fortra · nitbx · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025 · Mar 4, 2025
diff --git a/impacket/examples/ntlmrelayx/clients/httprelayclient.py b/impacket/examples/ntlmrelayx/clients/httprelayclient.py
@@ -51,11 +51,15 @@ def initConnection(self):
             self.path = '/'
         else:
             self.path = self.target.path
+        self.query = self.target.query
         return True
 
     def sendNegotiate(self,negotiateMessage):
         #Check if server wants auth
-        self.session.request('GET', self.path)
+        if self.query:
+            self.session.request('GET', self.path + '?' + self.query)
+        else:
+            self.session.request('GET', self.path)
         res = self.session.getresponse()
         res.read()
         if res.status != 401:
@@ -79,7 +83,10 @@ def sendNegotiate(self,negotiateMessage):
         #Negotiate auth
         negotiate = base64.b64encode(negotiateMessage).decode("ascii")
         headers = {'Authorization':'%s %s' % (self.authenticationMethod, negotiate)}
-        self.session.request('GET', self.path ,headers=headers)
+        if self.query:
+            self.session.request('GET', self.path + '?' + self.query, headers=headers)
+        else:
+            self.session.request('GET', self.path, headers=headers)
         res = self.session.getresponse()
         res.read()
         try:
@@ -100,7 +107,10 @@ def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
             token = authenticateMessageBlob
         auth = base64.b64encode(token).decode("ascii")
         headers = {'Authorization':'%s %s' % (self.authenticationMethod, auth)}
-        self.session.request('GET', self.path,headers=headers)
+        if self.query:
+            self.session.request('GET', self.path + '?' + self.query, headers=headers)
+        else:
+            self.session.request('GET', self.path, headers=headers)
         res = self.session.getresponse()
         if res.status == 401:
             return None, STATUS_ACCESS_DENIED
@@ -132,6 +142,7 @@ def initConnection(self):
             self.path = '/'
         else:
             self.path = self.target.path
+        self.query = self.target.query
         try:
             uv_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
             self.session = HTTPSConnection(self.targetHost,self.targetPort, context=uv_context)

diff --git a/impacket/examples/ntlmrelayx/utils/targetsutils.py b/impacket/examples/ntlmrelayx/utils/targetsutils.py
@@ -117,7 +117,10 @@ def registerTarget(self, target, gotRelay = False, gotUsername = None):
             # We have data about the username we relayed the connection for,
             # for a target that didn't have username specified.
             # Let's log it
-            newTarget = urlparse('%s://%s@%s%s' % (target.scheme, gotUsername.replace('/','\\'), target.netloc, target.path))
+            if target.query:
+                newTarget = urlparse('%s://%s@%s%s?%s' % (target.scheme, gotUsername.replace('/','\\'), target.netloc, target.path, target.query))
+            else:
+                newTarget = urlparse('%s://%s@%s%s' % (target.scheme, gotUsername.replace('/','\\'), target.netloc, target.path))
             if gotRelay:
                 self.finishedAttacks.append(newTarget)
             else: