured users to the same target with -r
- Thread-Safe: Concurrent browser connections with socket locking
- Header Preservation: Passes User-Agent, cookies, and other headers the target app depends on
Attack Flow
1. Start ghostsurf:

   ./ghostsurf -t https://target.local/ -k -r

2. Set up the browser proxy (Firefox + FoxyProxy recommended):
   - Install FoxyProxy in Firefox
   - Add a proxy: type SOCKS5, host 127.0.0.1, port 1080
   - Enable the proxy profile before browsing

   Firefox is recommended over Chrome. Chrome makes extensive background telemetry and tracking requests that get routed through the proxy, polluting your output and logs with failed requests.

   When browsing HTTPS targets, Firefox will show a certificate warning for the local SOCKS TLS connection (self-signed cert, patched for Firefox's stricter certificate requirements). Accept it to proceed. This is expected and only applies to the local proxy, not to the upstream target connection.

3. Trigger NTLM auth (coerced auth, phishing, Responder, etc.)

4. Session captured → browse to the target through the proxy

5. Multiple sessions? A session picker UI appears; just click one. A cookie binds all subsequent requests to that relay session. To switch to a different session, close and reopen Firefox to clear the cookie.
Shell Commands
Kernel-Mode Auth Workaround
IIS with kernel-mode authentication enabled (the default since IIS 7) binds the NTLM-authenticated context to the TCP connection inside HTTP.sys. If a request on that connection hits a path configured for Anonymous authentication (static CSS, JS, images, fonts), HTTP.sys resets the authenticated context on the connection, and the relay session silently dies with no error.
ghostsurf's -k flag probes each path anonymously before using the relay socket:
- Opens a fresh anonymous connection, sends the same request without NTLM
- 401 response → path requires auth → forward through the authenticated relay socket
- 200 response → path is public → return anonymous response directly, relay socket untouched
- Results are cached per path, so the overhead after the initial page load is negligible
Use -k for any IIS target. This includes CyberArk, Passwordstate, Delinea Secret Server, IBM Verify Privilege Vault, Thycotic Secret Server, BeyondTrust Password Safe, OneIdentity Password Manager, SCCM, and other software that preserves default IIS authentication settings. If unsure, just use -k — the overhead is minimal and it prevents silent session death.
Without -k, all requests go directly through the relay socket, which works for targets that don’t use kernel-mode authentication (Windows Admin Center, Apache, nginx, non-IIS stacks, IIS 6 and below on default settings).
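The following is an added illustration of the probe-first strategy the -k flag describes; it is not ghostsurf's own code. It compares the two routing behaviours above against a constructed, in-memory stand-in for an HTTP.sys host (`FakeHttpSysTarget`, `PAGE_LOAD` and `PROTECTED` are all assumptions of this example) so it runs offline; the real tool sends these requests over sockets. The cache key (path without the query string) and the "only a 401 means auth" rule are also this example's assumptions.

```python
"""Probe-first routing for IIS/HTTP.sys targets with kernel-mode auth.

Added illustration, not ghostsurf's own code. FakeHttpSysTarget is a
constructed model so the example runs offline.
"""


def _path_only(path):
    """Strip the query string; the model treats /x and /x?y as one resource."""
    return path.split("?", 1)[0]


class FakeHttpSysTarget:
    """Constructed model of kernel-mode authentication on one TCP connection.

    Paths in `protected` require NTLM; everything else is Anonymous. The
    relayed NTLM context lives on a single connection, and a request for an
    Anonymous path on that connection wipes the context, as the section
    above describes.
    """

    def __init__(self, protected):
        self.protected = set(protected)
        self.relay_authenticated = True  # context obtained by the NTLM relay
        self.relay_requests = 0

    def anonymous_request(self, path):
        """Fresh unauthenticated connection; never touches the relay socket."""
        if _path_only(path) in self.protected:
            return 401, b""
        return 200, b"public:" + path.encode()

    def relay_request(self, path):
        """Request sent on the connection that carries the relayed context."""
        self.relay_requests += 1
        if _path_only(path) not in self.protected:
            self.relay_authenticated = False  # HTTP.sys resets the context
            return 200, b"public:" + path.encode()
        if not self.relay_authenticated:
            return 401, b""  # the session is dead, with no other error
        return 200, b"secret:" + path.encode()


class DirectRouter:
    """Behaviour without -k: every browser request rides the relay socket."""

    def __init__(self, target):
        self.target = target

    def request(self, path):
        status, body = self.target.relay_request(path)
        return "relay", status, body


class ProbeFirstRouter:
    """Behaviour with -k: probe anonymously once per path, cache, then route."""

    def __init__(self, target):
        self.target = target
        self.needs_auth = {}  # cache: path -> True if the probe got a 401
        self.probes = 0

    def request(self, path):
        key = _path_only(path)  # assumption: cache on path without query
        if key not in self.needs_auth:
            self.probes += 1
            status, body = self.target.anonymous_request(path)
            # Assumption of this example: only a 401 means the path wants
            # auth; any other status is served from the anonymous connection.
            self.needs_auth[key] = status == 401
            if status != 401:
                return "anon", status, body  # relay socket untouched
        if self.needs_auth[key]:
            status, body = self.target.relay_request(path)
            return "relay", status, body
        status, body = self.target.anonymous_request(path)
        return "anon", status, body


# Constructed page load: an authenticated page, two static assets, then
# another authenticated page, the order that kills a relay session.
PAGE_LOAD = ["/", "/static/app.css", "/static/app.js", "/admin/secrets"]
PROTECTED = {"/", "/admin/secrets"}


def browse(router_cls, target):
    """Run PAGE_LOAD through one router; returns (source, status, body) per request."""
    router = router_cls(target)
    return [router.request(p) for p in PAGE_LOAD]


def demo():
    """Compare both strategies against fresh targets."""
    direct = browse(DirectRouter, FakeHttpSysTarget(PROTECTED))
    probed_target = FakeHttpSysTarget(PROTECTED)
    probed = browse(ProbeFirstRouter, probed_target)
    return direct, probed, probed_target


if __name__ == "__main__":
    direct, probed, target = demo()
    for label, results in (("without -k", direct), ("with -k", probed)):
        print(label, [(src, status) for src, status, _ in results])
```

Without -k the two static-asset requests reset the context, so the final request for /admin/secrets comes back 401 with nothing else to indicate why. With -k the assets are served from the anonymous connection, the relay socket is used exactly twice, and the context survives; a second request for a cached path costs no further probe.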